Everyone is concerned about security, especially for our businesses. But some of us take things for granted and suffer the consequences in the end. I’ve been reading a lot of WordPress security posts and reports of security threats for some time now. Since this site has been injected with malware before, I’ve been very strict about security on all of my websites. I try to read about every WordPress injection and security risk I can find and learn from them.
While updating WordPress gives you security patches and bug fixes, it doesn’t stop crackers and bots from entering your website. Today I will share with you a WordPress security plugin that I found a week ago, called Better WP Security.
A little bit about Better WP Security Plugin:
#1 WORDPRESS SECURITY PLUGIN
Better WP Security takes the best WordPress security features and techniques and combines them in a single plugin thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.
You can download the plugin here.
Here are the tips and settings for this plugin that I use on this site.
Let’s see how this plugin works. Once you install the plugin, simply activate it and click the “Security” tab in your WP dashboard. You will be asked to take a backup of your site if you haven’t already.
If you click “Create Database Backup”, a backup of your database will automatically be emailed to your inbox. If you already have a backup, you can skip this step. The plugin will then ask for your permission to edit WordPress core files in order to give you a higher level of security. If you don’t want to authorize the plugin to edit the core files of your WP installation, you can deny it and proceed.
On the next tab, the plugin asks whether we want to give it permission to write to WordPress core files. To secure the website to the maximum level with this plugin, we need to allow this, so click the upper button to allow the plugin to change WordPress core files.
Now that we have a backup of everything, we can go play with the options. You should be in the Dashboard section of the plugin menu.
The first one is the main reason why websites get hacked easily: using the default username admin. To change this, enter a new username for that user and click Change Admin Username. Note that if you are logged in as that user, you will be logged out and will need to log in again with the new username you chose.
The second option changes the ID of the user with ID 1. Note that this feature is new and some users report problems with Gravatar for their profile after changing it. If you use the Gravatar feature for your WordPress profile, don’t use this yet. Otherwise, click Change User 1 ID.
Note: you will probably be logged out again, so log in and click the button again.
Basically, this lets you lock out your admin dashboard for a certain period of time or on a daily schedule. Use this option only if you are certain you will not need access to the dashboard outside of the specified time.
The first option is the User and Bot blacklist. Check the checkbox Enable Default Banned List. This uses the hackrepair.com list and blocks access to known parasites. For the average user this option is enough; below it you have the option to add your own list of hosts and user agents to ban.
For NEW WORDPRESS WEBSITES
This feature changes the name of your wp-content directory, where WordPress stores themes, plugins, uploads and more. If you already have images uploaded, do not use this, as it will break the links. It is recommended to back up your WordPress files (via FTP or cPanel) before doing this.
Backup Tab
Another great feature of this plugin is the database backup. For those who do not know, every setting, post, comment, page etc. is saved in the database. Your website pulls that content out of the database and displays it on your website. That is why it is important to have a database backup, as you can restore the last known good configuration at any time. Check the first checkbox to enable the feature, then select the backup interval. I suggest backing up at least once a month (for static websites) or once a week or day for blogs and other sites where content is constantly added.
You have two options: store backups on your server or send them to the specified email. Use whichever fits you.
The Backups to keep option applies only if you store backups on your server. I believe 20 is perfectly fine.
Another security step is to change the database table prefix of your WordPress installation, which by default is wp_. You need to change this, as we do not want this information to be known to attackers. Just click the Change Database Table Prefix button to change it to something random.
Make sure you back up your site first.
By default, the WordPress login/register URLs are wp-admin, wp-login and wp-register. You will want to change these. Please note that you need to remember the new URLs. Also note that some plugins that use registration/login may stop working and you will need to edit them manually to fix them.
You will want this setting turned on. Select the first checkbox to enable 404 detection. Uncheck the second checkbox, as the plugin can sometimes send multiple emails for nothing. For Enable File Change Detection, select the checkbox and leave everything else at the default.
This feature checks for wrong logins and bans the hostname if too many wrong logins come too fast. It’s useful to prevent brute-force attacks on your blog. The first checkbox needs to be checked. Leave everything else at the default, but turn off email notifications, as they may bug you. For Lockout Time Period, I set it to 1 day; you can change it to whatever you want.
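The lockout logic described above, written as an added example (not the plugin’s own code) that replays constructed access-log lines; the failure threshold, check window and log format are assumptions, and the one-day lockout is the value chosen in this post:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (not the plugin's defaults); 1 day is the post's Lockout Time Period.
MAX_FAILURES, CHECK_WINDOW, LOCKOUT_PERIOD = 3, timedelta(minutes=5), timedelta(days=1)
# Constructed access-log lines, not a real capture. A failed WordPress login is a POST
# to wp-login.php answered with 200 (form shown again); a success is a 302 redirect.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
203.0.113.5 - - [10/Oct/2013:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
203.0.113.5 - - [10/Oct/2013:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
198.51.100.7 - - [10/Oct/2013:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
198.51.100.7 - - [10/Oct/2013:13:56:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [10/Oct/2013:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
"""
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
def parse_line(line):
    """Return (host, timestamp, method, path, status), or None if the line is unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["host"], ts, m["method"], m["path"], int(m["status"])

def detect_lockouts(log_text, max_failures=MAX_FAILURES,
                    window=CHECK_WINDOW, lockout=LOCKOUT_PERIOD):
    """Sliding-window lockout: max_failures failed logins from one host inside `window`
    lock that host out until last failure + lockout. Returns {host: lockout_until}."""
    failures, locked = defaultdict(deque), {}
    for line in log_text.splitlines():
        if (rec := parse_line(line)) is None:
            continue
        host, ts, method, path, status = rec
        if host in locked and ts < locked[host]:
            continue                       # still locked out: request is refused, not counted
        if method != "POST" or not path.startswith("/wp-login.php"):
            continue
        if status == 302:                  # successful login resets the counter
            failures[host].clear()
            continue
        q = failures[host]
        q.append(ts)
        while ts - q[0] > window:          # drop failures that fell outside the window
            q.popleft()
        if len(q) >= max_failures:
            locked[host] = ts + lockout
            q.clear()
    return locked
```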
We are skipping this, as it is very specific and you have to know what you are doing.
Note that some options may not be compatible with certain plugins/themes. If you notice your theme or plugin going crazy, come back here and play with the options that have a warning below them to see what is causing the problems.
Check every checkbox.
Check every checkbox.
Check every checkbox.
Strong password tweaks
You don’t have to use this if you do not allow registrations on your website. Otherwise, it might be smart to force users to use strong passwords.
Check every checkbox. Note that if you edit your theme from the backend using the editor (under the Appearance menu), you will want to leave the last checkbox unchecked.
I know by now you may feel secure and safe, but the truth is that new attacks are launched every day and you need to know how to prevent them. Keep yourself updated on different WordPress attacks, injections and malware. Nothing is scarier than losing your website, especially if it is your business.