After installing WordPress, there is a lot of work involved in keeping your website healthy.
Even after we have configured our WordPress website with a strong username and password, attackers still have many ways in.
They have many attack methods for getting into your WordPress files. To protect WordPress, we need to find the best options available to reduce the risk of being hacked.
Here are the two measures you should take to protect WordPress and reduce the risk of attackers getting into your WordPress dashboard:
1. 2FA security to protect WordPress.
2. Password protect the WordPress admin directory.
A username with a strong password is not enough to completely protect WordPress from attackers, even if you use a password generator tool.
In addition to a strong username and password, you must protect WordPress with these two security measures.
My Website Has Been Hacked
I have an experimental WordPress website, hosted on a free hosting service, where I only try out my experiments.
As it is not important for me to secure, I have no security measures there, only a strong password and username.
I only occasionally opened the WordPress dashboard. One day I could not sign in to my WordPress dashboard; it showed that the password was incorrect.
I just visited my site to see what was going on. There I could see a text logo: Hacked by Imam.
And there was a small paragraph written by the hacker about the amount he wanted to give my site back.
Do you know how many daily pageviews I got from that website? None, except my own views.
So attackers are always trying to hack as many websites as they can, regardless of how low the traffic is or how popular your website is.
This happened because of my ignorance. I took no security measures there, and it was not important to me either.
I just deleted the WordPress installation and started a new one, as it is my experiment website.
Suppose it is your WordPress site, with unique content created by you, without any backup, and with a decent amount of traffic?
This situation will force you to pay what they ask.
Here are two security measures to protect WordPress and stop things like this from happening.
Enable 2 Factor Authentication
Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves.
Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person’s devices or online accounts because knowing the victim’s password alone is not enough to pass the authentication check.
Even an attacker who has obtained the username and password of your WordPress site is stopped, because the password alone does not complete the login.
How Does Two-Factor Authentication Work?
1. The user is prompted to log in by the application or the website.
2. The user enters what they know, usually a username and password. Then the site’s server finds a match and recognizes the user.
3. For processes that don’t require passwords, the website generates a unique security key for the user. The authentication tool processes the key, and the site’s server validates it.
4. The site then prompts the user to initiate the second login step. Although this step can take a number of forms, users have to prove that they have something only they would have, such as a security token, ID card, smartphone or other mobile device. This is the possession factor.
5. Then, the user enters a one-time code that was generated during step four.
After providing both factors, the user is authenticated and granted access to the application or website.
Enable It In Your WordPress Site
1. Install the plugin called Wordfence Login Security
2. Open your authenticator app and add a new entry; most apps have a plus sign or a small QR code icon
3. Scan the QR code on the Login Security page; your authenticator app should then display a six digit code
If you are accessing the site on a phone or tablet and obviously can’t point the camera at its own screen, copy the line of letters and numbers below the QR code and paste it into the app using the app’s “manual” setup option
° In the “Download recovery codes” section, click the Download button
Recovery codes can be used if you lose your device
° Print or save the file, and store it in a safe place
° Enter the six digit code that appears in your authenticator app
° This code changes every 30 seconds
If the code expires, you can enter the next code instead
° Click the Activate button!
That’s it! Your website is now protected with 2FA. You can read more about this here.
Completely protecting WordPress involves a lot more than 2FA, but if you enable it, you are 99% protected.
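As an added illustration of what happens behind steps 4 and 5 of the login flow above and behind the six digit code that changes every 30 seconds (this is example code written for this page, not Wordfence’s own implementation), here is the TOTP algorithm (RFC 6238) that authenticator apps use, together with the server-side check that also accepts the neighbouring code. The secret is the RFC 6238 reference key, used here as a constructed demo value standing in for the base32 string under the QR code.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the base32 string an authenticator app gets from
# the QR code. This one is the RFC 6238 reference key, not a real site's secret.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30   # seconds per code, as described on the setup page
DIGITS = 6       # six digit code


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Compute the RFC 6238 TOTP code (HMAC-SHA1) valid at `unix_time`."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    counter = int(unix_time) // step                       # which 30-second slot we are in
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current code and `window` adjacent time
    slots, so a code that has just expired (or a slightly skewed phone clock)
    still passes, which is why the next code works when one expires.
    The comparison is constant-time to avoid leaking digits via timing."""
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + delta * TIME_STEP)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code)
    print("verifies:", verify_totp(DEMO_SECRET, code, now))
```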
Password Protect the WordPress Admin Directory
The most important directory in your WordPress installation is wp-admin. You need to set up an additional username and password to protect that directory from unwanted access.
To set up a password for the directory in cPanel, follow the steps below:
1. Open cPanel and search for ‘Directory Privacy’
There you can select which directory you want to make private.
Choose the ‘wp-admin’ folder by clicking ‘public_html’
Then enable the option to password protect the WordPress admin directory
Create a user for accessing that directory
That’s it! Now your WordPress admin area has three layers of protection.
If you are not using cPanel, here is how to manually protect your WordPress directory.
First create a .htpasswd file. You can do it by using this online generator (or locally with Apache’s htpasswd tool, which keeps your password off third-party sites). Upload this file outside your /public_html/ directory.
Then create a .htaccess file, upload it to your /wp-admin/ directory, and add the following lines to it:
AuthType Basic
AuthName "Admins Only"
# Placeholder path: point this at the .htpasswd file you uploaded outside /public_html/
AuthUserFile /home/youraccount/.htpasswd
Require user yourusernamehere
Update the username in there, and don’t forget to update the AuthUserFile path to the location of your .htpasswd file.
If you are facing a 404 error after enabling this, add the following line to your .htaccess file:
ErrorDocument 401 default
If you are using any plugins that use Ajax, your Ajax functionality would break on the front end. If you face that problem, you can fix it with the steps below:
1. Open the .htaccess file in your /wp-admin/ folder (not the main .htaccess file in your site root).
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
Paste the above code into the wp-admin .htaccess file. On Apache 2.4 without mod_access_compat, the Order, Allow and Satisfy lines are not recognised; put "Require all granted" inside the Files block instead.
Now you have finished protecting your WordPress directory. Here we protected the WordPress admin directory by restricting it to a specific user and enabled 2FA.
There are other security measures to protect WordPress, but these two are enough against almost 99% of the attackers trying to access your WordPress dashboard.
But you cannot shield against the 1% of attackers who are intelligent enough to get into your dashboard no matter what security measures you take to protect WordPress.
You can recover even after your website has been hacked if you have backed up all your data.