
How to Secure Your WordPress Website: A Comprehensive Guide

WordPress is a popular and widely used Content Management System (CMS) that powers millions of websites on the internet. However, with its popularity comes the risk of security vulnerabilities and attacks from hackers. Therefore, it’s essential to take steps to secure your WordPress website and protect it from potential attacks. In this guide, we’ll show you how to secure your WordPress website without using any plugins.

Secure Your wp-config.php File

The wp-config.php file contains sensitive information such as your database username, password, and authentication keys. Therefore, it’s crucial to protect this file from unauthorized access. Here are some steps you can take to secure your wp-config.php file:

  • Move the wp-config.php file one directory above the public_html (web root) folder. This prevents anyone from fetching the file through the browser, and WordPress still finds it: wp-load.php automatically looks one level above the installation directory when the file is not in its usual place.
  • Change the default database table prefix from “wp_” to something unique. This breaks SQL injection attacks that assume the default table names; such attacks exploit vulnerabilities in WordPress plugins or themes.

Here’s how you can change the default database table prefix:

1. Open your wp-config.php file.

2. Find the following line of code:

$table_prefix = 'wp_';

3. Change the “wp_” prefix to something unique, such as:

$table_prefix = 'mycustomprefix_';

On an existing site this line alone is not enough: the database tables, and the option and user-meta keys that embed the prefix (wp_user_roles, wp_capabilities, wp_user_level), must be renamed to match, so it is easiest to set the prefix before running the installer.

Disable File Editing in WordPress Dashboard

By default, WordPress allows users with administrator-level access to edit theme and plugin files from the WordPress dashboard. This feature is dangerous because it lets anyone who obtains an administrator session modify PHP files without any restrictions, which can turn an account compromise into code execution or simply break the site. To disable file editing in the WordPress dashboard, add the following line to your wp-config.php file, above the line that begins /* That's all, stop editing!:

define( 'DISALLOW_FILE_EDIT', true );

The block below is a separate hardening rule: placed in the site's .htaccess file, it blocks requests to xmlrpc.php, an endpoint commonly abused for brute-force login attempts.

<Files xmlrpc.php>
deny from all
</Files>

Change the Default “admin” Username

The “admin” username is the default username that WordPress creates when you install the CMS. It’s also the most common username used by attackers in brute-force attacks. Therefore, it’s essential to change the default “admin” username to something unique. Here’s how you can change the default “admin” username:

  1. Create a new user with administrator-level access.
  2. Log out of WordPress and log in with the new user account.
  3. Delete the old “admin” user account and assign all its posts to the new user.

Change the Login URL for WordPress

By default, the login page for WordPress is located at `yoursite.com/wp-login.php` or `yoursite.com/wp-admin`. This makes it easy for hackers to target your website by repeatedly attempting to log in using common usernames and passwords. To make it harder for hackers to target your login page, you can change the login URL to something else.

Here’s how you can change the login URL for your WordPress website:

  1. Open your functions.php file located in your theme folder.
  2. Add the following code to the bottom of the file:

function custom_login_url( $login_url, $redirect, $force_reauth ) {
    // Point every login link WordPress generates at the custom slug.
    return home_url( '/my-login-page/' );
}
add_filter( 'login_url', 'custom_login_url', 10, 3 );

  3. Replace /my-login-page/ with the URL slug you want to use for your login page.
  4. Save your changes.

Links to the login page that WordPress generates (for example through wp_login_url()) will now point to your custom login URL. The login_url filter only changes those links: the login form is still served by wp-login.php, so to actually hide it you also need to serve the form at the new slug and block direct requests to the old one.

Disable PHP File Execution

Hackers can upload malicious PHP files to your website and execute them, which can compromise your website’s security. To prevent this, you can disable PHP file execution in certain directories where it’s not needed. Here’s how you can disable PHP file execution:

  1. Create a new .htaccess file in the directory where you want to disable PHP file execution, for example wp-content/uploads, which only ever needs to serve media.
  2. Add the following code to the .htaccess file:

<Files *.php>
deny from all
</Files>

This code will deny access to all PHP files in the directory where the .htaccess file is located, including its subdirectories. The deny from all syntax is Apache 2.2 style; on Apache 2.4 it only works when mod_access_compat is loaded, otherwise use Require all denied inside the same <Files> block.

  3. Save your changes.

Automatically Log Out Idle Users

Leaving your WordPress dashboard open on a public computer or device can be risky, as it can allow unauthorized access to your website. To prevent this, you can automatically log out idle users after a certain period of inactivity. Here’s how you can automatically log out idle users:

  1. Open your theme's functions.php file (or create a must-use plugin). This code must not go in wp-config.php, which is loaded before WordPress defines functions such as is_user_logged_in().
  2. Add the following code:

// Set the time (in seconds) a user may be idle before being logged out
define( 'SESSION_TIMEOUT', 3600 ); // 1 hour

function logout_idle_users() {
    // Only logged-in users have a session to expire
    if ( ! is_user_logged_in() ) {
        return;
    }

    // Get the user's ID
    $user_id = get_current_user_id();

    // Get the user's last activity time (empty on the first request after login)
    $last_active = get_user_meta( $user_id, 'last_active', true );

    // Check if the user has been inactive for longer than the defined time
    if ( $last_active && ( time() - (int) $last_active ) > SESSION_TIMEOUT ) {
        // Log the user out (clears the auth cookies) and drop the stale timestamp
        wp_logout();
        delete_user_meta( $user_id, 'last_active' );

        // Redirect the user to the login page
        wp_safe_redirect( home_url( '/wp-login.php?logged_out=true' ) );
        exit;
    }

    // Update the user's last activity time
    update_user_meta( $user_id, 'last_active', time() );
}
// Run the check on every request once WordPress has loaded the current user
add_action( 'init', 'logout_idle_users' );

This code will log out users who have been inactive for longer than the defined time and redirect them to the WordPress login page.

By following the steps outlined in this guide, you can secure your WordPress website without using any plugins. Remember to always keep your WordPress installation and plugins updated to ensure maximum security. By taking a proactive approach to security, you can reduce the risk of your website being hacked and keep your content safe.
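As an added check (example code written for this guide, not part of the original article or of WordPress), the script below audits the text of a wp-config.php and of an uploads .htaccess for the settings covered above: the table prefix, DISALLOW_FILE_EDIT, placeholder authentication keys, and the PHP-execution block. The sample inputs are constructed.

```python
import re

# Added example, not from the original article: an offline audit of the settings
# this guide tells you to change. Inputs are the text of wp-config.php and of the
# .htaccess placed in the uploads directory, so it runs without a WordPress install.

DEFAULT_PREFIX = "wp_"


def audit_wp_config(config_text):
    """Return a list of findings for the given wp-config.php contents."""
    findings = []

    # $table_prefix = 'wp_';  -> flag the default (or a missing) prefix
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]\s*;", config_text)
    if m is None:
        findings.append("table_prefix: not set (WordPress falls back to 'wp_')")
    elif m.group(1) == DEFAULT_PREFIX:
        findings.append("table_prefix: still the default 'wp_'")

    # define( 'DISALLOW_FILE_EDIT', true ); must be present and true
    m = re.search(r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*(true|false)\s*\)",
                  config_text, re.IGNORECASE)
    if m is None or m.group(1).lower() != "true":
        findings.append("DISALLOW_FILE_EDIT: dashboard file editing is enabled")

    # The installer's placeholder keys leave cookie signing predictable
    if "put your unique phrase here" in config_text:
        findings.append("AUTH_KEY/SALT: placeholder values still present")
    return findings


def audit_htaccess(htaccess_text):
    """Check that an .htaccess (e.g. in wp-content/uploads) denies access to *.php."""
    block = re.search(r"<Files\s+\*\.php>(.*?)</Files>", htaccess_text,
                      re.IGNORECASE | re.DOTALL)
    if block is None:
        return ["uploads: no <Files *.php> block, PHP execution not disabled"]
    body = block.group(1).lower()
    if "deny from all" in body or "require all denied" in body:
        return []
    return ["uploads: <Files *.php> block present but does not deny access"]


# Constructed sample inputs for the demonstration run
SAMPLE_CONFIG = "$table_prefix = 'wp_';\ndefine( 'AUTH_KEY', 'put your unique phrase here' );\n"
SAMPLE_HTACCESS = "<Files *.php>\ndeny from all\n</Files>\n"

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_CONFIG) + audit_htaccess(SAMPLE_HTACCESS):
        print("WARN:", finding)
```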
