Skip to Main Content

WordPress Developer's Guide to Security: Management and Connections

Divi: the easiest WordPress theme to use

Divi: The best WordPress theme of all time!

With over 901.000 downloads, Divi is the most popular WordPress theme in the world. It is complete, easy to use and comes with more than 62 free templates. [Recommended]

Welcome to the third installment of our series dedicated to everything related to WordPress security. Hopefully by the time you finish reading this collection of articles you will have a clearer idea of ​​how to put in place proper security protocols for your site and maintain them while the CMS is going through some troubles. updates and changes.

I want you to be a security pro by the end! Okay, so maybe not a pro, but you definitely need to master the most important elements!

Here's a handy table of contents list for you in case you missed a previous article or wanted to jump further:

In today's article, I'll explore how to keep a site safe for a while and how to better manage connections. We're going beyond the 'pick a tough password' style advice here to dig a little deeper into the nitty-gritty. Are you ready?

Limit connections

One of the first things you can do to manage WordPress security is limit the number of times people can try to log in. As I mentioned in a previous article, many hackers use brute force attacks to try to crack your username and / or password. Even if these attacks are unsuccessful, the repetitive nature of the attacks can put a heavy load on your server.

By restricting connections, you prevent a hacker from even attempting a brute force attack. He could try two to three times, then his IP would be banned. You can easily set this up using the Limit Login Attempts plugin, according to Ryan Burr, a tech services expert and WordPress developer with One Stop Tek Shop. However, this plugin hasn't been updated for over two years, so while its features are great, you might want to pass it along lest you open yourself up to additional security vulnerabilities.

I recommend Login Lockdown instead. Since these two plugins allow you to limit the number of unsuccessful login attempts a user can make before their IP address is banned for the number of hours you determine, “brute force attacks would be much higher. difficult to achieve, ”Burr explains. “The attacker would need many different proxies as the plugin would continue to ban that IP address after a number of failed login attempts,” he says, noting that you can customize a variety of settings here to create the optimal security configuration. for your site.

Prohibit users who attempt to use Admin as their username

It's one thing to make sure you don't use admin as your username. It's another to prevent other people from trying to connect with it. Since "admin" has such brute force attack connotations these days, the random people who try to log into your site with it are often hackers. You can stop their attempts, however, by banning anyone who tries to use "admin" from logging in, says Damon Burton of SEO National.

Easily create your website with Elementor

Elementor allows you to easily create any website design with a professional look. Stop paying expensive for what you can do yourself. [Free]

He suggests using Wordfence to configure this auto-ban feature. Of course, this plugin includes many other features like two-factor authentication, blocking known attackers, etc. I will talk more about this plugin in our next article.

Establish the correct file permissions

Another thing you want to do is establish the correct file permissions on your site. According to, setting a directory with permissions of 777 could allow a hacker or other malicious entity to modify your files or even upload new files, such as malware. Your wp-config.php the file must be set to 600; your normal files should be set to 640 or 644; and your directories should be set to 750 or 755. While you don't have to make this change on every host, you should still review it through the WordPress guide to changing file permissions.

Create a .htaccess file

If you want nice permalinks on your site, you'll need an .htaccess file anyway. But adding one can actually boost your security a bit. Again, this is not a total solution on its own, but it works well in tandem with other methods.

Burr suggested a great tutorial for creating a .htaccess file, I feel compelled to link to here because it's so comprehensive, and it additionally offers a downloadable .htaccess file that you can start using on your site immediately. Once you've followed its basic setup instructions, you can block access to certain files in your WordPress directory. If people cannot upload these files, either directly or indirectly, the files cannot be tampered with. To "harden" your WordPress installation, you'll need to add a few lines of code to block access to a few specific files, including:

  • wp-config.php
  • readme.html
  • license.txt
  • wp-includes directory

Beyond blocking access to specific files, you can also block access to specific types of files. Typical file types to block include backups, configuration files, txt, and logs. Basically anything that is used on the backend for design, development, or documentation should be blocked.

If you want to block access to specific plugin or theme directories or any other directory on your site, you can also block the entire directory. It's a smart decision to make for any directory that doesn't have an index file. Directories without index files will list all the pages and all the files they contain when accessed. This gives hackers information they don't need, so hide it!

Are you looking for the best WordPress themes and plugins?

Download the best plugins and WordPress themes on Envato and easily create your website. Already more than 49.720.000 downloads. [EXCLUSIVE]

Hide login page

This is another modification of .htaccess but it's a little different from the others so I thought it deserved its own subtitle. You can completely deny access to your WordPress site's login page. Of course, this only works if your site has only one author and that author's IP address hardly ever changes. A few more lines of code in the .htaccess file will deny access to the login page to everyone except the IP addresses you specify.

Secure hidden connectionIf you want to keep your options open in terms of adding authors to your site later, you can always use a plugin to just hide the login page from unauthorized users. Secure Hidden Login is one of those options. While you can configure it so that the login screen appears when you click on the “WordPress” logo, a safer option would be to set keyboard activation. So someone goes to your website's wp-login page and can't find anything there. She could activate the username and password fields by pressing a key combination.

Remove builder tag information

Hackers do all kinds of things to try to access WordPress sites, one of which is running scripts to find WordPress installations on the internet based on fingerprints. “Footprints are identifiable or recurring lines of text or code that would identify that a site is using a particular set of code,” says Burton. WordPress is an example of “recurring lines of text or code”. Additionally, WordPress identifies by default that the site you are viewing was built on WordPress.

The source code of a WordPress site will say something like this, Burton says:

However, you can remove this tag from your source code, which gives hackers one less thing to find (and target) your site. “Webmasters can add the following line of code to their functions.php file:

Remove_action ('wp_head', 'wp_generator');

According to Burton, removing the Generator tag means your site no longer identifies as WordPress.

Enable two-step authentication

Another thing you can (and should) do to protect your site is to set up two-step authentication. By forcing users of your site to follow two steps to log in, it discourages brute force attacks and most hackers in general. Your site would be seen as too difficult to hack, which is definitely a good thing!

There are several plugins that enable this feature on your site. Some particular favorites include:

  • clef: Once configured, all you have to do is open the Clef application on your mobile phone and focus its camera on a moving image on your computer screen. It will “lock” into place and you will be logged in.
  • Duo two-factor authentication: After entering your password through the normal login form, you will need to perform a secondary step to log in, such as confirming it on a phone app, in a text message or during a phone call. logo-managerwp
  • ManageWP: Yes, we also offer two-factor authentication. After signing in as usual, you will need to confirm the connection by entering a verification code which is sent to you by email or SMS.


Managing security on your WordPress site and setting up connections to be as locked down as possible will take some time. But once all of these measures are in place, your site will be much more reliable for its users. And you'll have the peace of mind that malicious removal is unlikely. All the good stuff!

Easily create your Online Store

Download free WooCommerce, the best e-commerce plugins to sell your physical and digital products on WordPress. [Recommended]

Are you using any of the above security methods? Are you doing anything else that is in the area of ​​management and connections? I would love to hear your thoughts below! And don't forget to come back next week for the fourth installment of our safety series. Until there!

Source link

This article features 0 comments

Leave a comment

Your email address will not be published. Required fields are marked with *

This site uses Akismet to reduce unwanted. Learn more about how your comments data is used.

Back To Top