WordPress blogs are extremely popular with our customers, but they are also a popular target for hackers. This is why it’s important to take steps to secure your WordPress installation.
In this guide, we’ll cover several steps that you can take to secure your WordPress site from hackers and reduce your site’s bandwidth usage at the same time. The fewer requests made to your site, the quicker it will load for legitimate visitors.
You should also install a WordPress backup plugin and take regular backups to a different location such as Dropbox, so that you can easily restore your site in the event it does get hacked.
Most Important Step: Add A Security Plugin to Protect Against Brute Force Password Attempts
Brute Force password attempts are the most common way that hackers gain access to your WordPress install to deface it and trash your site.
While the Loginizer plugin (formerly “Limit Login Attempts”) is one of the most widely used plugins for protecting a WordPress site, and is installed by default on some of our providers, there are better options that you should replace it with.
Replacing it with a full security plugin like Wordfence is a great way to increase the protection on your site from a large number of brute force hacking attempts and decrease the risk of having your site defaced.
Wordfence allows you to block IP addresses from which someone attempts to log in with an incorrect password or an incorrect username, based on custom parameters including the period over which it counts those attempts and how long it blocks an offending IP address for.
We recommend installing Wordfence on your site and enabling the following settings.
In the Wordfence > Options page, tick the “Enable login security” box under Basic Options.
Then scroll down to the “Login Security Options” and set the options the same as the screenshot below:
This will lock out anyone who attempts to log in with an incorrect password, and block their IP address for 60 days.
Wordfence Alternative: You can also use the Login LockDown plugin to protect against Brute Force attempts. This does the same thing as the Login Security component of Wordfence, and allows you to mix up the plugins that you are using for this function.
Under Settings, Login LockDown, configure it the same as the screenshot below.
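To make the lockout behaviour concrete, here is an added example (not code from the guide, Wordfence or Login LockDown) that replays constructed Apache access-log lines through the same count-over-a-window-then-block logic those plugins apply: failed logins per IP are counted over a short window, and once the threshold is hit the IP is blocked for a long period. It also totals the response bytes that blocked requests would no longer consume, which is the bandwidth saving the guide refers to. The log lines, IP addresses and thresholds are constructed for the example; the heuristic that a POST to wp-login.php answered with HTTP 200 is a failed login (WordPress redirects with 302 on success) is an assumption that a log cannot fully confirm.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format. The sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one attacker hammering wp-login.php, one legitimate admin logging in.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:00:12 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:00:14 +0000] "GET /wp-admin/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_failed_login(rec):
    # Assumption: a failed login re-renders the form (200); a successful one redirects (302).
    # The log cannot tell a wrong username from a wrong password, so both count as failures.
    return (rec["method"] == "POST"
            and rec["path"].startswith("/wp-login.php")
            and rec["status"] == 200)


class Lockout:
    """Count failures per IP over a sliding window; block the IP once the threshold is reached."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5), block_for=timedelta(days=60)):
        self.max_failures = max_failures   # constructed threshold, like a plugin's "attempts" setting
        self.window = window               # constructed period over which attempts are counted
        self.block_for = block_for         # 60 days, matching the guide's recommended block length
        self.failures = defaultdict(deque) # ip -> timestamps of recent failures
        self.blocked_until = {}            # ip -> datetime when the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def record(self, rec):
        """Return 'blocked', 'locked' (this request triggered the block) or 'allowed'."""
        ip, now = rec["ip"], rec["ts"]
        if self.is_blocked(ip, now):
            return "blocked"
        if not is_failed_login(rec):
            return "allowed"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_for
            recent.clear()
            return "locked"
        return "allowed"


def replay(lines, lockout=None):
    """Replay log lines through the lockout and summarise what a block would have saved."""
    lockout = lockout or Lockout()
    summary = {"blocked_requests": 0, "bytes_saved": 0, "locked_ips": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = lockout.record(rec)
        if verdict == "locked":
            summary["locked_ips"].append(rec["ip"])
        elif verdict == "blocked":
            summary["blocked_requests"] += 1
            summary["bytes_saved"] += rec["size"]   # response bytes the block would not serve
    return summary


if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

Running it against the constructed lines locks out 203.0.113.5 on its fifth failure, and the two requests it makes afterwards (a sixth login attempt and a probe of xmlrpc.php) are the ones a plugin block would refuse to serve; the legitimate 302 login from 198.51.100.7 is never counted as a failure.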
Rename wp-login.php and wp-admin folders
The Rename wp-login.php plugin will allow you to rename the wp-login.php file and wp-admin folders to something unique, reducing the traffic to those pages that would otherwise be generated by hackers that are trying to gain access to your site by brute force guessing passwords.
Disable XML-RPC or Protect it with .htaccess Rules
WordPress has support for XML-RPC, which allows for remote management and control of the WordPress site. The file that manages this is xmlrpc.php in the top level of your WordPress site, and it’s also one of the ways that a hacker can gain access to your site.
If you’re not using any remote management tools like MainWP or InfiniteWP to manage your WordPress sites, you can disable XML-RPC support by installing the “Disable XML-RPC” plugin. However, this is not the most effective way.
The most effective way to disable xmlrpc.php, or to let a remote management tool keep access while blocking the rest of the web, is through your .htaccess file. To do this, you’ll need to edit your site’s .htaccess file, which can be done using the File Manager in your site’s cPanel dashboard.
To do this, log in to the site’s cPanel and open the “File Manager”. Click the Settings button in the top right and tick the box “Show Hidden Files (dotfiles)”. Navigate to the “public_html” folder and you should see the .htaccess file.
Click the Edit button, and add these lines to the end of the file.
# Protect xmlrpc.php file
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
Allow from 184.108.40.206
</Files>
Replace the IP address on the “Allow from” line of the example with the IP address of the server that you’re running your management panel on. If you’re not running a management panel, delete the “Allow from” line so that every request to xmlrpc.php is denied.
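The “Order / Deny from / Allow from” directives above are Apache 2.2 syntax; on Apache 2.4 they only work when the mod_access_compat module is loaded, and otherwise the rule is silently ignored and xmlrpc.php stays reachable. The following added example (not from the guide) writes the same rule in a form that works on both versions by checking which authorization module is present. The address 203.0.113.10 is a placeholder for your management server; drop the “Require ip” line, leaving only “Require all denied”, if you have no management panel.

```apache
# Protect xmlrpc.php: deny everyone except the management server (placeholder 203.0.113.10)
<Files xmlrpc.php>
    # Apache 2.4: mod_authz_core provides the Require directives
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
    </IfModule>
    # Apache 2.2 (or 2.4 without mod_authz_core): legacy access-control syntax
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</Files>
```

After saving, check the rule from a machine that is not on the allow list: a request to your site’s xmlrpc.php should return a 403 Forbidden response, and the access log should show the request being refused rather than served.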
Implementing all of these steps will help reduce the amount of bandwidth that your site uses, and at the same time significantly improve the security of your site. At the very least, you should implement either Wordfence or Login LockDown, and configure it based on our screenshots above to secure your sites from Brute Force password attempts.