WordPress is one of the most widely spread systems on the web used for creating websites. This naturally turns it into an object of interest for a big number of unauthorized third party access attempts and malicious activities.
Despite the good level of security provided by WordPress developers, there are also few more protection methods which every user can apply for additional security.
In WordPress Manager by SuperHosting you can check and enable some basic and recommendatory security options.
✅ Administrator Usernames
One of the most popular usernames is “admin”. But malicious persons are well aware of this fact and that is one of the first names they would try when attempting to access the administration of a website.
If this is the case with you, hurry up to change the current username for accessing the website’s administration panel. If there is more than one administrator, change all usernames.
In a new WordPress installation you can also set up the administrator’s username.
✅ Admin Password Security
A few tips for choosing a strong password:
1. Do not use consecutive numbers or letters. Example: 123456, abcdef or others like this.
2. Do not use your personal name, surname, phone number, Personal ID No., nickname or other personal data.
3. Do not use common combinations. Example: 13579, asdasd, 1q2w3e4r, qwertyuiop, admin, password, administrator, etc.
We recommend using a password generator to create a secure password using random characters.
✅ Table Prefix in the Database
You can easily change the “wp_” prefix in the table names through the WordPress Manager.
Do not forget to add “_” at the end of the new name prefix.
✅ Security of the wp-config.php File
This configuration file keeps system information that should not be available on the web. It contains details on the basic WordPress settings as well as data for the connection to the database. Only the WordPress system needs this information.
If you have enabled additional protection, the system will block attempts for unauthorized access or changes of the configuration file.
✅ Displaying Directories Content on the Website
When a certain domain is loaded, an index file is also being loaded as its name is most often index.html, index.php or something similar.
If there is no index file, the respective directory’s content is displayed in the form of a list of directories and files.
The file structure should not be freely accessible on the web. Otherwise information for the website like used themes, plugins and others would be very easy to reach.
Normally you would discover the index.php file in every WordPress directory as the file contains few lines with code. It will be loaded when there is an attempt to access the directory and the browser will just display a blank page.
Despite the existence of index files in the website’s directories, displaying content is highly recommended to be disallowed.
✅ Key Security
When a user visits your website through a browser, the data is stored in a cookie.
To provide better encryption of the data stored in the cookies, WordPress uses various security keys.
A check verifies whether the keys are long enough, if they contain mixed symbols (letters and numbers) and if they are strong enough.
When there are encryption keys with weak strength, generate new ones using the "Generate new keys" button.
✅ Visibility of the WordPress Version
This check verifies whether the WP version is available in the website code and publicly visible.
The malicious access attempts become much easier if unauthorized parties know which WordPress version is used on your website.
✅ Protection of Media Files Directories (wp-content/uploads)
WordPress allows media files such as images, audio, video files and many others to be uploaded. Uploaded media files are stored in the wp-content/uploads. Only executable PHP files are not stored there.
If due to any reasons this directory contains executable PHP files, the security system does not allow them to be executed. This way the website is protected from a situation when malicious files might be uploaded and executed.
✅ Protection of the wp-includes System Directory
The wp-includes directory is part of the WP structure. It contains the system code of the website. And there should not be any other scripts except for the WordPress code. The protection stops direct calling and execution of scripts without interfering the website’s operation.
Thus malicious attempts are prevented.
✅ Additional Protection When Accessing the Website Administration
It is highly recommended to add further protection to the WP administration.
This feature adds one more username and password when accessing the admin panel.
After you enable the protection, when the administration is accessed a pop-up window will appear. Then you will need to enter the access credentials.
✅ Backups Accessible through the Web
This type of protection checks if there are hosting account backups accessed through the web.
We recommend that you store backups in directories that cannot be publicly accessed. Thus you will avoid malicious activities and information leaks.
✅ Protection for the Plugin and Theme Directory
The directory containing themes and plugin files in WordPress is called wp-content.
If you choose High level of protection it is possible that an additionally installed theme or plugin turns out to be incompatible.
✅ Features of XML-RPC
XML-RPC is a protocol which enables WordPress management. In the system it is used trough the xmlrpc.php file.
Third parties use this file’s features to perform Brute Force attacks for guessing usernames and passwords.
But the protection restricts access to this file so the chance of a Brute Force attack is considerably smaller.
✅ Editing Files through Administration
The WordPress administration allows you to edit PHP files that are part of plugins and themes. If there is unauthorized access to the website’s administration and the option for file editing is enabled, it will be very easy to inject malicious code to the files. If the code is executed, the whole hosting account might be affected.
So disabling Editing Files through Administration will increase your hosting account level of security to a big extend.
✅ Administration restriction by IP
You can use this option to configure access restrictions to the website administration by IP address.
To enable protection, use the Activate button.
When security is enabled, the IP address you are currently using is automatically allowed to access the administration of the selected site.
To add more IP addresses, in the list of allowed IP addresses, click on Whitelist.