ESSENTIAL SECURITY MEASURES
There are several essential steps you should take to enhance the security of a WordPress site:
Strong Passwords
Use a strong password for all administrator accounts, and change passwords periodically. Strong passwords are not easily guessed. To break into an account with a strong password, hackers use a brute force attack. Stopping brute force attacks is covered below.
If your site has been compromised (or you even suspect that it has been compromised), you must also change the security keys in the wp-config.php file that are used to encrypt cookies. Simply changing passwords is not enough, because an attacker may still have a valid cookie and be able to access your site.
For more information about how to configure security keys in the wp-config.php file, please visit http://codex.wordpress.org/Editing_wp-config.php#Security_Keys.
Unique Username
Do not use the default admin username for the administrator. Instead, create a user with a different username, assign the administrative role to it, and then delete the default admin administrator account.
Update WordPress, Plugins and Themes
WordPress is updated regularly to address known vulnerabilities. Running old versions of WordPress makes it easy for hackers to gain access to your site. Run updates regularly to make sure WordPress and all related plugins are up to date. For more information about how to update WordPress, please see this article.
Delete Unused Plugins and Themes
Even though unused plugins and themes are disabled, that code is still visible on the Internet and can be a target for hackers. Be sure to delete any unused themes or plugins in order to reduce the opportunity for hackers to gain access to your site.
Regular Backups
Make regular backups of your WordPress site. Backups will not prevent a site from being compromised but they do help get a site back online quickly in case of compromise. You can use Softaculous to back up, restore, and update your WordPress site from one convenient interface. For more information about how to do this, please see this article.
DEFENDING AGAINST BRUTE FORCE ATTACKS
A brute force attack is a simplistic type of attack where a user or script tries to gain access to a site by repeatedly guessing different username and password combinations. Unfortunately, many people have username and password combinations that are easily guessed, so brute force attacks are often effective.
If your WordPress site experiences a brute force attack, you may notice that the site responds slowly, or not at all. Additionally, you may be unable to log in. This is because the flood of login attempts during a brute force attack causes numerous PHP and MySQL calls. These calls increase server load and adversely affect website performance.
Method #1: Password-protect the WordPress login page
WordPress uses the wp-login.php file for logins. By adding password protection to this file, you add another layer of security to your site. Users must enter a username and password before they can even access the wp-login.php file to log in to WordPress.
To set up password protection for the WordPress login page, follow these steps:
- Use your web browser to go to http://www.htaccesstools.com/htpasswd-generator.
- In the Username text box, type a username.
- In the Password text box, type a password for the user.
- Click the button to generate the .htpasswd entry, and then copy the line of text. The line of text should contain the username you specified, followed by a colon (:), and then the hashed password. For example:
username:$apr1$IUQgDA6U$qbXb9wEnjirNCqxezpjoe5
- Create a file named .wp-password in your A2 Hosting account’s home directory (/home/username, where username represents your A2 Hosting account username). Paste the line of text from the previous step into the file. There are two ways you can create and edit this file:
- Log in to your account using SSH, and use a text editor from the command line.
- Log in to your account using cPanel, and use an editor in the File Manager.
- Save the .wp-password file and exit the text editor.
- Create an .htaccess file in the directory where you installed WordPress:
- If you installed WordPress in the domain’s document root, then this directory is /home/username/public_html, where username represents your A2 Hosting account username.
- If you installed WordPress in a subdirectory or subdomain, then this directory is /home/username/public_html/directory, where directory represents the WordPress location.
- Copy and paste the following text into the .htaccess file. Replace A2-USERNAME with your A2 Hosting account username and WP-USERNAME with the username you specified in the .wp-password file:
# Prevent Apache from serving .ht* files:
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>
ErrorDocument 401 "401 Unauthorized"
ErrorDocument 403 "403 Forbidden"
# Protect wp-login.php:
<Files wp-login.php>
AuthUserFile /home/A2-USERNAME/.wp-password
AuthName "Please log in"
AuthType Basic
require user WP-USERNAME
</Files>
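As an added example that is not part of the original article, the Python below reproduces the Apache "$apr1$" algorithm that produces the hashed line stored in .wp-password, and checks a submitted password against such a line the way Apache does behind the Basic-auth prompt. The username wpadmin and the passwords in the comments are constructed values, not from the article.

```python
import hashlib
import hmac
import secrets

# Character set Apache uses for both the salt and the encoded digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Encode `count` 6-bit groups of `value`, least significant group first (APR order)."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_hash(password, salt=None):
    """Return an Apache '$apr1$salt$hash' string as written by the htpasswd generator.

    Mirrors APR's apr_md5_encode(): an initial MD5 mix of password and salt,
    then 1000 MD5 rounds, then a custom base-64 encoding of the 16-byte digest.
    """
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    pw, sl = password.encode(), salt[:8].encode()      # APR caps the salt at 8 chars
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for remaining in range(len(pw), 0, -16):          # feed `alt` once per 16 password bytes
        ctx.update(alt[:min(16, remaining)])
    bits = len(pw)
    while bits:                                        # one byte per bit of the password length
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                              # the deliberately slow iterated part
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    out += _to64(final[11], 2)                         # 22 encoded characters in total
    return f"$apr1${sl.decode()}${out}"


def verify_line(line, username, password):
    """Check one 'user:$apr1$salt$hash' line from .wp-password against a login attempt."""
    user, _, stored = line.strip().partition(":")
    if user != username or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]                        # re-hash with the stored salt
    return hmac.compare_digest(apr1_hash(password, salt), stored)
```

Because the hash is salted and re-computed per attempt, a leaked .wp-password line does not reveal the password directly; the .htaccess block above is what keeps Apache from serving the file in the first place.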
https://www.a2hosting.com/kb/security/application-security/wordpress-security