14 Vital Tips to Make You Drool

Make Money With PLR Working From Home

Wordpress Header

As you may know, I spend hours and hours always searching for new and improved resources.  Every once in a while I come across a blog that is amazing which allows me to use their material and offer it to our mailing list because it is extremely helpful in building an effective WordPress Ebook store.  

This blog post comes from 14 Vital Tips to Protect Your WordPress Admin Area (Updated)

and the website that put this together is  http://www.wpbeginner.com/

Now that the niceties are done here is the excerpted information from that website;

Are you seeing a lot of attacks on your WordPress admin area? Protecting the admin area from unauthorized access allows you to block many common security threats. In this article, we will show you some of the vital tips and hacks to protect your WordPress admin area.

Wordpress Security

1. Use a Website Application Firewall

A website application firewall or WAF monitors website traffic and blocks suspicious requests from reaching your website.

While there are several WordPress firewall plugins out there, we recommend using Sucuri. It is a website security and monitoring service that offers a cloud-based WAF to protect your website.

All your website’s traffic goes through their cloud proxy first, where they analyze each request and block suspicious ones from ever reaching your website. It prevents your website from possible hacking attempts, phishing, malware and other malicious activities.

For more details, see how Sucuri helped us block 450,000 attacks in one month.

2. Password Protect WordPress Admin Directory

Your WordPress admin area is already protected by your WordPress password. However, adding password protection to your WordPress admin directory adds another layer of security to your website.

First login to your WordPress hosting cPanel dashboard and then click on ‘Password Protect Directories’ or ‘Directory Privacy’ icon. READ MORE

3. Always Use Strong Passwords

Always use strong passwords for all your online accounts including your WordPress site. We recommend using a combination of letters, numbers, and special characters in your passwords. This makes it harder for hackers to guess your password.

We are often asked by beginners how to remember all those passwords. The simplest answer is that you don’t need to. There are some really great password manager apps that you can install on your computer and phones.

For more information on this topic, see our guide on the best way to manage passwords for WordPress beginners.

5. Limit Login Attempts

By default, WordPress allows users to enter passwords as many times as they want. This means someone can keep trying to guess your WordPress password by entering different combinations. It also allows hackers to use automated scripts to crack passwords.

To fix this, you need to install and activate the Login LockDown plugin. Upon activation, go to visit Settings » Login LockDown page to configure the plugin settings.

For detailed instructions, see our guide on why you should limit login attempts in WordPress.

6. Limit Login Access to IP Addresses

Another great way to secure WordPress login is by limiting access to specific IP addresses. This tip is particularly useful if you or just a few trusted users need access to the admin area.

Simply add this code to your .htaccess file.

01 AuthUserFile /dev/null
02 AuthGroupFile /dev/null
03 AuthName "WordPress Admin Access Control"
04 AuthType Basic
06 order deny,allow
07 deny from all
08 # whitelist Syed's IP address
09 allow from xx.xx.xx.xxx
10 # whitelist David's IP address
11 allow from xx.xx.xx.xxx
12 </LIMIT>

Don’t forget to replace xx values with your own IP address. If you use more than one IP address to access the internet, then make sure you add them as well.

For detailed instructions, see our guide on how to limit access to WordPress admin using .htaccess.

7. Disable Login Hints

On a failed login attempt, WordPress shows errors that tell users whether their username was incorrect or the password. These login hints can be used by someone for malicious attempts.

You can easily hide these login hints by adding this code to your theme’sfunctions.php file or a site-specific plugin.

1 function no_wordpress_errors()
2   return 'Something is wrong!';
4 add_filter( 'login_errors', 'no_wordpress_errors' );

8. Require Users to Use Strong Passwords

If you run a multi-author WordPress site, then those users can edit their profile and use a weak password. These passwords can be cracked and give someone access to WordPress admin area.

To fix this, you can install and activate the Force Strong Passwords plugin. It works out of the box, and there are no settings for you to configure. Once activated, it will stop users from saving weaker passwords.

It will not check password strength for existing user accounts. If a user is already using a weak password, then they will be able to continue using their password.

9. Reset Password for All Users

Concerned about password security on your multi-user WordPress site? You can easily ask all your users to reset their passwords.

First, you need to install and activate the Emergency Password Reset plugin. Upon activation, go to visit Users » Emergency Password Reset page and click on ‘Reset All Passwords’ button.

For detailed instructions, see our guide on how to how to reset passwords for all users in WordPress

10. Keep WordPress Updated

WordPress often releases new versions of the software. Each new release of WordPress contains important bug fixes, new features, and security fixes.

Using an older version of WordPress on your site leaves you open to known exploits and potential vulnerabilities. To fix this, you need to make sure that you are using the latest version of WordPress. For more on this topic, see our guide on why you should always use the latest version of WordPress.

Similarly, WordPress plugins are also often updated to introduce new features or fix security and other issues. Make sure your WordPress plugins are also up to date.

11. Create Custom Login and Registration Pages

Many WordPress sites require users to register. For example, membership sites, learning management sites, or online stores need users to create an account.

However, these users can use their accounts to log into WordPress admin area. This is not a big issue, as they will only be able to do things allowed by their user role and capabilities. However, it stops you from properly limiting access to login and registration pages as you need those pages for users to signup, manage their profile, and login.

The easy way to fix this is by creating custom login and registration pages, so that users can signup and login directly from your website.

For detailed step by step instructions, see our guide on how to create custom login and registration pages in WordPress.

12. Learn About WordPress User Roles and Permissions

WordPress comes with a powerful user management system with different user roles and capabilities. When adding a new user to your WordPress site you can select a user role for them. This user role defines what they can do on your WordPress site.

Assigning incorrect user role can give people more capabilities than they need. To avoid this you need to understand what capabilities come with different user roles in WordPress. For more on this topic see our beginner’s guide to WordPress user roles and permissions.

13. Limit Dashboard Access

Some WordPress sites have certain users who need access to the dashboard and some users who don’t. However, by default they can all access the admin area.

To fix this, you need to install and activate the Remove Dashboard Accessplugin. Upon activation, go to Settings » Dashboard Access page and select which users roles will have access to the admin area on your site.

For more detailed instructions, see our guide on how to limit dashboard access in WordPress.

14. Log out Idle Users

WordPress does not automatically log out users until they explicitly log out or close their browser window. This can be a concern for WordPress sites with sensitive information. That’s why financial institution websites and apps automatically log out users if they haven’t been active.

To fix this, you can install and activate the Idle User Logout plugin. Upon activation, go to Settings » Idle User Logout page and enter the time after which you want users to be automatically logged out.

For more details, see our article on how to automatically log out idle users in WordPress.

We hope this article helped you learn some new tips and hacks to protect your WordPress admin area. You may also want to see our ultimate step by stepWordPress security guide for beginners.

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *