How to secure WordPress against attack is the big question. Because WordPress is so popular, you will see a lot of attacks targeting your wp-admin page, with the aim of taking over WordPress admin rights and then installing malicious software.
To prevent this, the following steps need to be taken:
- Back up WordPress regularly, daily or weekly, so you can restore the backup when needed (once a site is infected with malicious code, it is difficult to separate that code from the source code)
- Install the plugin to hide the login page: https://wordpress.org/plugins/wps-hide-login/
- Install 2FA (two-factor authentication) through Wordfence to help secure login
- Block wp-admin access via htaccess
Below are the details of the items mentioned above:
1- Back up the website
Back up the website regularly through the backup function on your hosting, or use FTP to back up the source code and database daily. Contact your WordPress hosting provider to buy or use this function (JAYbranding offers a daily backup function for the last 1 week).
2- Install WPS Hide Login
By default, when you type yourdomain.com/wp-admin or yourdomain.com/wp-login.php, you are automatically redirected to the login page. Attack software takes advantage of this well-known address with chain (brute-force) attacks: it continuously enters the user name admin with 123456 and other easy-to-remember passwords, and as soon as one combination matches, the attacker is logged in.
Hiding the login page is the most primitive form of protection, but at least it limits the attacking robots.
To do this, after installing the WPS Hide Login plugin, go to its settings section and change the default login page to the page you want. You should add a random character string to increase security, for example loginmxjfei328.
If you forget this string, you just need to delete the plugin and the website will be back to normal.
3- Install two-factor authentication via the Wordfence plugin
After installing the Wordfence plugin (https://en.wordpress.org/plugins/wordfence/), go to Login Security and select the Two-Factor Authentication tab.
Then use any authenticator app on your phone, such as Authy or Google Authenticator, to scan the image displayed in the window. From then on, every time you log in you will be asked for an additional code, which you get from your phone.
4- Lock folder through htaccess
This method is only for those who have some coding knowledge; it is the most secure form of lock and the most difficult to hack for both robots and hackers.
It shows a user / password login box that visitors must fill in; incorrect input is denied access.
Step 1: Go to the Htpasswd Generator page and generate a random user/password for htaccess. Then press Create .htpasswd file. This tool will automatically generate a .htpasswd file.
Step 2: Save the generated content as a file named “.htpasswd” and upload it to the WordPress root directory. You can use Notepad to create the file.
Step 3: Add the following code inside the .htaccess file available on the server (in the root directory):
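# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
Deny from all
</Files>
# Protect wp-login
<Files wp-login.php>
# Placeholder path: use the absolute server path of your .htpasswd file
AuthUserFile /absolute/path/to/.htpasswd
AuthName "Private access"
AuthType Basic
require user yourusername
</Files>
Remember to change yourusername to the username in the .htpasswd file, and to replace the AuthUserFile placeholder with the absolute server path of the .htpasswd file uploaded in Step 2.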
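As an alternative to typing credentials into a generator website in Step 1, the .htpasswd line can be produced locally. The following is an added example, not part of the original article: it implements Apache's apr1 hash format with the Python standard library, and the function names and the sample username are assumptions for illustration.

```python
import hashlib, hmac, secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_hash(password: str, salt: str) -> str:
    """Apache 'apr1' (MD5-crypt variant) hash in $apr1$salt$digest form."""
    pw, sl = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = pw + b"$apr1$" + sl
    for n in range(len(pw), 0, -16):        # mix in alt digest, 16 bytes at a time
        ctx += alt[:min(16, n)]
    n = len(pw)
    while n:                                # one byte per bit of the password length
        ctx += b"\x00" if n & 1 else pw[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):                   # fixed 1000 stretching rounds
        buf = pw if i & 1 else final
        if i % 3:
            buf += sl
        if i % 7:
            buf += pw
        buf += final if i & 1 else pw
        final = hashlib.md5(buf).digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        out += "".join(ITOA64[(v >> s) & 0x3F] for s in (0, 6, 12, 18))
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return f"$apr1${sl.decode()}${out}"

def htpasswd_line(user: str, password: str) -> str:
    """Build one 'user:hash' line for .htpasswd with a fresh random salt."""
    if not user or ":" in user:
        raise ValueError("username must be non-empty and contain no ':'")
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"

def verify(line: str, password: str) -> bool:
    """Check a password against an existing apr1 .htpasswd line."""
    _, _, stored = line.strip().partition(":")
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False                        # not an apr1 entry
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored)

if __name__ == "__main__":
    password = secrets.token_urlsafe(18)    # constructed sample: random password
    print(password, htpasswd_line("yourusername", password), sep="\n")
```

apr1 is MD5-based; where Apache's own htpasswd tool is available, its -B option writes a bcrypt entry instead, which is the stronger choice.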
With that, you have activated this security for WordPress on your hosting. At JAYbranding, we have this built in for you so that businesses can focus on developing content rather than worrying about website security.