WordPress Security(Part 03)

Sajid Javed
2 min read · Mar 23, 2022

This is the 3rd part of this course. I strongly recommend reading the 1st part and 2nd part if you have not read them yet.

Use SSL: SSL (Secure Sockets Layer) is used to make a secure connection between the browser and the server. Any data passing between the browser and the server is encrypted.

Sensitive data such as credit card numbers and login passwords should only be exchanged over SSL.

Another benefit of SSL is SEO (Search Engine Optimization). If you want your website to rank at the top in Google, SSL is a must: Google favours sites that use SSL. So you now have two reasons to apply this particular WordPress security tip.

You can get an SSL certificate for free if you don't have one. Personally, I use certbot to create free SSL certificates for my websites, but you can also consider others like sslforfree.com, zerossl.com and letsencrypt.org.

Disable Directory Browsing: If a visitor accesses a directory of your WordPress website, such as http://yoursitename.com/wp-includes, they will be able to see all the files inside that directory if it contains no index.php or index.html.

This is bad for security: a hacker can find a vulnerable file by browsing your directories and use it to hack your website.

This feature can be disabled through .htaccess (the web server configuration file).

Read this article to disable directory browsing.

Log out Idle Users: Idle logged-in users can also leave your website open to malicious attackers. WordPress authentication uses session cookies, and a hacker who obtains them can use them to gain access to your website. This type of attack is called session hijacking.

A variety of plugins are available to log out idle users' sessions. For more details, please read this article.

Move Directories: Like any other process, hacking involves many steps. The very first step is called Reconnaissance and Scanning.

In this first step, the hacker gathers information about the target or victim. One piece of information is the technology used by the target website, which the hacker needs to know before the attack.

After identifying the technology, the hacker tries to use known vulnerabilities in that technology to gain access to the target.

If the hacker finds that your website is using WordPress, they may scan the known directories such as wp-admin, wp-content and wp-includes.

So, it is better to mislead the hacker by changing the default directories' names and paths.

You can follow the below links to move WordPress directories somewhere else.

  1. https://wordpress.org/support/article/editing-wp-config-php/#moving-wp-content-folder
  2. https://wordpress.org/support/article/editing-wp-config-php/#moving-plugin-folder
  3. https://wordpress.org/support/article/editing-wp-config-php/#moving-themes-folder
  4. https://wordpress.org/support/article/editing-wp-config-php/#moving-uploads-folder
  5. https://paulund.co.uk/move-wp-content-folder-to-different-location

Force SSL for Admin and Logins: I already explained above what SSL is and why we need it. In this section, I just want to show you how to force it for logins, so that sensitive data such as login details reach the server encrypted from your computer.

You just need to add one line of code to your wp-config.php as shown here.
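As an added example (not the article's own screenshot), this is the wp-config.php fragment that forces HTTPS for wp-login.php and /wp-admin; it also covers a case the article does not mention, a site behind a reverse proxy or load balancer that terminates TLS, where the plain define alone would cause a redirect loop. The domain is a placeholder.

```php
<?php
// wp-config.php excerpt. Put these lines ABOVE the
// "/* That's all, stop editing! Happy publishing. */" line.

// Proxy/load-balancer case (assumption: your proxy terminates TLS and sets
// X-Forwarded-Proto on every request it forwards). Without this, PHP sees a
// plain-HTTP request, WordPress keeps redirecting to https:// and the login
// page never loads. Only trust this header when the proxy overwrites it.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// The one line the article refers to: every request to wp-login.php and
// /wp-admin is redirected to HTTPS, so credentials and the auth cookie
// are never sent in clear text.
define( 'FORCE_SSL_ADMIN', true );

// Optional: serve the whole site (not only login/admin) over HTTPS.
// "example.com" is a placeholder for your own domain.
define( 'WP_HOME',    'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );
```

After saving the file, open http://example.com/wp-login.php in a private browser window and confirm it redirects to the https:// address instead of looping or showing a certificate error.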

Continue to the 4th part here...
