Protecting a WordPress site from attackers is something to do as soon as it goes live, because that is the moment it becomes exposed to automated attacks. A strong password is a necessary first step, but it is not enough on its own: attackers also probe for ways into your hosting account and files, and many simply go to the admin login page and try username and password combinations over and over until one works (a brute-force attack).
As noted, a strong password matters: the longer the better, mixing numbers, upper- and lower-case letters and symbols, and avoiding dictionary words. The same applies to usernames. In particular, do not keep the default "admin" account name, since it hands an attacker half of the credential for free.
Plugins such as Jetpack bundle many features, among them Protect, a brute-force prevention module. Jetpack Protect tracks failed login attempts and, if an IP address accumulates several failures in a short period, blocks it from logging in to the site. This slows brute forcing down but does not remove the login form from reach.
Another important measure is to keep attackers away from the login form altogether. By default every WordPress login form is reachable at /wp-login.php, and /wp-admin redirects there when you are not logged in, i.e. www.yourname.com/wp-login.php (or /wp-admin) brings up the WordPress page asking for a username and password (try it on your own site). Putting a second, independent authentication layer in front of the login form and the wp-admin directory stops most automated brute forcing before it ever reaches WordPress. Two caveats: wp-login.php sits in the web root rather than inside wp-admin, so protecting the wp-admin directory alone does not cover direct requests to /wp-login.php, and the XML-RPC endpoint (xmlrpc.php) is a separate login path that this method does not touch at all.
To achieve this we set up an htpasswd prompt (HTTP Basic authentication) in cPanel (this assumes you know cPanel, the control panel for managing the files, applications, email and other aspects of your hosting account, reached at http://yoursite.com/cpanel). The htpasswd prompt adds a second authentication step with its own credentials in front of WordPress's own login, so an attacker has to get past the web server before WordPress even sees the request. Because Basic authentication sends the username and password with every request, only base64-encoded rather than encrypted, use it over HTTPS.
Set up htpasswd in cPanel
Log in to your website's cPanel. In the "Files" section click the "Directory Privacy" icon. Depending on the cPanel theme, the item may sit elsewhere: in the "paper_lantern" theme (the one used here) it is under "Files"; in other themes scroll down to the "Security" section and click "Password Protect Directories". It is the same tool.
Choosing the Directory to protect
When "Directory Privacy" or "Password Protect Directories" is clicked, a pop-up appears asking which document root to work in.
Select "Web Root (public_html/www)" and click Go. This takes you to a listing of the directories in your web root; select "wp-admin".
Once that is done, the next step is to set the username and password.
Set the Username & Password
Clicking the wp-admin directory opens another pop-up.
Here you set the name of the protected directory and the username and password. Tick the box next to "Password protect this directory" and enter a name or message; this can be anything, it is the text shown in the browser's authentication prompt. Then enter a username and a strong password and save. Keep these credentials somewhere safe, such as a password manager, and do not reuse your WordPress admin password for them, otherwise the second layer adds nothing.
Now test your site: go to http://yoursite.com/wp-admin and you should get the browser's authentication prompt before the WordPress login page appears. Note that http://yoursite.com/wp-login.php will still load without the prompt, because that file lives in the web root rather than inside wp-admin; covering it requires a <Files wp-login.php> block in the web-root .htaccess, which the Directory Privacy screen does not write for you. Hope you learnt something; feel free to share comments.
WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. WordPress is installed on a web server, which either is part of an Internet hosting service or is a network host itself; the first case may be on a service like WordPress.com, for example, and the second case is a computer running the software package WordPress.org. An example of the second case is a local computer configured to act as its own web server hosting WordPress for single-user testing or learning purposes. Features include a plugin architecture and a template system. WordPress is the most popular blogging system in use on the Web, at more than 60 million websites. It was released on May 27, 2003, by its founders, Matt Mullenweg and Mike Little, as a fork of b2/cafelog.