Any individual or online business owner should be familiar with WordPress, the open-source Content Management System (CMS) platform. For those who are new to the term, WordPress is a simple, and the most used, open-source online content management system (CMS). The WordPress platform helps you create a customized blog or website effortlessly without hiring a professional web developer. It is an impressive piece of trivia that WordPress powers more than 29% of all sites. WordPress is distributed under the GPLv2 license, which permits an individual to use or even make changes to its software. To sum up, WordPress comes as a boon to both small and large online enterprises in the content creation space that want to take pride in their websites.
This article sheds light on the six most recent and viable tips that will help you secure your WordPress website.
WordPress – The Omnipotent CMS Calls For Online Security
The WordPress platform is multipurpose: it helps you build various types of websites, including business sites, blogs, resumes, portfolios, forums, membership sites, e-commerce sites and social networks.
Follow Essential Tips to Ensure the Security of Your WordPress Site
Tip 1: Always Create Strong Username and Password
Recent versions of WordPress do not support the concept of a default admin username. That means you will be able to change the username. Admin Renamer Extended is a site that lists a host of security plugins that can provide a safety cover for your username.
Any password that can be guessed easily can be cracked easily. A simple “1234” or “admin” as the password can threaten the security of your WordPress login page. To steer clear of such instances, take care when choosing a password. A secure password cannot be guessed by a data sniffer. Three free-to-use online password generator tools, LastPass, Secure Password Generator and Norton’s Password Generator, help you and your website users come up with strong passwords.
Tip 2: Hide the WordPress Admin Page and Login Page
Fraudsters can target your WordPress login pages to infiltrate your site. To foil such safety-breach attempts, it pays to keep your admin and login pages obscure. By hiding your admin and login pages, you build a wall of protection around your WordPress website, restricting hackers’ point of entry.
Another step to secure your WordPress site is to change the login page URL. In addition to masking the login.php page, you need to protect the wp-admin directory. For this, you can rely on Protect Your Admin and WPS Hide Login.
Tip 3: Enable HTTPS and Secure label next to your WordPress Site
With so much in favor of the open-source CMS called WordPress, it is necessary to add an extra layer of security called Hyper Text Transfer Protocol Secure (HTTPS) to all web pages that handle financial transactions and to sites collecting personal and sensitive information. If a user fills out sensitive and personal information in unsecured (HTTP) web forms while transacting online, the information may be leaked and a security breach occurs, resulting in the loss of money or privacy. Hence, you should tighten the security of such WordPress sites.
The third tip is to secure the website using an SSL certificate. SSL stands for Secure Sockets Layer. By installing an SSL certificate on your web server, you establish a secure connection between the browser and the server. The world’s most trusted Certificate Authorities issue an SSL certificate after the domain and organization verification process is done. Information on a WordPress site secured with SSL is protected and safe. SSL ensures that the login page is secured through 256-bit encrypted communication between the server and the browser, so information is transmitted in encrypted form over an HTTPS-enabled website.
Follow the step-by-step instructions below to obtain, install and configure the SSL certificate:
Step 1: Identify a Trustworthy SSL Certificate Provider
You can get an SSL certificate from your web hosting provider for free as part of a shared web hosting plan. Let’s Encrypt and Comodo offer domain validation SSL certificates at zero cost for 90 days. Additionally, you can check out paid SSL certificates, available with up to 2 years of validity and a warranty option. Free and paid SSL certificates are the same in terms of the security they provide to online data transmission. You can obtain a paid SSL certificate, issued and signed by a trusted Certificate Authority (CA), from an authorized SSL certificate reseller or provider at a heavily discounted price.
CA-authorized SSL certificate resellers offer Organization Validation or Extended Validation (EV) SSL certificates to increase website credibility and users’ trust. An EV SSL certificate is issued only after a strict organization validation process. A reliable SSL certificate provider is one that allows you to create a store and secure all your active domains without any hassles.
Step 2: Add an SSL Certificate to Your Website
Once you have chosen a trusted SSL certificate provider, the next step is to find a suitable SSL certificate for your site. First, you need to generate a CSR (Certificate Signing Request) file along with a private key to obtain the SSL certificate.
WordPress bloggers who run an Apache or NGINX web server, or who have a VPS or dedicated server, can run the following commands.
- The first step is to generate a private key and a valid CSR on the server using OpenSSL. A tip here is to save these certificate files on your private web server in a secured folder.
openssl req -newkey rsa:2048 -nodes -keyout yourdomain.com.key -out yourdomain.com.csr
The above command creates both the CSR file and the private key.
- Next, enter the information required to generate the .csr file: your email address, your domain name, the name of your organization, and the country and state you are located in, as shown below:
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: California
Locality Name (e.g., city) : Los Angeles
Organization Name (e.g., company) : Your Company Ltd
Organizational Unit Name (e.g., section) :
Common Name (e.g., server FQDN or YOUR name) : yourdomain.com
Email Address : firstname.lastname@example.org
- With the details above entered, you will get a valid private key along with a .csr file that will be verified by the SSL provider. You just need to copy the contents of the .csr file and paste them into the online order form to purchase an SSL certificate for your WordPress website.
- Now, approach your SSL provider to verify your newly obtained SSL certificate. You have to paste the .csr value into a form. Note that every SSL provider has a unique .csr value.
- After completing the above procedure, you will receive your SSL certificate from the CA at the registered email address that you entered in the CSR form.
- Now, upload the SSL certificate to the web server to enable all the safety provisions of SSL. This procedure is called the installation of the SSL certificate.
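The CSR step above can also be run without prompts and checked before anything is sent to the provider. The following is an added example, not part of the original article: the function names are hypothetical, the subject values are the article's placeholders, and it goes one step further by checking that the certificate you receive back matches your private key.

```shell
#!/bin/sh
# Added example; function names are hypothetical, values are the article's placeholders.

# Create a 2048-bit RSA key and CSR without prompts. umask 077 makes sure the
# private key file is readable by its owner only.
make_csr() {  # usage: make_csr <domain> <output-dir>
    ( umask 077
      openssl req -newkey rsa:2048 -nodes \
          -keyout "$2/$1.key" -out "$2/$1.csr" \
          -subj "/C=US/ST=California/L=Los Angeles/O=Your Company Ltd/CN=$1" )
}

# SHA-256 of the public key held in a private key, CSR or certificate.
pubkey_hash() {  # usage: pubkey_hash key|csr|cert <file>
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# True if the CSR's self-signature verifies and its subject ends in the expected
# Common Name (assumes CN is the last subject field, as make_csr writes it).
csr_ok() {  # usage: csr_ok <csr-file> <domain>
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    case $(openssl req -in "$1" -noout -subject) in
        *"CN = $2" | *"CN=$2") return 0 ;;
    esac
    return 1
}

# True if the certificate returned by the CA belongs to this private key.
cert_matches_key() {  # usage: cert_matches_key <cert-file> <key-file>
    [ "$(pubkey_hash cert "$1")" = "$(pubkey_hash key "$2")" ]
}

# Typical use:
#   make_csr yourdomain.com . && csr_ok yourdomain.com.csr yourdomain.com
#   cert_matches_key yourdomain.com.crt yourdomain.com.key
```

Only the .csr file goes to the provider; the .key file never leaves the server.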
Step 3: Install the Newly Obtained SSL Certificate on your Web Server
Suppose you have ordered a low-cost RapidSSL certificate from https://www.cheapsslshop.com/rapidssl-certificate. You will receive the SSL certificate file at your registered email address from the Certificate Authority upon successful verification of domain control and organization, as shown in the screenshot below:
Step 4: Configure the SSL Certificate on Your Apache Web Server
If you have an Apache web server, the following steps will help you configure the SSL certificate so that your web server meets the requirements of HTTPS.
- The configuration process starts by creating a backup of the existing Apache 2 configuration file for your WordPress website, so that you can refer to it when errors pop up. The command to create the backup is:
cp yourdomain.conf yourdomain.conf.backup
- All the configuration files of your Apache server are stored in the directory: /etc/apache2/sites-available
- After this, you can install your SSL certificate. Here, you need to edit your virtual host configuration file using the below command:
- Then you need to add all the specifications of SSL. The following commands help you perform the required action.
- Next, you should specify the location of your Intermediate Certificate following these instructions.
# For Apache 2.4.8+
SSLCACertificateFile /var/www/intermediate.crt
# For older Apache versions
SSLCertificateChainFile /var/www/intermediate.crt
- Now, you need to redirect your website from HTTP to HTTPS. You can do this by adding the following directive to the Virtual Host configuration in the yourdomain.conf configuration file on your VPS:
Redirect permanent / https://yourdomain.com/
- As the penultimate step, save the file and then enable Apache SSL with:
sudo a2enmod ssl
- The last step is to restart Apache so that all the changes made earlier take effect. You can do this by executing the following command:
sudo service apache2 restart
After completing the above step-by-step procedure to set up the SSL certificate, your website will open as an HTTPS-verified entity. Now, all your website users, including yourself, can make the most of the safety provisions that are made available through the SSL certificate.
Tip 4: Make Sure All Your WordPress Pages Are Loaded over an HTTPS Connection
Installing and configuring the SSL certificate on your WordPress website is only half the job done, because not all the links and pages of your blog/website are yet served over HTTPS. That means some of the links might still display the HTTP version. HTTPS is a security protocol that helps you safeguard the information exchanged online.
To fix this problem, you need a WordPress plugin that redirects all existing HTTP URLs and traffic to a secure HTTPS connection. Ensuring that all WordPress pages are served via HTTPS is non-negotiable for the security of your blogs and websites.
Easy HTTPS Redirection can be a perfect option to ensure that all your web pages use the HTTPS connection under all conditions.
Tip 5: A Close Watch on the Number of Login Attempts
Another viable means to secure your WordPress website is to limit the number of login attempts. Fraudsters trying to access your site will try different combinations of usernames and passwords. Such instances raise a red flag that there were attempts to breach the security of your blog/website.
To secure your open-source blog or website, you need to block the repeated attempts made by tricksters. Such forced login attempts can be stopped by the plugins named Login Security Solution and Login LockDown. With these tools, you can effortlessly locate and identify the IP address linked to multiple futile login attempts.
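The pattern these plugins react to is also visible in the web server access log. The following is an added example, not code from either plugin: the log lines are constructed, the function names are hypothetical, and it assumes the WordPress login endpoint /wp-login.php answers a failed login with status 200 and a successful one with a 302 redirect.

```shell
#!/bin/sh
# Added example. Constructed sample in Apache "combined" log format;
# the client addresses come from the reserved documentation ranges.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.20 - - [10/Mar/2024:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2980 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:01:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:10:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
EOF
}

# Reads an access log on stdin and prints "ip failed_logins success_after"
# for every client with at least <threshold> failed logins. "yes" in the last
# column means a login succeeded after the threshold was reached, which is
# the case to investigate first.
flag_login_abuse() {  # usage: flag_login_abuse <threshold> < access.log
    awk -v min="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
            if ($9 == 200) fail[$1]++
            else if ($9 == 302 && fail[$1] >= min) hit[$1] = 1
        }
        END {
            for (ip in fail)
                if (fail[ip] >= min)
                    print ip, fail[ip], ((ip in hit) ? "yes" : "no")
        }' | sort
}

sample_log | flag_login_abuse 3
```

On the sample, the single mistyped password from 198.51.100.20 stays below the threshold, while the other two clients are reported.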
Tip 6: Two Factor Authentication – Another Safety Cover
Yet another ingenious means to envelop your WordPress website or blog with a safety cover is Two Factor Authentication. All mobile users browsing WordPress blogs can rely on Google Authenticator. The Two Factor Authentication WordPress plugin works through an app that can be installed on any of your Blackberry, Android or iOS-powered devices.
Through the plugin, you obtain a QR code that can be scanned with your smartphone, or you can manually key in the secret code. Only those mobile users with superior access privileges can derive the benefit of this authentication code input. With this feature of inputting an authentication code, you can safeguard the login page of your website through your smartphone, which cannot be physically accessed by a hacker.
The fact that WordPress is an open-source online platform for creating blogs and websites comes with a flipside. All the online personal and sensitive information that is available on WordPress resources is available for everyone to use or misuse. In an attempt to close all the loopholes concerning the security and privacy of online information, the above tips assist individuals and business enterprises in many ways. By implementing these tips, you can protect your blog/website from malpractices undertaken by online tricksters. Eventually, your secured WordPress sites and blogs will satisfy all the security needs of your users.