How To Secure Your WordPress Blog From Hackers

I really like the guys at Inmotion Hosting. Normally when your blog puts a huge load on their server the host shuts you down. They then send you an email and tell you to fix the problem. On the weekend I was notified that Ez eSports Betting had suffered a brute force attack! Instead of the usual “Hey dude, your site is stressing out our server, fix it or else” email, the guys at Inmotion Hosting temporarily disabled the login script.

This is so much better than taking your blog offline, as you’re the only one affected; for everyone else business goes on as usual. They also provided a link explaining how you can prevent this type of attack. As I wanted to make my WordPress blog as secure as possible, I took their advice.

Secure WordPress From Devilish Hackers

As you can see I produced a step by step video on how to secure your WordPress blog from hackers. As some brute force attacks target your wp-admin and wp-login.php scripts, the following fixes require a username and password before anyone can reach your wp-admin! This takes all the stress off the servers, making for happy hosts, secure WordPress sites and disappointed hackers.

I give credit where credit is due, so I’m going to link to the tutorial that helped me secure my blogs. While there is nothing wrong with that tutorial, there were a couple of points that I misunderstood which caused me some issues. My fault, not theirs! So I thought it a good idea to do my own version in the hope that other non-techies can benefit from it.

Note, this will only work on self hosted WordPress blogs that have access to cPanel.

Secure WordPress Login Steps

[highlight]Note, you should always make a backup of any file before you edit it.[/highlight]

  1. Click on Password Protect Directories, found under the Security section of cPanel.
  2. Select your document root and then click on Go.
  3. Click on the wp-admin directory.
  4. Check Password protect this directory, give it a name, then click Save.
  5. Click on Go Back.
  6. Now choose a strong username! I like to think of my username as an extension of my password. Not using your actual name or easy-to-guess words makes it that much harder for hackers to infiltrate your security.
  7. You can use the password generator or invent your own difficult password. Use uppercase, lowercase, numerals and other characters to make your password as difficult as possible. My passwords always have more than 10 characters, and I store them in my password manager.
  8. Once you’ve entered your username and password, click Add/modify authorised user. If you now try to log in to your wp-admin you will be prompted for a username and password.
  9. Now go back to cPanel and click on File Manager. Select the Document Root for your domain, check Show Hidden Files (dotfiles), then click Go.
  10. Click on your wp-admin directory, highlight your .htaccess file and click Edit. Then add the following code to your .htaccess:

    [php]ErrorDocument 401 "Denied"
    ErrorDocument 403 "Denied"

    # Allow plugin access to admin-ajax.php around password protection
    <Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
    </Files>[/php]

  11. Just in case your wp-admin doesn’t have an .htaccess, here’s mine in its entirety.

    [php]
    ErrorDocument 401 "Denied"
    ErrorDocument 403 "Denied"

    # Allow plugin access to admin-ajax.php around password protection
    <Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
    </Files>

    AuthName "WPSecurity"
    AuthUserFile "/home/edit/.htpasswds/public_html/wp-admin/passwd"
    AuthType Basic
    require valid-user
    [/php]

    Note, where mine says edit you would put whatever appears in that part of the path in your cPanel, as highlighted in the video. Don’t forget to click on Save once you’re done.

  12. OK, now from the left-hand directory listing, click on public_html. Right-click on your .htaccess file, then click on Edit.
  13. Now paste the following code into your .htaccess:

    [php]ErrorDocument 401 "Denied"
    ErrorDocument 403 "Denied"

    <FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile "/home/edit/.htpasswds/public_html/wp-admin/passwd"
    require valid-user
    </FilesMatch>[/php]

    Once again, don’t forget to replace the ‘edit’ part of my code to reflect the information in your cPanel. When all is done, click on Save.

Your WordPress blog is now so much more secure than it was before you started this little exercise. Having said that, there is one more bit of code you can add to make it even more bulletproof. Once again Inmotion Hosting provided me with the solution to “limit WordPress admin login attempts by IP address, or referrer.”

As my IP is always changing, I went for the “you can protect your WordPress site by only allowing login requests coming directly from your domain name. Simply replace example.com with your own domain name

Most brute force attacks rely on sending direct POST requests right to your wp-login.php script. So requiring a POST request to have your domain as the referrer can help weed out bots.”

Here is the code to add to your .htaccess, the one you’ve just finished editing.

[php]ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/home/edit/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</FilesMatch>

# WordPress Security

<IfModule mod_rewrite.c>
RewriteEngine on
# Only POST requests are examined...
RewriteCond %{REQUEST_METHOD} POST
# ...whose Referer is not your own domain (replace example.com; dot escaped so it is matched literally)
RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com [NC]
# ...and which target wp-login.php or wp-admin
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# Such requests get a 403 Forbidden (the "-" means no substitution, just the [F] flag)
RewriteRule ^(.*)$ - [F]
</IfModule>

# End WordPress Security[/php]

The new code is the part between the # WordPress Security comments. Just make sure you replace example.com with your own domain.
That’s it! Your WP blog is now a lot more secure than it was. I’ve even deleted my “limit login attempts” plugin as it’s no longer needed, which removes some of the strain placed on my server.
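To see what the referrer rule above actually lets through, here is a small Python model of its decision logic run over a handful of constructed requests. This is an added example, not code from the post or from Inmotion Hosting; it assumes example.com as the domain placeholder and the request samples are made up.

```python
import re

# Added example: models the decision the mod_rewrite block makes so the rule can be
# checked against sample requests before deploying it. Conditions, as in the block:
#   POST  AND  Referer not from your domain  AND  (URI is wp-login.php OR wp-admin)
#   -> 403 Forbidden (the [F] flag)

DOMAIN = "example.com"  # placeholder: substitute your own domain, as the post says

# The post's pattern is ^http://(.*)?example.com with [NC]; the dot is escaped here,
# otherwise it would match any single character.
REFERER_FROM_SITE = re.compile(r"^http://(.*)?" + re.escape(DOMAIN), re.IGNORECASE)
LOGIN_URI = re.compile(r"^(.*)?wp-login\.php(.*)$")
ADMIN_URI = re.compile(r"^(.*)?wp-admin$")


def rewrite_blocks(method, uri, referer):
    """True when the .htaccess rule would answer 403 for this request."""
    if method != "POST":                          # RewriteCond %{REQUEST_METHOD} POST
        return False
    if REFERER_FROM_SITE.match(referer or ""):    # RewriteCond %{HTTP_REFERER} !^http://...
        return False
    # RewriteCond %{REQUEST_URI} wp-login.php [OR] / RewriteCond %{REQUEST_URI} wp-admin$
    return bool(LOGIN_URI.match(uri) or ADMIN_URI.match(uri))


def evaluate(requests):
    """Map each sample request id to '403' or 'pass'."""
    return {r["id"]: ("403" if rewrite_blocks(r["method"], r["uri"], r["referer"]) else "pass")
            for r in requests}


# Constructed sample requests (not real log data). The Referer header is supplied by
# the client, so this filter weeds out naive bots; the Basic Auth from the earlier
# steps is the layer that actually gates access.
SAMPLE_REQUESTS = [
    {"id": "bot-direct-post", "method": "POST", "uri": "/wp-login.php", "referer": ""},
    {"id": "bot-other-referer", "method": "POST", "uri": "/wp-login.php",
     "referer": "http://some-other-site.invalid/"},
    {"id": "browser-login", "method": "POST", "uri": "/wp-login.php",
     "referer": "http://example.com/wp-login.php"},
    {"id": "browser-get-form", "method": "GET", "uri": "/wp-login.php", "referer": ""},
    {"id": "post-elsewhere", "method": "POST", "uri": "/index.php", "referer": ""},
    # Caveat: the rule accepts only http:// referers, so on a site served over https
    # the real login form's own POST would be blocked too.
    {"id": "https-site-login", "method": "POST", "uri": "/wp-login.php",
     "referer": "https://example.com/wp-login.php"},
]

if __name__ == "__main__":
    for rid, verdict in evaluate(SAMPLE_REQUESTS).items():
        print(f"{rid:20s} {verdict}")
```

If your site runs over https, the https-site-login case shows why the Referer pattern would need to accept https:// as well before you rely on this rule.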

I hope you’ve found this post useful. If so, why not share it around.

Copyright secured by Digiprove © 2015

Peter Pelliccia

I'm an Aussie blogger who loves to blog and share everything that I've learned on my blogging journey, including blogging tips and ways to blog for money. I am also trying to make my way on YouTube. You can follow my progress by subscribing to My Bonzer Channel.

This Post Has 2 Comments


  1. I’ve never experienced any security problems on my WordPress but I don’t even want to experience them. I’m definitely following your steps to secure my WordPress account.

    Thanks a lot for sharing!

  2. I’m so sorry your site had to go through that and also scared about the possibility that I could suffer an attack like that. I’m using the brute force protection provided by the Jetpack plugin but I don’t know if that could stop the stress on the server you experienced. I will add this post to my favorites just in case. Thanks for the info!

Comments are closed.