
11 Steps to Secure Your WordPress

Hello guys! Mangcoding is here to give you a step-by-step tutorial on how to protect your blog. But before we start, there are some simple WordPress security habits that you should know:
- Always update your WordPress blog, plugins, and themes, as new versions often come with better security fixes.
- Use a strong password (don’t use “12345” or “qwerty”!).
- Connect to your site only using an SFTP client.
- Install an antivirus program on your PC.
The first thing you should do is back up your database. You can back it up manually in phpMyAdmin by opening the Export tab (see the image below).
Another way is to use a WordPress plugin that allows you to back up your database. There are many such plugins, but today, Mangcoding recommends using BackWPUp.
After backing up the database, you can also back up your theme files and upload folders. You can use SFTP, for example.
There’s no need to back up WordPress core files and plugins, as you can always download the latest WordPress version and reinstall the latest plugins.
You need to set the following permissions for your WordPress files and folders:
To set chmod permissions, you can use your SFTP client.
Second-Layer Protection
This is a very strong security measure, but Mangcoding does not recommend it in the following cases:
- If you use the admin-ajax.php handler on your website
- If you are not the only author on the blog
So, there are two ways to secure your website: using a password or securing it with an IP address.
First Method – Additional Password Protection. Start by adding extra password protection. You need to create two files in the wp-admin directory: .htaccess and .htpasswd. Content of the .htaccess file:
AuthType Basic
# Welcome message
AuthName "Hi, Dude!"
# Full path to the .htpasswd file
AuthUserFile /home/rudrastyh.com/public_html/wp-admin/.htpasswd
require valid-user
The second file is .htpasswd, which must contain the username and the hashed password, one pair per line. You can generate the hashed password with an online htpasswd generator or with the htpasswd command-line tool that ships with Apache. Example content of the .htpasswd file:
user1:$apr1$lw9zPE5c$uTNLHKL6LTk4M4awpGHlZ0
user2:$apr1$xpogQMCP$kC9GZ8ufEMfABa5NfjvGP1
Blocking the Admin Area Based on IP Address
If you don’t want to log in to the admin area twice, you can restrict it by IP address instead. All you need to do is put a .htaccess file with the following content in the /wp-admin/ directory:
satisfy any
order deny,allow
deny from all
allow from 11.178.207.255
# you can add more "allow from" lines with other permitted IP addresses
require valid-user
Changing the Default Error Message on Failed Login Attempts
When a login fails, WordPress by default tells you whether it was the username or the password that was wrong. This makes brute-force attacks easier, because an attacker can first confirm that a username exists and then only has to guess its password.
There are two default error messages in WordPress. When the username is invalid:
And the error when the password is incorrect :
There is an easy way to merge these two error messages into one, for example “Error: username or password is incorrect.” Insert this code into your theme’s functions.php file:
// Replace every login error message with one generic text,
// so the response no longer reveals whether the username exists.
function remove_default_login_errors() {
    return 'Error: username or password is incorrect.';
}
add_filter('login_errors', 'remove_default_login_errors');
And the result looks like the image below :
Changing the Default Admin Username
Everyone knows the default WordPress admin username, and of course hackers know it too. So please use the function below, which lets you change the user login to whatever you wish.
// Rename a user's login directly in the users table.
// $new_username (string)  the new username
// $user_id      (integer) ID of the user to rename; by default the admin user with ID = 1
function true_change_username($new_username, $user_id = 1) {
    global $wpdb;
    $wpdb->update(
        $wpdb->prefix . 'users',          // table: {prefix}users
        array('user_login' => $new_username), // new value
        array('ID' => $user_id),           // WHERE ID = $user_id
        array('%s'),                       // format of the new value
        array('%d')                        // format of the WHERE value
    );
}
$new_username
(string) the new username
$user_id
(integer) the ID of the user whose username you want to change; by default the admin user with ID = 1
Next, insert this function into your website and then run it.
true_change_username( 'superadmin' ); // this will change default admin username
How to Hide the Username from the Comment Class
You have changed the username, but what if that is not enough? Take a look at the image below; this is the HTML code of a user’s comment on the blog:
The image above shows the username in the comment’s CSS class. When you log in as an admin and post a comment, hackers can easily read your login from the page source. How can you prevent this?
The first way is to avoid using an admin account to comment on the blog. The second and best way is to change or hide the admin username from the comment class attribute by inserting the following code into your theme’s functions.php file.
function true_username_css_class($classes) {
    foreach ($classes as $key => $class) {
        // change "superadmin" to your current username
        if (strstr($class, "comment-author-superadmin")) {
            // "comment-author-admin" misleads anyone reading the markup;
            // use a value such as "comment-admin" instead if you want the
            // username removed from the class entirely
            $classes[$key] = 'comment-author-admin';
        }
    }
    return $classes;
}
add_filter('comment_class', 'true_username_css_class');
If you want to remove all usernames from the comment class:
function true_completely_remove_css_class($classes) {
    foreach ($classes as $key => $class) {
        // drop every class that embeds a username
        if (strstr($class, "comment-author-")) {
            unset($classes[$key]);
        }
    }
    return $classes;
}
add_filter('comment_class', 'true_completely_remove_css_class');
Limit the Number of Login Attempts
There are many great plugins to limit login attempts, one of which is Simple Login LockDown. This plugin disables the login function for a specific IP range if multiple failed attempts are detected within a short period.
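If you would rather not add a plugin, the same idea can be implemented in a few lines of your own. The following is an added example written for this page; it is not code from the original post or from the Simple Login LockDown plugin. The threshold (5 failures), the 15-minute window and the function names prefixed mc_ are assumptions.

```php
<?php
/*
 * Added example (not from the original post or the Simple Login LockDown plugin):
 * a minimal per-IP login lockout built on WordPress transients.
 * Assumed policy: 5 failed attempts within 15 minutes lock the address for 15 minutes.
 * Put it in functions.php or in a small plugin file.
 */

define( 'MC_MAX_ATTEMPTS', 5 );                          // assumed threshold
define( 'MC_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );  // assumed window and lockout length

// One transient key per client address. REMOTE_ADDR is the address the web
// server saw; behind a proxy or CDN you would have to read the proxy-supplied
// header instead, and only if that proxy is trusted.
function mc_login_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'mc_login_fail_' . md5( $ip );
}

// Count a failed attempt. The transient expires on its own after the window,
// so no cron job or cleanup table is needed.
function mc_record_failed_login( $username ) {
    $key      = mc_login_transient_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, MC_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'mc_record_failed_login' );

// Refuse the login while the address is locked. Priority 30 runs after the
// core credential check (priority 20), so the lockout wins even if the
// password happens to be correct.
function mc_block_locked_ip( $user, $username, $password ) {
    $attempts = (int) get_transient( mc_login_transient_key() );
    if ( $attempts >= MC_MAX_ATTEMPTS ) {
        return new WP_Error(
            'mc_too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'mc_block_locked_ip', 30, 3 );

// A successful login clears the counter for that address.
function mc_clear_failed_logins( $user_login, $user ) {
    delete_transient( mc_login_transient_key() );
}
add_action( 'wp_login', 'mc_clear_failed_logins', 10, 2 );
```

Because every rejected attempt also fires wp_login_failed, the lockout extends itself for as long as the attacker keeps trying, which is usually what you want. The transient lives in the options table (or in the object cache, if one is configured), so the counter is shared across all PHP workers of the site.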
The wp-config.php file contains the database username and password, so it must be protected as well. How can you do this? Simply move your wp-config.php file one directory above your website’s root folder; WordPress looks for it there automatically.
You can also protect it with the .htaccess file in the same directory as wp-config.php. Place the following block there (the <Files> wrapper is required: without it these directives would block every file in that directory, including your whole site):
<Files wp-config.php>
order allow,deny
deny from all
</Files>
If someone gains access to your website dashboard as an administrator, they may also be able to edit your theme and plugin files. To prevent this, you should add the following line of code to your wp-config.php file.
define('DISALLOW_FILE_EDIT', true);
After you do that, the theme and plugin editors disappear from the dashboard completely.
If you haven’t installed your blog yet, you can set the database prefix during the installation process.
If you have already installed your WordPress blog, follow these instructions. First, open your wp-config.php file and modify the following line:
$table_prefix = 'wp_';
For example, to this:
$table_prefix = 'new1234_';
After that, you need to run some SQL queries. You can do this in the SQL tab of phpMyAdmin:
RENAME TABLE wp_commentmeta TO new1234_commentmeta;
RENAME TABLE wp_comments TO new1234_comments;
RENAME TABLE wp_links TO new1234_links;
RENAME TABLE wp_options TO new1234_options;
RENAME TABLE wp_postmeta TO new1234_postmeta;
RENAME TABLE wp_posts TO new1234_posts;
RENAME TABLE wp_terms TO new1234_terms;
RENAME TABLE wp_term_relationships TO new1234_term_relationships;
RENAME TABLE wp_term_taxonomy TO new1234_term_taxonomy;
RENAME TABLE wp_usermeta TO new1234_usermeta;
RENAME TABLE wp_users TO new1234_users;
Some rows also embed the prefix in their key names and have to be updated as well:
UPDATE new1234_options SET option_name = 'new1234_user_roles' WHERE option_name = 'wp_user_roles';
UPDATE new1234_usermeta SET meta_key = 'new1234_capabilities' WHERE meta_key = 'wp_capabilities';
Hiding the WordPress version number can be very important, especially if you don’t update WordPress regularly. It is also the simplest step to do. Just insert the following code into your functions.php file:
// Empty the generator string so the <meta name="generator"> tag no longer reveals the version
function remove_wp_version() {
    return '';
}
add_filter('the_generator', 'remove_wp_version');
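Writing the RENAME statements by hand is error-prone: the list above only covers the tables of an older core release (newer versions add wp_termmeta, and most plugins create tables of their own), and any wp_-prefixed table you forget is silently lost to the site. The script below is an added example for this page, not code from the original post; it discovers every table carrying the old prefix and renames it, then fixes the core keys in options and usermeta that embed the prefix. The database credentials are placeholders, the prefixes are the ones used in the post, and it assumes a backup has been taken and wp-config.php already carries the new $table_prefix.

```php
<?php
/*
 * Added example, not part of the original post. Run once from the command line
 * (php rename-prefix.php) after taking a backup and AFTER editing $table_prefix
 * in wp-config.php. Connection values are placeholders; 'wp_' and 'new1234_' are
 * the prefixes used in the post.
 */
$old = 'wp_';
$new = 'new1234_';

$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    array( PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION )
);

// 1. Every table whose name starts with the old prefix. '_' is a LIKE
//    wildcard, so it is escaped to match literally.
$stmt = $pdo->prepare( 'SHOW TABLES LIKE ?' );
$stmt->execute( array( str_replace( '_', '\\_', $old ) . '%' ) );
$tables = $stmt->fetchAll( PDO::FETCH_COLUMN );

// Identifiers cannot be bound as query parameters, so validate them strictly
// before interpolating them into the RENAME statement.
foreach ( $tables as $table ) {
    if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $table ) ) {
        throw new RuntimeException( "Unexpected table name: {$table}" );
    }
    $renamed = $new . substr( $table, strlen( $old ) );
    $pdo->exec( "RENAME TABLE `{$table}` TO `{$renamed}`" );
    echo "{$table} -> {$renamed}\n";
}

// 2. Only the core keys that embed the prefix are renamed, and each by exact
//    match. A blanket REPLACE(option_name, 'wp_', ...) would also corrupt
//    unrelated core options such as wp_page_for_privacy_policy.
$opt = $pdo->prepare( "UPDATE `{$new}options` SET option_name = ? WHERE option_name = ?" );
$opt->execute( array( $new . 'user_roles', $old . 'user_roles' ) );

$meta = $pdo->prepare( "UPDATE `{$new}usermeta` SET meta_key = ? WHERE meta_key = ?" );
foreach ( array( 'capabilities', 'user_level', 'user-settings', 'user-settings-time' ) as $suffix ) {
    $meta->execute( array( $new . $suffix, $old . $suffix ) );
}

echo "Done. Check that you can still log in, then delete this script.\n";
```

If the login page afterwards reports that you have no permission to access the dashboard, the usermeta step did not run: the capabilities row is what ties your account to the administrator role under the new prefix.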
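The generator filter only covers the <meta name="generator"> tag and the feeds. WordPress also appends ?ver=<version> to every core script and stylesheet it enqueues, which reveals the same number in the page source. The snippet below is an added example for this page, not code from the original post; it goes one step further than the text by stripping that parameter as well. The mc_ function name is an assumption.

```php
<?php
/*
 * Added example, not from the original post: remove the ?ver= query parameter
 * from core scripts and styles when it equals the WordPress version.
 * Plugin and theme assets keep their own version strings, so their
 * cache-busting keeps working.
 */
function mc_strip_core_version_query( $src ) {
    $core_version = get_bloginfo( 'version' );
    $query        = wp_parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src;   // no query string, nothing to hide
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === $core_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'mc_strip_core_version_query' );
add_filter( 'style_loader_src', 'mc_strip_core_version_query' );
```

Keep in mind that this is obscurity rather than a fix: the version can still be inferred from the contents of core files, so it complements the first tip in this post (keep WordPress updated) rather than replacing it.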
Hotlinking occurs when someone steals your website content (usually images) and directly links to it on their own website. The problem is that they are not only stealing your images but also using your bandwidth.
So how can we prevent this? It’s quite simple! You just need to add another piece of code to your .htaccess file, either the one in your website’s root directory or the one in the images directory:
# this line may already be in the file
RewriteEngine On
# list here the websites allowed to embed your images
# DO NOT FORGET TO SPECIFY YOUR OWN DOMAIN!
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?google\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?yahoo\.com/.*$ [NC]
# requests without a Referer header (direct visits, some browsers) are allowed
RewriteCond %{HTTP_REFERER} !^$ [NC]
# never rewrite the placeholder image itself, or the rule would loop
RewriteCond %{REQUEST_URI} !hotlink\.png$ [NC]
# hotlink.png is the image served instead of your own images
RewriteRule .*\.(jpe?g|gif|bmp|png)$ hotlink.png [L]
This code denies access to any file in the directory except those with the specified extensions. It also disables PHP files in this directory (as well as in all its subdirectories).
# first, completely disable access to all files
<FilesMatch "^">
Order Allow,Deny
Deny from all
</FilesMatch>
# then re-allow the file extensions you want to be accessible
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|tif|tiff|pdf)$">
Order Deny,Allow
Allow from all
</FilesMatch>
Or, if you only want to disable the execution of PHP files:
<Files *.php>
deny from all
</Files>
Mangcoding recommends that you protect the /wp-includes/ directory as well.
The first file you should delete is readme.html, located in the root folder of your blog. This file reveals the version of WordPress you are using, and hackers can look up the exact exploit for that exact version.
Another file is install.php, located in the /wp-admin/ directory. This is the installation script and should also be deleted.
Keep in mind that both files are restored by every WordPress update, so delete them again afterwards.
That’s the explanation of 11 Steps to Secure Your WordPress that Mangcoding can share. Hopefully, this article is useful and provides new insights for you. If you have constructive feedback or suggestions, feel free to leave a comment or contact us via email and Mangcoding’s social media.
Source: Rudrastyh