WordPress blogs are extremely popular with our customers, but they are also a popular target for hackers. This is why it’s important to take steps to secure your WordPress installation.
In this guide, we’ll cover several steps that you can take to secure your WordPress site from hackers and reduce your site’s bandwidth usage at the same time. The less requests made to your site, the quicker it will be to load for legitimate visitors.
You should also take regular backups of your site to a different location such as Dropbox, so that you can easily restore your site in the event it does get hacked.
Brute Force password attempts are the most common way that hackers gain access to your WordPress install to deface it and trash your site.
While the Loginizer plugin (formerly “Limit Login Attempts”) is one of the most widely used plugin to protect a WordPress site and installed by default on some of our providers, there are better options that you should replace it with.
Replacing it with a full security plugin like Wordfence is a great way to increase the protection on your site from a large number of brute force hacking attempts and decrease the risk of having your site defaced.
Wordfence allows you to block IP addresses who attempt to login with an incorrect password or incorrect username, based on custom parameters including how long it counts those attempts over and how long it will block an offending IP address for.
We recommend installing Wordfence on your site and enabling the following settings.
In the Wordfence > Options page, tick the “Enable login security” box under Basic Options.
Then scroll down to the “Login Security Options” and set the options the same as the screenshot below:
This will lock out anyone who attempts to login with an incorrect password, and block their IP address for 60 days.
Wordfence Alternative: You can also use the Login LockDown plugin to protect against Brute Force attempts. This does the same thing as the Login Security component of Wordfence, and allows you to mix up the plugins that you are using for this function.
Under Settings, Login LockDown, configure it the same as the screenshot below.
The WPS Hide Login plugin will allow you to rename the wp-login.php file and wp-admin folders to something unique, reducing the traffic to those pages that would otherwise be generated by hackers that are trying to gain access to your site by brute force guessing passwords.
If you’re not planning to login to the WordPress admin for a while, or you are willing to only use the 1-Click WordPress Admin Login from within your LaunchCDN account, you can disable the wp-login.php file using .htaccess rules. You can also lock it down to a single IP (eg if you have a VPN with a dedicated IP that you use to access your sites).
To do this, you’ll need to edit your site’s .htaccess file, which can be done by using the File Manager in your site’s DirectAdmin dashboard.
Start by clicking the Cog (⚙️) icon in your LaunchCDN client area next to the site you wish to edit, and then click "Login to Server Panel". Once you're logged into site’s DirectAdmin panel, open the “File Manager”. Navigate to the “public_html” folder and you should see the .htaccess file.
Right click and choose Edit button, and add these lines to the end of the file.
# Protect wp-login.php file
<Files wp-login.php> Order Deny,Allow Deny from all Allow from 8.8.8.8 </Files>
Replace the IP address 8.8.8.8 in the example code with the IP address of your dedicated IP for VPN. If you’re not running a VPN with a dedicated IP, delete the “Allow from 8.8.8.8” line.
Implementing all of these steps will help reduce the amount of bandwidth that your site uses, and at the same time significantly improve the security of your site. At the very least, you should implement either Wordfence or Login LockDown, and configure it based on our screenshots above to secure your sites from Brute Force password attempts.
