WordPress is used by millions of web designers and bloggers who want their own websites. It’s often the top choice for launching any kind of website, from a personal blog to a professional business site. Its popularity is a blessing and a curse: there are hundreds of great plug-ins to choose from, but it also needs constant fixes and updates, and it is a frequent target of attacks. Simply put, WordPress is a work in progress and is always undergoing maintenance to remain the best. Several security plugins and code snippets do not ship with WordPress, and you should add them for maximum protection.
How well is your website protected? To enhance your WordPress security, first and foremost, never use the default “admin” as a username. The majority of brute-force and hacking tools try to break into the backend with “admin” as the username, even if they never discover an author name.
To make breaking into your WordPress backend harder, choose a password that is not a dictionary word, that contains both letters and numbers, and that mixes lowercase and capital letters. Don’t choose passwords that are sentences, or that contain a number sequence which could be picked up after a dozen attempts. A hard-to-guess password thwarts hacking attempts and gives you plenty of time to notice that something is wrong while you are monitoring your website.
For additional security, limit the number of password attempts against your backend. This can be done with a plugin called Limit Login Attempts, which displays and emails you the IP address of would-be hackers who tried to log in but failed. Once you have the IP address, you can make sure they never return to your website with a plugin called Simple IP Ban.
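As an added example (not code from the original post, and not the Limit Login Attempts plugin’s own code), this is how the idea behind that plugin can be implemented with core WordPress hooks alone: count failed logins per IP address in a transient, refuse further attempts once a threshold is reached, and email the site owner the offending address. The function names, the wpsec_ prefix and the 5-attempt / 15-minute limits are assumptions chosen for this example.

```php
<?php
// Added example: a minimal login-attempt limiter for functions.php or a small plugin.
// Limits below are constructed for the example, not taken from any plugin.
define( 'WPSEC_MAX_ATTEMPTS', 5 );
define( 'WPSEC_WINDOW', 15 * MINUTE_IN_SECONDS );

function wpsec_client_ip() {
    // REMOTE_ADDR is the only address the web server itself vouches for.
    // X-Forwarded-For is client-controlled unless a trusted proxy sets it,
    // so it is deliberately not consulted here.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '0.0.0.0';
}

function wpsec_transient_key( $ip ) {
    return 'wpsec_fail_' . md5( $ip );
}

// Count failures per IP in a transient that expires with the window.
function wpsec_record_failed_login( $username ) {
    $ip    = wpsec_client_ip();
    $key   = wpsec_transient_key( $ip );
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, WPSEC_WINDOW );

    // Leave a record the site owner can review, and mail them once the lockout triggers
    // (the same information Limit Login Attempts shows and emails).
    error_log( sprintf( 'Failed login for "%s" from %s (%d/%d)', $username, $ip, $fails, WPSEC_MAX_ATTEMPTS ) );
    if ( $fails >= WPSEC_MAX_ATTEMPTS ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Login lockout on ' . home_url(),
            sprintf( 'IP %s locked out after %d failed attempts (last username tried: %s)', $ip, $fails, $username )
        );
    }
}
add_action( 'wp_login_failed', 'wpsec_record_failed_login' );

// Core checks the credentials on the 'authenticate' filter at priority 20; at 30 this
// overrides its result while the IP is locked out, so even a correct password is refused
// for the rest of the window.
function wpsec_block_locked_ip( $user, $username, $password ) {
    $fails = (int) get_transient( wpsec_transient_key( wpsec_client_ip() ) );
    if ( $fails >= WPSEC_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'wpsec_block_locked_ip', 30, 3 );

// Clear the counter once someone logs in successfully from that IP.
function wpsec_clear_on_success( $user_login, $user ) {
    delete_transient( wpsec_transient_key( wpsec_client_ip() ) );
}
add_action( 'wp_login', 'wpsec_clear_on_success', 10, 2 );
```

Drop it into the active theme’s functions.php or a single-file plugin. Attempts made during a lockout also fire wp_login_failed, so each one refreshes the transient and extends the window. Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy’s address and every visitor would share one counter; in that setup the IP lookup has to be adapted to the proxy’s trusted forwarding header, and only to that header.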
After I released my website to the public and it had been up for a few months, I noticed several visitors going to my author URLs and subsequently, there was an increase in the number of attempted passwords through the backend. I used Who’s Online? and ThreeWP Activity Monitor to track locations of users who were going on my site and to monitor the activity of my backend logins.
WordPress exposes the author accounts of your website by default, which makes it vulnerable to attack. Why is this an issue? Because the primary author of the website is most likely its administrator. This reveals the administrator’s username to the hacker, leaving them with only a password to guess.
Append ?author=1 to your site’s address, right after the .com, and WordPress reveals the administrator account. It’s that simple to discover. So, how can you prevent this? By adding code to your functions.php, you can block any attempt to find out a username on your website, which reduces the chances of vulnerabilities and hack attempts.
This code, placed in functions.php, redirects visitors who request a URL with the author parameter back to the main page of your website:
// Hooked at priority 1 so it runs before WordPress's own canonical redirect rewrites ?author=N to the author archive.
add_action( 'template_redirect', function () { if ( isset( $_REQUEST['author'] ) ) { wp_redirect( home_url() ); exit; } }, 1 );
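A fuller version of that functions.php fix, added here as an example (it is not the post’s own snippet): it catches both the ?author=N query string and pretty-permalink author archives, and it runs at priority 1 on template_redirect. The ordering matters because WordPress’s canonical redirect (redirect_canonical, priority 10 on the same hook) would otherwise rewrite ?author=1 to /author/<slug>/, and that slug (the user_nicename, which defaults to the login name) would already be leaked in the Location header before any later-priority code runs. The function name and the wpsec_ prefix are assumptions.

```php
<?php
// Added example: stop author enumeration through ?author=N and /author/<slug>/ URLs
// by sending those requests back to the home page. Assumes it lives in the active
// theme's functions.php or a small plugin.
function wpsec_block_author_enumeration() {
    // The raw ?author= parameter (any value, including non-numeric ones that core
    // would 404 on while still confirming or denying the ID exists).
    $has_author_param = isset( $_REQUEST['author'] );

    // Pretty-permalink archives such as /author/<slug>/ are already parsed into the
    // main query by the time template_redirect fires, so is_author() covers them.
    if ( $has_author_param || is_author() ) {
        // wp_safe_redirect() only follows hosts on the allowed list; home_url() is
        // always internal, so it is used here instead of wp_redirect() as a habit.
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
// Priority 1: must run before redirect_canonical (priority 10) on this same hook.
add_action( 'template_redirect', 'wpsec_block_author_enumeration', 1 );
```

template_redirect does not fire for wp-admin requests, so the post list’s own ?author=N filter in the dashboard keeps working. The hook only covers theme-rendered pages; the REST API’s user listing and the core XML sitemaps publish author names through separate routes and need their own handling.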