Xanthi S

How to protect your WordPress site with Wordfence (free)

security for your website

This guide is for those of you who run a self-hosted or wordpress.org website. It’s very easy and you don’t need to be a rocket scientist or a web developer to do it. I will explain everything with screenshots, and the plugins I will be using are free, so you can do it right now.

Step 1

Install Wordfence

Wordfence is a plugin that has a free and a premium version. I use the free version and this guide covers exactly that: the free version’s capabilities. It’s really incredible how many security features it gives you.

Go to Plugins / Add new and search for Wordfence in the search field. Install it and activate it. Once you activate it, it will prompt you to follow its setup, so just go ahead and do it. Really, you don’t have to think about weird settings, just follow their wizard and trust me, it will do the work for you. One tricky thing is that it asks for your email. This is not something you can avoid, and you shouldn’t, because Wordfence needs a way to contact you to inform you about security issues or any suspicious activity on your website. Then it will ask you to add a premium key. Ignore it. It will ask you if you want to buy one now, but next to the buttons on the right, find “No thanks” and click it. You can now go ahead with the free version.

It will still guide you to click on certain locations, as part of a mini tutorial. Then you can browse around yourself to get familiar with it. You can even run your first scan and see what the results are. It will return a small report and perhaps some things that it wants you to correct. Another thing is that it will prompt you to download and back up your .htaccess file. Go ahead and do it. It wants you to take a backup before it adds some lines of code to your .htaccess file for security purposes.

Now that we have done the basics, let’s see how else we can improve the safety of our websites.

How to block login attempts from bots/hackers, with Wordfence

Ok, so this one is very easy, like it will blow your mind how easy it is.

However, there is one important requirement. And it’s non-negotiable 🙂 Your own username cannot be admin. Please, use anything else but admin, ok? This is the number one username bots and hackers use when they try to log in on a website.

So, once you have updated your username, then go ahead and navigate to Wordfence according to the following images:

wordfence all options screenshot

wordfence brute force

What we are doing here is going to All options and clicking on Brute force protection. From there you have some drop-down options. These options limit how many times someone can unsuccessfully try to log in. For instance, after 3 failed login attempts you can lock that user out for 5 hours. It’s up to you how you want to do that. For me, what is important is to lock out users that try to log in in a short period of time.

But the most important thing, the one that I do on all of our clients’ websites, is to immediately lock out invalid usernames, and also to block the IP addresses of people that try to log in with a certain username, such as admin.

I know that my username is not admin, and as long as I am a valid user with a valid username, then I’m good to go. Of course there is the chance of mistyping your username, so it’s up to you how strict you want to be. Wordfence will notify you that you are locked out, and it will also tell you that, if it’s you and it’s a mistake, you can get an email with instructions on how to log in again. So no worries.
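To see how these lockout rules interact, here is a small Python model, added as an illustration (it is not Wordfence's code and not part of the original guide). The thresholds, the counting window, the usernames and the IP addresses are constructed, and keying lockouts by IP address is an assumption of the model.

```python
# Model of the lockout rules described above; not Wordfence's code.
MAX_FAILURES = 3               # failed logins allowed inside the counting window
COUNT_WINDOW = 5 * 60          # seconds over which failures are counted (assumed)
LOCKOUT_SECONDS = 5 * 60 * 60  # "lock that user out for 5 hours"
VALID_USERS = {"siteowner"}    # constructed: the usernames that really exist
BLOCKED_USERNAMES = {"admin"}  # usernames that trigger an immediate block

class LoginGuard:
    def __init__(self):
        self.failures = {}      # ip -> timestamps of recent failed logins
        self.locked_until = {}  # ip -> time at which the lockout ends

    def attempt(self, ts, ip, username, password_ok):
        """Return 'ok', 'failed' or 'locked' for one attempt at time ts (seconds)."""
        if self.locked_until.get(ip, 0) > ts:
            return "locked"
        # Rule 1: a blocked username or a username that does not exist locks out at once.
        if username.lower() in BLOCKED_USERNAMES or username not in VALID_USERS:
            self.locked_until[ip] = ts + LOCKOUT_SECONDS
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        # Rule 2: count failures inside the window and lock out at the threshold.
        recent = [t for t in self.failures.get(ip, []) if ts - t < COUNT_WINDOW] + [ts]
        self.failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = ts + LOCKOUT_SECONDS
            return "locked"
        return "failed"

def replay(events):
    guard = LoginGuard()
    return [guard.attempt(*event) for event in events]

# Constructed login attempts: (time in seconds, IP, username, password correct?)
SAMPLE = [
    (0, "203.0.113.7", "admin", False),       # bot tries admin: blocked at once
    (10, "203.0.113.7", "siteowner", True),   # same IP is still locked out
    (20, "198.51.100.4", "siteowner", False),
    (30, "198.51.100.4", "siteowner", False),
    (40, "198.51.100.4", "siteowner", False), # third failure: locked out
    (50, "192.0.2.9", "siteowmer", False),    # owner mistypes the username
    (LOCKOUT_SECONDS + 1, "203.0.113.7", "siteowner", True),  # lockout expired
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", result)
```

The mistyped username on the sixth line is locked out just like the bot, which is the trade-off mentioned above when choosing how strict to be.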

But there is something else you can do to be even more protected, and that is to change the wp-login.php or admin URL to something else. That way the bots or human hackers will have a hard time trying to log in to your admin panel.

Please note: I am not a security expert, and these methods do not mean that your site will be bulletproof, but you will significantly reduce any malicious attacks on your website.

Step 2

Install WPS Hide Login free plugin

This amazing plugin gives you the possibility to change the default URL from yourblog.com/wp-login.php to yourblog.com/whatever/, and whoever tries to access the default URL will be greeted with a 404 error. Nice, right?

Here’s how you do it.

You download and activate the plugin. Then, if you go to the Settings menu in your WordPress dashboard and scroll down, you will notice some extra options, as seen in the image below:

This is a demo website.

All you have to do is put a word that you like, or keep login, or whatever you want, just make sure to bookmark it, or simply remember it 🙂

The redirection URL is a good option as well. Let them end up in a 404 and stop their hacking attempt right there!

That’s it

You are all set. If you make the above changes to your WordPress website, your site or blog will instantly become way more safe. There are of course more things one can do, like 2FA, but especially if you are a beginner, I say start with these and you will learn more things in time.

Let me know how you liked this guide, and if you have any questions, leave me a comment 🙂

3 November, 2022 8:31 pm

Wow, I hadn’t thought of protecting my WordPress site with wordfence. Hackers are usually the last things on our minds, but it’s essential to be prepared and protected. I like that there’s a free version, too.