
How to Secure Your Website's Software

In this article, we will talk about how you can protect all the software that you run on your website. Note that the information in this article applies to WordPress websites.

 

Essential WordPress Security Measures

There are several essential steps you should take to enhance the security of a WordPress site. Look through the steps provided below and try to follow as many security methods as you can.

 

Strong WordPress Passwords

It is always a good idea to create strong passwords for all your accounts, and changing your password from time to time also helps keep an account secure. Strong passwords, especially ones that contain special symbols, are very hard to guess, so an attacker is left with brute force as the only way into your account; the methods later in this article help you stop brute force attacks. If your site has been compromised (or you even suspect that it has been), you must also change the security keys in the wp-config.php file that are used to encrypt cookies.

 

Unique WordPress Username

Never keep the default administrator username. Instead, create another user with a name different from the default administrator name, give that user the administrator role, and then delete the default admin account.

 

Update WordPress, Plugins and Themes

Avoid running old versions of WordPress: they contain publicly known vulnerabilities that hackers can use to get into your site. Update WordPress as soon as an update is available, because updates usually patch previously discovered vulnerabilities.

 

Delete Unused WordPress Plugins and Themes

Even when plugins and themes are deactivated, their code remains on the server and reachable over the Internet, so it can still be a target for hackers. Be sure to delete any unused themes or plugins to reduce the opportunities an attacker has to gain access to your site.

 

Regular Backups

Although backups will not protect your website from attacks, they let you recover if someone attacks your website and encrypts or changes the data on it. You can use Softaculous to back up, restore, and update your WordPress site from one convenient interface. We also recommend keeping several backups of your website in different locations: for instance, one backup on your local computer and another in the cloud, so that you still have a backup even if something happens to your computer.

 

Defending against WordPress brute force attacks

A brute force attack is a simple type of attack in which a person or script tries to gain access to a site by repeatedly guessing username and password combinations. Unfortunately, many people use usernames and passwords that are easy to guess, which is why brute force attacks are so popular: hackers know that many people can’t be bothered to put a strong password on their account. If your WordPress site is under a brute force attack, you may notice that the site responds slowly or not at all, and you may be unable to log in. This happens because the flood of login attempts generates numerous PHP and MySQL calls, which increase server load and degrade website performance. Below we present a few methods with which you can defend your site against brute force attacks.
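The symptom described above, a flood of POST requests to wp-login.php, is also visible in the web server's access log. The following is an added example (not code from the original article) that parses lines in the Apache "combined" log format, counts failed login POSTs per client address inside a sliding time window, and reports the addresses that exceed a threshold. The log lines are constructed samples using documentation-range addresses; the threshold and window are assumed values you would tune to your own traffic. It also assumes that WordPress answers a successful login with a 302 redirect and a failed one by re-rendering the form with a 200, and therefore leaves the 302 responses out of the count.

```python
"""Spot brute-force login sources in an Apache access log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: IP ident user [time] "METHOD PATH PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample: 203.0.113.5 hammers wp-login.php; 198.51.100.7 is a normal
# visitor who logs in once (the 302 redirect). The last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not in log format and is skipped
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop a query string such as ?action=lostpassword
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Map each offending IP to the highest number of failed wp-login.php POSTs it made
    within any window of `window_seconds`; IPs that never reach `threshold` are omitted.
    Lines are expected in chronological order per IP, as access logs normally are."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of recent failed attempts
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue
        if status == 302:  # assumed: redirect after a successful login, not a failure
            continue
        attempts = recent[ip]
        attempts.append(ts)
        while ts - attempts[0] > window:  # slide the window forward
            attempts.popleft()
        if len(attempts) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(attempts))
    return flagged


if __name__ == "__main__":
    for ip, count in find_brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed login attempts within 60 s")
```

Run it against a real access log with `find_brute_force_sources(open("access.log").read())`; the addresses it reports are the ones the blocking methods below are meant for, and the per-IP peak count is what you would compare against your chosen threshold when tuning.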

 

Method #1: Password-protect the WordPress login page

WordPress uses the wp-login.php file for logins. Adding password protection to this file adds another layer of security, and the more layers you have, the harder it is for someone to break into your account. Users must enter a username and password before they can even reach the wp-login.php file to log in to WordPress.

If you want to set up password protection for your WordPress login page, follow the steps provided below:

  • Use your web browser to go to http://www.htaccesstools.com/htpasswd-generator.
  • In the Username text box, type a username.
  • In the Password text box, type a password for the user.
  • Click Create .htpasswd file, and then copy the line of text. The line of text should contain the username you specified, followed by a colon (:), and then the encrypted password. For example:

username:$apr1$IUQgDA6U$qbXb9wEnjirNCqxezpjoe5

  • Create a file named .wp-password in your A2 Hosting account's home directory (/home/username, where username represents your A2 Hosting account username). Paste the line of text from the previous step into the file. There are two ways you can create and edit this file:
    • Log in to your account using SSH, and use a text editor from the command line.
    • Log in to your account using cPanel, and use an editor in the File Manager.
  • Save the .wp-password file and exit the text editor.
  • Create an .htaccess file in the directory where you installed WordPress:
    • If you installed WordPress in the domain's document root, then this directory is /home/username/public_html, where username represents your A2 Hosting account username.
    • If you installed WordPress in a subdirectory or subdomain, then this directory is /home/username/public_html/directory, where directory represents the WordPress location.
  • Copy and paste the following text into the .htaccess file:

# Prevent Apache from serving .ht* files:
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>

ErrorDocument 401 "401 Unauthorized"
ErrorDocument 403 "403 Forbidden"

# Protect wp-login.php:
<Files wp-login.php>
AuthUserFile /home/TBC-USERNAME/.wp-password
AuthName "Please log in"
AuthType Basic
require user WP-USERNAME
</Files>

  • In the .htaccess file, make the following changes:
    • Replace TBC-USERNAME with your TBC-Hosting account (cPanel) username.
    • Replace WP-USERNAME with the username that you typed into the .htpasswd generator.
  • Save the .htaccess file and exit the text editor.
  • Use your web browser to go to the WordPress login page (for example, http://www.example.com/wp-admin, where example.com represents your domain name).
  • You should be prompted to type a username and password. Type the username and password combination that you entered in the .htpasswd generator. The WordPress login page should appear, and you can now log in to WordPress as you normally do.

 

 

Method #2: Block IP addresses from accessing the WordPress login page

You can also counter brute force attacks by blocking IP addresses. An .htaccess rule lets you list the specific IP addresses that may reach the WordPress login page; requests from any address that is not on the list are denied immediately.

To prevent IP addresses from accessing the login page, follow these steps:

  • Create an .htaccess file in the directory where you installed WordPress:
    • If you installed WordPress in the domain's document root, then this directory is /home/username/public_html, where username represents your A2 Hosting account username.
    • If you installed WordPress in a subdirectory or subdomain, then this directory is /home/username/public_html/directory, where directory represents the WordPress location.
  • Copy and paste the following text into the .htaccess file:

<Files wp-login.php>
order deny,allow
allow from xxx.xxx.xxx.xxx
deny from all
</Files>

  • In the .htaccess file, replace xxx.xxx.xxx.xxx with the IP address that you want to allow for WordPress logins. All other IP addresses will be blocked from accessing the wp-login.php page.
  • Save the .htaccess file and exit the text editor.
  • Test your WordPress site to make sure that it still functions correctly, and that you can access the administration login page.
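The test in the last step matters because this method locks out every address that is not listed, including your own if you mistype it or if your home connection gets a new address. The following added example (not code from the original article or from the Apache project) validates each allowlist entry, renders the <Files wp-login.php> block both in the Order/allow/deny syntax used above and in the `Require ip` syntax that Apache 2.4 expects, flags ranges broad enough to defeat the purpose of an allowlist, and answers "would this client still get in?" so you can confirm your own address is covered before saving .htaccess. The allowlist entries and the `min_prefix` cut-off are constructed, assumed values.

```python
"""Validate, render and sanity-check an IP allowlist for wp-login.php (added example)."""
import ipaddress

# Constructed sample allowlist: one office address and one /24 for a VPN egress range.
ALLOWED_ENTRIES = ["203.0.113.5", "198.51.100.0/24"]


def parse_allowlist(entries):
    """Convert strings such as '203.0.113.5' or '198.51.100.0/24' into network objects.
    Raises ValueError for anything that is not an address or CIDR range, which is
    preferable to writing a typo into .htaccess and locking yourself out."""
    return [ipaddress.ip_network(entry.strip(), strict=False) for entry in entries]


def _apache_form(net):
    """Single hosts are written without a prefix length, ranges in CIDR form."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def broad_entries(nets, min_prefix=16):
    """Return entries wider than /min_prefix (assumed cut-off); such ranges admit so
    many hosts that the allowlist no longer meaningfully limits who reaches wp-login.php."""
    return [str(n) for n in nets if n.prefixlen < min_prefix]


def render_htaccess(nets, apache24=False):
    """Render the directive block. apache24=False gives the Order/allow/deny form used
    in the article (mod_access, Apache 2.2); apache24=True gives the mod_authz_core
    'Require ip' form that Apache 2.4 uses natively."""
    lines = ["<Files wp-login.php>"]
    if apache24:
        lines.append("    Require ip " + " ".join(_apache_form(n) for n in nets))
    else:
        lines.append("    order deny,allow")
        lines.extend(f"    allow from {_apache_form(n)}" for n in nets)
        lines.append("    deny from all")
    lines.append("</Files>")
    return "\n".join(lines) + "\n"


def is_allowed(client_ip, nets):
    """True if the rendered rule would admit client_ip to wp-login.php."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    nets = parse_allowlist(ALLOWED_ENTRIES)
    print(render_htaccess(nets))
    print(render_htaccess(nets, apache24=True))
    print("overly broad entries:", broad_entries(nets))
    # Lock-out check: the address you administer the site from must be covered.
    print("admin 203.0.113.5 allowed:", is_allowed("203.0.113.5", nets))
    print("stranger 192.0.2.1 allowed:", is_allowed("192.0.2.1", nets))
```

Apache 2.4 still accepts the Order/allow/deny form when the mod_access_compat module is loaded, which is common on shared hosting, but if your host runs 2.4 without it, use the `Require ip` output instead. If you connect from a dynamic address, this method will lock you out whenever the address changes; in that case prefer the password protection of Method #1, which does not depend on where you log in from.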

 

Method #3: Change the WordPress login URL

The default WordPress login page is wp-login.php, and a basic WordPress installation does not allow you to change this location. However, the Rename wp-login.php plugin allows you to change the WordPress login URL. Doing so reduces the impact of brute force attacks, which are usually scripts programmed to hit the wp-login.php page over and over again with login attempts.

When you change the WordPress login URL, anyone who tries to access the wp-login.php page or wp-admin directory receives a “404 Not Found” error message.

 

To change the WordPress login URL, follow these steps:

  • Log in to your WordPress site.
  • Click Plugins, and then click Add New.
  • In the Search text box, type rename wp-login, and then click Search Plugins.
  • The Rename wp-login.php plugin appears in the list of search results.
  • Under Rename wp-login.php, click Install Now, and then click OK to start the installation.
  • After the plugin installation finishes, click Activate Plugin. The Permalink Settings page appears.
  • Under Common Settings, select a permalink structure for your site.
  • Under Login, in the Rename wp-login.php text box, type a URL for the login page, or accept the default value of login.
  • Click Save Changes. The new WordPress login URL appears near the top of the Permalink Settings page.
  • Test your WordPress site to make sure that it still functions correctly, and that you can access the login page using the new URL. Additionally, if you try to access wp-login.php or wp-admin, you should receive a “404 Not Found” error message.

 

Method #4: Enable Cloudflare for your site

Cloudflare is a content delivery network (CDN) that can block malicious requests before they reach your site. For example, Cloudflare-enabled sites were significantly protected during a large-scale WordPress brute force attack that occurred in April 2013.

Cloudflare works by routing traffic to your website through its own network. As a result, Cloudflare is able to block certain types of malicious requests. Cloudflare also increases website performance by leveraging its worldwide server network to deliver content to users more efficiently.
