WordPress security increase
To reduce attacks on your WordPress site, follow the instructions below.
1: Increase Security from htaccess file
Add the code below to your .htaccess file and replace xxx.xx.xx.xxx with your IP, i.e. the IP of the system from which you want to log in to your site's admin section.
# Restrict the login page to one trusted address. The file name wp-login.php is
# assumed here because the <Files> directive needs a file argument to be valid.
<Files wp-login.php>
order deny,allow
deny from all
allow from xxx.xx.xx.xxx
</Files>
2: Change credentials
Change the admin username and password to at least 10 characters long, mixing uppercase and lowercase letters, digits and symbols.
Like: W!w@1)*&<?lkiJH
3: Send mail to admin on login failure
For every failed login, send mail to the administrator. To implement this functionality, add the code below to
filename: functions.php of the currently active theme
goto last: paste the below code
// Step 3: mail the administrator whenever wp-login.php displays an error message
add_filter( 'login_errors', 'send_failure_notification_to_admin', 10, 1 );
function send_failure_notification_to_admin( $error ) {
    $subject        = 'Login Failure to ' . site_url();
    // Request details (remote address, user agent, ...) of the failed attempt
    $notify_message = serialize( $_SERVER );
    // '@' suppresses mail errors so the login page still renders
    @wp_mail( 'YOUR-MAIL-ID', $subject, $notify_message );
    return $error; // pass the error message through unchanged
}
Replace YOUR-MAIL-ID with the mail ID you check frequently.
This mail will contain the details of where the login failure came from.
4: Send mail to admin after success login
For every successful login, send mail to the administrator. Add the code below to the files mentioned.
filename: wp-login.php present in root
goto line: 613
Just after:
if ( !is_wp_error($user) && !$reauth ) {
add the below code:
do_action( 'send_success_notification_to_admin' ); // fires the theme hook added in functions.php below
filename: functions.php of the currently active theme
goto last: paste the below code
// Step 4: mail the administrator after a successful login (triggered from wp-login.php)
add_action( 'send_success_notification_to_admin', 'send_success_notification_to_admin' );
function send_success_notification_to_admin() {
    $subject        = 'Login Successful to ' . site_url();
    // Request details (remote address, user agent, ...) of the login
    $notify_message = serialize( $_SERVER );
    @wp_mail( 'YOUR-MAIL-ID', $subject, $notify_message );
}
Replace YOUR-MAIL-ID with the mail ID you check frequently.
This mail will contain the details of where the successful login came from.
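Steps 3 and 4 can also be done without relying on the login_errors filter or editing wp-login.php, because WordPress fires the wp_login_failed and wp_login actions at exactly those two points. The snippet below is an added example, not code from the original post: it assumes the address stored in the admin_email option is monitored, uses the hypothetical prefix wps_ for its function names, and reports a few request fields instead of the whole $_SERVER array.

```php
<?php
// Added example (not from the original post): send the step 3 and step 4
// notifications from functions.php using WordPress' own hooks, so that
// wp-login.php does not have to be edited (core edits are lost on update).
// Assumptions: the 'admin_email' option is monitored, and the site is not
// behind a reverse proxy, so REMOTE_ADDR is the client address.

function wps_login_details( $username ) {
    // Report only the fields that identify the attempt, not the whole $_SERVER
    // array (which carries cookies and other data best kept out of e-mail).
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $agent = isset( $_SERVER['HTTP_USER_AGENT'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) )
        : 'unknown';
    return sprintf(
        "Site: %s\nTime: %s\nUsername: %s\nIP: %s\nUser agent: %s\n",
        site_url(),
        current_time( 'mysql' ),
        sanitize_user( $username ),
        $ip,
        $agent
    );
}

// Fires only when a submitted username/password was rejected. The second
// argument (a WP_Error) exists since WordPress 5.4; the default keeps older
// versions working.
add_action( 'wp_login_failed', 'wps_notify_login_failure', 10, 2 );
function wps_notify_login_failure( $username, $error = null ) {
    $subject = 'Login failure on ' . site_url();
    $body    = wps_login_details( $username );
    if ( is_wp_error( $error ) ) {
        $body .= 'Reason: ' . $error->get_error_code() . "\n";
    }
    wp_mail( get_option( 'admin_email' ), $subject, $body );
}

// Fires after a successful login, the point where step 4 patches wp-login.php.
add_action( 'wp_login', 'wps_notify_login_success', 10, 2 );
function wps_notify_login_success( $user_login, $user ) {
    $subject = 'Login successful on ' . site_url();
    $body    = wps_login_details( $user_login )
             . 'Display name: ' . $user->display_name . "\n";
    wp_mail( get_option( 'admin_email' ), $subject, $body );
}
```

Paste it at the end of functions.php (dropping the opening <?php line there) or save it as a file under wp-content/mu-plugins/ so it survives theme changes.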
5: Change the login credentials for all
Change the credentials of your cPanel, database and WP admin, and keep a paper with all the details with you. Whenever you log in, read the credentials from there first and then log in. Never cause a failed login yourself.
6: Allow only 2 login attempts
Use this plugin: http://wordpress.org/extend/plugins/limit-login-attempts/
7: Extra password field in login form
A completely new approach: add another password field to the login form, so that a single login form has two password fields.
filename: functions.php of the currently active theme
goto last: paste the below code
// Step 7: render a second password field in the login form
add_action( 'login_form', 'add_another_pwd_field' );
function add_another_pwd_field() {
?>
<p>
<label for="user_pass2"><?php _e( 'Extra Security (Re-enter password)' ); ?><br />
<input type="password" name="pwd2" id="user_pass2" value="" size="20" /></label>
</p>
<?php
}

// Reject the attempt before WordPress checks the database unless both password fields match
add_action( 'wp_authenticate', 'extra_security' );
function extra_security() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) { return; } // added guard: wp_authenticate also runs when the form is merely displayed
    if ( isset( $_POST['pwd'], $_POST['pwd2'] ) && $_POST['pwd'] === $_POST['pwd2'] ) {
        return; // fields match: let WordPress validate the credentials
    }
    send_failure_notification_to_admin( 'error' ); // defined in step 3
    die();
}
After adding the code above, go to domain/wp-login.php; you will see an extra field in the login form. Enter your password again in this field. Only if the password field and this extra field contain the same value will WordPress go on to validate your credentials against the database; otherwise it mails the administrator about a login failure.
8: Update Your wp-config.php Keys
Open https://api.wordpress.org/secret-key/1.1/salt/ and copy the keys.
Open the wp-config.php file in the root. Go to line 45 and replace all 8 keys with the new ones. After this you will have to log in to the admin section again, even if you were already logged in.
I am sure after following the above instructions your site will be much more secure 🙂