Whether your website is large or small, losing site data or being locked out of your own site is nerve-wracking. WordPress drives 25% of the world’s web, which makes WordPress sites one of the most attractive targets for attackers.
In this article, we will discuss some tips to enhance WordPress security.
1. Bcrypt Password Hashing
WordPress was founded in 2003, when PHP and the Web were still in their infancy. At that time Facebook did not yet exist and PHP had no OOP architecture, so parts of WordPress security are slightly outdated today, such as the way it hashes passwords.
WordPress still uses MD5 hashing today. In essence, it turns 123456 into this: e10adc3949ba59abbe56e057f20f883e.
Today’s computers are far faster than they were 10 years ago, so such hashes can be cracked easily.
Since version 5.5, PHP has a native password hashing API (password_hash(), which uses bcrypt). If your WordPress website runs a PHP version of 5.5 or higher, you can use this feature.
You can install a bcrypt password plugin, either through Composer or as an MU-plugin, so that stored passwords are re-saved with the stronger hash.
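As an added illustration (not code from the article or from any WordPress plugin), the following plain PHP shows the upgrade path the section describes: a legacy unsalted MD5 digest is accepted once, then replaced with a salted bcrypt hash from password_hash(), and an existing bcrypt hash is re-hashed when the cost factor is raised. The function and file names are assumptions; the stored hash is the article's own MD5 of 123456.

```php
<?php
// Added example: migrate a legacy unsalted-MD5 digest to bcrypt on the next
// successful login. password_hash(), password_verify() and
// password_needs_rehash() exist since PHP 5.5.

const BCRYPT_OPTIONS = [ 'cost' => 12 ];   // assumed cost; raise as hardware allows

// Constructed sample: the article's example digest, MD5("123456").
$storedHash = 'e10adc3949ba59abbe56e057f20f883e';

// A bare 32-hex-character string is an unsalted MD5 digest.
function is_legacy_md5( string $hash ): bool {
    return (bool) preg_match( '/^[0-9a-f]{32}$/', $hash );
}

// Verify $password against whatever hash format is stored.
// Returns the hash the database should hold afterwards, or null if the
// password was wrong.
function verify_and_upgrade( string $password, string $storedHash ): ?string {
    if ( is_legacy_md5( $storedHash ) ) {
        // Constant-time comparison of the legacy digest.
        if ( ! hash_equals( $storedHash, md5( $password ) ) ) {
            return null;
        }
        // Correct password: replace the MD5 digest with a salted bcrypt hash.
        return password_hash( $password, PASSWORD_BCRYPT, BCRYPT_OPTIONS );
    }

    if ( ! password_verify( $password, $storedHash ) ) {
        return null;
    }

    // Already bcrypt: re-hash only if the cost parameter has been raised.
    if ( password_needs_rehash( $storedHash, PASSWORD_BCRYPT, BCRYPT_OPTIONS ) ) {
        return password_hash( $password, PASSWORD_BCRYPT, BCRYPT_OPTIONS );
    }
    return $storedHash;
}

// Usage: a successful login returns a new "$2y$12$..." hash that differs on
// every run because bcrypt salts it; a wrong password returns null.
$upgraded = verify_and_upgrade( '123456', $storedHash );
var_dump( $upgraded !== null && strpos( $upgraded, '$2y$12$' ) === 0 );
var_dump( verify_and_upgrade( 'wrong-password', $storedHash ) );
// Second login: the bcrypt hash verifies and is kept as-is.
var_dump( verify_and_upgrade( '123456', $upgraded ) === $upgraded );
```

In a real site the returned hash would be written back to the user's row (for WordPress, the user_pass column) only after a successful login, since bcrypt cannot be produced from the MD5 digest without the plaintext password.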
2. Enable WordPress.com protection
Brute force is the most common password cracking method used by attackers. Therefore, you need to choose passwords that are very difficult to guess.
Automattic, the parent company of WordPress.com, has acquired a very popular anti-brute-force plugin. The name of this plugin is BruteProtect, and it has now been integrated into Jetpack.
The protection this plugin provides has proven to be very effective.
First, install the latest version of Jetpack and connect your website to WordPress.com. Then enable the Protect module and add your own IP to the whitelist.
After that, your website will be more secure.
3. Hide login URL
Everyone knows that to log in to the WordPress backend, you only need to append wp-login.php to the domain name. You are not the only one who knows this; attackers do too. Therefore, you should hide your login URL and make it available only to you.
Luckily, you can achieve this with some simple plugins:
1) iThemes Security
2) WPS Hide Login
4. Turn off "Forgot Password"
The "Forgot Password" function lets you recover your password through other channels, but attackers can abuse the same path to take over your account. Therefore, you'd better turn off this feature.
Create a new PHP file named forget-password.php, add the code below to it, and upload it to your site.
First, change the URL that the lost-password link points to:
<?php
// Point the "lost password" URL at the plain login page instead of the
// password-reset form.
function lostpassword_url() {
    return site_url( 'wp-login.php' );
}
add_filter( 'lostpassword_url', 'lostpassword_url' );
Next, remove the "Lost your password?" link from the login form. WordPress does not support this natively, so we inject a small piece of JavaScript into the login page footer:
// Strip the "Lost your password?" link from the rendered login page.
function lostpassword_elem( $page ) { ?>
    <script type="text/javascript">
    (function () {
        var links = document.querySelectorAll( 'a' );
        // Walk backwards so removing a node does not disturb the indices.
        for ( var i = links.length - 1; i >= 0; i-- ) {
            if ( links[i].innerText === "Lost your password?" ) {
                links[i].parentNode.removeChild( links[i] );
            }
        }
    }());
    </script>
<?php }
add_action( 'login_footer', 'lostpassword_elem' );
Finally, redirect any direct request for the "lost password" or "retrieve password" action back to the login page, so the feature cannot be reached by typing the URL by hand:
// Send ?action=lostpassword and ?action=retrievepassword requests to the login page.
function lostpassword_redirect() {
    if ( isset( $_GET['action'] ) ) {
        if ( in_array( $_GET['action'], array( 'lostpassword', 'retrievepassword' ), true ) ) {
            wp_redirect( '/wp-login.php', 301 );
            exit;
        }
    }
}
add_action( 'init', 'lostpassword_redirect' );
5. Enable HTTPS
HTTPS provides an extra layer of protection for your site and can also improve your ranking in search engines. You can now get an HTTPS certificate for free through the Let’s Encrypt project.
For WordPress websites, you can easily install this certificate using WP Encrypt. What I suggest you do now is use HTTPS.
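Installing the certificate is only half the job; WordPress also has to insist on using it. The following is an added example (not from the article or from the WP Encrypt plugin) showing the three settings a practitioner usually adds once the certificate is in place: the FORCE_SSL_ADMIN constant in wp-config.php, a redirect from plain HTTP to HTTPS on the front end, and an HSTS header. The function names and the mu-plugin file path are assumptions.

```php
<?php
// Added example. The define() line belongs in wp-config.php; the hooks go in
// an (assumed) mu-plugin file such as wp-content/mu-plugins/force-https.php.

// wp-config.php: serve the dashboard and the login form over TLS only.
define( 'FORCE_SSL_ADMIN', true );

// Send every plain-HTTP front-end request to its HTTPS equivalent.
// wp_safe_redirect() only follows redirects to the site's own host, so a
// forged Host header cannot turn this into an open redirect.
function force_https_redirect() {
    if ( is_ssl() ) {
        return;                       // already on HTTPS, nothing to do
    }
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return;                       // command-line runs have no scheme to fix
    }
    $target = set_url_scheme( home_url( $_SERVER['REQUEST_URI'] ), 'https' );
    wp_safe_redirect( $target, 301 );
    exit;
}
add_action( 'template_redirect', 'force_https_redirect' );

// Tell browsers to remember the HTTPS-only rule (HSTS). Start with a short
// max-age and raise it only after every page loads cleanly over TLS, because
// a long max-age on a site with mixed content is hard to undo.
function force_https_hsts() {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=300' );
    }
}
add_action( 'send_headers', 'force_https_hsts' );
```

Before enabling the redirect, make sure the Site Address and WordPress Address in Settings already use https://, otherwise WordPress will generate http:// links that each trigger an extra redirect.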
The above is the detailed content of How to improve the security of wordpress. For more information, please follow other related articles on the PHP Chinese website!