Security is a big issue. Not only ordinary people but also big companies are doing their best to keep their data secure and safe. WordPress, the most popular software for building websites, is also targeted by hackers. Recently it was reported that a critical ‘Backdoor Attack’ warning had been issued for 60 million WordPress users.
A website hacking campaign, that has been ongoing since July, has morphed from redirecting browsers to sites containing dodgy adverts or malicious software into something that is potentially even more problematical. Mikey Veenstra, a researcher with the Defiant Threat Intelligence team, said that “the campaign has added another script which attempts to install a backdoor into the target site by exploiting an administrator’s session.”
Source: Forbes – Critical ‘Backdoor Attack’
According to Mikey Veenstra, a researcher with the Defiant Threat Intelligence team, 98% of WordPress vulnerabilities are related to (outdated) plugins.
If you are using plugins that haven’t been updated for a while, it’s time to uninstall them and look for better alternatives.
How to make your blog secure & safe even if you are not a WordPress Ninja?
There are dozens of ways to make WordPress secure, and it starts with installing and running the latest version of WordPress. Never use an outdated version of WordPress.
Always buy or download plugins and themes from trusted developers and marketplaces. Never use a nulled (pirated) copy of any premium plugin, and NEVER EVER use admin as your site username or a weak password.
These are just a few ways; we could list 50 different ways to make your website secure and safe. But if you are an absolute beginner, you might be wondering how to follow these instructions at all.
A lot of WordPress beginners Google questions like the following:
- What is functions.php?
- How do I edit the wp-config.php file?
- Where can I find the .htaccess file?
- How do I rename the WordPress login page?
and many other questions.
I am not going to make things complicated for you. Today, I am going to share a free WordPress security plugin. It’s called Defender WordPress Security, Malware Detection, and Firewall.
This is a good question. There are many reasons to install and trust the Defender WordPress security plugin. Here are a few to convince you.
- The plugin is created by the WPMU DEV team. They have a 4.96 average rating on Trustpilot and 793,187 happy members.
- The plugin is up to date and works with the latest version of WordPress.
- The free plugin offers enough features for WordPress bloggers.
- It is a very simple and easy-to-use plugin. Even novice WordPress users can make their website secure with Defender.
- Detailed documentation is available to learn how to use different Defender features.
Now, let’s talk about the features of this easy-to-use security plugin. Most of these features are free, but some are for members only.
- Get peace-of-mind with a more secure site.
- Analyze site security
- Security tweak recommendations
- Resolve issues with a click
- Manual and automatic IP lockout
- Filterable IP logs
- Scan core files for changes
- 2-Factor Authentication – passwords and mobile app verification codes
- Customize 2-factor email
- Vulnerability scans
- Schedule scans
- Repair/restore changed files
- Choose file types to scan
- Skip files based on file size
- Receive email reports
- Set report recipients
- Google blacklist monitoring
- Automated backups
- Full website backups
- Cloud backups
- Site interactions with logging
How to install and set up the Defender Security plugin?
Log in to the WordPress dashboard and go to Plugins – Add New. Search for Defender. Install and activate the Defender plugin by WPMU DEV. Upon activation, you will be redirected to the Installed Plugins page.
From the Installed Plugins page, you can quickly activate or deactivate the plugin and access its Settings, Docs and upgrade pages. Go to Defender – Dashboard and you will see the Quick Setup pop-up screen. You can skip this screen or click the Get Started button and follow the instructions.
After scanning our site, Defender reported 11 potential security issues: 7 security tweak suggestions and 4 issues related to files.
Security tweak suggestions by Defender
From the Security Tweaks suggestion box, just click the View All button to view and fix the issues. In the screenshot below, you can see the list of issues that need to be fixed.
You can click on each item to view more details, including a problem overview, its status, and how to fix it. Normally, you can fix or ignore the issue with a single click. First of all, we were asked to disable trackbacks and pingbacks.
By default, WordPress allows you to edit theme and plugin files from the dashboard. Anyone who gets hold of an administrator session can use that editor to write PHP onto your server, so if you are developing websites for clients or adding more users to manage your site content, you should disable the file editor.
Under the Appearance menu you can see the Theme Editor option. Defender makes it simple to disable the file editor with one click.
The third suggestion was to regenerate the key salts. These WordPress security keys are used by WordPress to ensure better encryption of the information stored in a user’s cookies when logged in to a WordPress website or blog. You can also choose how often Defender should remind you to change these keys.
This process is simple and straightforward. You can easily fix all these issues.
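Two of these tweaks (disabling the file editor and replacing the key salts) live in wp-config.php. The following Python script is an added example, not part of the original post and not Defender’s own code: it audits a constructed wp-config.php fragment for the WordPress constant DISALLOW_FILE_EDIT and for keys and salts that are still the placeholder text from wp-config-sample.php, short, or duplicated, and builds a hardened version. The regex parsing, the 32-character minimum length and the use of hex salts are assumptions made for this example.

```python
import re
import secrets

# The eight key/salt constants WordPress reads from wp-config.php.
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # the value wp-config-sample.php ships with
# Matches define( 'NAME', value ); lines; value is captured as raw PHP text.
DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*(.+?)\s*\)\s*;""")

# Constructed wp-config.php fragment (not from any real site): the file editor
# is still enabled and all eight keys/salts are left at the placeholder.
WEAK_WP_CONFIG = "<?php\ndefine( 'DB_NAME', 'example_db' );\n" + "".join(
    f"define( '{name}', '{PLACEHOLDER}' );\n" for name in SALT_NAMES
) + "$table_prefix = 'wp_';\n"


def parse_defines(config_text):
    """Return {CONSTANT: raw value text} for every define(...) in the file."""
    return dict(DEFINE_RE.findall(config_text))


def audit_wp_config(config_text):
    """Return a list of findings for the two wp-config.php tweaks discussed above."""
    defines = parse_defines(config_text)
    findings = []
    # Tweak 1: the theme/plugin file editor should be switched off.
    if defines.get("DISALLOW_FILE_EDIT", "").strip().lower() != "true":
        findings.append("file editor enabled: add define( 'DISALLOW_FILE_EDIT', true );")
    # Tweak 2: every key/salt should be present, unique, long and not the placeholder.
    weak, seen = [], set()
    for name in SALT_NAMES:
        raw = defines.get(name)
        value = raw.strip().strip("'\"") if raw is not None else ""
        if PLACEHOLDER in value or len(value) < 32 or value in seen:
            weak.append(name)
        seen.add(value)
    if weak:
        findings.append("weak, duplicate or missing keys/salts: " + ", ".join(weak))
    return findings


def hardened_wp_config():
    """Build a fixed fragment: editor disabled and eight fresh 64-hex-char salts."""
    lines = ["<?php", "define( 'DB_NAME', 'example_db' );",
             "define( 'DISALLOW_FILE_EDIT', true );"]
    lines += [f"define( '{name}', '{secrets.token_hex(32)}' );" for name in SALT_NAMES]
    lines.append("$table_prefix = 'wp_';")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit_wp_config(WEAK_WP_CONFIG):
        print("FINDING:", finding)
    print("hardened fragment findings:", audit_wp_config(hardened_wp_config()))
```

Running the script reports both problems for the weak fragment and nothing for the hardened one. On a real site you would point audit_wp_config at the contents of your own wp-config.php; regenerating the salts logs every user out, which is exactly the point when you suspect a session has been abused.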
According to Defender, 4 files on our server were potentially harmful. You can see the screenshot below. 3 of them were error logs, while the 4th file was from Google to verify our website.
We deleted the 3 log files, while the 4th file was important and we knew that it wasn’t harmful at all, so we kept it. So, be careful while deleting files from your server.
IP lockout settings
With Login Protection enabled, hackers trying to randomly guess your login credentials will be locked out after a set number of failed login attempts. The default value is 5. You can also choose how long the bad guys should be locked out.
Admin and administrator are among the most widely used usernames online. From the Login Protection page, you can also add a list of banned usernames.
With 404 detection enabled, Defender will keep an eye out for IP addresses that repeatedly request pages on your website that don’t exist and then temporarily block them from accessing your site.
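To make the Login Protection and 404 detection behaviour concrete, here is an added Python example (not code from the original post and not Defender’s implementation). It tracks events per IP address over a sliding window and locks an address out when it reaches the failed-login threshold of 5, when it uses a banned username, or when it hits too many non-existent pages; whitelisted addresses are never locked out. The 404 threshold of 20 in 5 minutes, the 5-minute lockout, the immediate lockout for banned usernames and the sample events (IP addresses from the documentation ranges) are assumptions constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real traffic: (timestamp, ip, event, detail).
# 203.0.113.7 fails six logins in a row, 198.51.100.9 tries a banned username,
# 192.0.2.33 requests twenty missing pages, 10.0.0.5 is on the whitelist.
SAMPLE_EVENTS = (
    [(f"2019-09-01 10:00:{2 * i:02d}", "203.0.113.7", "login_failed", "wpadmin") for i in range(6)]
    + [("2019-09-01 10:01:00", "198.51.100.9", "login_failed", "administrator")]
    + [(f"2019-09-01 10:02:{i:02d}", "192.0.2.33", "not_found", f"/old-page-{i}") for i in range(20)]
    + [(f"2019-09-01 10:03:{i:02d}", "10.0.0.5", "login_failed", "wpadmin") for i in range(6)]
)


class LockoutMonitor:
    """Per-IP sliding-window thresholds for failed logins and 404s (assumed design)."""

    def __init__(self, login_threshold=5, notfound_threshold=20,
                 window=timedelta(minutes=5), lockout=timedelta(minutes=5),
                 banned_usernames=(), allowlist=()):
        self.thresholds = {"login_failed": login_threshold, "not_found": notfound_threshold}
        self.window = window
        self.lockout = lockout
        self.banned_usernames = {u.lower() for u in banned_usernames}
        self.allowlist = set(allowlist)
        self.hits = defaultdict(deque)   # (ip, event) -> timestamps inside the window
        self.locked_until = {}           # ip -> datetime when the lockout expires

    def is_locked(self, ip, now):
        return ip in self.locked_until and now < self.locked_until[ip]

    def _lock(self, ip, now, reason):
        self.locked_until[ip] = now + self.lockout
        for event in self.thresholds:          # start counting afresh after the lockout
            self.hits.pop((ip, event), None)
        return f"lockout {ip}: {reason}"

    def process(self, ts, ip, event, detail):
        """Return the action taken for one event, or None if nothing happened."""
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if ip in self.allowlist:
            return None                        # whitelisted addresses are never locked out
        if self.is_locked(ip, now):
            return f"blocked {ip}: still locked out"
        if event == "login_failed" and detail.lower() in self.banned_usernames:
            return self._lock(ip, now, f"banned username '{detail}'")
        if event not in self.thresholds:
            return None
        recent = self.hits[(ip, event)]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                   # drop events that fell out of the window
        if len(recent) >= self.thresholds[event]:
            return self._lock(ip, now, f"{len(recent)} {event} events within {self.window}")
        return None


def run(events, monitor):
    """Feed events in order and return (timestamp, action) for every action taken."""
    actions = []
    for ts, ip, event, detail in events:
        action = monitor.process(ts, ip, event, detail)
        if action:
            actions.append((ts, action))
    return actions


def demo():
    monitor = LockoutMonitor(banned_usernames=("admin", "administrator"),
                             allowlist=("10.0.0.5",))
    return run(SAMPLE_EVENTS, monitor)


if __name__ == "__main__":
    for ts, action in demo():
        print(ts, action)
```

The run produces four actions: a lockout of 203.0.113.7 on its fifth failure and a block on the sixth, an immediate lockout of 198.51.100.9 for the banned username, and a lockout of 192.0.2.33 on the twentieth 404. The whitelisted 10.0.0.5 never appears, which is why you should keep your own address on the whitelist before turning a low 404 threshold on.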
How to ban IP addresses or countries with Defender?
Go to the Defender – IP Lockouts – IP Banning page to view all the settings.
You can also ban, blacklist and whitelist IP addresses and countries. You can even use the Locations feature to ban countries you don’t expect or want traffic from, to protect your site from unwanted hackers and bots, or whitelist countries so that they will always be able to view your website. Country blocking is a coarse filter that cuts down noise rather than a guarantee, so keep the login protection and two-factor settings enabled as well.
How to rename the WordPress login page or add two-factor authentication to WordPress with Defender?
For the best security, the WordPress login page must be protected. Defender has two ways to make the WordPress login page secure and safe.
Two Factor Authentication
This is a way to add an additional step to secure online accounts. With this feature enabled, you will need to enter an app-generated passcode from your phone. You will have to install the Google Authenticator app for Android or iPhone.
With Two Factor Authentication enabled, every user must enter the code that the Google Authenticator app shows, which is only valid for a short time. Without the correct code, you won’t be able to access the WordPress dashboard.
Rename WordPress Login page
Go to the Defender – Advanced Tools – Mask Login Area page and enable this feature. Now enter the new login URL and save your changes.
Keep in mind that if you forget this new address, you won’t be able to log in to your WordPress dashboard. Masking the login page only hides it from casual scanning, so keep Two Factor Authentication and Login Protection enabled alongside it.