I recently changed my attitude toward WordPress security completely. It happened after I installed Pojo’s Activity Log plugin on my personal website.
Suddenly I saw, with my own eyes, unfamiliar people trying to log in to my website: IPs from Turkey and the US, trying to log in to my site using all sorts of usernames: admin, beta, test… What was even more disturbing was that these were just the attempts made in the last three hours!
I felt like ants were crawling up my skin. What could those hackers possibly want from me?
I was even more upset to realize that I was going to have to go to forums and message boards to work out what the best solution was for protecting my website.
Luckily, I got a lot of help from our CEO, Ariel, who pointed me to an earlier tutorial on a plugin called iThemes Security, one of the most popular WordPress security plugins, which addresses exactly this kind of login attack.
After trying it successfully on my own site, I wanted to give you a simple step-by-step tutorial on how to harden your WordPress site against these login attacks using only two lightweight plugins. (It has been a week since I installed them myself, and I am happy to say that there have been zero hack attempts so far.)
Step 1: Find Out If You’re Being Hacked
So the first thing to do is install the free Activity Log plugin, made by the talented team at Pojo.
Simply put, this plugin shows you who tried to log in to your site. This way, you can find out whether someone is trying to guess your password and break into your site.
To install it, go to the Plugins page in your WordPress admin.
Click Add New.
Search for Activity Log and install it.
Now open the Activity Log page in the admin.
There you will start seeing the activity on your site.
After a few hours you will be able to see whether anyone is actually trying to break into your site: look for repeated failed logins from the same IP, often cycling through usernames such as admin or test.
This plugin is also very useful for sites that allow user-generated content, as well as sites that are run and maintained by an outside webmaster or by someone other than the owner. It lets the site owner track who published, edited, installed or changed anything on the site while logged in.
Step 2: Secure The WordPress Site
Next, install the second plugin, iThemes Security. It is very popular, with over 700K downloads. The installation process is the same as before:
Go to the plugins menu > Add new plugin > Search for iThemes Security > Install.
Now you will get two messages at the top of the page.
The first message is about API key activation:
Get Free API Key.
This feature lets you receive updates on problematic IPs that should be blocked.
The second message gets you to the main settings page:
Secure Your Site Now
On the settings page you will notice a window with four primary options; the three we need are:
Back Up Your Site
Because this plugin changes both your settings and core files, the first thing to do is back up the database so that any change can be rolled back. Pressing the backup button brings you to the backup settings page, where you can send the backup file to your e-mail or to a directory on the server. Since the plugin also edits wp-config.php and .htaccess (see the next option), keep a copy of those two files as well; a database backup alone will not restore them.
Allow File Updates
Some of the plugin’s key security features require changes to two files: wp-config.php and .htaccess.
Pressing this button allows the plugin to make those required security changes to the files.
Secure Your Site
Pressing this button turns on all of the plugin’s default security settings with a single click.
Step 3: Advanced Options in iThemes Security
This step is not obligatory; it describes the custom security settings I apply when setting up new sites.
It is more advanced, so make sure you have the know-how to handle such changes.
I am only going to cover the features I use myself, so bear in mind that the plugin has many other features besides these.
1. Brute Force Protection
Under “Brute Force Protection”, I check the “Enable local brute force protection” checkbox.
I keep all the default numbers. These numbers control how many failed logins from one host are tolerated within a given period before that host is locked out, and for how long.
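The pattern the Activity Log made visible in Step 1 (one host cycling through usernames) is exactly what local brute force protection acts on. The script below is an added example, not code from Pojo, iThemes, WordPress or the author of this post: it replays a constructed log of failed logins and applies a per-host rule of "N failures inside a check period locks the host out for a while". The threshold, check period and lockout length are assumptions chosen for the demo, not the plugin’s defaults, and the log line format is made up for the example.

```python
"""Brute-force lockout logic replayed over failed-login log lines.

Added example for this post: not code from Pojo's Activity Log, iThemes
Security or WordPress. It models "local brute force protection": count
failed logins per source host inside a check period and lock the host
out for a while once a threshold is reached. The three numbers below are
assumptions picked for the demo, not the plugin's defaults.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_ATTEMPTS_PER_HOST = 5               # failures tolerated inside the window
CHECK_PERIOD = timedelta(minutes=5)     # sliding window for counting failures
LOCKOUT_PERIOD = timedelta(minutes=15)  # how long a locked host stays blocked

# Constructed sample data: one failed-login event per line, in a made-up
# "timestamp ip username" shape standing in for an activity log export.
# 203.0.113.7 cycles through usernames the way the post describes;
# 198.51.100.9 fails only twice, 27 minutes apart.
SAMPLE_LOG = """\
2015-03-01T10:00:01Z 203.0.113.7 admin
2015-03-01T10:00:05Z 203.0.113.7 test
2015-03-01T10:00:09Z 203.0.113.7 beta
2015-03-01T10:00:12Z 203.0.113.7 admin
2015-03-01T10:00:15Z 203.0.113.7 administrator
2015-03-01T10:00:20Z 203.0.113.7 root
2015-03-01T10:03:00Z 198.51.100.9 admin
2015-03-01T10:16:00Z 203.0.113.7 admin
2015-03-01T10:30:00Z 198.51.100.9 admin
"""


def parse_line(line):
    """Split one log line into (datetime, ip, username)."""
    stamp, ip, user = line.split()
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), ip, user


class BruteForceGuard:
    """Per-host failure counter with a sliding window and timed lockouts."""

    def __init__(self, max_attempts=MAX_ATTEMPTS_PER_HOST,
                 check_period=CHECK_PERIOD, lockout_period=LOCKOUT_PERIOD):
        self.max_attempts = max_attempts
        self.check_period = check_period
        self.lockout_period = lockout_period
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> when the lockout expires

    def record_failure(self, when, ip):
        """Return 'locked' if the host is already locked out, 'lockout' if
        this failure triggers a new lockout, otherwise 'allowed'."""
        until = self.locked_until.get(ip)
        if until is not None:
            if when < until:
                return "locked"
            del self.locked_until[ip]       # lockout expired, start fresh
        recent = self.failures[ip]
        recent.append(when)
        while recent and when - recent[0] > self.check_period:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = when + self.lockout_period
            recent.clear()
            return "lockout"
        return "allowed"


def replay(log_text, guard=None):
    """Feed every line through the guard; return (ip, user, decision) tuples.
    Lines must be in chronological order, as a log export would be."""
    guard = guard or BruteForceGuard()
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, ip, user = parse_line(line)
        decisions.append((ip, user, guard.record_failure(when, ip)))
    return decisions


def locked_hosts(decisions):
    """Set of hosts that triggered at least one lockout during the replay."""
    return {ip for ip, _, decision in decisions if decision == "lockout"}


if __name__ == "__main__":
    for ip, user, decision in replay(SAMPLE_LOG):
        print(f"{ip:<14} {user:<14} {decision}")
    print("locked out:", sorted(locked_hosts(replay(SAMPLE_LOG))))
```

Run it and the first host is locked on its fifth failure and refused on the sixth, while the second host never trips the threshold because its two failures fall outside the check period; the first host’s attempt at 10:16 is accepted again because its 15-minute lockout has expired. Applied to live login requests instead of a log export, this is the rule that local brute force protection enforces on the server, which is why the default numbers matter: a short check period with a high threshold lets a slow, patient attacker through.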
2. Change the Login Area
One of WordPress’s weak spots is that everyone knows you log in at wp-login.php (or wp-admin), so automated tools hit that URL by default. With iThemes Security you can change the URL used for login. This seems simple, but you wouldn’t believe how many hack attempts this blocks.
Check the “Hide Backend” field.
Then enter your own “Login Slug”. Don’t forget this slug! Bear in mind that this is obscurity rather than a fix: an attacker who discovers the new slug faces the same login form, so keep brute force protection enabled and use strong passwords.
Many people, like me, are not looking for complex coding solutions or for security measures that slow the site down. For that purpose, I recommend spending a few minutes installing and configuring the two plugins described in this post.
Please let me know if there are any other security plugins that you think are invaluable.