Recently I have been doing a lot of testing on a couple of my web sites that run WordPress and realized that securing a site takes a bit of effort. There are some plugins that do a great job at certain things; however, I wasn't able to find any that did a great job of securing everything that I would prefer be secured. Below I describe a multi-pronged approach to securing your WordPress site from hacking attempts using multiple WordPress plugins as well as performing a couple of manual steps that keep the WordPress details exposed to the world to a minimum.
There are many tricks or little configuration items you can use to make your WordPress powered site more secure than the default install. One of those items is to require the login to happen over HTTPS and to require that all WordPress admin traffic takes place over HTTPS as well. I personally also use a plugin called WP Block Admin to only allow users with certain credentials access to wp-admin, so consider looking into that as well if you have areas of your site outside the admin section that require users to log in, like a forum or leaving comments.
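As an added example (not code from the original post), the following wp-config.php fragment shows how the HTTPS requirement for login and admin traffic is expressed in WordPress itself. FORCE_SSL_ADMIN is a real WordPress constant that covers both wp-login.php and wp-admin; the older FORCE_SSL_LOGIN constant is deprecated and is not needed alongside it. The X-Forwarded-Proto handling is an assumption about your hosting: include it only when a TLS-terminating proxy or load balancer in front of WordPress sets that header, because a client talking directly to the web server could otherwise set it themselves and bypass the check.

```php
<?php
// Added example: force HTTPS for login and all of wp-admin.
// Place these lines in wp-config.php above the line that reads
// "That's all, stop editing! Happy publishing." (the require of wp-settings.php).

// Send every wp-login.php and wp-admin request over HTTPS; plain-HTTP
// requests to those paths are redirected to the https:// equivalent.
define( 'FORCE_SSL_ADMIN', true );

// ASSUMPTION: WordPress sits behind a proxy that terminates TLS and sets
// X-Forwarded-Proto. Without this, WordPress sees plain HTTP from the proxy
// and FORCE_SSL_ADMIN would redirect in a loop. Remove this block if WordPress
// terminates TLS itself, since a direct client could spoof the header.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
    $_SERVER['HTTPS'] = 'on';
}
```

After adding this, confirm that http://yoursite/wp-login.php answers with a redirect to the https:// URL and that the admin pages load without a redirect loop; a loop is the usual sign that the proxy header assumption above does not match your setup.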
Recently I was upgrading various WordPress plugins, one of which was the WP Block Admin plugin. This plugin redirects all users with certain permissions away from the default /wp-admin directory back to the homepage after login. This is beneficial if most of your users only have to log in for a forum or to comment on WP posts. After upgrading the plugin I noticed it was no longer working. I went through the steps below to resolve the problem.
First off, the configuration file for this plugin is very simple, which makes this an easy problem to resolve. The plugin is located in the /wp-content/plugins/ subdirectory in a folder called wp-block-admin, and besides a readme file there is only one PHP file in this directory, called wp-block-admin.php. Besides the comments (including the version number) at the top of the file, the only other difference in the file was on line 33.
I have a couple of people who write articles from time to time, and after installing WP Block Admin they were unable to get to wp-admin anymore. We are only using three user levels on this site: Admin, Author, and Subscriber. On install, WP Block Admin is set to only allow Admin and Editor access to /wp-admin, so you have to modify wp-content/plugins/wp-block-admin/wp-block-admin.php. Find the line like this:
$wpba_required_capability = 'edit_others_posts';
Change it to this:
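To make clear what that single capability setting controls, here is an added example of a capability-gated wp-admin redirect written against the public WordPress API. It is not the WP Block Admin plugin's code; the $required_capability variable is a stand-in for the plugin's $wpba_required_capability setting, and the capability names follow WordPress's built-in roles ('edit_others_posts' is held by Editor and above, 'edit_posts' by Author and above). The AJAX exclusion is the check a practitioner would want: admin_init also fires for admin-ajax.php, which front-end features such as comment forms and forum plugins rely on, so redirecting those requests would break them for exactly the users you are trying to keep on the front end.

```php
<?php
/*
 * Added example (not the plugin's own code): send logged-in users who lack a
 * given capability away from wp-admin and back to the homepage. Can be dropped
 * into wp-content/mu-plugins/ as its own file.
 */
function example_block_admin_redirect() {
    // ASSUMPTION: this mirrors the role of $wpba_required_capability.
    // Lowering it to 'edit_posts' lets Authors in; 'manage_options' limits
    // wp-admin to Administrators.
    $required_capability = 'edit_others_posts';

    // admin_init runs for admin-ajax.php too; never redirect AJAX requests,
    // or front-end comment and forum features stop working for normal users.
    if ( wp_doing_ajax() ) {
        return;
    }

    if ( ! current_user_can( $required_capability ) ) {
        // wp_safe_redirect() only follows redirects to allowed hosts,
        // so a tampered URL cannot turn this into an open redirect.
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
}
add_action( 'admin_init', 'example_block_admin_redirect' );

// Optional: hide the admin toolbar from the same users so the front end does
// not keep offering links into a section they will be bounced out of.
function example_hide_admin_bar( $show ) {
    return current_user_can( 'edit_others_posts' ) ? $show : false;
}
add_filter( 'show_admin_bar', 'example_hide_admin_bar' );
```

To verify the gate after editing the capability, log in as an Author and as a Subscriber in a private browser window and request /wp-admin/ directly: the account below the threshold should land on the homepage, while posting a comment from the front end should still succeed because the AJAX path is exempt.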
I have been making some additions to WordPress to lock it down a bit and keep regular users away from wp-admin. There is a lot out there to do this type of thing, but I found the best combination for upgrading your register/login system and keeping the average user away from wp-admin, so they stay on the site, was to use Register Plus and WP Block Admin. They serve different purposes, but combined they provide a much nicer user experience.
Register Plus: This WordPress plugin allows you to create custom emails to users, a custom registration form, a password strength meter, a captcha, user registration verification emails, and more. When creating the custom registration form you can add custom fields, add custom CSS, etc. All in all it provides complete customization of the registration form and process.