Transcripts
1. Introduction How to implement HTTP Headers and Author: Greetings everyone. I am Saujan Pradhan, and today we will learn how you can implement the HTTP security headers, disable directory listing, and find out if your username is exposed on your WordPress website and secure it. So basically, your website will improve from an "F" score to an "A" score with all the security headers. We will also disable this directory listing for your website, as it is not good from the security perspective. And finally, we will check if the author's name is exposed or not and try to log in with the author's name. Then usually WordPress will confirm by saying that the username is correct and not the password. So we will secure all these error messages and also hide the author info. Thus, the only objective of this course is to improve the security of your WordPress website. What will we learn in this course? You will learn about some basic codes that you can use on your site to get a perfect "A" score for security headers, as well as disable directory listing and hide the authors' names. We will do all this by using codes and not any plugin, and these can be done in a very short time. What skills or coding knowledge is required for this lesson? Everything is clearly explained; thus, a basic knowledge of WordPress will suffice for this course. You will not require any coding skills. Simply copy and paste the codes as explained, and you are ready to go. So after this lesson, the overall security of your WordPress website will be improved. We will implement all the necessary security headers, disable directory listing and also hide the authors' (in most cases username) details, overall improving the security of the website. So let's get started.
2. How to Implement Security HTTP headers and disable directory listing with or without cPanel access: Greetings everyone. In this tutorial, we will quickly learn how to improve the security headers and disable directory listing for your WordPress website using a cPanel or without using it. So our demo site is hey, let's learn something.com slash demo. This is basically an n-fold him. Anyway, if you log in to the dashboard, that is wp-admin, enter your username and password. Now, if you go to Tools and Site Health, if you are using the Really Simple SSL plugin, then you should see these improvements: "Not all recommended security headers are installed." Or alternatively, if you go to securityheaders.com and check your website, copy and paste the URL and scan. You can see all these headers are missing and the site has an F score. So we will improve all these security headers. In order to do so, let's do it using the cPanel. Go to the cPanel URL, enter your username and password and log in. I have two-factor authentication. So here's the code. So we are now logged in. Your cPanel might look a little different, but find the File Manager. Every cPanel does have a File Manager. Click on it and look at your website files, usually under public_html. Click on it. Now here are all the website files. We now need to make some edits to the .htaccess file. It's currently hidden. So for that, go to Settings, Show hidden files, Save. So here's our .htaccess file. For safety purposes, simply download it and keep it as a backup. Anyway. Or else, right-click, click on Edit, Edit. So this is our .htaccess file. So here are the codes you need to add. These codes will be provided. Simply copy this and carefully paste it over here, or you can add it at the bottom. Please be very careful while adding this code, as the site may not work if there's any error. Anyway, save changes. And now let me refresh the Site Health. So we have resolved these security headers.
Let me rescan the site again. So you can see it's all green. And we have also scored an A. So this is how you can add security headers to your WordPress website. Just a reminder: if in case you made any mistake in the .htaccess file, your site might display an error. In that case, simply revert the change by pressing Control plus Z, or upload the .htaccess file that was backed up. Or carefully recopy the code and it will work anyway. So this security headers issue has been fixed. Now you can also disable the directory listing. So what that means is, if you go to your website URL and add /wp-includes/css, this is all visible. For security reasons, this is not good, so we will simply disable all this directory listing. This is very simple to do. Simply go back to the .htaccess file and add this Options -Indexes, copy this and paste it. Save changes. So it's saved. Now if I refresh this, it will throw an error. So this is how you can improve security headers and disable directory listing using a cPanel. But if you do not have access to the cPanel, you can also make changes using the WordPress login normally. However, you will need to be very careful while making the changes from the WordPress backend, as if there's any mistake, you won't be able to access the site and will have to use the cPanel. Anyway, let me close this. Log in to your dashboard, wp-admin. If you do not have access to cPanel, then we will use a plugin to access all the files. Go to Plugins and Add New and search for WP File Manager. So this is the plugin, File Manager. Install it and activate. Once it's activated, you'll see the File Manager here. Click on it. You can skip this or verify. Anyway. So here are all the website files, as you can see, even all the hidden files. So here's the .htaccess file. Let me close this. Anyway. Here's the .htaccess file, right-click and go to Code Editor. So there won't be this code. We'll just have to copy and paste the code here and save changes.
The only thing you need to be careful about while using this plugin is, if you made any mistake while pasting the code, your website will not be accessible. You will not be able to log in to your dashboard. So in that case, you will have to access your cPanel or FTP, locate the website files and make the necessary changes to the .htaccess file. Or you can as well download and delete it. By doing so, you will then be able to gain access to your website. If you carefully copy and paste the code, there won't be any issue. After doing these updates, you can uninstall this plugin if you wish to. Hope this lesson was helpful. Thank you very much.
3. Know how your WordPress website's username might be exposed and how you can secure it: Hello everyone. In this tutorial, you will get to know how your WordPress website username might be exposed and how you can secure it. By default, it's very easy to guess your username on a WordPress website. Let's take an example by visiting our demo site, hey, let's learn something.com slash demo. So this is our demo site. So whichever your site is, simply add ?author=1. So basically it gives the author name. In most of the cases, this author name is the username, as people rarely change the display name or use nicknames. Now if I try to log in to the dashboard, /wp-admin, and try this username, copy this and paste. Try a random password. Now what WordPress does is it tells me the username is correct, not the password. So basically WordPress confirms that this is the right username. Thus anyone trying to hack your site might easily get this information and try to attack the site, as it's clearly visible in the URL. Now there's also another way to find the author's name. Let me try with a new browser. Go to the site and add /wp-json/wp/v2/users/1. As you can see, the author's name is exposed. If you change this one to two, then other author names will also be shown. This site has only one author, so it's not showing. Likewise, for the earlier method, you could replace one with two to find the existing author names anyway. So as the author name in most of the cases is the username, it is exposed. As mentioned earlier, using this information, someone might try to access your website and WordPress will confirm if the username is correct or not. So first, let's change the error message. So if anyone finds the name, at least WordPress will not reconfirm it, if the username is correct or not. To do that, log in to your dashboard. After login, go to Appearance and Theme Editor. I understand. And find functions.php.
Scroll down. And here's the code. Simply copy this and paste it. So the first step is we are changing the error message. Anything written here between commas will be displayed as the error message. Let me open in incognito mode and try with the correct username and a random password. So what we are doing now is we are changing this error message. This message will be replaced by whatever message we write here. For now, it's "an incorrect username or password". Update the file. It's updated. Let me refresh the page and try to log in with the correct username and a blank or a wrong password. It will display "an incorrect username and password". And thus, it will not be possible to know if it's a correct username or not. So whatever username we try, right or wrong, the same message will be displayed. Now, let's block access to this. And this. In order to do that, again go to functions.php. We will be using another code. Here are the codes. Simply copy the code and paste it at the bottom and update the file. Now if I refresh this, we will be redirected to the home page. If I try to access ?author=1, we will be redirected to the home page. So basically, this is the code where we are redirecting to the home page. And for the other one, if I try to refresh this. So it's again hidden. So this code is blocking it for this one. So this is how you can stop WordPress from exposing the author name. The other important thing you can do is go to Users. And let's edit this user. So it's always a good idea to have a different nickname. Like for now, it's displaying as dazed, 1-2-3, 4-5-6. So instead of this, write any other name different than your username, so that the username is not publicly visible. I'll give a random name. Now. After that, in the drop-down, you will see the option. So this will also be hidden, as you can see. And simply update the profile. You can log in with your username. We are just trying to change how it is publicly displayed.
And the final thing besides the author is, if we check this site, here's an unnecessary index.php in between deadweight losses. If you go to Settings and Permalinks. So it is coming from here. Simply use Post name. If you want a category name, then select category and post name. And save changes. Then if I refresh this. So the URL is clean. I hope this lesson was helpful to you. Thank you very much.