WordPress Protection Security for your Website

WordPress is renowned for its usability and easy access, but its popularity also makes it an attractive target for bad actors. This WordPress security guide is an introduction to protecting visitors, mitigating threats, and building a safer WordPress site.

Recent statistics show that over 28% of website administrators across the web use WordPress. Its popularity comes at a price: WordPress sites are often targeted by malicious hackers and spammers who seek to leverage insecure websites to their advantage.

WordPress security is about risk reduction, not risk elimination. Because there will always be some risk, securing your WordPress site is an endless process that requires frequent reassessment of these attack vectors.

Nowadays WordPress is the most popular platform for website development, so you need to learn how to secure your website.

1. Use a Google reCAPTCHA plugin

  • Add reCaptcha to:
    • Registration form
    • Login form
    • Reset password form
    • Comments form
    • Contact Form
    • Testimonials
    • Custom form
  • Hide reCaptcha for allow-listed IP addresses
  • Disable the submit button
  • Validity check of keys in admin panel
  • Available reCaptcha themes for Version 2:
    • Light (default)
    • Dark
  • Compatible with Limit Attempts
  • Hide reCaptcha in your forms for certain user roles
  • Hide reCaptcha Badge (Invisible and V3)
  • Supports reCaptcha:
    • Version 2
    • Version 3
    • Invisible reCaptcha
  • Add custom code via plugin settings page
  • Compatible with latest WordPress version
  • Incredibly simple settings for fast setup without modifying code
  • Detailed step-by-step documentation and videos
  • Multilingual and RTL ready.

2. Keep your WordPress, Plugins and Themes up-to-date

By keeping your theme up to date, you make sure that your site will be 100% compatible with future WordPress releases (3 per year). We always test the upcoming beta version of WordPress many weeks beforehand to fix any potential problems with our themes.

3. Never use a well-known name for the admin user

Do not keep your username as admin, administrator, wpadmin, etc. Make your username harder to guess: include special characters in it, or use your email address instead of a plain username.

4. Rename the URL of your WordPress Login Page

Follow the steps given below:

  1. Login to your ManageWP Dashboard.
  2. In the left navigation menu, click on the site you changed the login URL for.
  3. Click “Options”.
  4. Change the “Website Admin URL” option from …/wp-admin/ to …/login/ (or whatever you changed it to).
  5. Click “Save Changes” and the window will auto-close after a green “Options Updated” message is displayed for a second or two.
  6. Click on the site again and click the “Site Admin” (or the icon next to it to open it in a new window) to make sure ManageWP can auto-login for you at the new URL.
  7. If you were able to login via ManageWP Dashboard, you’re all done.

5. Install WordPress security plugins

You should always install the Wordfence plugin on your website. It allows you to scan your child sites for security issues, monitor live traffic, and manage Wordfence settings across your network, all from your dashboard.

6. How to check which plugins should be installed

A plugin is a piece of software that you can add to your WordPress website to add new features.

Plugins can be incredibly useful tools. With that in mind, it is important to evaluate the value and the risk of each plugin you add to your site. Installing the wrong plugin can be damaging, either by breaking your site or by opening it up to security risks. Be savvy when deciding which plugins to use: only use highly rated, reputable plugins, and replace outdated plugins with newer alternatives.

7. Enable Two-factor Authentication (2FA) for wp-admin

Two-Factor Authentication (2FA), or Two-Step Verification, is an additional layer of security you add to your WordPress login pages. With 2FA it is virtually impossible for attackers to hijack your WordPress user account, even if they guess the password.

8. Use WPS Hide Login plugin

WPS Hide Login is a WordPress plugin that creates a secret admin login page. This prevents hackers from attacking the admin login page with password-guessing attacks, since the login page is hidden. Note, however, that a vulnerability in this plugin allowed a hacker to cause it to reveal the URL of the hidden page.

To remove the login menu / “+Submit Properties” link from the header, go to Theme Options > General > Header and set “Show user login menu in header?” to NO.

10. Create a strong password for each user and database user

Tips for creating strong passwords:

  1. Never use personal information such as your name, birthday, user name, or email address.
  2. Use a longer password.
  3. Don’t use the same password for every account.
  4. Try to include numbers, symbols, and both uppercase and lowercase letters.

11. Change your WordPress credentials regularly

To change your password in current versions:

  1. In the Administration Screen menu, go to Users > All Users.
  2. Click on your username in the list to edit it.
  3. In the Edit User screen, scroll down to the New Password section and click the Generate Password button.
  4. If you want to change the automatically-generated password, you can overwrite it by typing a new password in the box provided. The strength box will show you how good (strong) your password is.
  5. Click the Update User button.

Your new password becomes active immediately.

12. Use SSL on your WordPress site

SSL stands for Secure Sockets Layer, a global standard security technology that enables encrypted communication between a web browser and a web server.

When you install a certificate on your website (web server), it activates the padlock and the https protocol. This allows secure connections between the web server and the browser. In years past, an SSL certificate would usually only be found on websites that were performing financial transactions and taking personal information.

As time went by, they became popular on all social media sites. Then Google started encouraging all sites to have an SSL certificate. At this point, it is highly recommended to have one. Essentially, an SSL certificate binds the following two things together:

  1. A domain name, server, or hostname.
  2. An organizational identity (like a company name) and a location.

The process isn’t difficult. From your dashboard, click on Settings > General.

You will see a text box for “Site Address.” Make sure your domain’s prefix shows “https”. This helps redirect visitors to your secure content and solves a few problems with posts and pages not showing correctly.

You can also modify the .htaccess page manually if you feel like doing it that way and understand how. Take a quick look at how to do this below.

Should you want to modify the .htaccess manually, the code is quite simple. Just open the file in an editor and enter the following lines:


# HTTP TO HTTPS #
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

13. Delete unused themes from File Manager

You can use an FTP client or the File Manager app in your WordPress hosting account dashboard. Once connected, go to the /wp-content/themes/ folder and download the inactive theme folder to your computer. Once you have safely backed up your old theme, you can proceed to delete it.

14. Protect the WordPress wp-config.php

Protecting the WordPress wp-config.php file is another way to beef up your WordPress security. The wp-config.php file contains very sensitive information about your WordPress installation, such as the WordPress security keys and the database connection details. You certainly do not want the content of this file to fall into the wrong hands, so wp-config.php security is definitely something you should take seriously.

Move WordPress wp-config.php file

Ideally you would simply move the wp-config.php file to an unpredictable location to protect the sensitive data stored in it, but this is a difficult and time-consuming task: you would have to change the WordPress source code and maintain that change with every upgrade. Alternatively you can create a new file and move all the sensitive entries from wp-config.php into it, as explained below.

Remove Sensitive Information from wp-config.php

Create a new ‘config.php’ file

Create a new file called ‘config.php’. The file should be created in a directory that is not web-accessible. For example, if your blog or website content is in /home/youruser/public_html/, create the file config.php in /home/youruser/ so that it cannot be reached by any of your visitors. Typically this is the directory above public_html or www.

Open the existing wp-config.php file and move the lines which contain the database connection details, the database prefix and the WordPress security keys from wp-config.php to the new config.php file, as shown in the example below. Add <?php at the beginning of the new config.php file and ?> at the end of the file.

<?php
define('DB_NAME', 'Your_DB'); // name of database
define('DB_USER', 'DB_User'); // MySQL user
define('DB_PASSWORD', 'DB_pass'); // and password
define('DB_HOST', 'localhost'); // MySQL host
 
// The WordPress Security Keys
 
define('AUTH_KEY',         'Your_key_here');
define('SECURE_AUTH_KEY',  'Your_key_here');
define('LOGGED_IN_KEY',    'Your_key_here');
define('NONCE_KEY',        'Your_key_here');
define('AUTH_SALT',        'Your_key_here');
define('SECURE_AUTH_SALT', 'Your_key_here');
define('LOGGED_IN_SALT',   'Your_key_here');
define('NONCE_SALT',       'Your_key_here');
 
// The WordPress database table prefix
$table_prefix  = 'wp_'; // only numbers, letters and underscore
?>

Modify wp-config.php file

After removing all the sensitive data from the wp-config.php file, add the following line straight after <?php in wp-config.php: include('/home/yourname/config.php'); So the first two lines of your wp-config.php should look like this:

<?php
include('/home/yourname/config.php');

Now instead of having all the sensitive information stored in your wp-config.php file, the wp-config.php file is reading such information from a different location.

15. Prevent access to license.txt, wp-config-sample.php and readme.html via .htaccess

You don’t really need to remove these files; it’s much easier to just block access to them. If you are using pretty URLs you already have an .htaccess file. Using .htaccess to block the files is secure and you only have to add the directive once.

Blocking files is done by adding a directive to .htaccess like this:

    <files filename.file-extension>
         order allow,deny
         deny from all
    </files>

So, to block readme.html you do this:

    <files readme.html>
         order allow,deny
         deny from all
    </files>

Do the same with the license file or any other file you want to prevent anyone from accessing. Just open .htaccess in Notepad or any other basic text editor, add the directives and save, making sure that the text editor keeps the file name exactly as .htaccess, without any .txt on the end.
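As an added example (not code from the original post), here is the same blocking done with one FilesMatch directive for all three files this section names, extended to cover wp-config.php itself, which section 14 singles out as sensitive. The `order allow,deny` / `deny from all` lines above are Apache 2.2 syntax; Apache 2.4 replaced them with `Require` from mod_authz_core, and the old syntax only keeps working on 2.4 when the compatibility module mod_access_compat is loaded. The IfModule pair below chooses whichever form the running server understands:

```apache
# Added example: block direct requests to files that should never be served.
# The regex is anchored so that e.g. "my-readme.html" in a theme is not caught.
<FilesMatch "^(readme\.html|license\.txt|wp-config-sample\.php|wp-config\.php)$">
    # Apache 2.4 and later: mod_authz_core provides "Require".
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (or 2.4 without mod_authz_core): legacy access control.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After saving, request one of the files in a browser (for example /readme.html) and confirm you get a 403 Forbidden page rather than the file contents; if the site itself stops loading, the most common cause is a typo in the FilesMatch regex, which Apache reports as a 500 error.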

16. Disable editing in the dashboard via wp-config.php

When file editing is enabled, Administrator users can edit the code of themes and plugins directly from the WordPress dashboard. This is a potential security risk because not everyone has the skills to write code, and if a hacker breaks in, they would have access to all your data. That’s why we recommend disabling it.

  1. Log into the One.com control panel.
  2. Open File Manager under Files & Security.
  3. Locate the file wp-config.php and check the box to select it.
  4. Click Edit in the menu bar at the top of your screen.
  5. Search wp-config for define(‘DISALLOW_FILE_EDIT’, it is usually located towards the bottom.
  6. If you’ve found it, check that it is set to “true” (see below). If it’s not there, you need to add it to the bottom of the file, like this:

    define('DISALLOW_FILE_EDIT', true);

  7. Click Save at the top of your screen.
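Putting sections 14 and 16 together, here is an added example (not the post’s own code, and not the stock file WordPress ships) of what the top of a hardened wp-config.php can look like. It assumes the external file is at /home/yourname/config.php, the placeholder path used above; the existence check and the document-root check are this example’s own additions, and the ABSPATH/wp-settings.php lines at the end are the standard tail of every wp-config.php.

```php
<?php
// Added example, not the post's own code: the top of a wp-config.php that
// loads the sensitive defines from outside the web root (section 14) and
// disables the dashboard file editor (section 16).
// Placeholder path from the post; replace it with your own location.
$secret_config = '/home/yourname/config.php';

$real_path = realpath( $secret_config );
if ( false === $real_path ) {
    // Stop here: without the DB constants WordPress would only show a
    // generic "error establishing a database connection" page.
    die( 'External config file not found: ' . htmlspecialchars( $secret_config ) );
}

// Refuse to run if the file sits inside the document root, where a server
// misconfiguration (PHP handler off, directory listing on) could expose it.
if ( isset( $_SERVER['DOCUMENT_ROOT'] ) ) {
    $doc_root = realpath( $_SERVER['DOCUMENT_ROOT'] );
    if ( false !== $doc_root
        && 0 === strpos( $real_path, rtrim( $doc_root, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR ) ) {
        die( 'External config file must live outside the document root' );
    }
}

// require_once aborts if the file cannot be read; include() only warns and
// lets WordPress continue with the constants undefined.
require_once $real_path;

// Section 16: no theme/plugin editor in the dashboard, so a compromised
// administrator session cannot write PHP into a theme file from the browser.
define( 'DISALLOW_FILE_EDIT', true );

/* Everything below is the stock tail of wp-config.php. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

The `$table_prefix` variable set in the external config.php still reaches wp-settings.php because wp-config.php is itself loaded in global scope. If you deploy themes and plugins from version control rather than from the dashboard, the stricter `DISALLOW_FILE_MODS` constant also removes plugin and theme installation and updates from the dashboard.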

17. Deny access to all files and folders through .htaccess

Create a .htaccess file in the root of your project directory structure. Then open the .htaccess file and add the directive deny from all:

    deny from all

Now you are done. To check whether this directive is working, try to access any file or folder of your project. You will get the following message:

    Forbidden
    You don’t have permission to access /example/ on this server.
    Apache/2.4.7 (Ubuntu) Server at localhost Port 80

For more tips, visit https://secure.wphackedhelp.com/blog/wordpress-security-checklist-guide/
