How to Secure WordPress Site?
How to Secure WordPress Site: Hackers can steal your information and passwords, install malware on your site, and then use it to distribute that malware.
- Google blacklists more than 20,000 websites for malware and more than 50,000 for phishing each week. (Source: sucuri.net)
- 90,000 websites are hacked every day, and 10,000 websites are blacklisted every day.
- Hackers attack every 39 seconds and steal 75 records every second. (Source: Security Magazine)
- 73% of black hat hackers say traditional firewalls and antivirus are irrelevant. (Source: Thycotic.com)
- Hackers create 300,000 new malware samples daily. (Source: McAfee)
- 30,000 websites are hacked every day. (Source: Forbes)
- Shared hosting providers: an attacker who escalates privileges on the whole server automatically gains access to your website as well.
- Criminals attempt to steal domains 170,000 times a year.
WordPress Site Statistics
- WordPress powers 35% of the internet in 2020 and 28% of eCommerce sites
- 98% of WordPress hacks are related to plugins
- 87% of websites have mid-level weaknesses. (Acunetix Report 2019)
Check List
Security Name | At | Bn | Sp | Hd | Hl |
---|---|---|---|---|---|
1. WORDPRESS SECURITY | . | . | . | . | . |
Set strong passwords | Y | Y | Y | Y | Y |
How to Backup and Restore WordPress Site with or without Plugin | Y | Y | Y | Y | Y |
Update Theme Storefront, Kuteshop, Woodmart & Sahifa | Y | Y | Y | Y | Y |
Update Plugin (Free & Pro Only) | Y | Y | Y | Y | Y |
Remove unused theme Active/Disabled | Y | Y | Y | Y | Y |
Remove Inactive User from WP, cPanel, FTP etc | . | . | . | . | . |
Do not use Admin / Root as User Name | Y | Y | Y | Y | Y |
New User Default Role set as Subscriber | Y | Y | Y | Y | Y |
Automatically log out Idle Users in WordPress | . | . | . | . | . |
Change Default Login URL | . | . | . | Y | . |
Limit Login Attempt | . | . | . | . | . |
Add Security Questions to WordPress Login Screen | Y | Y | Y | Y | Y |
Add two factor authentication for WP | . | . | . | . | . |
Enable Web Application Firewall (WAF) In WP | . | . | . | . | . |
Change WordPress Database wp_prefix | Y | Y | Y | Y | Y |
Disable Directory Indexing (Robots.txt) | Y | Y | Y | Y | Y |
Protected Access to WP Admin FOLDER | . | . | . | . | . |
Scanning WordPress for Malware and Vulnerabilities | Y | Y | Y | Y | Y |
Configure Brute Force Protection in WordPress | Y | Y | Y | Y | Y |
How to block spam comments | Y | Y | Y | Y | Y |
Fixing a Hacked WordPress Site | Y | Y | Y | Y | Y |
1 Click Staging | Y | Y | Y | Y | Y |
2. HOSTING SERVER SECURITY | . | . | . | . | . |
Set strong passwords | Y | Y | Y | Y | Y |
Add two factor authentication for hosting | Y | Y | Y | Y | Y |
Enable Web Application Firewall (WAF) in Hosting | . | . | . | . | . |
Disable SSH Access | . | . | . | . | . |
Incorrect File Permissions | . | . | . | . | . |
How to Edit Wp Config Php From Dashboard | . | . | . | . | . |
Disable XML-RPC in WordPress | . | . | . | . | . |
Prevent PHP direct execution on sensitive directories | . | . | . | . | . |
WordPress Htaccess Configuration Access Control Allow Origin | . | . | . | . | . |
Check & Compare All System HTML Files | Y | Y | Y | Y | Y |
Check & Compare All System Php Files | Y | Y | Y | Y | Y |
Configure Brute Force Protection in Hosting | . | . | . | . | . |
Hotlink Protection (cPanel) | . | . | . | . | . |
3. CDN SECURITY | |||||
Set strong passwords | Y | Y | Y | Y | Y |
How to implement cloudflare CDN | Y | Y | Y | Y | Y |
4. SSL SECURITY | |||||
How To Install SSL Certificate in cPanel for WordPress Website | Y | Y | Y | Y | Y |
SSL between Hosting & Cloudflare | . | . | . | . | . |
5. DOMAIN SECURITY | |||||
Set strong passwords | Y | Y | Y | Y | Y |
Add two factor authentication for domain | Y | Y | Y | . | . |
Keep note for all registration information | Y | Y | Y | Y | Y |
Set domain expiry notification | Y | Y | Y | Y | Y |
Backup your Website
This is very important: when your files are infected you may not be able to clean out all of the infected code, and in that situation you can restore your files from the backup.
Disable File Edit
WordPress has a built-in code editor under the Appearance menu which allows you to edit your theme and plugin files from the WordPress admin area. You should disable it by adding the following line to wp-config.php:

```php
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
```
Limit Login Attempt
Limit login attempts to protect your site from brute force attacks.
- phppot.com/wordpress/how-to-limit-login-attempts-in-wordpress/
- stackoverflow.com/questions/25836668/wordpress-limit-login-attempts-without-plugins
Add the code below to the WordPress functions.php. It contains the WordPress action and filter hooks and their callback functions; the callbacks restrict the number of invalid login attempts.

```php
// Block logins after 3 failed attempts for 5 minutes (300 s). The counter is
// stored in one site-wide transient, not per IP, so failed attempts from any
// visitor lock the login form for everyone until the transient expires.
function check_attempted_login( $user, $username, $password ) {
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );
        if ( $datas['tried'] >= 3 ) {
            $until = get_option( '_transient_timeout_' . 'attempted_login' );
            $time  = time_to_go( $until );
            return new WP_Error(
                'too_many_tried',
                sprintf( __( '<strong>ERROR</strong>: You have reached authentication limit, you will be able to try again in %1$s.' ), $time )
            );
        }
    }
    return $user;
}
add_filter( 'authenticate', 'check_attempted_login', 30, 3 );

// Count each failed login; the transient expires 300 s after the last update.
function login_failed( $username ) {
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );
        $datas['tried']++;
        if ( $datas['tried'] <= 3 ) {
            set_transient( 'attempted_login', $datas, 300 );
        }
    } else {
        $datas = array( 'tried' => 1 );
        set_transient( 'attempted_login', $datas, 300 );
    }
}
add_action( 'wp_login_failed', 'login_failed', 10, 1 );

// Convert the seconds remaining until $timestamp into a human-readable period
// such as "4 minutes" for the error message.
function time_to_go( $timestamp ) {
    $periods = array( 'second', 'minute', 'hour', 'day', 'week', 'month', 'year' );
    $lengths = array( '60', '60', '24', '7', '4.35', '12' );
    $current_timestamp = time();
    $difference = abs( $current_timestamp - $timestamp );
    for ( $i = 0; $difference >= $lengths[ $i ] && $i < count( $lengths ) - 1; $i++ ) {
        $difference /= $lengths[ $i ];
    }
    $difference = round( $difference );
    if ( $difference != 1 ) {
        $periods[ $i ] .= 's';
    }
    return "$difference $periods[$i]";
}
```
Add two factor authentication
Source: wpbeginner.com/wordpress-security/#whysecurity
Do not use Admin / Root as User Name
If a default "admin" user exists, change its username. If you are not able to delete that user, change its role to Subscriber.
Change WordPress Database wp_ Prefix
There are two ways to change it: install a plugin, or do it manually with SQL commands. The manual steps are given below.
Step 1 – Change the table prefix in wp-config.php. Open the file from File Manager and edit the line

```php
$table_prefix = 'wp_';
```

so that it reads

```php
$table_prefix = 'wprmg_';
```

Now save the file.
Step 2 – Change all table prefix in database
Click on the database name > select all tables starting with wp_ > open the "With selected" drop-down > type wp_ in the From field and wprmg_ in the To field > click Continue to apply the change.
Step 3 – Replace all references into the old prefix
Some rows in the database still reference the old table prefix (user capabilities, user level, autosave draft ids and the user_roles option). To complete the prefix change, you need to replace these references with the new prefix.
Now go to the SQL tab in phpMyAdmin and copy and paste the following commands:

```sql
update NEWPREFIX_usermeta set meta_key = 'NEWPREFIX_capabilities' where meta_key = 'OLDPREFIX_capabilities';
update NEWPREFIX_usermeta set meta_key = 'NEWPREFIX_user_level' where meta_key = 'OLDPREFIX_user_level';
update NEWPREFIX_usermeta set meta_key = 'NEWPREFIX_autosave_draft_ids' where meta_key = 'OLDPREFIX_autosave_draft_ids';
update NEWPREFIX_options set option_name = 'NEWPREFIX_user_roles' where option_name = 'OLDPREFIX_user_roles';
```
Replace OLDPREFIX and NEWPREFIX with your own old and new prefix, as in the example below, where wp_ is replaced with david_:

```sql
update david_usermeta set meta_key = 'david_capabilities' where meta_key = 'wp_capabilities';
update david_usermeta set meta_key = 'david_user_level' where meta_key = 'wp_user_level';
update david_usermeta set meta_key = 'david_autosave_draft_ids' where meta_key = 'wp_autosave_draft_ids';
update david_options set option_name = 'david_user_roles' where option_name = 'wp_user_roles';
```
Click on Go to run the commands and complete the change.
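The three steps above, carried out in code as an added example (this is not part of the original page or of any WordPress tool): a constructed SQLite copy of the relevant WordPress tables stands in for the MySQL database, the tables are renamed as in Step 2, and the prefixed usermeta keys and option names are rewritten as in Step 3. It generalizes Step 3 slightly: every meta_key or option_name that starts with the old prefix is rewritten, not only the four listed on the page, and a check function reports how many old-prefix references remain, which is the verification you would run in phpMyAdmin afterwards. The table names and sample rows are constructed; the prefixes are the ones used in the steps above.

```python
import sqlite3

OLD_PREFIX = "wp_"
NEW_PREFIX = "wprmg_"   # new prefix used in the steps above

# Constructed sample data standing in for a real WordPress database. A real
# site runs MySQL; SQLite is used here only so the example runs offline.
SAMPLE_SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                          meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
                         option_value TEXT);
INSERT INTO wp_users VALUES (1, 'editor1');
INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_usermeta VALUES (2, 1, 'wp_user_level', '10');
INSERT INTO wp_usermeta VALUES (3, 1, 'wp_user-settings', 'editor=html');
INSERT INTO wp_usermeta VALUES (4, 1, 'nickname', 'editor1');
INSERT INTO wp_options VALUES (1, 'wp_user_roles', 'a:5:{...}');
INSERT INTO wp_options VALUES (2, 'siteurl', 'https://example.com');
"""


def open_sample_db():
    """Create the in-memory sample database with the old prefix."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def prefixed_tables(conn, prefix):
    """Sorted names of all tables whose name starts with `prefix`."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows if r[0].startswith(prefix))


def change_prefix(conn, old, new):
    """Step 2: rename every old-prefix table. Step 3: rewrite the prefixed
    usermeta keys and option names that WordPress derives from the prefix."""
    for table in prefixed_tables(conn, old):
        conn.execute(f'ALTER TABLE "{table}" RENAME TO "{new}{table[len(old):]}"')
    # Any key starting with the old prefix is rewritten, not only the four on the page.
    conn.execute(
        f'UPDATE "{new}usermeta" SET meta_key = ? || substr(meta_key, ?) '
        'WHERE substr(meta_key, 1, ?) = ?',
        (new, len(old) + 1, len(old), old),
    )
    conn.execute(
        f'UPDATE "{new}options" SET option_name = ? || substr(option_name, ?) '
        'WHERE substr(option_name, 1, ?) = ?',
        (new, len(old) + 1, len(old), old),
    )
    conn.commit()


def leftover_references(conn, old, new):
    """Verification: count tables, meta keys and option names still carrying
    the old prefix. Anything non-zero means the site would lose roles/capabilities."""
    tables = len(prefixed_tables(conn, old))
    meta = conn.execute(
        f'SELECT COUNT(*) FROM "{new}usermeta" WHERE substr(meta_key, 1, ?) = ?',
        (len(old), old)).fetchone()[0]
    opts = conn.execute(
        f'SELECT COUNT(*) FROM "{new}options" WHERE substr(option_name, 1, ?) = ?',
        (len(old), old)).fetchone()[0]
    return tables + meta + opts


if __name__ == "__main__":
    db = open_sample_db()
    print("before:", leftover_references(db, OLD_PREFIX, OLD_PREFIX), "old-prefix references")
    change_prefix(db, OLD_PREFIX, NEW_PREFIX)
    print("after: ", leftover_references(db, OLD_PREFIX, NEW_PREFIX), "old-prefix references")
    print(prefixed_tables(db, NEW_PREFIX))
```

The same two UPDATE statements, with CONCAT() in place of `||`, are what you would run in the phpMyAdmin SQL tab on MySQL; the point of the check function is that renaming the tables alone leaves the capability and role rows pointing at the old prefix, which is why Step 3 is required.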
Change Default Login URL Without Plugin
Process 1: The WordPress default login URLs are /wp-login.php and /wp-admin
- First go to public_html
- Then take a backup of the wp-login.php file
- Then rename wp-login.php to any name you like, for example mashiur.php
- Then open mashiur.php in an editor such as Notepad++
- Then replace every occurrence of wp-login.php with mashiur.php (generally about 12 occurrences are replaced)
- Finally it is done. Now go to your new URL and log in
Process 2: Add the following rule to your .htaccess file to change the name of your login URL:

```apache
RewriteRule ^mynewlogin$ http://www.yoursite.com/wp-login.php [NC,L]
```
Process 3: Plugin Installation
Prevent PHP direct execution on sensitive directories
Directories such as “wp-content” and “wp-includes” are generally not intended to be accessed by any user, consider hardening them via Sucuri Security -> Settings -> Hardening.
Disable SSH Access
It may be enabled by default. 99% of hackers try to log in through the SSH console, so you must disable it.
Configure Brute Force Protection
You can configure brute force protection at the WordPress plugin level, in cPanel, in WHM, on a VPS, and even from a dedicated server's control panel.
Jetpack Security:
Use the free feature of the Jetpack plugin to protect against brute force attacks.
Configure cPHulk Brute Force Protection
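Whichever layer enforces the block (the functions.php snippet under Limit Login Attempt, Jetpack, or cPHulk), the underlying detection is the same: count failed login attempts per source IP inside a time window and act when a threshold is reached. The following is an added example of that detection logic run over web-server access logs; it is not code from the page, from Jetpack or from cPanel. It uses constructed Apache combined-format log lines and the heuristic that a failed POST to wp-login.php re-renders the form with HTTP 200 while a successful one redirects with 302; POSTs to xmlrpc.php (the other login surface the page discusses) are counted the same way. The IP addresses, timestamps, threshold and window are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format).
# 203.0.113.5: four failures in seconds. 198.51.100.7: one failure, then success.
# 192.0.2.9: three failures spaced ten minutes apart (a "low and slow" attempt).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:43 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, path, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_failed_logins(text):
    """Return (ip, datetime) for every request that looks like a failed login:
    a POST to a login endpoint answered with 200 instead of a 302 redirect."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] in LOGIN_PATHS and status == "200":
            events.append((ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")))
    return events


def find_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: peak_attempts} for every IP that reached `threshold` failed
    attempts inside any sliding window of length `window`."""
    per_ip = defaultdict(list)
    for ip, t in events:
        per_ip[ip].append(t)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        recent = deque()  # attempts inside the current window
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    failed = parse_failed_logins(SAMPLE_LOG)
    print("5-minute window:", find_brute_force(failed))
    print("30-minute window:", find_brute_force(failed, window=timedelta(minutes=30)))
```

With the default 5-minute window only 203.0.113.5 is flagged; 192.0.2.9 slips through because each of its attempts falls in a separate window, and widening the window to 30 minutes catches it. That trade-off between window length and false positives from users who simply mistype a password is the setting you are choosing when you configure the lockout period in Jetpack or cPHulk.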
Disable XML-RPC in WordPress
The XML-RPC endpoint is at domain.com/xmlrpc.php.
The xmlrpc.php file is required for Jetpack to work; if you disable XML-RPC, Jetpack will not work.
1 Click Staging
Safely test changes to your website before you roll them out to visitors, without breaking your site. Staging gives you the confidence to test changes before you publish, without worry. It creates a copy of your site in a "sandbox" environment where you can experiment and preview changes without affecting the live site. When you're ready, push your changes to your live site with a single click.
- You'll see a link and login information, for example abccom.stage.site
- When you go there, you'll be asked for a username and password. They are provided on the same staging tab
- The staging site should be a replica of your live site. You can then log in to the staging wp-admin and make the changes there
- Remember, your changes in staging will not affect the live site. If you like the changes you made on the staging site and want to push them to the live site, you can request that on the staging tab
Security Plugin List
(A) Jetpack – WP Security, Backup, Speed, & Growth
(B) Wordfence Security – Firewall & Malware Scan
(C) All In One WP Security & Firewall
(D) Defender Security – Malware Scanner, Login Security & Firewall
(E) Cerber Security, Anti-spam & Malware Scan
(F) Security & Malware scan by CleanTalk
(G) WP Hide & Security Enhancer
(H) NinjaFirewall (WP Edition) – Advanced Security
(I) Shield Security: Powerful All-In-One Protection
(J) Security Ninja – Secure Firewall & Secure Malware Scanner
(K) MalCare Security – Free Malware Scanner, Protection & Security for WordPress
(L) BulletProof Security
(M) Sucuri Security – Auditing, Malware Scanner and Security Hardening
(N) Titan Anti-spam & Security
(O) WP Activity Log
(P) Anti-Malware Security and Brute-Force Firewall
(Q) Hide My WP Ghost – Security Plugin
Free Features
- Block spam comments
- Block brute force attacks on passwords
- Block brute force attacks that enumerate account names
- Two-factor authentication (2FA)
- CAPTCHA stops bots from logging in
- Google reCAPTCHA against spammers
- Limit login attempts
- Custom login URL
- WordPress.com powered login and 2FA for extra protection
- Back up your site automatically and restore it
- Set a maximum password age and force users to choose a new password
- Security protection for the WordPress login form
- Security protection for the WordPress backend
- Uptime / downtime monitoring
- Checks core files, themes and plugins for malware
- Activity log and alerts to the admin for file editing
- Repair files that have changed by overwriting them with a pristine, original version
- Checks your content safety by scanning file contents, posts and comments for dangerous URLs and suspicious content
- Block logins for administrators using known compromised passwords
- Firewall identifies and blocks malicious traffic
- Blocks requests that include malicious code and content
- Temporary privilege access permission
- Login masking – change the location of WordPress's default login area
- Login lockout – failed login attempts lockout
- 404 Detection – automated block of bot IPs
- Geolocation IP lockout – block users based on location and country (IP blocking)
- WordPress Security Firewall – block or whitelist IPs
- Disable trackbacks and pingbacks – spam prevention
- Change default database prefix – they won't find this
- Disable file editor – if they get in, they won't get far
- Prevent PHP execution – because it's daaaangerous
- Permit or restrict access by White IP Access List and Black IP Access List with a single IP, IP range or subnet
- Cerber anti-spam engine for protecting contact and registration forms
- Protects wp-login.php, wp-signup.php and wp-register.php from attacks
- Hides wp-admin (dashboard) if a visitor isn't logged in
- Immediately blocks an intruder IP when attempting to log in with a non-existent or prohibited username
- Restrict user registration or login with a username matching REGEX patterns
- Block access to XML-RPC (including Pingbacks and Trackbacks)
External Tutorial
Topic | URL |
---|---|
cPHulk Brute Force Protection | docs.cpanel.net/whm/security-center/cphulk-brute-force-protection/#blacklist-management |
cPHulk Brute Force Protection | youtube.com/watch?v=mmhXVY2eNpM |
VPS Backup Setup | docs.cpanel.net/whm/backup/backup-configuration |
WP Login URL Change | themesgrove.com/change-wordpress-login-url-without-plugin |
WP Login URL Change | elegantthemes.com/blog/resources/how-to-obscure-your-sites-login-page-without-a-plugin |
1 click staging | dreamhost.com/features/wordpress-staging |