How to Secure WordPress WebSite Domain & Hosting Server ?
How to Secure WordPress Site?
How to Secure WordPress Site? >> Innovative Techniques of Digital Marketing to Grow & Sustain RMG Business
How to Secure WordPress Site: Hackers can steal your information and password to install malware software so they can distribute.
- Google blacklisting more than 20,000 websites for malware and more than 50,000 for phishing each week. (Source: sucuri . net )
- 90k website hacks everyday, 10k websites blacklisted everyday.
- There is an attack every 39 seconds by Hackers and steal 75 records in every second (Source: Security Magazine )
- 73% black hat hackers said traditional firewall & antivirus is irrelevant (Source: Thycotic . com)
- Hackers make 300,000 new malwares daily. (Source: McAfee)
- 30,000 websites are hacked every day. (Source: Forbes)
- Shared Hosting Providers. hackers escalate their privileges on whole server, so automatically gaining access to your website
- 170,000 times a year criminals attempt to steal domains.
WordPress Site Statistics
- WordPress powers 35% of the internet in 2020 and 28% of eCommerce site
- 98% of WordPress hack are related to plugins
- 87% of websites have mid-level weaknesses. (Acunetixs Report 2019)
Check List
| Security Name | At | Bn | Sp | Hd | Hl |
|---|---|---|---|---|---|
| 1. WORDPRESS SECURITY | . | . | . | . | . |
| Set strong passwords | Y | Y | Y | Y | Y |
| How to Backup and Restore WordPress Site with or without Plugin | Y | Y | Y | Y | Y |
| Update Theme Storefront, Kuteshop, Woodmart & Sahifa | Y | Y | Y | Y | Y |
| Update Plugin (Free & Pro Only) | Y | Y | Y | Y | Y |
| Remove unused theme Active/Disabled | Y | Y | Y | Y | Y |
| Remove unused theme Active/Disabled | Y | Y | Y | Y | Y |
| Remove Inactive User from WP, cPanel, FTP etc | . | . | . | . | . |
| Do not use Admin / Root as User Name | Y | Y | Y | Y | Y |
| New User Default Role set as Subscriber | Y | Y | Y | Y | Y |
| Set strong passwords | Y | Y | Y | Y | Y |
| Automatically log out Idle Users in WordPress | . | . | . | . | . |
| Change Default Login URL | . | . | . | Y | . |
| Limit Login Attempt | . | . | . | . | . |
| Add Security Questions to WordPress Login Screen | Y | Y | Y | Y | Y |
| Add two factor authentication for WP | . | . | . | . | . |
| Enable Web Application Firewall (WAF) In WP | . | . | . | . | . |
| Change WordPress Database wp_prefix | Y | Y | Y | Y | Y |
| Disable Directory Indexing (Robots.txt) | Y | Y | Y | Y | Y |
| Protected Access to WP Admin FOLDER | . | . | . | . | . |
| Scanning WordPress for Malware and Vulnerabilities | Y | Y | Y | Y | Y |
| Configure Brute Force Protection in WordPress | Y | Y | Y | Y | Y |
| How to block spam comments | Y | Y | Y | Y | Y |
| Fixing a Hacked WordPress Site | Y | Y | Y | Y | Y |
| 1 Click Staging | Y | Y | Y | Y | Y |
| 2. HOSTING SERVER SECURITY | . | . | . | . | . |
| Set strong passwords | Y | Y | Y | Y | Y |
| Add two factor authentication for hosting | Y | Y | Y | Y | Y |
| Enable Web Application Firewall (WAF) in Hosting | . | . | . | . | . |
| Disable SSH Access | . | . | . | . | . |
| Incorrect File Permissions | . | . | . | . | . |
| How to Edit Wp Config Php From Dashboard | . | . | . | . | . |
| Disable XML-RPC in WordPress | . | . | . | . | . |
| Prevent PHP direct execution on sensitive directories | . | . | . | . | . |
| WordPress Htaccess Configuration Access Control Allow Origin | . | . | . | . | . |
| Check & Compare All System HTML Files | Y | Y | Y | Y | Y |
| Check & Compare All System Php Files | Y | Y | Y | Y | Y |
| Configure Brute Force Protection in Hosting | . | . | . | . | . |
| Hotlink Protection (cPanel) | . | . | . | . | . |
| 3. CDN SECURITY | |||||
| Set strong passwords | Y | Y | Y | Y | Y |
| How to implement cloudflare CDN | Y | Y | Y | Y | Y |
| 4. SSL SECURITY | |||||
| How To Install SSL Certificate in cPanel for WordPress Website | Y | Y | Y | Y | Y |
| SSL between Hosting & Cloudflare | . | . | . | . | . |
| 5. DOMAIN SECURITY | |||||
| Set strong passwords | Y | Y | Y | Y | Y |
| Add two factor authentication for domain | Y | Y | Y | . | . |
| Keep note for all registration information | Y | Y | Y | Y | Y |
| Set domain expiry notification | Y | Y | Y | Y | Y |
Backup your Website
This is very important because when your file will be infected you may not clean all infected code, so in this situation you can restore your files
Disable File Edit
WordPress has built in code editor under Appearance menu which allows you to edit your theme and plugin files from your WordPress admin area. You should disable it. You can add code in wp-config.php files
1 // Disallow file edit
2 define( ‘DISALLOW_FILE_EDIT’, true );
Limit Login Attempt
Limit Login Attempts to protect your site from brute force attacks
- phppot . com/wordpress/how-to-limit-login-attempts-in-wordpress/
- stackoverflow . com/questions/25836668/wordpress-limit-login-attempts-without-plugins
Add below code to WordPress functions.php. This code contains the WordPress action & filter hook and the corresponding callback function. The callback contains code for restricting number of invalid login attempts.
function check_attempted_login( $user, $username, $password ) {
if ( get_transient( 'attempted_login' ) ) {
$datas = get_transient( 'attempted_login' );
if ( $datas['tried'] >= 3 ) {
$until = get_option( '_transient_timeout_' . 'attempted_login' );
$time = time_to_go( $until );
return new WP_Error( 'too_many_tried', sprintf( __( '<strong>ERROR</strong>: You have reached authentication limit, you will be able to try again in %1$s.' ) , $time ) );
}
}
return $user;
}
add_filter( 'authenticate', 'check_attempted_login', 30, 3 );
function login_failed( $username ) {
if ( get_transient( 'attempted_login' ) ) {
$datas = get_transient( 'attempted_login' );
$datas['tried']++;
if ( $datas['tried'] <= 3 )
set_transient( 'attempted_login', $datas , 300 );
} else {
$datas = array(
'tried' => 1
);
set_transient( 'attempted_login', $datas , 300 );
}
}
add_action( 'wp_login_failed', 'login_failed', 10, 1 );
function time_to_go($timestamp)
{
// converting the mysql timestamp to php time
$periods = array(
"second",
"minute",
"hour",
"day",
"week",
"month",
"year"
);
$lengths = array(
"60",
"60",
"24",
"7",
"4.35",
"12"
);
$current_timestamp = time();
$difference = abs($current_timestamp - $timestamp);
for ($i = 0; $difference >= $lengths[$i] && $i < count($lengths) - 1; $i ++) {
$difference /= $lengths[$i];
}
$difference = round($difference);
if (isset($difference)) {
if ($difference != 1)
$periods[$i] .= "s";
$output = "$difference $periods[$i]";
return $output;
}
}
Add two factor authentication
Source: wpbeginner . com/wordpress-security/#whysecurity
Do not use Admin / Root as User Name
Change Default Admin username if any. If not you are not able to delete user, make him subscriber.
Change WordPress Database wp_ Prefix
We can change it tow ways. One is Plugin Installation and custom SQL mode.
We can change it both custom more or with SQL command. The steps given below –
Step 1 – Change all table prefix in wp-config.php. Edit below prefix from File Manager
$table_prefix = ‘wp_’;
Change as
$table_prefix = ‘wprmg_’;
Now Save the file
Step 2 – Change all table prefix in database
Click on database name > Select all table start with wp_ ; > Click With selected to open drop down > With selected > Type in wp_ in the From-field, and type wprmg_ in To-field, wprmg_ > Click Continue for change
Step 3 – Replace all references into the old prefix
WordPress still contain to the old table prefix. To all changing the prefix, you need to replace these with new prefix.
Now go to SQL command in phpmyadmin and copy and paste the following commands
update NEWPREFIX_usermeta set meta_key = 'NEWPREFIX_capabilities' where meta_key = 'OLDPREFIX_capabilities'; update NEWPREFIX_usermeta set meta_key = 'NEWPREFIX_user_level' where meta_key = 'OLDPREFIX_user_level'; update NEWPREFIX_usermeta set meta_key = 'NEWPREFIX_autosave_draft_ids' where meta_key = 'OLDPREFIX_autosave_draft_ids'; update NEWPREFIX_options set option_name = 'NEWPREFIX_user_roles' where option_name = 'OLDPREFIX_user_roles';
Replace OLDPREFIX and NEWPREFIX, with your own old and new prefix. Like in the example below, where we replace wp_ with david_:
update david_usermeta set meta_key = 'david_capabilities' where meta_key = 'wp_capabilities';
update david_usermeta set meta_key = 'david_user_level' where meta_key = 'wp_user_level';
update david_usermeta set meta_key = 'david_autosave_draft_ids' where meta_key = 'wp_autosave_draft_ids';
update david_options set option_name = 'david_user_roles' where option_name = 'wp_user_roles';
Click on Go to run the commands and complete the change.
Change Default Login URL Without Plugin
Process 1: WordPress default URL: /wp-login.php or /wp-admin
- At first go to public_html
- Then take backup wp-login.php file
- Then rename wp-login.php into any namen like mashiur.php
- Then open file mashiur.php in any editor like notepad++
- Then Replace all wp-login.php into mashiur.php (Generally 12 file will replace)
- Finally it is done. Now go to your new URL and login
Process 2: Add the following code to your .htaccess file to change the name of your login URL:
01 RewriteRule ^mynewlogin$ http://www.yoursite.com/wp-login.php [NC,L]
Process 3: Plugin Installation
Prevent PHP direct execution on sensitive directories
Directories such as “wp-content” and “wp-includes” are generally not intended to be accessed by any user, consider hardening them via Sucuri Security -> Settings -> Hardening.
Disable SSH Access
By default it may open. 99% hacker try to login with SSH console. So must disable it
Configure Brute Force Protection
You can protect from WordPress Plugin, cPanel, WHM, VPS, even form dedicated server control panel
Jetpack Security :
User Free feature of Jetpack plugin to protect brute force attack
cPhulk Brute Force Protection Configure
Disable XML-RPC in WordPress
domain.com/xmlrpc.php
XML-RPC file is required to jetpack to work. Without the xmlrpc, Jetpack will not work.
1 Click Staging
Safely test changes to your website before you roll them out to visitors without breaking your site. Staging gives you confidence to test changes before you publish without worry. It creates a copy of your site in a “sandbox” environment where you can experiment & preview changes without it affecting . When you’re ready, push your changes to your live site with a simple click!
- You’ll see a link and login information abccom.stage.site
- When you go here, you’ll be asked for user name / password. Its provided on the same staging tab
- The staging site should be a replication of your live site.You can then login to the staging wp-admin and make the changes there
- Remember, your changes in the staging will not affect the live site.If you like the changes you made on the staging site and want to push to the live site, you can request that on the staging tab
Security Plugin List
(A) Jetpack – WP Security, Backup, Speed, & Growth
(B) Wordfence Security – Firewall & Malware Scan
(C) All In One WP Security & Firewall
(D) Defender Security – Malware Scanner, Login Security & Firewall
(E) Cerber Security, Anti-spam & Malware Scan
(F) Security & Malware scan by CleanTalk
(G) WP Hide & Security Enhancer
(H) NinjaFirewall (WP Edition) – Advanced Security
(I) Shield Security: Powerful All-In-One Protection
(J) Security Ninja – Secure Firewall & Secure Malware Scanner
(K) MalCare Security – Free Malware Scanner, Protection & Security for WordPress
(L) BulletProof Security
(M) Sucuri Security – Auditing, Malware Scanner and Security Hardening
(N) Titan Anti-spam & Security
(O) WP Activity Log
(P) Anti-Malware Security and Brute-Force Firewall
(Q) Hide My WP Ghost – Security Plugin
Free Features
- Block spam comments
- Brute force attacks to hack password
- Brute force attacks to identify account name
- Two-factor authentication (2FA)
- CAPTCHA stops bots from logging in
- Google reCAPTCHA for against spammers.
- Limit Login attempt
- Custom Login URL
- WordPress.com powered login & 2FA for extra protection
- Back up your site automatically and restore
- Set a maximum password age and force users to choose a new password
- Security Protection for WordPress login form
- Security Protection for WordPress backend
- Uptime / downtime monitoring
- Checks core files, themes and plugins for malware
- Activity log and Alert to admin for file editing
- Repair files that have changed by overwriting them with a pristine, original version.
- Checks your content safety by scanning file contents, posts and comments for dangerous URLs and suspicious content
- Block logins for administrators using known compromised passwords.
- Firewall identifies & blocks malicious traffic
- Blocks requests that include malicious code & content.
- Temporary Privilege Access permissoin
Login masking – change the location of WordPress’s default login area
Login lockout – failed login attempts lockout
404 Detection – automated block of bot IPs
Geolocation IP lockout – block users based on location and country (IP blocking)
WordPress Security Firewall – block or whitelist IPs
Disable trackbacks and pingbacks – spam prevention
Change default database prefix – they won’t find this
Disable file editor – if they get in, they won’t get far
Prevent PHP execution – because it’s daaaangerous
Permit or restrict access by White IP Access list and Black IP Access List with a single IP, IP range or subnet.
Cerber anti-spam engine for protecting contact and registration forms.
Protects wp-login.php, wp-signup.php and wp-register.php from attacks.
Hides wp-admin (dashboard) if a visitor isn’t logged in.
Immediately blocks an intruder IP when attempting to log in with non-existent or prohibited username.
Restrict user registration or login with a username matching REGEX patterns.
Block access to XML-RPC (block access to XML-RPC including Pingbacks and Trackbacks).
External Tutorial
| Topic | URL |
|---|---|
| cPHulk Brute Force Protection | docs.cpanel.net/whm/security-center/cphulk-brute-force-protection/#blacklist-management |
| cPHulk Brute Force Protection | youtube.com/watch?v=mmhXVY2eNpM |
| VPS Backup Setup | docs.cpanel.net/whm/backup/backup-configuration |
| WP Login URL Change | themesgrove.com/change-wordpress-login-url-without-plugin |
| WP Login URL Change | elegantthemes.com/blog/resources/how-to-obscure-your-sites-login-page-without-a-plugin |
| 1 click staging | dreamhost.com/features/wordpress-staging |
