This is very important: if your files are infected you may not be able to clean out all of the infected code, and in that situation you can restore your files from the backup.
Disable File Edit
WordPress has a built-in code editor under the Appearance menu that allows you to edit your theme and plugin files from the WordPress admin area. You should disable it by adding code to wp-config.php.
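The wp-config.php lines the paragraph refers to, added here as an example (not code from the original article). Place them above the "That's all, stop editing!" comment in wp-config.php.

```php
<?php
// Added example: wp-config.php hardening for the built-in file editor.

// Removes the Theme/Plugin file editors from the admin menu and disables the
// edit endpoints, so a hijacked admin session cannot plant PHP through the UI.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter option: also blocks plugin/theme installs and updates from the
// dashboard. Only enable it if updates are applied another way (e.g. WP-CLI),
// otherwise the site silently stops receiving security updates.
// define( 'DISALLOW_FILE_MODS', true );
```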
Add the code below to your theme's functions.php. It contains a WordPress action hook and a filter hook with their callback functions; the callbacks restrict the number of invalid login attempts.
function check_attempted_login( $user, $username, $password ) {
    // Runs on the 'authenticate' filter after the core username/password check.
    // If the failure counter stored in the transient has reached 3, refuse the
    // login and report how long the lockout has left.
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );
        if ( $datas['tried'] >= 3 ) {
            // The transient's expiry is stored as the option _transient_timeout_<key>.
            $until = get_option( '_transient_timeout_' . 'attempted_login' );
            $time  = time_to_go( $until );
            return new WP_Error( 'too_many_tried', sprintf( __( '<strong>ERROR</strong>: You have reached authentication limit, you will be able to try again in %1$s.' ), $time ) );
        }
    }
    return $user;
}
add_filter( 'authenticate', 'check_attempted_login', 30, 3 );

function login_failed( $username ) {
    // Runs on every failed login: create the counter, or increment it while the
    // 300-second transient is still alive.
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );
        $datas['tried']++;
        if ( $datas['tried'] <= 3 ) {
            set_transient( 'attempted_login', $datas, 300 );
        }
    } else {
        $datas = array(
            'tried' => 1
        );
        set_transient( 'attempted_login', $datas, 300 );
    }
}
add_action( 'wp_login_failed', 'login_failed', 10, 1 );

function time_to_go( $timestamp ) {
    // Turn the distance between now and the given Unix timestamp into a
    // human-readable "N units" string, e.g. "4 minutes".
    $periods = array( "second", "minute", "hour", "day", "week", "month", "year" );
    $lengths = array( 60, 60, 24, 7, 4.35, 12 );
    $current_timestamp = time();
    $difference = abs( $current_timestamp - $timestamp );
    for ( $i = 0; $difference >= $lengths[ $i ] && $i < count( $lengths ) - 1; $i++ ) {
        $difference /= $lengths[ $i ];
    }
    $difference = round( $difference );
    if ( $difference != 1 ) {
        $periods[ $i ] .= "s";
    }
    return "$difference $periods[$i]";
}
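The snippet above keys its counter on one global transient, so three failures by anyone lock every user out, and one client can keep the whole site locked. The following is an added example (not the article's code) that keeps the same hooks but counts failures per client address; the rmg_* names are hypothetical, and it assumes REMOTE_ADDR is the real client (no reverse proxy or CDN in front).

```php
<?php
// Added example: per-client login throttle using the same WordPress hooks.
const RMG_MAX_TRIES = 3;   // failures allowed before lockout
const RMG_WINDOW    = 300; // seconds the counter (and any lockout) lives

function rmg_login_key() {
    // Assumes no proxy: behind one, REMOTE_ADDR would be the proxy address.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    // Hash so raw client addresses are not written into wp_options.
    return 'rmg_login_' . substr( hash( 'sha256', $ip ), 0, 32 );
}

function rmg_check_attempted_login( $user, $username, $password ) {
    $data = get_transient( rmg_login_key() );
    if ( is_array( $data ) && $data['tried'] >= RMG_MAX_TRIES ) {
        // The expiry travels inside the transient, so this also works with an
        // object cache, where no _transient_timeout_ option exists.
        $left = max( 1, $data['until'] - time() );
        return new WP_Error( 'too_many_tried', sprintf(
            __( '<strong>ERROR</strong>: Too many failed logins. Try again in %d seconds.' ), $left ) );
    }
    return $user;
}
add_filter( 'authenticate', 'rmg_check_attempted_login', 30, 3 );

function rmg_login_failed( $username ) {
    $key  = rmg_login_key();
    $data = get_transient( $key );
    if ( ! is_array( $data ) ) {
        $data = array( 'tried' => 0, 'until' => time() + RMG_WINDOW );
    }
    $data['tried']++;
    // Re-save with the ORIGINAL expiry so repeated failures do not extend the window.
    set_transient( $key, $data, max( 1, $data['until'] - time() ) );
}
add_action( 'wp_login_failed', 'rmg_login_failed', 10, 1 );

// A successful login clears that client's counter.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( rmg_login_key() );
}, 10, 2 );
```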
Change the default admin username if one exists. If you are not able to delete that user, demote it to the Subscriber role.
Change WordPress Database wp_ Prefix
It can be changed in two ways: by installing a plugin, or manually with SQL commands. The manual steps are given below –
Step 1 – Change the table prefix in wp-config.php. Edit the following line from File Manager:
$table_prefix = 'wp_';
Change it to:
$table_prefix = 'wprmg_';
Now save the file.
Step 2 – Change the prefix of all tables in the database
In phpMyAdmin, click on the database name > select all tables starting with wp_ > click With selected to open the drop-down > type wp_ in the From field and wprmg_ in the To field > click Continue to apply the change.
Step 3 – Replace all references to the old prefix
WordPress still contains rows that reference the old table prefix. To complete the prefix change, you need to replace these with the new prefix.
Now go to the SQL tab in phpMyAdmin and copy and paste the following commands:
update NEWPREFIX_usermeta set meta_key = 'NEWPREFIX_capabilities' where meta_key = 'OLDPREFIX_capabilities';
update NEWPREFIX_usermeta set meta_key = 'NEWPREFIX_user_level' where meta_key = 'OLDPREFIX_user_level';
update NEWPREFIX_usermeta set meta_key = 'NEWPREFIX_autosave_draft_ids' where meta_key = 'OLDPREFIX_autosave_draft_ids';
update NEWPREFIX_options set option_name = 'NEWPREFIX_user_roles' where option_name = 'OLDPREFIX_user_roles';
Replace OLDPREFIX and NEWPREFIX with your own old and new prefix, as in the example below, where wp_ is replaced with david_:
update david_usermeta set meta_key = 'david_capabilities' where meta_key = 'wp_capabilities';
update david_usermeta set meta_key = 'david_user_level' where meta_key = 'wp_user_level';
update david_usermeta set meta_key = 'david_autosave_draft_ids' where meta_key = 'wp_autosave_draft_ids';
update david_options set option_name = 'david_user_roles' where option_name = 'wp_user_roles';
Click on Go to run the commands and complete the change.
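As an added example (not from the original article), the script below generates every statement the three steps above need from a table listing: the RENAME TABLE statements for step 2, the four UPDATE statements for step 3, and two queries that verify nothing with the old prefix is left. prefix_change_sql() is a hypothetical helper and the table list is constructed sample data.

```php
<?php
// Added example: build the SQL for a WordPress table-prefix change.
function prefix_change_sql( array $tables, $old, $new ) {
    // Prefixes are spliced into identifiers, so only accept what MySQL allows unquoted.
    foreach ( array( $old, $new ) as $p ) {
        if ( ! preg_match( '/^[a-z0-9_]+_$/i', $p ) ) {
            throw new InvalidArgumentException( "bad prefix: $p" );
        }
    }
    $sql = array();
    foreach ( $tables as $t ) {
        if ( strpos( $t, $old ) !== 0 ) {
            continue; // not one of this install's tables
        }
        $sql[] = sprintf( 'RENAME TABLE `%s` TO `%s%s`;', $t, $new, substr( $t, strlen( $old ) ) );
    }
    // Rows whose key NAME embeds the prefix (step 3 of the article).
    foreach ( array( 'capabilities', 'user_level', 'autosave_draft_ids' ) as $k ) {
        $sql[] = sprintf( "UPDATE `%susermeta` SET meta_key = '%s%s' WHERE meta_key = '%s%s';",
            $new, $new, $k, $old, $k );
    }
    $sql[] = sprintf( "UPDATE `%soptions` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';",
        $new, $new, $old );
    // Verification: '_' is a LIKE wildcard, so escape it. Both queries should
    // return no rows once the change is complete.
    $like  = str_replace( '_', '\\_', $old ) . '%';
    $sql[] = sprintf( "SELECT meta_key FROM `%susermeta` WHERE meta_key LIKE '%s';", $new, $like );
    $sql[] = sprintf( "SELECT option_name FROM `%soptions` WHERE option_name LIKE '%s';", $new, $like );
    return $sql;
}

// Constructed sample: a few default tables plus one that belongs to another app.
$tables = array( 'wp_options', 'wp_posts', 'wp_usermeta', 'wp_users', 'other_app_log' );
echo implode( "\n", prefix_change_sql( $tables, 'wp_', 'wprmg_' ) ), "\n";
```

Any rows the final two SELECTs still return carry the old prefix in their key name and need the same rename before the change is complete.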
Change Default Login URL Without Plugin
Process 1: WordPress default URL: /wp-login.php or /wp-admin
First go to public_html.
Then take a backup of the wp-login.php file.
Then rename wp-login.php to any name, such as mashiur.php.
Then open mashiur.php in an editor such as Notepad++.
Then replace all occurrences of wp-login.php with mashiur.php (generally 12 occurrences will be replaced).
Finally it is done. Now go to your new URL and log in.
Process 2: Add the following rule to your .htaccess file to change the name of your login URL:
RewriteRule ^mynewlogin$ http://www.yoursite.com/wp-login.php [NC,L]
Process 3: Plugin Installation
Prevent PHP direct execution on sensitive directories
Directories such as “wp-content” and “wp-includes” are generally not intended to be accessed by any user, consider hardening them via Sucuri Security -> Settings -> Hardening.
Disable SSH Access
It may be open by default. 99% of hackers try to log in through the SSH console, so you must disable it.
Configure Brute Force Protection
You can protect against brute force from a WordPress plugin, cPanel, WHM, a VPS, or even a dedicated server control panel.
Jetpack Security:
Use the free features of the Jetpack plugin to protect against brute force attacks.
Configure cPhulk Brute Force Protection
Disable XML-RPC in WordPress
The XML-RPC file (domain.com/xmlrpc.php) is required for Jetpack to work; without xmlrpc.php, Jetpack will not function.
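Because Jetpack needs xmlrpc.php, blocking the endpoint outright is not always an option. The following is an added example (not from the original article) of a must-use plugin that keeps XML-RPC available but removes the pingback methods and advertising headers most often abused, with the full-disable filter shown for sites that do not use Jetpack. The file name xmlrpc-hardening.php is hypothetical.

```php
<?php
// Added example: wp-content/mu-plugins/xmlrpc-hardening.php

// Option A: the site uses neither Jetpack nor any XML-RPC client.
// Turning the endpoint off entirely is then the simplest fix.
// add_filter( 'xmlrpc_enabled', '__return_false' );

// Option B: keep XML-RPC for Jetpack, but drop the pingback methods that
// let the site be used for reflection/amplification against others.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// And blank the pingback URL that themes print as <link rel="pingback">.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );
```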
1 Click Staging
Safely test changes to your website before you roll them out to visitors, without breaking your site. Staging gives you the confidence to test changes before you publish, without worry. It creates a copy of your site in a “sandbox” environment where you can experiment and preview changes without affecting the live site. When you’re ready, push your changes to your live site with a single click!
You’ll see a link and login information for abccom.stage.site
When you go there, you’ll be asked for a user name and password. They are provided on the same staging tab.
The staging site should be a replica of your live site. You can then log in to the staging wp-admin and make the changes there.
Remember, your changes in staging will not affect the live site. If you like the changes you made on the staging site and want to push them to the live site, you can request that on the staging tab.
(M) Sucuri Security – Auditing, Malware Scanner and Security Hardening
(N) Titan Anti-spam & Security
(O) WP Activity Log
(P) Anti-Malware Security and Brute-Force Firewall
(Q) Hide My WP Ghost – Security Plugin
Free Features
Block spam comments
Protection against brute force attacks that guess passwords
Protection against brute force attacks that identify account names
Two-factor authentication (2FA)
CAPTCHA stops bots from logging in
Google reCAPTCHA to protect against spammers
Limit login attempts
Custom Login URL
WordPress.com powered login & 2FA for extra protection
Back up your site automatically and restore
Set a maximum password age and force users to choose a new password
Security Protection for WordPress login form
Security Protection for WordPress backend
Uptime / downtime monitoring
Checks core files, themes and plugins for malware
Activity log and alerts to the admin for file editing
Repair files that have changed by overwriting them with a pristine, original version.
Checks your content safety by scanning file contents, posts and comments for dangerous URLs and suspicious content
Block logins for administrators using known compromised passwords.
Firewall identifies & blocks malicious traffic
Blocks requests that include malicious code & content.
Temporary Privilege Access permission
Login masking – change the location of WordPress’s default login area
Login lockout – failed login attempts lockout
404 Detection – automated block of bot IPs
Geolocation IP lockout – block users based on location and country (IP blocking)
WordPress Security Firewall – block or whitelist IPs
Disable trackbacks and pingbacks – spam prevention
Change default database prefix – they won’t find this
Disable file editor – if they get in, they won’t get far
Prevent PHP execution – because it’s daaaangerous
Permit or restrict access by White IP Access List and Black IP Access List with a single IP, IP range or subnet.
Cerber anti-spam engine for protecting contact and registration forms.
Protects wp-login.php, wp-signup.php and wp-register.php from attacks.
Hides wp-admin (dashboard) if a visitor isn’t logged in.
Immediately blocks an intruder IP when attempting to log in with a non-existent or prohibited username.
Restrict user registration or login with a username matching REGEX patterns.
Block access to XML-RPC (including Pingbacks and Trackbacks).
We are introducing our new software for your business. We provide software that is essential for your business. This software can manage your employees, their salaries and provident fund, and it will also provide the business reports you need. It is a role- and permission-based application that filters what each user can see according to their authority. It gives your users instant notifications and general messaging, and supports multiple companies in one application. We are developing multiple integrated modules.
Employee Management
Smart Live Dashboard
Proper Instant Notification
Recruitment Menu
Proper Audit Log History Management to track every change to your business information
Adding necessary information on your employee profiles like fixed allowance, fixed deduction, and tax info
How to create dynamic weekly, bi-weekly, or monthly pay calendars to pay your employees
Using pay runs to get started with salary payments
How you can generate useful reports to take vital business decisions regarding your employee salary
Getting handy copies of salary invoices that you can share and keep as a record.
How you can track, manage & run your pay calendars from a single platform