Unique and strong password

One of the most common ways of attacking a website is attempting to discover a password through “brute force”. This attack involves quickly trying different combinations of usernames and passwords, one after the other.

You should make sure your password is either a long string of random characters or a long passphrase. A passphrase consists of several random words or names. This makes the phrase easier to remember.

Use less privileged system permissions

Do not give all your users ‘administrator’ rights; give each user only the role they need to do their daily work.

Keep your computer clean and safe

If someone manages to install a key-logger on your computer, your passwords could be compromised. Make sure to keep your operating system up-to-date, run antivirus software, scan for viruses and malware at least once a week, and enable a Web Application Firewall (WAF) in front of your site.

Register your website at Google Search Console

By registering your website at Google Search Console you will get notified by Google if they find something suspicious. They will also notify you when your site is blacklisted. After removing the malware, you can request a re-evaluation in order to be removed from the blacklist.

Change your WordPress admin login URL

WordPress’ default login URL is /wp-login.php (or you can just type in /wp-admin/ and it’ll redirect you there if not yet logged in). For example: http://www.example.com/wp-login.php.

One of the most common types of hacking on WordPress is a brute force attack. In this kind of attack, a hacker tries many combinations of usernames and passwords to get inside your WordPress blog.

Since everyone knows that the default WordPress admin URL is “wp-admin”, any hacker can start a brute force attack right away. You can change this URL easily by installing the WPS Hide Login plugin. Note that this only hides the login form; it does not replace a strong password, and XML-RPC (see below) still accepts logins unless you disable it.

Once you have installed the plugin, activate it and go to Settings > General to configure the options. Scroll down to the bottom and you will see the “WPS Hide Login” option.

Don’t use the username ‘admin’

In a brute force attack, the attacker has to guess both your username and your password. Since ‘admin’ is the default username in WordPress, it is the first thing attackers try, which makes guessing the right combination much faster.

Create a new user with the ‘administrator’ role and a unique username for yourself, then delete the ‘admin’ user.

Hiding the WordPress Version

The WordPress version is another piece of information attackers look for, because it tells them which known vulnerabilities to try. There is something you can do to prevent this. Copy the following line into your theme’s functions.php and enjoy a small taste of security.

remove_action('wp_head', 'wp_generator');

You can check whether the code is working by opening the source code of any page on your website, pressing “CTRL + F” to open the search bar and searching for “generator”: if a meta tag with your WordPress version is still displayed, the code has not been placed correctly.
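The manual “search for generator” check above, as an added example that is not part of the original post. It goes one step further than the text: remove_action('wp_head', 'wp_generator') only removes the meta tag, while the ?ver= query strings WordPress appends to its core assets under /wp-includes/ also reveal the version, so the check looks at both. The page source is constructed inline for the example.

```python
import re

# Constructed sample page source (not taken from any real site). The generator tag is
# what remove_action('wp_head', 'wp_generator') removes; the ?ver= query strings on
# core assets under /wp-includes/ are left in place by that snippet and leak the
# version as well.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2" />
<script src="https://example.com/wp-includes/js/wp-emoji-release.min.js?ver=6.4.2"></script>
<script src="https://example.com/wp-content/themes/demo/app.js?ver=1.0"></script>
</head><body></body></html>"""

# WordPress prints the tag as <meta name="generator" content="WordPress X.Y.Z" />,
# so the attribute order name-then-content is assumed here.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([^"\']*)["\']', re.I)
# Only assets under /wp-includes/ are checked: theme and plugin assets carry their
# own version numbers, not the WordPress core version.
CORE_ASSET_RE = re.compile(
    r'(?:src|href)=["\'][^"\']*?/wp-includes/[^"\']*?\?ver=([^"\'&]+)', re.I)


def find_version_leaks(html: str) -> dict:
    """Return the WordPress version strings a page reveals, grouped by source."""
    leaks = {"generator": None, "core_asset_ver": set()}
    m = GENERATOR_RE.search(html)
    if m:
        leaks["generator"] = m.group(1).strip()
    for ver in CORE_ASSET_RE.findall(html):
        leaks["core_asset_ver"].add(ver)
    return leaks


def is_version_hidden(html: str) -> bool:
    """True only when neither the meta tag nor the core asset URLs expose a version."""
    leaks = find_version_leaks(html)
    return leaks["generator"] is None and not leaks["core_asset_ver"]
```

Run find_version_leaks() against the saved source of your own page; an empty result for both keys is what you want to see.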

Disable XML-RPC

XML-RPC is needed by software clients such as the WordPress smartphone apps. If you do not specifically use XML-RPC, it is better to disable this feature.

It is a clear attack vector because one XML-RPC request can contain several login attempts, which is perfect for brute forcing passwords. To disable XML-RPC, you can add the following lines to your .htaccess file when running on Apache (this is Apache 2.2 syntax; on Apache 2.4 the order/deny/allow directives only work when mod_access_compat is loaded, otherwise use Require all denied):

<Files xmlrpc.php>
order deny,allow
deny from all
# 123.123.123.123 is a placeholder: put the address that really needs XML-RPC here,
# or remove the line to block everyone
allow from 123.123.123.123
</Files>

It is also possible to ask your webhost to disable XML-RPC for you.
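Brute force attempts against wp-login.php and xmlrpc.php, as described in the sections above, leave a clear trace in the web server access log. The following detection logic is an added example and not part of the original post; it uses constructed Apache combined-log lines, and it applies a lower threshold to xmlrpc.php because, as the text notes, a single XML-RPC request can carry many login attempts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format; only the fields needed for the check are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# POSTs per sliding window before a client is flagged. xmlrpc.php gets a much lower
# threshold: each request may hide dozens of credential pairs (system.multicall).
LOGIN_ENDPOINTS = {"/wp-login.php": 5, "/xmlrpc.php": 2}


def _line(ip, sec, method, path, ua="Mozilla/5.0"):
    """Build one constructed log line (sample data, not from a real server)."""
    return (f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


# Constructed sample: one client hammers wp-login.php, one sends two xmlrpc.php
# POSTs, and one is an ordinary visitor who logs in once.
SAMPLE_LOG = ([_line("203.0.113.10", s, "POST", "/wp-login.php") for s in range(0, 12, 2)]
              + [_line("198.51.100.7", 20, "POST", "/xmlrpc.php", "python-requests/2.31")] * 2
              + [_line("192.0.2.5", 30, "GET", "/about/"),
                 _line("192.0.2.5", 31, "POST", "/wp-login.php")])


def parse_line(line):
    """Parse one access-log line into a dict, or return None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_bruteforce(lines, window_seconds=60):
    """Return {(ip, path): total POSTs} for clients that exceed the endpoint's
    threshold within any sliding window of window_seconds."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            path = rec["path"].split("?")[0]
            if path in LOGIN_ENDPOINTS:
                events[(rec["ip"], path)].append(rec["ts"])
    flagged = {}
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward
            if end - start + 1 >= LOGIN_ENDPOINTS[key[1]]:
                flagged[key] = len(stamps)
                break
    return flagged
```

Feed it the lines of your real access log to see which clients would be flagged; the thresholds are a starting point to tune for your own traffic.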

Block PHP code execution in /wp-content/uploads/

A lot of backdoors (scripts that are specifically made to give attackers access) end up in the /wp-content/uploads/ folder. If you block PHP code execution in this folder (and its subfolders) and in the /wp-includes/ folder as well, backdoor scripts dropped there can no longer be executed. A good managed WordPress hoster will do this automatically for you.

If your website runs on Apache, please place a .htaccess file in these folders with the following lines:

# refuses direct requests for any .php file in this folder and all folders below it
<Files *.php>
deny from all
</Files>

Restrict access to wp-config.php

Your database credentials are stored in the wp-config.php file, so it is very important to keep them safe by restricting access to wp-config.php. You can do this by adding the following lines to the .htaccess file in your site root (if you are using Apache):

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Disable File Editing

WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature is a security risk, which is why we recommend turning it off by adding the following line to your wp-config.php:

define( 'DISALLOW_FILE_EDIT', true );

Alternatively, you can do this with 1-click using the Hardening feature in the free security plugin that we mentioned above.

Disable directory indexing and browsing

Directory browsing can be used by hackers to find out whether you have any files with known vulnerabilities, which they can then exploit to gain access.

Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information. This is why it is highly recommended that you turn off directory indexing and browsing.

To turn it off, add the following line at the end of the .htaccess file in your site root:

Options -Indexes

Don’t forget to save the .htaccess file and upload it back to your site.

Add Security Question to the login screen

Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.

You can add security questions by installing the WP Security Questions plugin. Upon activation, you need to visit Settings » Security Questions page to configure the plugin settings.

Secure your WordPress site with a free SSL certificate (HTTPS)

An SSL certificate gives visitors a trusted, encrypted connection to your website. To show visitors that their connection is secure, browsers display visual cues, such as a lock icon in front of the domain of the current website.

Sometimes, instead of the lock icon, you will see a circle with an exclamation mark. That means the site is not fully secure: it has “mixed content”, i.e. the page loads some resources over plain HTTP without SSL. Changing those references from HTTP to HTTPS may solve the problem. For more details on how to move your site to SSL, see: Migrate website to free HTTPS with Cloudflare
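Finding the references that cause the “mixed content” warning described above, as an added example that is not part of the original post. It scans constructed page source for sub-resources loaded over plain http:// (scripts, styles, images, CSS url() values), ignores ordinary <a href> links because navigating to an HTTP page is not mixed content, and shows the usual fix of upgrading same-origin references to https://. The host name example.com is an assumption for the sample.

```python
import re

# Constructed HTML for a page served from https://example.com/ (not from any real site).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css">
<style>.hero { background: url(http://cdn.example.net/hero.jpg); }</style>
</head><body>
<img src="http://example.com/wp-content/uploads/2023/10/logo.png" alt="">
<img src="//example.com/wp-content/uploads/2023/10/ok.png" alt="">
<a href="http://partner.example.org/">partner</a>
<script src="http://example.com/wp-content/plugins/demo/app.js"></script>
</body></html>"""

# Tags whose src/href make the browser fetch a sub-resource. <a href> is a navigation,
# not a sub-resource, so it is deliberately not in the list. Protocol-relative URLs
# (//host/...) inherit https and are fine.
SUBRESOURCE_RE = re.compile(
    r'<(?:img|script|iframe|video|audio|source|link)\b[^>]*?\s(?:src|href)=["\'](http://[^"\']+)',
    re.I)
CSS_URL_RE = re.compile(r'url\(\s*["\']?(http://[^)"\']+)', re.I)


def find_mixed_content(html):
    """Return the plain-http sub-resource URLs a page loads, sorted and de-duplicated.
    Each of these is blocked or warned about when the page itself is served over HTTPS."""
    urls = SUBRESOURCE_RE.findall(html) + CSS_URL_RE.findall(html)
    return sorted(set(urls))


def rewrite_same_origin(html, host):
    """Upgrade http:// references to the site's own host to https://. This only fixes
    same-origin assets; third-party hosts must be checked to actually serve HTTPS."""
    return re.sub(r'http://' + re.escape(host) + r'/', f'https://{host}/', html)
```

Whatever find_mixed_content() still reports after the rewrite (here the cdn.example.net image) has to be fixed at its source or replaced with an HTTPS host.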