How to secure your WordPress site?

Building a Data-Driven World at Japan Data Forum
mstlucky7800
Posts: 33
Joined: Thu Dec 12, 2024 4:17 am


Post by mstlucky7800 »

Below is a list of preventive actions that will certainly make it harder for attackers and reduce the risk of your site becoming infected with a virus. Depending on the virus or the attacking bots, these recommendations may not be sufficient.

1. Hosting
One of the most important elements of any website is choosing the right hosting. Most website owners choose a server based on price or someone else's recommendation. However, the choice is not that simple. First of all, you need to check whether the hosting:

offers the latest version of PHP - currently 8.0,
makes backup copies of the database and files, and whether we have free access to them,
has protection against DDoS attacks.
In addition to checking these security points, it is also worth checking the parameters (processor, RAM, capacity, limits) that the server offers. You can find more on this topic here: What is Hosting? and What effect does hosting have on SEO?

2. SSL Certificate
An SSL certificate encrypts all information sent between the user's browser and the website. Every professional hosting company offers both paid and free SSL certificates (e.g. Let's Encrypt). You can read more about it here: What is SSL?

3. WordPress Updates
The constantly released WP updates contain not only a number of new functionalities and possibilities, but also important fixes related to system security. Add-ons should also be updated. Plugins and templates (themes) are the components most often hit by virus attacks, so they should always be kept up to date to reduce the risk.

4. Uninstall unnecessary plugins and templates
If you don't use some plugins, or only need them occasionally, uninstall them!
If you have more templates installed, uninstall them; you don't need them. For correct operation, you only need the one you are currently using.
Risk should be reduced wherever possible. Let's not make life easier for hackers and bots!

5. Hiding WordPress and Plugin Versions
WordPress displays the version in the page source by default by adding a tag in the HEAD section:

<meta name="generator" content="WordPress 5.6.4" />
For WordPress plugins, it adds ?ver=XX to the URLs of CSS and JS files.



By revealing which versions of individual components we use on the website, we make it easier for attackers to pick a working attack against our site.

You can block the display of versions by adding the following code to the functions.php file of our template:

remove_action('wp_head', 'wp_generator');               // drop the <meta name="generator"> tag from the HEAD section
add_filter('the_generator', '__return_empty_string');    // also blank the generator line in RSS/Atom feeds

// Strip the ?ver= query argument from enqueued stylesheets and scripts.
function shapeSpace_remove_version_scripts_styles($src) {
    if (strpos($src, 'ver=') !== false) {   // strict check: strpos() returns false (not 0) when the argument is absent
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
// Very late priority (9999) so this runs after any filter that might re-add the version.
add_filter('style_loader_src', 'shapeSpace_remove_version_scripts_styles', 9999);
add_filter('script_loader_src', 'shapeSpace_remove_version_scripts_styles', 9999);

6. Changing passwords
Make it a rule to change the passwords of all your site administrators every few months, especially if your login is adm, admin, administrator or the domain name.

7. Changing the administrator login
The most commonly chosen login is admin, so if your login is adm, admin, administrator or the domain name, you should change it as soon as possible. Thanks to this change you will limit the possibility of breaking into the site using brute force.

How to change login in WordPress?
Method I:

log in to the database via phpMyAdmin,
look for the wp_users table (the wp_ prefix may differ if it was changed during installation),
find your account and click edit,
in the user_login column, change the old login to the new one.
Method II:

in the WP panel, add a new user with Administrator privileges,
log in to your new account,
delete the old account (WordPress will ask whether to attribute its posts to another user; choose the new account).
8. Changing the login page
By default, we can log in to every WordPress site using the URLs:

example.com/wp-login.php
example.com/wp-admin/
Therefore, to reduce the number of brute-force attacks, we can use the Limit Login Attempts plugin, which limits the number of login attempts and blocks the user for a specified period of time.

However, if we want to secure the login form more completely, we can change its location using the WPS Hide Login plugin.

9. Blocking access to files
Using appropriate rules in the .htaccess file, we can block external access to specific files or folders.

In the main WP folder there are the xmlrpc.php file and the wp-config.php file, which stores the MySQL database credentials, so it is worth additionally securing these files by adding the following rule to the .htaccess file located in the same folder.

Additionally, in the /wp-content/uploads/ directory, create a .htaccess file if there is none and add the following rule, which will block the execution of some viruses:

[image: the .htaccess rules]


You can find more about the .htaccess file here: What is .htaccess?

10. Disabling unnecessary functionalities
WordPress offers many different functionalities that we usually do not use, so it is worth disabling some of them.

If we use comments on our website, it is worth unticking the first two checkboxes in Settings → Discussion.



Pingbacks are intended to inform the site administrator that someone has placed a link to their post on another site.

If you are not using the built-in WordPress comments, it is worth installing the Disable Comments plugin.

11. Security Plugins
With the constant development of new attacks and viruses on WordPress-based sites, many companies have released add-ons that allow us to defend ourselves against them.

Examples of plugins include: Wordfence Security, All In One WP Security & Firewall, and iThemes Security.
The above plugins primarily harden the site, enable malware detection, and block brute-force attacks. Their only drawback is a possible drop in site speed.

12. Backup copies
Regularly performing backups is essential, even if our hosting provider performs them for us. Sometimes there may be a problem with restoring them, or for some reason they were never made at all. That is why it is worth doing them yourself. There are many WordPress plugins that perform backups, but one worth recommending is UpdraftPlus, with which backups can be performed automatically and sent to another server.



Summary
Thanks for reading to the end, and I hope the above advice has shed some light on the issues WordPress users may encounter, and that you've learned how to protect your site from potential attacks.

If you have become a victim of such an attack and you cannot cope with it, call us and we will try to help you.
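The post recommends the Limit Login Attempts plugin (section 8) and disabling pingbacks (sections 9 and 10) without showing how either works. The following must-use plugin is an added example, not code from the original post or from any of the plugins it names: it counts failed logins per client IP in a WordPress transient and refuses authentication once the limit is reached, and it removes the pingback methods from XML-RPC. The limit of 5 attempts per 15 minutes, the lh_ names and the file path are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Login hardening (added example)
 *
 * Added example, not the original post's code. Save it as
 * wp-content/mu-plugins/login-hardening.php so it loads on every request.
 */

// Constructed limits for this example: lock an IP after 5 failures within 15 minutes.
const LH_MAX_ATTEMPTS   = 5;
const LH_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;

// Use REMOTE_ADDR, which the web server fills in. X-Forwarded-For is client-controlled
// and must only be trusted behind a reverse proxy you configure yourself.
function lh_client_ip() {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// One transient per IP holds the failure count and expires together with the window.
function lh_transient_key() {
    return 'lh_fail_' . md5( lh_client_ip() );
}

function lh_failures() {
    return (int) get_transient( lh_transient_key() );
}

// Every failed login (wrong password, unknown user, or our own lockout error below)
// bumps the counter, so hammering a locked IP keeps extending the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $count = lh_failures() + 1;
    set_transient( lh_transient_key(), $count, LH_WINDOW_SECONDS );
    error_log( sprintf( 'login failed for "%s" from %s (%d in window)',
        $username, lh_client_ip(), $count ) );
} );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// which would otherwise replace an earlier WP_Error with a valid WP_User.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( lh_failures() >= LH_MAX_ATTEMPTS ) {
        // Keep the message generic: do not reveal whether the username exists.
        return new WP_Error(
            'lh_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( lh_transient_key() );
} );

// Remove pingback handling from XML-RPC and stop advertising the endpoint in headers.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

Transients live in the options table (or the object cache if one is configured), so the counter is shared by all PHP workers rather than kept per process. The lockout is keyed on IP, which is the same trade-off the plugin makes: many users behind one NAT share a counter, and an attacker spread across many addresses stays under the limit on each one, which is why the post also suggests moving the login page and keeping strong, regularly changed passwords.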
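The .htaccess rules that section 9 refers to survive only as an image on this page. The fragment below is an added example written for Apache 2.4 (it is not the post's original rules): the first part goes into the .htaccess file in the main WordPress folder and denies direct web requests to wp-config.php and xmlrpc.php; the second goes into /wp-content/uploads/.htaccess and stops any PHP script dropped into the uploads folder from being executed, while images and documents are still served.

```apache
# --- /.htaccess in the main WordPress folder ---
# Deny direct web requests to the database credentials and the XML-RPC endpoint.
<Files "wp-config.php">
    Require all denied
</Files>
<Files "xmlrpc.php">
    Require all denied
</Files>

# --- /wp-content/uploads/.htaccess ---
# Serve uploaded files, but never execute a script that was placed among them.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
```

Apache only reads these files when AllowOverride permits it for the directory, and Apache 2.2 uses the older "Order allow,deny" / "Deny from all" syntax instead of "Require all denied"; nginx ignores .htaccess entirely and needs equivalent location blocks in its own configuration. Blocking xmlrpc.php also disables Jetpack and the WordPress mobile apps, which talk to the site through that endpoint, so check whether you rely on them before applying the first rule. A quick check after deployment is to request /wp-config.php and /wp-content/uploads/test.php in a browser and confirm both return 403.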