If you have a WordPress site, chances are good that your site is constantly being attacked by hackers.
They are constantly looking for weak points that will allow them to enter, whether it is an outdated plugin or theme, or a simple password. Once inside, it is obvious that they can do damage.
To prove what I am talking about, here is what is currently written on my WordPress dashboard.
This is why your WordPress site must be absolutely bulletproof. Here are the best ways to do it based on my consultations with business representatives.
Get the best username and password possible
If I’ve seen it once, I’ve seen it a thousand times. People create WordPress websites with username and password set to “admin” and then wonder why they’ve been hacked.
Your login page is essentially the front door of your website. So it makes sense to make it as difficult as possible for an attacker to penetrate. You wouldn’t leave the front door of your house open, would you?
Many web hosts automate the WordPress setup for you, and when they do, you should provide a username other than “admin”. If you use “admin”, you are making the hacker’s job too easy.
Get a username that no one can guess. Don’t use a username that you use anywhere else on the Internet. Someone only needs to Google you to find these usernames.
As far as the password goes, do yourself a huge favor and get a password manager. I highly recommend KeePass. Next, make your WordPress password at least 30 characters long and include special characters in it. Yes, that’s right. 30 characters.
Install a Brute Force Protection Plug-in
To reinforce this door metaphor, it also makes sense to add some security locks. In my opinion, for WordPress, you have four options: Google Authenticator, Authy, Login Lockdown, or reCAPTCHA.
To be clear, Google Authenticator and Authy do the same thing. You receive the code on your smartphone and enter it on the login page. Without it, you will be denied entry.
Login Lockdown is a plugin that limits the number of incorrect login attempts before the user’s IP is locked for a specific period of time that you specify. You can even install it along with Authenticator for maximum security.
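The kind of rule such a lockout plugin enforces can also be replayed over a web server access log to see which clients would have tripped it. The script below is an added example, not code from Login Lockdown or from this article; the log lines are constructed, the thresholds are illustrative, and it assumes a default WordPress login where a failed attempt is answered with HTTP 200 and a successful one with a 302 redirect.

```shell
#!/bin/sh
# Added example: replay an access log against a "max failures per window" rule.

# Constructed sample in combined log format (documentation-range IPs).
sample_log() {
cat <<'EOF'
192.0.2.50 - - [12/Mar/2024:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2024:08:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2024:08:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4310 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# flag_bruteforce MAX WINDOW_SECONDS < access.log
# Prints "ip HH:MM:SS" the first time a client reaches MAX failed logins
# inside a sliding window. Windows do not span midnight (simplification).
flag_bruteforce() {
    awk -v max="$1" -v window="$2" '
        # Failed login = POST to wp-login.php answered with 200 (assumption).
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 {
            split($4, p, ":")              # p[1]="[12/Mar/2024", p[2..4]=HH MM SS
            now = p[2] * 3600 + p[3] * 60 + p[4]
            ip = $1
            if (day[ip] != p[1]) { day[ip] = p[1]; head[ip] = tail[ip] = 0 }
            t[ip, tail[ip]++] = now        # queue of failure times per client
            while (now - t[ip, head[ip]] > window) head[ip]++
            if (tail[ip] - head[ip] >= max && !(ip in hit)) {
                hit[ip] = 1
                print ip, p[2] ":" p[3] ":" p[4]
            }
        }'
}

# Stand-alone run: 3 failures within 5 minutes.
sample_log | flag_bruteforce 3 300
```

Only the client that fails three times within seconds is reported; the slow failures spread across 40 minutes and the user who mistypes once and then logs in are not.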
I don’t like reCAPTCHA, but it’s better than nothing. It is also not reliable as it has been cracked before. But as I said, it’s better than nothing. reCAPTCHA forces the user to enter a sequence of words or click on certain images.
Make sure all themes and plugins are up to date
The next step is to make sure that all your themes and plugins are updated regularly. Again, any vulnerability – both known and unknown – can be exploited by a hacker to infiltrate the site.
You should check the Updates page for all available updates. This should be done daily. You can find the Updates page as a sub-item of the Dashboard tab.
Disable any unnecessary features and plugins
Just like you should update all themes and plugins, you should also disable those you don’t need.
There is no reason to leave unused themes and plugins active; doing so only increases the risk that one of them contains a vulnerability an attacker can use to get in. Therefore, remove any themes that you are not using. They can always be reinstalled later.
As for the plugins, either uninstall them entirely, or at least disable them.
Do not allow anyone to create user accounts
If a WordPress site is being used by a company or some team, then user accounts will obviously be required. But if you’re the only user of the site, don’t let anyone create user accounts. Especially people you don’t know.
You can prevent people from doing this by going to Settings > General. Scroll down to “Membership” and uncheck “Anyone can register”.
Downgrade privileges for all other authorized users
If you really need to grant users accounts, make sure they have the appropriate access role.
For example, the site owner must be an administrator. But if someone writes a guest blog post for you, they should only be listed as an Author. Don’t give someone elevated privileges if they don’t need them.
Just go to Users > All Users and select the person whose role you want to change. Then select the new role from the dropdown list.
Turn off directory browsing using an index.html file
You may not know this, but if you create a new directory on your website and add files to it without also adding an index.html file, all the contents of that directory will be made public.
To avoid this, create an empty text file and name it index.html. Then upload it to the new directory. Any attempt to browse the directory will now return a blank index page.
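Doing this by hand gets tedious once the uploads folder has grown a directory per month, so the check can be scripted. The following is an added example, not part of the original article: it lists every directory that lacks an index file and can drop an empty index.html into each. The sample tree is constructed, and treating index.html, index.htm and index.php as index files is an assumption about the server configuration.

```shell
#!/bin/sh
# Added example: find directories with no index file and add an empty index.html.

# Build a small constructed tree that mimics part of wp-content (sample data).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads/2024/01" "$root/uploads/2024/02" "$root/plugins"
    : > "$root/plugins/index.php"            # WordPress ships empty-looking index.php files
    : > "$root/uploads/2024/01/photo.jpg"    # files, but no index
    : > "$root/uploads/2024/02/index.html"   # already protected
    printf '%s\n' "$root"
}

# Print every directory under $1 that contains no index file.
# Directory names containing newlines are not supported.
find_unprotected_dirs() {
    find "$1" -type d | while IFS= read -r dir; do
        if [ ! -e "$dir/index.html" ] && [ ! -e "$dir/index.htm" ] \
           && [ ! -e "$dir/index.php" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Create an empty index.html in each unprotected directory under $1.
protect_dirs() {
    find_unprotected_dirs "$1" | while IFS= read -r dir; do
        : > "$dir/index.html" && printf 'created %s/index.html\n' "$dir"
    done
}

# Stand-alone run: audit the sample tree, fix it, audit again.
tree=$(make_sample_tree)
echo "before: $(find_unprotected_dirs "$tree" | wc -l) unprotected directories"
protect_dirs "$tree"
echo "after:  $(find_unprotected_dirs "$tree" | wc -l) unprotected directories"
rm -rf "$tree"
```

Run `find_unprotected_dirs` on its own first to review the list before letting `protect_dirs` write anything. On Apache, `Options -Indexes` turns directory listings off at the server level and also covers directories created later.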
Get an SSL Certificate
The best thing you can do for your site is to get an SSL certificate for it. Google now gives SSL sites a higher priority in search results, and of course it protects your site.
SSL quite simply secures the connection between the user’s browser and the web server that hosts the website. Thus, it is very difficult for hackers to crack the connection and steal data.
There are two ways to get an SSL certificate. You can buy it, but you can also get it for free from Let’s Encrypt. Many web hosts now offer Let’s Encrypt as a free automated service.
Back up your WordPress website every day
Finally, if the worst comes to worst and you get hacked, you need a way to get your site up and running as quickly as possible. This is why you need a daily backup of all installation files.
The simplest solution for this is Jetpack, run by the same people who built WordPress. At just $3.50 per month per site, this is definitely the most economical option.
Conclusion
There are many other ways to lock down your website, but many of them involve complex coding or installing plugins with complex parameters. If you are just getting started on this topic, it is best to first cover the basics that I tried to cover here today.