When it comes to building a website, security should be a top priority. Unfortunately, even with the popularity and ease of use of WordPress, it is still vulnerable to security threats. That’s why it’s essential to take the necessary steps to ensure your website is secure, both for your own peace of mind and for the safety of your visitors and customers.
In this blog, we will learn:
• How to secure your WordPress site
• Installing Wordfence Security and configuring its important settings
• Cleaning infected files
• Protection measures against attacks and spam
• Securing your site and protecting it from hackers
If you run a website on WordPress, it is essential to ensure your site is secure. WordPress has many security features built-in, but some users find themselves with many security problems despite their best efforts.
After publishing your WordPress website, you might unexpectedly face a hacker attack at any time. For this reason, it is crucial to know how to take a complete backup and make the necessary security settings. Keeping your website secure is also essential for your visitors’ and customers’ security.
One of the most important things to consider when securing your WordPress website is to take regular backups. This way, if anything unexpected happens, such as a hacker attack, you’ll have a recent backup that you can restore your site from.
Another important step is to use a security plugin. A security plugin can help you identify and fix vulnerabilities on your site, and protect it against common threats such as malware and brute-force attacks.
WordPress Security - Wordfence Plugin Settings
One of the best plugins available is Wordfence. Wordfence offers a variety of features including real-time firewall rule updates, malware scanning, and two-factor authentication.
It also provides a detailed security report of your website, which makes it easy to identify potential vulnerabilities.
ACTION TIME:
Go to Plugins – Add New and search for “Wordfence Security.”
Wordfence Security – Scan
After installing your plugin, you can scan your website for potential threats.
The scan duration depends on the size of your site’s files.
After the scan completes, check for critical errors.
- REPAIR ALL REPAIRABLE FILES
WHEN YOU MAKE A CRITICAL CHANGE ON YOUR WEBSITE, DON’T FORGET TO TAKE A FULL BACKUP OF YOUR SITE AGAINST ANY POSSIBLE BAD SCENARIOS.
Please keep in mind that if you encounter any file with a .php extension under wp-content/uploads, you can safely go ahead and delete it.
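The check above can be scripted. The following is an added example (not Wordfence’s code) that walks an uploads directory and reports every file a PHP-enabled web server might execute; it assumes the usual PHP handler extensions and also flags double extensions such as photo.php.jpg, which Apache’s AddHandler-style configuration can still run as PHP, which is exactly why the “Disable Code Execution for the Uploads directory” option exists.

```python
import os
import re
import tempfile

# Extensions that PHP handlers commonly execute. The trailing group also catches
# "photo.php.jpg": with AddHandler-style Apache configuration, any ".php" segment in
# the name can be enough for the file to be interpreted as PHP.
PHP_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

def find_php_in_uploads(uploads_dir):
    """Return relative paths of files under uploads_dir that would be treated as PHP."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if PHP_EXT_RE.search(name):
                hits.append(os.path.relpath(os.path.join(root, name), uploads_dir))
    return sorted(hits)

def make_sample_uploads():
    """Constructed sample tree (hypothetical content): two benign files, three suspicious."""
    base = tempfile.mkdtemp(prefix="uploads-")
    for rel in ["2023/03/photo.jpg", "2023/03/brochure.pdf",
                "2023/03/shell.php", "2023/04/photo.PHP.jpg", "cache/index.phtml"]:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    return base

if __name__ == "__main__":
    for hit in find_php_in_uploads(make_sample_uploads()):
        print("executable file in uploads:", hit)
```

Run it against your real wp-content/uploads path instead of the constructed tree, and review each hit before deleting.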
Wordfence Security – Tools – Two-Factor Authentication
- You can set Two-Factor Authentication under the first tab. For this feature, you will need the PREMIUM version.
- You can monitor the Live Traffic of your site.
- You can block visitors.
Please remember that depending on your hosting plan, the Live Traffic option might slow your website.
Wordfence Security – Tools – Import/Export Options
You can export your current site’s settings and import them on another website. For this, copy and paste the token/code.
Wordfence Security – All Options
Where to Email Alerts: enter your email address
Check – Hide the WordPress version (don’t let hackers know your version)
Check – Disable Code Execution for the Uploads directory
Wordfence Security – All Options – Email Alert Preferences
Check any feature that you want to be notified of by Wordfence.
Wordfence Security – All Options – Advanced Firewall Options
Immediately block IPs that access these URLs
Most Common WordPress Attacks
Wordfence offers advanced firewall options to help keep your site safe from hackers. One of its key features is the ability to immediately block IPs that access specific URLs. This is especially useful for blocking known hacking attempts, such as those listed below. By entering these URLs into Wordfence’s firewall options, you can prevent hackers from probing your site for these known weaknesses.
Below are the URLs that hackers tried to access on my website:
http://yourdomain.com/demo
https://yourdomain.com/.aws/credentials
https://yourdomain.com/.env
https://yourdomain.com/.env.bak
https://yourdomain.com/.well-known/
https://yourdomain.com/?author=1
https://yourdomain.com/?author=2
https://yourdomain.com/?author=3
https://yourdomain.com/_profiler/phpinfo
https://yourdomain.com/1index.php
https://yourdomain.com/2020/wp-login.php
https://yourdomain.com/2index.php
https://yourdomain.com/admin.php
https://yourdomain.com/alfa.php
https://yourdomain.com/alfindex.php
https://yourdomain.com/aws.yml
https://yourdomain.com/backup/wp-login.php
https://yourdomain.com/backup/xmlrpc.php
https://yourdomain.com/blog/wp-login.php
https://yourdomain.com/blog/xmlrpc.php
https://yourdomain.com/boom.php?x=
https://yourdomain.com/cindex.php
https://yourdomain.com/config.bak.php
https://yourdomain.com/config.js
https://yourdomain.com/config.json
https://yourdomain.com/config.php
https://yourdomain.com/config/aws.yml
https://yourdomain.com/demo/xmlrpc.php
https://yourdomain.com/haders.php
https://yourdomain.com/index.php?3x=3x
https://yourdomain.com/info.php
https://yourdomain.com/larva.php?idb=
https://yourdomain.com/legion.php
https://yourdomain.com/moduless.php
https://yourdomain.com/new/wp-login.php
https://yourdomain.com/new/xmlrpc.php
https://yourdomain.com/old/wp-login.php
https://yourdomain.com/old/xmlrpc.php
https://yourdomain.com/old-index.php
https://yourdomain.com/phpinfo
https://yourdomain.com/phpinfo.php
https://yourdomain.com/phpunit/phpunit/src/Util/PHP/eval-stdin.php
https://yourdomain.com/phpunit/src/Util/PHP/eval-stdin.php
https://yourdomain.com/phpunit/Util/PHP/eval-stdin.php
https://yourdomain.com/site/xmlrpc.php
https://yourdomain.com/test.php?Ghost=send
https://yourdomain.com/up.php
https://yourdomain.com/upload.php
https://yourdomain.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
https://yourdomain.com/vendor/phpunit/phpunit/Util/PHP/eval-stdin.php
https://yourdomain.com/vendor/phpunit/Util/PHP/eval-stdin.php
https://yourdomain.com/web/wp-login.php
https://yourdomain.com/web/xmlrpc.php
https://yourdomain.com/wordpress/wp-admin/setup-config.php?step=1
https://yourdomain.com/wordpress/wp-login.php
https://yourdomain.com/wordpress/xmlrpc.php
https://yourdomain.com/wp/wp-login.php
https://yourdomain.com/wp/xmlrpc.php
https://yourdomain.com/wp-1ogin_bak.php
https://yourdomain.com/wp-admin/css/colors/sunrise/%20
https://yourdomain.com/wp-admin/network/
https://yourdomain.com/wp-admin/user/
https://yourdomain.com/wp-booking.php
https://yourdomain.com/wp-content/config.bak.php
https://yourdomain.com/wp-content/db_cache.php
https://yourdomain.com/wp-content/mu-plugins/db-safe-mode.php
https://yourdomain.com/wp-content/plugins/config.bak.php
https://yourdomain.com/wp-content/plugins/fancy-product-designer/inc/custom-image-handler.php
https://yourdomain.com/wp-content/plugins/ioptimization/IOptimize.php?rchk=
https://yourdomain.com/wp-content/plugins/super-forms/uploads/php/?max_file_size=1&accept_file_types=1
https://yourdomain.com/wp-content/plugins/t_file_wp/t_file_wp.php?test=hello
https://yourdomain.com/wp-content/plugins/ubh/up.php
https://yourdomain.com/wp-content/plugins/wpconfig.bak.php?act=sf
https://yourdomain.com/wp-content/plugins/wpdiscuz/themes/default/style-rtl.css
https://yourdomain.com/wp-content/themes/anthology/style.css
https://yourdomain.com/wp-content/themes/config.bak.php
https://yourdomain.com/wp-content/wp-1ogin_bak.php
https://yourdomain.com/wp-dbs.php
https://yourdomain.com/wp-includes/config.bak.php
https://yourdomain.com/wp-includes/css/wp-config.php
https://yourdomain.com/wp-includes/fonts/css.php
https://yourdomain.com/wp-includes/js/%20
https://yourdomain.com/wp-includes/lfx.php
https://yourdomain.com/wp-includes/small.php
https://yourdomain.com/wp-includes/wpconfig.bak.php?act=sf
https://yourdomain.com/wpindex.php?idb=
https://yourdomain.com/wp-json/wp/v2/users/
https://yourdomain.com/wp-login.php
https://yourdomain.com/xmlrpc.php
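The “immediately block” rule applied to the list above, as an added example that is not part of the original post or of Wordfence: it parses combined-format access-log lines (Apache/Nginx), blocks any IP that requests a known probe path (a subset of the list, with query strings stripped), applies the “blank User-Agent and Referer POST” rule from the brute-force settings, and checks a proposed block list for entries the site itself needs. The log lines are constructed samples using documentation IP ranges.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse
# Combined access-log format (Apache/Nginx); captures the fields the rules need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A subset of the probe URLs listed above, reduced to their path (query string dropped).
PROBE_PATHS = {
    "/.env", "/.aws/credentials", "/phpinfo.php", "/_profiler/phpinfo", "/boom.php",
    "/alfa.php", "/wp-1ogin_bak.php", "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
}
# Entries from the same list that the site itself depends on: blocking on first sight locks
# out the owner (wp-login.php), breaks pingbacks/Jetpack (xmlrpc.php) and ACME certificate
# renewal (/.well-known/). Requests to these are counted for the brute-force limit instead.
NEEDED_BY_SITE = {"/wp-login.php", "/xmlrpc.php", "/.well-known/"}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec

def evaluate(log_lines):
    """Return (blocked, login_hits): IPs to block now, and per-IP counts on rate-limited paths."""
    blocked, login_hits = {}, defaultdict(int)
    for line in log_lines:
        r = parse_line(line)
        if r is None:
            continue
        if r["path"] in PROBE_PATHS:
            blocked.setdefault(r["ip"], (r["path"], r["ts"]))
        elif r["path"] in NEEDED_BY_SITE:
            login_hits[r["ip"]] += 1
        elif r["method"] == "POST" and r["ua"] in ("", "-") and r["referer"] in ("", "-"):
            blocked.setdefault(r["ip"], ("blank User-Agent and Referer", r["ts"]))
    return blocked, dict(login_hits)

def check_block_list(urls):
    """Entries of a proposed block list whose path the site itself needs."""
    return [u for u in urls if urlparse(u).path in NEEDED_BY_SITE]

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:08:12:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.28"
203.0.113.7 - - [10/Mar/2023:08:12:02 +0000] "GET /boom.php?x= HTTP/1.1" 404 196 "-" "python-requests/2.28"
198.51.100.4 - - [10/Mar/2023:08:13:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "https://yourdomain.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2023:08:13:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://yourdomain.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2023:08:14:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 0 "" ""
""".splitlines()
```

Note that only the root-level /wp-login.php, /xmlrpc.php and /.well-known/ entries collide with normal operation; copies under /backup/, /old/ or /wp/ are safe to block on a site that has no install there.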
Wordfence Security – All Options – Brute Force Protection
It is crucial to leave this option ENABLED.
Immediately lock out invalid usernames
Enforce strong passwords
Don’t let WordPress reveal valid users in login errors
Block IPs that send POST requests with blank User-Agent and Referer
iThemes Security
iThemes Security is a powerful and popular WordPress security plugin that is actively used by over 1 million people in the WordPress world. This plugin is a great option for those looking to improve the security of their website, as it offers a variety of features to help protect your site from potential threats. You can review the iThemes Security plugin in detail here.
One of the features of iThemes Security is real-time visitor tracking. This feature allows you to see who is visiting your website in real-time, giving you valuable information about your audience and helping you identify any suspicious activity.
Another feature of iThemes Security is 2-factor authentication for login security. This feature adds an extra layer of security to your login process, making it much more difficult for hackers to gain access to your site.
The plugin also offers regular malware scans, helping you identify and remove any malware that may have infiltrated your system. Additionally, iThemes Security also offers protection against DDoS attacks and brute force attacks, helping to keep your site secure from these common threats.
One of the most important features of iThemes Security is the prevention of file editing from the WordPress dashboard. This feature ensures that no unauthorized changes are made to your site’s files, helping to keep your site safe from hackers and other malicious actors.
Overall, iThemes Security is an excellent option for those looking to improve the security of their WordPress website. With a variety of features including real-time visitor tracking, 2-factor authentication, malware scanning, and DDoS and brute force attack protection, this plugin is a great choice for anyone looking to keep their site safe and secure.
All In One WP Security and Firewall
The All In One WP Security & Firewall plugin is a popular choice among WordPress users and for good reason. It is actively used by over 1 million users, making it one of the most widely used security plugins for WordPress. This is a testament to its effectiveness and popularity among users.
One of the standout features of this plugin is its ability to secure your website’s login. It also performs regular database backups and checks the security of the user accounts on your site. In addition, it lets you instantly check your visitor traffic, which can help you detect suspicious activity.
Another great feature of this plugin is its ability to protect your website against brute force attacks. This is an increasingly common type of attack where hackers use automated scripts to repeatedly try different combinations of username and password in an attempt to gain access to your website. The plugin’s firewall support also allows you to back up and restore some of your important files.
You can review the All In One WP Security & Firewall plugin in detail here.
Sucuri Security
Sucuri Security is a popular choice among WordPress users and it’s easy to see why. With over 800,000 active users, it’s one of the most widely used security plugins for WordPress.
One of the standout features of this plugin is its ability to constantly monitor the traffic of your website. This can help you detect any suspicious activity and take the necessary steps to protect your website.
The plugin also includes a feature that can help you detect and remove malware. This is a crucial step in protecting your website and your visitors’ information.
Another great feature of Sucuri Security is its ability to protect your website against attacks such as DDoS and brute force. Brute force is an increasingly common type of attack where hackers use automated scripts to repeatedly try different combinations of usernames and passwords in an attempt to gain access to your website.
Sucuri Security also includes website firewall protection, DDoS protection and the ability to block IP addresses that are known to be associated with malicious activity. This can be a great way to prevent hackers from accessing your website and protect it from potential threats.
You can review the Sucuri Security add-on in detail here.
In conclusion, it’s important to take security seriously when building a website on WordPress. By regularly taking backups, making the necessary security settings, and using a security plugin such as Wordfence, iThemes Security, All In One WP Security and Firewall, or Sucuri Security, you can help protect your website from a variety of security threats. Each of these plugins offers a wide range of features, such as malware scanning, firewall protection, and two-factor authentication. It is important to research and compare the features of these plugins to choose the one that best suits your needs, and to update them regularly so they stay current with the latest security measures. Remember, keeping your website secure is not only essential for your own peace of mind but also for the safety of your visitors and customers.