How to protect Wordpress from hacking?

Hi,

I'm pretty much a beginner with Wordpress, but I've been coding sites for years.
Once I made a small Wordpress site and it was hacked in a matter of days, content completely eliminated. Now I want to prevent this from happening.

What can I do?

What I first did when installing Wordpress was to changed the "wp" folder into some strange name. As I know, hackers often go for the "wp" name.

What others tips could you give me?

 

Here are a few tips.

1. don't use a nulled theme
2. use plugins from companies that have been around for some time
3. keep Wordpress updated as well as the plugins
4. Change the user name to something different than admin and use a more secure password
5. use a program like word fence to help block attempt into logging into your site.

Hope this helps.

 

No matter what you do, Turdpress CANNOT be made hack-proof. Too damn much UNTESTED bloated code involved for anyone to plug every hole.

Since you have been coding sites for years, why are you migrating to something like Turdpress? Why not keep coding yourself where YOU have COMPLETE control over security?

 

I am moving to Wordpress to make things easier: post content faster, easier.

I know about some limitations and disadvantages, but I just have to keep up with the trends. I also want to learn to master Wordpress.

 

Good luck. You will need it.

I tried several different site "designers" years ago and finally got so frustrated with them that I went the opposite direction you are going, and have never regretted it. I wrote my own program to build and maintain my website. When I don't like something, or need to add a feature, I simply modify my program. My program will not do what Turdpress does and Turdpress cannot do what I need done.

I typically add/modify 200 pages PER DAY for my website, something that NO off the shelf CMS can nor will ever do. Before I wrote my own program, I seldom could maintain even 5 pages per day. Now I can do 40 times as much in the same time.

Basically I have TOTAL control with my program, so if an issue raises its ugly head, I can swat it, then go back to work taking care of my customers.

If an issue arises in Turdpress, it often means spending HOURS trying to fix the problem, then once that problem is fixed, discovering that the fix created another problem needing to be fixed.

You are a coder. As such I don't understand why you simply do not write your own website manager and leave the Turdpress bugs for others to swat.

 

- disable user registration, if you dont need it.
- put login lockdown to prevent login bruteforce.
- use well known and secure hosting provide or server.

 

Wordfence is a great security plugin for WordPress.

 

Most points are covered, just make sure to use Cloudlinux to help improve server end security

 

I thought similarly, but I was coding every article manually and it was frustrating to write even a single article per day. Let alone, upload it via FTP.

Then, responsive designs became popular and then more and more requirements and features appeared on the market.

I saw amateurs (who had no idea of online marketing or SEO) pass me by with their "install 'n' publish" Wordpress sites. They cosmetized them along the way and they do a heck-of-a-lot more than I did in a lot less time. It took them 3 weeks to do what I needed 3 months for.

Then it became obvious I needed some automatization (yes, I disliked Wordpress a lot and specifically avoided it, therefore I coded).

I need to swap for Wordpress CMS, because:
- I just post 'n' it's up! (no long coding for 6+ hours to publish 3-5 articles per day), an article can be done in 15-45 minutes (mine are rather complex with a bunch of images)
- I can program posts for weeks in advance (the system keeps posting even while I'm away or busy)
- a few modifications can propagate to the entire site...
- creating responsive sites is easier
- etc.

But yes, I know a plethora of limitations apply, it's easier to hack etc. etc. Well, I guess I have to adapt and work something out for that.

The negative aspect of this all is that besides trying Wordpress about 9 years ago, I haven't been on the platform ever since and moving a 500+ page complex site with its own arborescent structure without ruining the original pages/extensions is... well,... not easy.

 

Don't make your config.php world readable

 

Where is that file? What does it do and how do I block it from being readable?

 

The wp-config.php is located in the main directory. Permission can be changed based on your hosting account. More info here (just do a quick search for wp-config.php);

https://codex.wordpress.org/Changing_File_Permissions

 

Below are some tips to prevent your WordPress website from hacking:
Change your username and password: Avoid using "admin" as your username, instead use irrelevant user name or something that you will remember. For password, select a small sentence, pick the initials of the words in that and mix and match those with numbers and symbols.
Create a website lockdown and ban users: You can create a lock for your website which will keep the outsiders away by giving them failed login attempts. In simple manner, if the hacker tries to login to the website with wrong passwords, your site will get locked and you will receive the notification for this.
Use email for log-in: You should use email address for log-in as those can't be easily identified as the usernames.
Protect your wp-admin directory: The wp-admin directory is the main part of your WordPress website. So, make sure you password protect it.
Take website backup regularly: It is important that you take your website backup regularly so that even if there is any issue you will have your backup maintained.

 

1. Never Use Nulled Themes & Plugins
2. Keep Your WordPress Updated
3. Remove the Plugins not updated for a longtime
4. Use the Plugins & Themes after check the Ratings, Reviews & Installation Count
5. Use Different Usernames like A-dmin
6. Use CloudFlare
7. Use Strong Passwords like NAME#web$156% or Generated Passwords
8. Don't use the same username & password on the websites you are going to register as a user

 

Hi mate, the most secure action you should take prior to seeking any other security methods is taking regular backups for your site(better offsite backups). It's also the easiest and cost-efficient way to make sure your site is on the safe side.
Shamefully I would recommend you to give my backup plugin - WPvivid Backup/Restore a try. It's fully featured and is super easy to use. And most importantly, it's completely free(free update and support). You can find it at WordPress plugin repository: https://wordpress.org/plugins/wpvivid-backuprestore/
I hope you'll find it helpful.

 

Everyone covered just about everything. I'll add that vulnerability scanning is another method. If you keep the core and plugins updated with security plugins blocking attackers then scanning will be insurance. For the people that built their own sites, XSS is pretty easy to overlook without constant scanning.

 

There are mentioned lots of security trips.i'm just saying which are still not mentioned.
Disabled wp-login
Disable directory browsing
Use Plugin file change restrictions
Use Security code .htaccess
Security scan and correct error file.

 

I will brief in detail about this..
To protect your site there are two levels
Application Level & Server Level
If a person somehow tries to gain access to wordpress application by content injection or SQL Injection then he can mess with application at application level not at server level. Which mean he cant delete the server data that is wordpress application but he can delete media,post and pages. To counter this level, i have used itheme security because of bruteforceprotection, ipblacklist, 2FA, session hijacking protection and there are many more good features. It can also change login url which can be good for security.
If you implement security at server level, that can be by
implementing SSL that can secure websites from attacks (Cloudflare is doing a great work in this)
Implementing mod security rules that can protect from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts

 

Anyone have experience with either Wordfence or Sucuri Security Plugins? I'm not too savvy on the CPanel/Server Side aspect of hosting, tho I have my own shared hosting account. I'd prefer to have a plug & play security software handle it best, without me resorting to 'Malicious Malware Detected' emails coming thru, and me resorting to a backup (cause how will I know the malware isn't in the backup too?)

Anyway, are they worth it & accurate, even if a paid version, for the peace of mind?

Alternatively, are there any methods via most larger hosting companies (GD, Hostgator etc) or in CPanel that could address this internally, or would a 3rd party plugin be needed?

 

@PASnow I use both free versions of Wordfence and Sucuri. The reason I use multiple free versions is Sucuri doesn't offer a firewall unless you pay. Sucuri also doesn't have a central management feature which is not a deal breaker unless you manage multiple sites. Wordfence does offer a free central management dashboard which is nice. In my case Wordfence covers the firewall while Sucuri covers changes to the file system. They both overlap in many areas, but I just disable the redundancy. I trust both plugins for what I have them setup for such as notifications when a post changes, admin log-ins, or when a core file is changed.

I also started tested WP Cerber which found very clean and useful; however, not ready to replace Sucuri. I'm also working with WPScan which shows plugin vulnerabilities - very nice feature, but you have to register for an API key.

The bottom line is I feel safe with Wordfence, Sucuri, and WPScan. I'm sure there is a speed hit, but I'd rather have full coverage.