1. Update WordPress
2. Update themes and plugins
3. Use unique and strong passwords
4. Securing wp-admin & wp-includes
5. Securing wp-config.php
6. Disable file editing in WordPress admin
7. Use a web application firewall (WAF)
8. Security through obscurity
9. Data backup
10. Block user-enumeration
11. Rest API disabled via functions.php
12. Disable XML-RPC in WordPress using .htaccess file
1. Update WordPress
The latest version of WordPress is always available from the main WordPress website at
https://wordpress.org.
Since version 3.7, WordPress has featured automatic updates. Use this functionality to ease the
process of keeping up to date.
2. Update themes and plugins
While updating the WordPress core, don’t forget to update your themes and plugins too. Hackers
are particularly fond of old themes and plugins with known security holes.
Update plugins
Update theme
When we select plugins, normally we should check;
• Plugin reviews
• How many users used that plugin
• Previous vulnerabilities
We can recommend the contact form plugin, WAF, backup plugin, and security plugin for use.
❖ WAF – wordfence plugin
❖ Contact form plugin – wp forms
❖ Backup plugin – updraft
These recommendations can change with time.
When we use a plugin, we should go to https://wpvulndb.com/ and search for checking their
vulnerabilities.
3. Use unique & strong passwords
Many potential vulnerabilities can be avoided with good security habits. A strong password is
an important aspect of this.
Things to avoid when choosing a password:
▪ Any permutation of your own real name, username, company name, or name of your
website.
▪ A word from a dictionary, in any language.
▪ A short password.
▪ Any numeric-only or alphabetic-only password (a mixture of both is best).
How to change a password in a WordPress account.
4. Securing wp-admin and wp-includes
Adding server-side password protection to /wp-admin/ adds a second layer of protection around
your blog’s admin area, the login screen, and your files. This forces an attacker or bot to attack
this second layer of protection instead of your actual admin files.
The second layer of protection can be added where scripts are generally not intended to be
accessed by any user.
One way to do that is to block those scripts using mod_rewrite in the .htaccess file.
This
should place above the line # BEGIN WordPress
5. Securing wp-config.php
If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to
anyone surfing for it:
6. Disable file editing in WordPress admin
The WordPress dashboard by default allows administrators to edit php files, such as plugin and
theme files.
Plugins ->Plugin Editor
This is often the first tool an attacker will use if able to login, since it allows code execution.
How to disable file editing in WordPress
After entering that line of code
This will not prevent an attacker from uploading malicious files to your site, but might stop some
attacks.
7. Use a web application firewall (WAF)
There are many plugins and services that can act as a firewall for your website.
We recommend wordfence plugin for this because others can have some security issues.
Wordfence plugin installation
When we select the WAF plugin, we should check:
• Features they provide
• Updates frequency Special for something like this
▪ Blacklist (IP range allowed).
▪ Whitelist (IP range allowed).
• Dynamic blacklist.
• Events recording which can be viewed by admins from the back end.
• Alert of strict mode.
• File integrity checker
• Malware scanner
8. Security through obscurity
Rename the administrative account
When creating an administrative account, avoid easily guessed terms such as admin or webmaster as
usernames because they are typically subject to attacks first.
9. Data backups
No matter the size of your WordPress website, finding a way to keep it safe from issues such as updates
gone wrong, hacking, user error, and crashes should be of the utmost importance.
How to backup a WordPress site with an easy-to-use, free backup plugin. we recommend UpdraftPlus
plugin for taking backups.
Step 1
10.Block user-enumeration
• Via functions.php
Add the following code to your theme’s functions file:
// block WP enum scans
// https://m0n.co/enum
if (!is_admin()) {
// default URL
format
if
(preg_match('/author=([0-9]*)/i', $_SERVER['QUERY_STRING'])) die();
add_filter('redirect_canonical',
'shapeSpace_check_enum', 10, 2);
}
function shapeSpace_check_enum($redirect, $request) {
// permalink URL
format
if
(preg_match('/\?author=([0-9]*)(\/*)/i', $request)) die();
else return
$redirect;
}
• Via .htaccess
Add
the following code to the site’s root .htaccess file.
# Block User ID Phishing Requests
<IfModule mod_rewrite.c>
RewriteCond
%{QUERY_STRING} ^author=([0-9]*)
RewriteRule .*
http://example.com/? [L,R=302]
</IfModule>
11.Rest API disabled via functions.php
Add the following code to your theme’s functions file (Wp-content/ themes/ functions.php ):
12.Disable XML-RPC in WordPress using .htaccess file
Add the following code to the site’s root .htaccess file.
0 Comments