WordPress Site Protection

If you want to create a website on WordPress, you automatically fall into the category of potential hacking. This happens because the source code of the WordPress engine is open and absolutely anyone can view it, including a hacker who will easily find potential vulnerabilities. To increase the degree of protection of your page, you need to perform just a few simple actions:

• Replacing the login. The first mistake that bots find is admin logins. To fix this, you need to create a new account under a different name, and then delete the admin account.
• “Work magic” with your password. Most often we use the same, or very similar, password to log into all systems. This is what attackers take advantage of. To complicate their work, use complex passwords that will consist of capital and lowercase letters, punctuation marks, and numbers. The more complex it is, the more chances your site has to withstand a mass hacker attack.
• Update WordPress. Using outdated scripts is often the reason for hacking. When logging into the WordPress admin panel, you will constantly receive messages about the release of new updates. This information will be displayed right on the main page of the control panel. This will significantly increase the security level of the site.
• Avoid free themes. We all know that free cheese only comes in a mousetrap, but we can’t resist the temptation. It is free themes that can carry viruses, which will subsequently bring many problems.
• Avoid paid plugins that can be downloaded completely free, as they likely contain a “Trojan horse” that will subsequently provide the hacker access to your site.
• Create backups. Just one “successful” hacker attack is enough to ruin the work of even a protected and stable site. So as not to clutch your head later and think about how to solve the problem, don’t be lazy and create backups. Moreover, most hosting companies provide this service by default.
• Update antivirus on your PC. When uploading files to the site from your own computer, don’t forget that they can also be infected. To avoid this, constantly update your antivirus program and clean your PC.
• Connection via secure protocol. To ensure maximum protection of your site, upload files via SFTP. If your hosting does not allow this procedure, contact a more secure provider.
• Ensuring the security of configuration files. You can increase the level of protection of your site by adding just one .htaccess file. If you don’t have this file, just create a text file with that name. The code below, if you place it in the .htaccess file, will not give the attacker the login to the database in case of PHP malfunctions.

  <Files wp-config.php> order allow, deny deny from all </Files> <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule>

  <Files wp-config.php> order allow, deny deny from all </Files> <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule>

• Protect your directories. Using the same .htaccess file, you can protect your directories from unwanted viewing. To do this, you need to add the directive:

  Options -Indexes

  Options -Indexes

• Secure the .htaccess file. Of course, many will think that no one will change this file. But it is the foundation of your site’s security, so it’s better to provide it with decent protection. Therefore, “lock all the doors” and enter the code:

  <files .htaccess> order allow, deny deny from all </files>

  <files .htaccess> order allow, deny deny from all </files>

• Set restrictions on accessing the site admin panel only from specific IP addresses. To do this, place this code in the .htaccess file:

  AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic order deny, allow deny from all allow from xx.xxx.xxx.xxx //where xx.xxx.xxx.xxx is the IP address that is allowed access

  AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic order deny, allow deny from all allow from xx.xxx.xxx.xxx //where xx.xxx.xxx.xxx is the IP address that is allowed access

  It should be noted that this method will not work if you have a dynamic IP address.

• Set limits on login attempts. To crack a password, even a not very complex one, it is necessary to make several login attempts. If you configure the system correctly, the hacker will be blocked after the second failed password entry attempt.
• Prohibit the ability to trace the HTTP header. To do this, add the code to the .htaccess file:

  RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F]

  RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F]

• Protection from SQL injections. Such attacks are recognized as the most common according to WordPress statistics. To “leave the hacker empty-handed,” enter these lines in the .htaccess file:

  RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC, OR] RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0 - 9A-Z]{0, 2}) [OR] RewriteCond %{QUERY_STRING}_REQUEST(=|\[|\%[0 - 9A-Z] {0,2}) RewriteRule ^(.*)$ index.php [F.L]

  RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC, OR] RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0 - 9A-Z]{0, 2}) [OR] RewriteCond %{QUERY_STRING}_REQUEST(=|\[|\%[0 - 9A-Z] {0,2}) RewriteRule ^(.*)$ index.php [F.L]

To avoid racking your brain and significantly ease your life, seek help from specialists at UkrHost company, who will quickly and efficiently perform this work!