16-step checklist for WordPress site security

The importance of strong site security cannot be overstated. When you are racing to meet a deadline, making sure the WordPress site is properly protected may not feel like the top priority, so we put together a checklist to make sure nothing necessary gets missed. With more than 2 billion websites out there, it is easy to see why many people assume theirs is in no danger of being hacked, and if you have never been the victim of an attack, the possibility may not worry you. However, it is better to have the right protection in place and never need it than to have none and regret it.

We created a 16-step checklist to work through when protecting a site. It makes security easy to set up.

1. Choose secure hosting
2. Mask the login URL
3. Use a password manager
4. Enable two-factor authentication
5. Use login lockout
6. Set up a WAF
7. Harden the site with security plugins
8. Use plugins to automate tasks
9. Take measures against DDoS attacks
10. Regularly check for inactive accounts
11. Protect the wp-config file
12. Get an SSL certificate for the site
13. Prevent hotlinking
14. Block spam comments
15. Visit your site regularly
16. Consider a static site
1. Choose secure hosting

Choosing secure hosting reinforces every other step in this article, whereas using cheap shared hosting is like fitting a reinforced super-titanium front door and leaving the key under the porch mat. Do not make it easy for unwanted visitors (sorry, Devman!). Even leaving security aside, shared hosting has enough disadvantages to give most people pause, but that is a whole subject in itself; to learn more about the pros and cons, read our article on choosing the type of hosting that best suits your needs. The biggest drawback may well be the lack of security: the server can be compromised through a vulnerability on someone else's site, and your site gets attacked through no fault of your own.

Hosting companies take every precaution to stop such attacks from spreading, but since the sites live on the same server, that is not always possible with shared hosting. If you do not want to worry about what is happening on your server, choose VPS or dedicated hosting. WPMU DEV hosting gives you dedicated memory, CPU and SSD storage that is independent of other sites, including the other sites you host with us!

Pro tip: choose a hosting provider known for strong security, and don't skimp on the price. It is better to spend a little more on good hosting than to be attacked because a cheap host let the hackers in. Take advantage of the features your host provides, such as automatic backups, a WAF and blocking of suspicious IP addresses.

2. Mask the login URL

The login page has little security of its own, and there are plenty of hackers trying it. You may only run a small website for the local village yacht club, but that does not mean it is safe from hackers.
Malicious bots scan the internet for vulnerable websites, and they do not discriminate; any site with a reachable WordPress login page is fair game for them.

Masking the login URL is easy to activate in Defender: you just choose a new slug for the login URL. Make sure you record the new URL! You can also choose a page to redirect anyone who tries to reach the old wp-admin link to. Not today, robot!

3. Use a password manager

There are two main rules for passwords. A password must be of adequate length and contain a mix of character types, and you must never reuse the same password across more than one account. A password manager is the best way to follow both rules, because remembering every password yourself is all but impossible.
LastPass and 1Password are two of the best password managers on the market; they generate and store complex passwords for all your accounts, and you only need to remember one strong, secure master password. They take care of the rest.

4. Enable two-factor authentication

A long, complex password may look impressive, but unfortunately a 15-character string standing between your data and a crafty hacker is not always enough. Two-factor authentication ties a phone or other device to your WordPress account so that nobody can log in without also entering a one-time code. Defender supports Google Authenticator, Microsoft Authenticator and Authy for this.

Once it is set up for each user account, anyone who gets past the username and password screen is prompted to open their authenticator app and enter the code. A password alone will not get you in! This makes it almost impossible for a hacker to break into the site without having the username, the password and the mobile device. To put this in perspective: on a site I use only for testing plugins and themes, bots try to log in an average of 40 times a day. These are bots whose only job is to try password combinations and hope one gets them in, and if just one attempt succeeds they can have full access to your site.
You can see these attempts in Defender's audit log. No matter how many attempts fail, the bots never give up! My site is obscure and not open to the public, yet it is still on the radar of malicious bots. My password is very secure, but without two-factor authentication enabled I would be far more worried.

Pro tip: using a unique password for every account helps you identify the source of a compromise if a password is leaked. Set up a backup email address so that losing your mobile device does not lose you access to the site. If you forget the masked login URL, you can look it up in the database. For extra security you can remove the password reset link from the login page with a plugin such as Branda.

5. Use login lockout

Defender's Login Protection keeps intruders out of your site, and it has several extra tools on its belt.
Login lockout can be configured to stop hackers from brute-forcing their way into accounts with password combinations. Choose the maximum number of login attempts allowed within a given time, and display a custom message to anyone who exceeds the limit. You can also choose whether to apply a temporary lockout or a permanent ban. IP addresses can be banned immediately from Defender's logs: if you see repeated attempts from the same IP, click Ban IP. IPs can also be banned in bulk. Just make sure the IP you ban is not your own, or you will lock yourself out of your site completely (your support team will thank you for that).

Defender provides other ways to manage suspicious IP addresses too; this document describes them in detail.

Pro tip: add your own IP to the allowlist to avoid accidentally locking yourself out. If you detect a large number of login attempts from a specific country or region, you can use Defender to block every IP address from that country or region.

For user accounts, avoid usernames like admin or administrator.
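As an added example (not code from the original article or from Defender; the class names, thresholds and sample IP addresses are assumptions), the following shows the decision logic behind a lockout feature like the one described above, run over constructed login events: a fast brute-force burst that gets locked and then permanently banned, a slow bot that stays under the threshold, an allowlisted site owner who cannot lock themselves out, and a real user whose successful login resets the count.

```python
# Added example: the decision logic behind a login-lockout feature, run over
# constructed sample events. Not code from the article or from the Defender
# plugin; class names, thresholds and the sample IPs are assumptions for the demo.
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, Iterable, List


@dataclass
class AuthEvent:
    ts: int          # Unix time of the login attempt
    ip: str
    username: str
    success: bool


class LoginLockout:
    """Sliding-window lockout: `max_attempts` failures within `window` seconds locks the
    IP for `lockout` seconds; the `ban_after`-th lockout bans it permanently.
    Allowlisted networks are never locked, so the site owner cannot lock themselves out."""

    def __init__(self, max_attempts: int = 5, window: int = 300, lockout: int = 900,
                 ban_after: int = 3, allowlist: Iterable[str] = ()):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.ban_after = ban_after
        self.allowlist = [ip_network(net) for net in allowlist]
        self.failures: Dict[str, Deque[int]] = defaultdict(deque)  # recent failure timestamps per IP
        self.locked_until: Dict[str, int] = {}
        self.lockouts: Dict[str, int] = defaultdict(int)           # how often each IP was locked
        self.banned: set = set()

    def is_allowlisted(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def check(self, event: AuthEvent) -> str:
        """Return 'allow', 'locked' or 'banned' for this attempt and update the state."""
        if self.is_allowlisted(event.ip):
            return "allow"
        if event.ip in self.banned:
            return "banned"
        until = self.locked_until.get(event.ip)
        if until is not None and event.ts < until:
            return "locked"                      # even a correct password is refused while locked
        if event.success:
            self.failures.pop(event.ip, None)    # a real login resets the failure count
            return "allow"
        recent = self.failures[event.ip]
        recent.append(event.ts)
        while recent and recent[0] <= event.ts - self.window:
            recent.popleft()                     # drop failures that fell out of the window
        if len(recent) < self.max_attempts:
            return "allow"
        recent.clear()
        self.lockouts[event.ip] += 1
        if self.lockouts[event.ip] >= self.ban_after:
            self.banned.add(event.ip)
            return "banned"
        self.locked_until[event.ip] = event.ts + self.lockout
        return "locked"


def sample_events() -> List[AuthEvent]:
    """Constructed login attempts using documentation IP ranges, not real log data."""
    T = 1_700_000_000
    ev: List[AuthEvent] = []
    # Brute-force bot: 5 failures in 40 s, keeps hammering, returns after each lockout expires.
    ev += [AuthEvent(T + 10 * i, "203.0.113.7", "admin", False) for i in range(5)]
    ev.append(AuthEvent(T + 60, "203.0.113.7", "admin", False))
    ev += [AuthEvent(T + 1000 + 10 * i, "203.0.113.7", "admin", False) for i in range(5)]
    ev += [AuthEvent(T + 2000 + 10 * i, "203.0.113.7", "admin", False) for i in range(5)]
    ev.append(AuthEvent(T + 3000, "203.0.113.7", "admin", True))   # guessed it at last, but banned
    # Low-and-slow bot: one failure every 200 s never reaches 5 inside a 300 s window.
    ev += [AuthEvent(T + 200 * i, "203.0.113.8", "editor", False) for i in range(8)]
    # Site owner on the allowlisted office range fat-fingers the password six times.
    ev += [AuthEvent(T + 5 * i, "198.51.100.20", "owner", False) for i in range(6)]
    # Ordinary user: two typos, then success.
    ev += [AuthEvent(T + 1, "192.0.2.10", "alice", False),
           AuthEvent(T + 2, "192.0.2.10", "alice", False),
           AuthEvent(T + 3, "192.0.2.10", "alice", True)]
    return sorted(ev, key=lambda e: e.ts)


def run_sample(allowlist: Iterable[str] = ("198.51.100.0/24",)) -> Dict[str, List[str]]:
    """Feed the sample events through the lockout and return the decisions per IP."""
    guard = LoginLockout(allowlist=allowlist)
    decisions: Dict[str, List[str]] = defaultdict(list)
    for event in sample_events():
        decisions[event.ip].append(guard.check(event))
    return dict(decisions)


if __name__ == "__main__":
    for ip, verdicts in run_sample().items():
        print(ip, " ".join(verdicts))
```

Run with an empty allowlist, the owner's fifth typo locks their own IP: that is the self-lockout the support team warns about, and the reason the allowlist check comes before everything else. The slow bot shows the limit of lockouts on their own: an attacker who spreads attempts over long intervals or many IPs never trips the threshold, which is why lockout is one layer alongside two-factor authentication rather than a replacement for it.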
It is also recommended that you take a manual backup on a regular basis and keep it stored locally. When it comes to site security, you can never be too safe!

9. Take measures against DDoS attacks

A DDoS (distributed denial of service) attack is one in which a site is taken offline by flooding it with excessive traffic. It is carried out by a network of computers (sometimes the machines of ordinary people, infected with malware) that the attacker has assembled for the purpose.

11. Protect the wp-config file

Add the following to your .htaccess to deny web access to wp-config.php (on Apache 2.4 the equivalent inside the same Files block is Require all denied):

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Pro tip: you can take this a step further by blocking access to .htaccess itself as well!

12. Get an SSL certificate for the site

An SSL certificate lets a visitor's browser check the site's credentials and confirm that the site it has reached is the intended destination. This helps prevent domain spoofing and similar attacks. A connection protected by an SSL certificate is more reliable and secure, and leaves a better impression on customers, because the SSL certificate is what upgrades a plain HTTP connection to HTTPS.
13. Prevent hotlinking

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?youtube\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F]

This is the code you need if your site runs on an Apache server. Replace example.com with your own domain; the rules refuse image requests whose referer is set but is neither your site, Google nor YouTube, while requests with no referer (direct visits, many browsers and feed readers) are still allowed.

location ~ \.(gif|png|jpeg|jpg|svg)$ {
    valid_referers none blocked ~\.google\. ~\.bing\. ~\.yahoo\. yourdomain.com *.yourdomain.com;
    if ($invalid_referer) {
        return 403;
    }
}
Use this code if your site runs on an nginx server.

Pro tip: you can also protect your images with a plugin that offers hotlink protection, or with a CDN. Adding a copyright notice to your theme's footer also discourages people from trying to steal images.

14. Block spam comments

Spam comments on your blog are not just depressing, they are a security risk. Many spam comments contain malicious links that can trick visitors into handing over personal information. You may not be the intended target of these attacks, but you have an obligation to keep your visitors safe. If you get a lot of spam, there are two options: turn comments off, or install an anti-spam plugin. If you choose the latter, Akismet may be all you need. Every comment and form submission on the site is run through its global spam database to stop malicious content reaching your site, and it is free to run! On top of that, Defender ships with reCAPTCHA to protect default WordPress features such as the login page and blog comments.

15. Visit your site regularly

Sometimes the simplest measures produce surprising results. If your site is hacked and your content is defaced, one look at it will tell you within seconds. Visiting your site from a customer's perspective also confirms that it is not only secure but accessible and looks good. So, after your coffee, sit down and browse the site like an ordinary visitor would.

Pro tip: remember to view the site logged in, logged out and in incognito mode!

16. Consider a static site

If your site needs little user input compared with an e-commerce store or a busy blog, that is, a site used mainly for sharing information, it may be worth switching to a static site. A static copy of the site's files is generated and served from the server (it can be delivered as a zip bundle), which means the actual WordPress installation can be safely hidden out of the reach of bots and hackers.
Although this is not a suitable route for many sites, if you want to look into it, check out services such as Strattic or Simply Static.

Better safe than sorry

We know that implementing all of these extra steps may look like tedious work. Fortunately, most of the items on the list are handled automatically: the plugins run quietly in the background and do the heavy lifting, so once the security of a new site has been set up it does not need much ongoing manual effort. When you have other aspects of the site to worry about, security tends to get pushed into the background, and hindsight is a wonderful thing. I hope that if you take the time to implement proper security procedures for your site now, you will never have to face the frustration of a hacked site and wish you had taken precautions sooner. Do you have any go-to plugins or tips when setting up security on a new site? Let us know!
