Educational - Wordpress Security Course - UDEMY

TIPS TO MAKE WEBSITE SECURE

1) Never choose "admin" or the owner's name as your WordPress admin username, because hackers can search your bio and guess the username that way; knowing the username already gives them about 50% of the work done. Keep the WordPress-generated password rather than a simple one. You can always check how strong your password is here ->  https://www.security.org/how-secure-is-my-password/  . Guessing usernames and passwords is the most common attack on websites.

2) Another way to find the admin username is "website_url/?author=1", which redirects to "website_url/author/user-name". Example =  https://experiencehouse.co/?author=1  . We are protected here because I believe WP Engine has already implemented a fix, so this link doesn't work for us. Hackers also try to find the admin username from blog pages. For example, on this page ->  https://www.rocknarbor.com/blog/  "A.J. Weinel" is the admin of the website, and that can help hackers. If the displayed author name is the login username this is risky, so never display the username; display the first name and last name instead.
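As an added example (not from the course and not WP Engine's fix), here is one way to close the gaps described in this point with core WordPress hooks alone: the /?author=N redirect is refused for anonymous visitors, the REST API users route (which exposes the same author slugs) is hidden from them too, and any account whose public display name still equals its login name gets "First Last" instead. The ex_ function names and the site-specific plugin file this is meant to live in are assumptions.

```php
<?php
/**
 * Added example (not part of the course notes): mitigations for author
 * enumeration. Place in a site-specific plugin or the theme's functions.php.
 * Names prefixed ex_ are our own.
 */

// 1) Refuse /?author=N for visitors who are not logged in. WordPress would
//    otherwise redirect it to /author/<login-name>/ (redirect_canonical is
//    hooked on template_redirect at priority 10), so run before that.
add_action( 'template_redirect', function () {
    if ( ! is_user_logged_in() && isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 2) The REST API lists users with published posts at /wp-json/wp/v2/users;
//    remove that route for anonymous requests so it cannot serve as a
//    second source of login names.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 3) The public display name must never equal the login name. When an
//    account is created or edited with display_name == user_login and it
//    has a first/last name, store "First Last" instead. wp_update_user()
//    fires profile_update again, but on that pass the names differ, so
//    there is no loop.
function ex_fix_display_name( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user || $user->display_name !== $user->user_login ) {
        return;
    }
    $full = trim( $user->first_name . ' ' . $user->last_name );
    if ( '' === $full ) {
        return; // nothing better to show yet; an admin still has to set a name
    }
    wp_update_user( [ 'ID' => $user_id, 'display_name' => $full ] );
}
add_action( 'user_register', 'ex_fix_display_name' );
add_action( 'profile_update', 'ex_fix_display_name' );
```

The author archive itself (/author/first-last/) stays reachable, which is fine once the slug is no longer the login name; what this removes is the numeric-ID lookup that maps straight to it.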

3) Don't let hackers know when they have the right username or password: remove the error message on the WordPress login form. The default message says exactly what is wrong, i.e. whether it is the username or the password that is incorrect.

4) Limit login attempts. The Jetpack plugin has a free brute-force protection feature.
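As an added example (not from the course, and not Jetpack's code), here is how points 3 and 4 can be implemented together with core WordPress APIs only: every login-form error is replaced with one generic message, and failed attempts are counted per client address in a transient, with the address locked out once it passes a limit. The ex_ names, the constants and the limits (5 attempts, 15 minutes) are assumptions.

```php
<?php
/**
 * Added example (not part of the course notes): harden wp-login.php with
 * the two measures from points 3 and 4 using only core WordPress APIs.
 * Constants and ex_ functions are our own; the limits are assumed values.
 */

const EX_MAX_ATTEMPTS    = 5;    // failed attempts allowed per client address
const EX_LOCKOUT_SECONDS = 900;  // counting window and lockout length (15 minutes)
const EX_LOCKOUT_MESSAGE = 'Too many failed login attempts. Please try again later.';

// Point 3: the default messages say whether the username or the password
// was wrong. Replace every login-form error with one generic message,
// except our own lockout notice, which deliberately stays readable.
add_filter( 'login_errors', function ( $message ) {
    if ( false !== strpos( $message, EX_LOCKOUT_MESSAGE ) ) {
        return $message;
    }
    return 'Invalid username or password.';
} );

// Client address. REMOTE_ADDR is the safe default; only substitute a proxy
// header if a trusted reverse proxy in front of PHP is known to set it.
function ex_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ex_attempts_key() {
    return 'ex_login_fail_' . md5( ex_client_ip() );
}

// Point 4: count failures per address in a transient that expires by
// itself. A refused (locked-out) attempt counts too, so hammering the form
// keeps extending the lockout.
add_action( 'wp_login_failed', function () {
    $key   = ex_attempts_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EX_LOCKOUT_SECONDS );
} );

// Once the address is over the limit, turn any authentication result into
// an error. Priority 31 runs after the core username/password and cookie
// checks (priorities 20 and 30), which would otherwise overwrite an earlier
// error. The empty-username case is skipped: wp-login.php calls
// wp_signon() with empty credentials on a plain GET of the page.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' !== (string) $username
        && (int) get_transient( ex_attempts_key() ) >= EX_MAX_ATTEMPTS ) {
        return new WP_Error( 'ex_locked_out', EX_LOCKOUT_MESSAGE );
    }
    return $user;
}, 31, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( ex_attempts_key() );
} );
```

Because the counter is keyed on REMOTE_ADDR, a site behind a CDN or reverse proxy must first make PHP see the real client address; otherwise every visitor shares one counter and one lockout.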

5) File permissions. The lower the numbers, the more secure the file. Nothing should be 777. The wp-config file should be 750. Use the most restrictive permissions that work with your host: directories should be 750 or 755, files should be 644 or 640. WP Engine takes care of this very well.

6) The wp-config file stores the site's configuration details, including the database credentials, which makes it a main target for many hackers. We can keep this file safer by moving it one folder above the WordPress root; WordPress looks for it there automatically, provided that parent folder is not itself a WordPress install.
EXAMPLE → "/public_html/wordpress/wp-config.php" to "/public_html/wp-config.php"

7) Password-protect the most vulnerable directories. We don't need this because WP Engine already restricts users from accessing folders directly.

8) As a further security step while installing WordPress, we get an option to change the table prefix. The default is "wp_". Hackers always search for tables with that prefix because it is easy to guess, so we should always change it. Remember that hackers build their automated code to look for those default table names. (Changing the prefix after installation means renaming the existing tables as well as updating $table_prefix in wp-config.php.)

9) The security keys used for authentication are easy to update. A security key will -
a) help to better encrypt sessions
b) help make your site harder to access and hack
c) add random elements to your password hashing.
To get new keys, generate them here ->  http://api.wordpress.org/secret-key/1.1/salt  and replace the existing key lines in the wp-config.php file.

10) When to change your WordPress security keys -- Since the security keys are generated by WordPress, you don't typically need to worry about them. However, there are some scenarios where it makes sense to change them:
a) A malicious actor may have viewed or accessed your site's wp-config.php file.
b) Your site has been infected by malware.
c) You prefer to change them regularly, like passwords, to make it harder for hackers to break into your site. You may choose to do this every six months or so. This invalidates all existing login cookies and starts fresh.

11) Make sure the computer from which you access your website is secure and free from malware.

12) Don't give hackers easy information - remove the WordPress core version info from your site. By viewing the page source you can see the WordPress version of a website; hackers can then look at the WordPress security advisories for loopholes that have been fixed, take advantage of sites that aren't staying up to date, and run an automated search for websites running those older versions. First make sure your website is up to date. If for some reason it isn't, make sure you hide your WordPress version (WP Engine takes care of it). To do so, add the following code in functions.php. The 'the_generator' filter feeds both the <meta name="generator"> tag in the page head and the generator element in the RSS/Atom feeds, so returning an empty string removes the version from all of them -
// remove the WordPress generator meta tag (and feed generator) completely
function remove_gen_tag() {
    return '';
}
add_filter('the_generator', 'remove_gen_tag');

13) Make sure your site's files are not publicly browsable. Example - website_name/wp-includes. Directory listings always have to be disabled. WP Engine takes care of it.

14) The comments section of a website is also vulnerable to attack. An easy way around this vulnerability is to use a third party like Disqus to handle comments. Disqus acts as a proxy, which means that comments filtered as spam or identified as containing malicious code never come through to your site; everything is taken care of by Disqus. Another solution is to use the Akismet plugin.

15) Keep admin accounts to a minimum. More accounts mean more chances for hackers.

16) Choose a good hosting company for your website. Some of them are -
a) WP Engine - very careful with customer websites; in the worst case they fix a hacked website for free.
b) Pagely
c) SiteGround
d) VPS
e) WestHost

17) Make sure you are using plugins and themes that are regularly updated and secure. Check the ratings. Download from reputable sources.

18) Keep only the required plugins and themes on your site. Hackers try to get into theme and plugin files in order to inject code, so the fewer you have, the fewer chances they have of succeeding. Delete the plugins that are not active. In summary - use one theme and only the necessary plugins, and keep all themes and plugins up to date.

19) Choosing a reputable company to purchase a theme from is very important to the security of your website. Using the right theme provider means that they will be updating their themes regularly and also providing good support. There are several good companies to use including:
  • Elegant Themes
  • WooThemes
  • Headway Themes

Elegant Themes' Divi theme was actually awarded the Sucuri Seal for its security.

You can also use a marketplace like ThemeForest. Here you'll want to pay attention to the ratings, reviews and updates, as each theme has a different developer so the quality and support can differ. There are many good quality, highly rated themes there, like Avada.

20) To make things more secure, disable theme and plugin editing from the WordPress admin panel. To do this just add one line of code to the wp-config.php file ---
define('DISALLOW_FILE_EDIT', true);

21) Keep WordPress core up to date.

22) Take backups of your website regularly in case something goes wrong.



KEEP AN EYE ON YOUR WEBSITE IN TERMS OF SECURITY

1) Importance of using Google's tools for web security -> Google Search Console has a menu named "Security Issues", where any issues found are listed.

2) We can also keep an eye on the content keywords under the "Google Index" menu.

3) 7 signs your website has been infected without you realizing it - maybe you are seeing something unusual on your website, popups that you didn't build, your rankings stopped working, etc.

4) Google blacklists around 10,000 websites every day. This happens if you don't take care of your website, and it is our responsibility to take care of it. Google has to protect searchers from harmful websites, and if your website has malware that hasn't been addressed, Google can and will blacklist it. This means your website will be removed from its index and you'll lose your organic rankings and traffic.
a) Check your website on Sucuri.


WHAT IF YOUR SITE HAS BEEN HACKED?

1) Change all of your admin users' passwords and delete any account you think is suspicious.

2) Change the security keys. Resetting the security keys logs all users out of the site, and the new passwords will not let the attacker back in.

3) Next, check what issue Google is seeing ->  google.com/safebrowsing/diagnostic?site=yourdomain.com 

4) Then scan your computer to make sure nothing is getting uploaded from your system to site files.

5) Now go to Google Search Console and check for any security issues. Secondly, go to the Crawl menu and use Fetch as Google; it helps in seeing malware that users cannot see but Google can. If you are using shared hosting, make sure to check that the other sites are not infected either.

6) Now go to the .htaccess file and check whether anything has been changed there.

7) Check the server logs to see when files were hacked, or whether there is any suspicious activity.
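As an added example (not part of the course), here is a small command-line script that does a first pass over a web server access log for the two things these notes keep coming back to: a flood of failed logins from one address (and whether one of them finally succeeded), and PHP being served out of the uploads folder, which a stock WordPress site never does. The log lines inside it are constructed samples, not from any real server; the ex_ function names and the threshold are assumptions.

```php
<?php
/**
 * Added example (not part of the course notes): a small command-line triage
 * script for a web server access log, run with `php log-triage.php`
 * (PHP 7.1 or newer). The sample lines are constructed, not taken from any
 * real server; for a real log pass file('/path/to/access.log',
 * FILE_IGNORE_NEW_LINES) to ex_triage_log() instead.
 */

/** Parse one Apache/Nginx "combined" format line into its fields, or null. */
function ex_parse_log_line( string $line ): ?array {
    // client ident user [time] "METHOD path protocol" status bytes "referer" "agent"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => parse_url( $m[4], PHP_URL_PATH ) ?: $m[4], // drop the query string
        'status' => (int) $m[5],
    ];
}

/**
 * Return a list of findings: addresses hammering the login endpoints, a
 * login that succeeded after many failures, and any PHP file requested
 * from wp-content/uploads (a stock site never executes PHP from there).
 */
function ex_triage_log( array $lines, int $threshold = 10 ): array {
    $failures = [];   // ip => count of failed login POSTs
    $findings = [];
    foreach ( $lines as $line ) {
        $r = ex_parse_log_line( $line );
        if ( null === $r ) {
            continue;
        }
        $login_post = 'POST' === $r['method']
            && in_array( $r['path'], [ '/wp-login.php', '/xmlrpc.php' ], true );
        // wp-login.php answers a wrong password by re-rendering the form
        // (200) and a correct one with a redirect (302).
        if ( $login_post && 200 === $r['status'] ) {
            $failures[ $r['ip'] ] = ( $failures[ $r['ip'] ] ?? 0 ) + 1;
        } elseif ( $login_post && 302 === $r['status']
            && ( $failures[ $r['ip'] ] ?? 0 ) >= $threshold ) {
            $findings[] = sprintf( '%s: login succeeded at %s after %d failures',
                $r['ip'], $r['time'], $failures[ $r['ip'] ] );
        }
        if ( preg_match( '#^/wp-content/uploads/.*\.php$#i', $r['path'] ) ) {
            $findings[] = sprintf( '%s: %s %s returned %d at %s (PHP in uploads)',
                $r['ip'], $r['method'], $r['path'], $r['status'], $r['time'] );
        }
    }
    foreach ( $failures as $ip => $n ) {
        if ( $n >= $threshold ) {
            $findings[] = sprintf( '%s: %d failed login POSTs (threshold %d)',
                $ip, $n, $threshold );
        }
    }
    return $findings;
}

// Constructed sample log: one normal request, a burst of failed logins from
// one address that ends in a success, and one hit on a PHP file under uploads.
$lines = [
    '198.51.100.4 - - [10/Mar/2024:02:13:58 +0000] "GET /blog/ HTTP/1.1" 200 15234 "-" "Mozilla/5.0"',
];
for ( $i = 0; $i < 12; $i++ ) {
    $lines[] = sprintf(
        '203.0.113.7 - - [10/Mar/2024:02:14:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 2817 "-" "Mozilla/5.0"',
        $i
    );
}
$lines[] = '203.0.113.7 - - [10/Mar/2024:02:14:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"';
$lines[] = '203.0.113.7 - - [10/Mar/2024:02:15:40 +0000] "GET /wp-content/uploads/2024/03/image.php?x=1 HTTP/1.1" 200 91 "-" "Mozilla/5.0"';

foreach ( ex_triage_log( $lines ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

The timestamps in the findings are what tie this back to the rest of the checklist: compare the time of the first suspicious request with the modification times of the files you found changed (.htaccess, theme and plugin files) to see which backup predates the compromise.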

8) One quick way to fix the site is to restore a backup taken before the site was infected.

9) Once you feel your site is totally clean, go to Google Search Console, open the "Crawl" menu and then "Fetch as Google".

10) If you feel the site is good and you want Google to know that it is clean and safe for visitors, go to Search Console and then to "Security Issues" -> if you had security issues before, you will now be able to select "Request a review". Once they see that everything is fixed, they will remove the warnings that searchers see, and everything will be back within 24 hours.

11) If, however, your site has a manual action against it, meaning that a human has actually discovered the issue, log into Google Search Console -> Search Traffic -> Manual Actions, and from there you will be able to select "Request a review". Once they see that everything is fixed, they will remove the warnings that searchers see, and everything will be back within 24 hours.

12) Lastly, go through steps 1 and 2 again to make sure your site is completely clean and you are starting from a clean slate.


The Best WordPress Security Plugins

1) Clef Two-Factor Authentication
2) WordFence
3) Sucuri Security - Auditing, Malware Scanner, and Security Hardening
4) iThemes Security
5) Anti-Malware and Brute Force Security
6) CloudFlare


Top WordPress Website BackUp Options

1) UpdraftPlus
2) BackUpBuddy
3) BackUpWordPress
4) VaultPress
5) BackWPup