Enhanced WordPress Security

Website security is any action or application taken to ensure website data is not exposed to cybercriminals or to prevent exploitation of websites in any way.
Source: https://www.sitelock.com/blog/what-is-website-security/

Website security protects your website from:

  • DDoS attacks. These attacks can slow or crash your site entirely, making it inaccessible to visitors.
  • Malware. Short for “malicious software,” malware is a very common threat used to steal sensitive customer data, distribute spam, allow cybercriminals to access your site, and more.
  • Blacklisting. Your site may be removed from search engine results and flagged with a warning that turns visitors away if search engines find malware.
  • Vulnerability exploits. Cybercriminals can access a site and data stored on it by exploiting weak areas in a site, like an outdated plugin.
  • Defacement. This attack replaces your website’s content with a cybercriminal’s malicious content.
  • Stolen data. From email addresses to payment information, cybercriminals frequently go after visitor or customer data stored on a site.
  • Phishing schemes. Phishing doesn’t just happen in email – some attacks take the form of web pages that look legitimate but are designed to trick the user into providing sensitive information.
  • Session hijacking. Some cyberattacks can take over a user’s session and force them to take unwanted actions on a site.
  • Malicious redirects. Certain attacks can redirect visitors from the site they intended to visit to a malicious website.
  • SEO Spam. Unusual links, pages, and comments can be put on a site to confuse your visitors and drive traffic to malicious websites.

Always Use the Latest Version of WordPress

Keep WordPress core, plugins and themes up to date.
Only download them from trusted sources. Never use nulled (cracked) themes and plugins.

What updates bring:

  1. Security
  2. Cool New Features
  3. Speed
  4. Bug Fixes
  5. Compatibility (or NOT)

Backup

Attacks, errors or data damage can occur at any time. Anticipate loss or damage of data by keeping backups.

There are several data backup methods:

  1. Offsite backup via FTP (File Transfer Protocol) using the FileZilla client.
     Source: https://filezilla-project.org/
  2. Onsite backup using the Backup Wizard. The example environment in this talk is cPanel with the Apache web server.

For the database in particular, export an SQL file from phpMyAdmin.

Enhance WordPress security in .htaccess

1. Disable Directory Browsing

To disable directory browsing on your website, add the following line to your .htaccess file:

Options -Indexes

2. Disable PHP Execution in Some WordPress Directories

Sometimes hackers break into a WordPress site and install a backdoor. These backdoor files are often disguised as core WordPress files and are placed in the /wp-includes/ or /wp-content/uploads/ folders. To stop PHP files from running there, create a .htaccess file in each of those directories with the following content:

<Files *.php>
deny from all
</Files>

3. Protect Your WordPress Configuration wp-config.php File

Probably the most important file in your WordPress website’s root directory is wp-config.php file. It contains information about your WordPress database and how to connect to it.

To protect your wp-config.php file from unauthorized access, simply add this code to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

The default file permission (chmod) set by WordPress is 666; change it to 600 so that only the owner can read and write the file.

4. Disable Image Hotlinking in WordPress Using .htaccess

Other websites directly hotlinking images from your site can make your WordPress site slow and exceed your bandwidth limit. This isn’t a big issue for most smaller websites. However, if you run a popular website or a website with lots of photos, then this could become a serious concern.

# disable hotlinking of images: respond with 403 Forbidden (or serve a custom image instead)
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

This code blocks hotlinking while still allowing images to be viewed in search results and on your website (replace example.com with your own domain).

5. Protect .htaccess From Unauthorized Access

Because the .htaccess file controls so much of your web server's behaviour, it is important to protect it from unauthorized access by hackers. Simply add the following code to your .htaccess file:

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

6. Disable Access to XML-RPC File Using .htaccess

Each WordPress install comes with a file called xmlrpc.php. This file allows third-party apps to connect to your WordPress site. Most WordPress security experts advise that if you are not using any third party apps, then you should disable this feature.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

7. Blocking Author Scans in WordPress

A common technique used in brute force attacks is to run author scans on a WordPress site and then attempt to crack passwords for those usernames.

You can block such scans by adding the following code to your .htaccess file:

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans

8. Force HTTP to HTTPS

To redirect all HTTP requests to HTTPS, add the following code to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
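An offline audit of the .htaccess rules from sections 1 to 8 and the wp-config.php permission. This is an added example, not part of the original talk: it builds a constructed, partially hardened WordPress tree in a temporary directory (the wp-includes directory deliberately lacks its .htaccess) and reports which of the rules above are present.

```python
import os
import re
import stat
import tempfile

# (file relative to the WordPress root, pattern that must be present, label);
# the patterns mirror the .htaccess snippets in the sections above (case-insensitive)
CHECKS = [
    (".htaccess", r"Options\s+-Indexes", "directory browsing disabled"),
    (".htaccess", r"<files\s+wp-config\.php>.*?deny\s+from\s+all.*?</files>", "wp-config.php blocked"),
    (".htaccess", r"<files\s+xmlrpc\.php>.*?deny\s+from\s+all.*?</files>", "xmlrpc.php blocked"),
    (".htaccess", r"RewriteCond\s+%\{QUERY_STRING\}\s+\(author=", "author scans blocked"),
    (".htaccess", r"RewriteCond\s+%\{HTTPS\}\s+off", "http to https redirect"),
    ("wp-includes/.htaccess", r"<files\s+\*\.php>.*?deny\s+from\s+all.*?</files>", "php blocked in wp-includes"),
    ("wp-content/uploads/.htaccess", r"<files\s+\*\.php>.*?deny\s+from\s+all.*?</files>", "php blocked in uploads"),
]

def audit(root):
    """Return {label: True/False} for each rule, plus the wp-config.php permission check."""
    results = {}
    for rel, pattern, label in CHECKS:
        path = os.path.join(root, rel)
        text = open(path, encoding="utf-8").read() if os.path.isfile(path) else ""
        results[label] = re.search(pattern, text, re.IGNORECASE | re.DOTALL) is not None
    cfg = os.path.join(root, "wp-config.php")
    mode = stat.S_IMODE(os.stat(cfg).st_mode) if os.path.isfile(cfg) else None
    results["wp-config.php mode 600"] = mode == 0o600
    return results

def build_sample_site(root):
    """Write a constructed, partially hardened install: wp-includes has no .htaccess."""
    os.makedirs(os.path.join(root, "wp-includes"))
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, ".htaccess"), "w", encoding="utf-8") as f:
        f.write("Options -Indexes\n<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n"
                "<Files xmlrpc.php>\norder deny,allow\ndeny from all\n</Files>\n"
                "RewriteEngine On\nRewriteCond %{QUERY_STRING} (author=\\d+) [NC]\nRewriteRule .* - [F]\n"
                "RewriteCond %{HTTPS} off\nRewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]\n")
    with open(os.path.join(root, "wp-content", "uploads", ".htaccess"), "w", encoding="utf-8") as f:
        f.write("<Files *.php>\ndeny from all\n</Files>\n")
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as f:
        f.write("<?php // constructed placeholder, not a real configuration\n")
    os.chmod(os.path.join(root, "wp-config.php"), 0o600)  # the 600 recommended above

def demo():
    """Audit the constructed site and return the result dict (all True except wp-includes)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return audit(root)
```

Point audit() at a real document root to get the same report for your own site.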

SSL (Secure Sockets Layer)

Once an SSL certificate is installed, use the SQL commands below to change your site URL from the http to the https protocol (replace oldurl and newurl with your own domain; wp_ is the default table prefix).

UPDATE wp_options SET option_value = replace(option_value, 'http://www.oldurl', 'https://www.newurl')
  WHERE option_name = 'home' OR option_name = 'siteurl';
UPDATE wp_posts SET guid = replace(guid, 'http://www.oldurl', 'https://www.newurl');
UPDATE wp_posts SET post_content = replace(post_content, 'http://www.oldurl', 'https://www.newurl');
UPDATE wp_postmeta SET meta_value = replace(meta_value, 'http://www.oldurl', 'https://www.newurl');
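One caveat a practitioner should know before running the wp_options and wp_postmeta statements above: many of those values are PHP-serialized (widget settings, theme options, page-builder data), and each serialized string carries its byte length as s:N:"...". A plain SQL replace() changes the text but not N, and PHP's unserialize() then rejects the value. The function below is an added example, not from the original talk or from WordPress itself; it performs the same old-to-new replacement while recomputing N, and runs on a constructed sample value.

```python
import re

# Header of a PHP-serialized string: s:<byte length>:"<value>";
_STR = re.compile(rb's:(\d+):"')

def replace_url(value, old, new):
    """Replace old with new in a wp_options / wp_postmeta value.

    Plain text is replaced directly.  In PHP-serialized values every string is
    stored as s:N:"...", where N is the byte length of the value; a blind SQL
    replace() leaves N stale, so here N is recomputed for each string that changes.
    The length, not a closing quote, decides where a string ends, so values that
    themselves contain '";' are handled correctly."""
    was_str = isinstance(value, str)
    value, old, new = (x.encode("utf-8") if isinstance(x, str) else x for x in (value, old, new))
    out, pos = [], 0
    while True:
        m = _STR.search(value, pos)
        if m is None:
            out.append(value[pos:].replace(old, new))
            break
        n, start = int(m.group(1)), m.end()
        body, tail = value[start:start + n], value[start + n:start + n + 2]
        if tail != b'";':  # looks like a header but is not a serialized string
            out.append(value[pos:m.end()].replace(old, new))
            pos = m.end()
            continue
        body = body.replace(old, new)
        out.append(value[pos:m.start()].replace(old, new) + b's:%d:"' % len(body) + body + b'";')
        pos = start + n + 2
    result = b"".join(out)
    return result.decode("utf-8") if was_str else result

# Constructed sample: a serialized array such as a widget or theme option might hold.
SAMPLE = 'a:2:{s:4:"home";s:18:"http://www.oldurl/";s:3:"url";s:18:"http://www.oldurl/";}'

def demo():
    """Return (naive SQL-style result, length-aware result) for the sample value."""
    old, new = "http://www.oldurl", "https://www.newurl"
    return SAMPLE.replace(old, new), replace_url(SAMPLE, old, new)
```

In demo() the naive result still says s:18 in front of a 19-byte string, which is exactly the corruption the SQL replace() causes; the length-aware result says s:19.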

Additional plugin: Google reCAPTCHA (API v3)

Security Plugin Alternatives:

This article is presented by Satrio Subroto – (+62) 857-1506-9669 – info@technosatmedia.com at Elementor Jakarta Meetup 4
