Basic Guide to WordPress Security Settings: Preventing Website Attacks

WordPress is great to use, but it is so popular that it has become a prime target for hackers. Many websites run into trouble not because of poor technology, but because they ignore the most basic security settings. Preventing your website from being attacked is not as complicated as you might think: by configuring a few key areas, you can drastically reduce the risk of being compromised.


I. Do not use admin as the username

This is the most overlooked weakness. Many people install WordPress with the default username "admin", but this is the first account hackers try.

Suggestions:

  1. When installing WordPress, do not choose an easy-to-guess username.
  2. If you are already using admin, create a new administrator account and delete the old one.
  3. The username should not resemble the site name too closely; for example, if the domain is abc.com, the administrator should not be called abcadmin.

II. Set a strong password; do not use 123456

You can hardly imagine how many sites still use passwords like qwerty, 12345678 or password. Hackers do not need advanced techniques: a "dictionary attack" script can break into a batch of such sites in a few minutes.

Strong password recommendations:

  • At least 12 characters
  • Use a combination of upper and lower case letters, numbers, and symbols
  • Rotate passwords regularly
  • Keep passwords in a password manager such as 1Password or Bitwarden

III. Limit the number of login attempts

WordPress has no login limit by default, which gives brute-force attacks an opening. You can install a plugin to control the number of failed login attempts, for example:

  • Limit Login Attempts Reloaded
  • Wordfence Security (login restrictions are built in)
  • WP Limit Login Attempts

Setting a reasonable limit, such as locking the IP address for an hour after 3 failed attempts, effectively blocks brute-force cracking.
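One way to implement that exact rule inside WordPress itself, as an added example that is not from the original article or from any of the plugins listed above: a must-use plugin that counts failed logins per client IP in a transient and refuses logins from that IP for an hour after three failures. It assumes the site is not behind a reverse proxy (otherwise REMOTE_ADDR is the proxy's address); the plugin name and the sll_ prefix are hypothetical, the hooks are real WordPress hooks.

```php
<?php
/*
 * Plugin Name: Simple Login Lockout (added example, hypothetical name)
 * Save as wp-content/mu-plugins/simple-login-lockout.php; must-use plugins
 * load automatically and cannot be switched off from the dashboard.
 */
define('SLL_MAX_FAILURES', 3);
define('SLL_LOCKOUT_SECONDS', HOUR_IN_SECONDS); // WordPress constant, 3600

// Transient key for the current client. Assumes no reverse proxy: behind one,
// REMOTE_ADDR is the proxy itself, so derive the key from the header your
// proxy sets, and trust that header only for requests that come from the proxy.
function sll_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'sll_failures_' . md5($ip);
}

function sll_is_locked(): bool {
    return (int) get_transient(sll_client_key()) >= SLL_MAX_FAILURES;
}

// Count each failed login. The transient expires on its own after the lockout
// window; a further failure while locked restarts the window.
function sll_record_failure(string $username): void {
    $key      = sll_client_key();
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, SLL_LOCKOUT_SECONDS);
    if ($failures >= SLL_MAX_FAILURES) {
        error_log(sprintf('[login-lockout] %s locked after %d failures (username "%s")',
            $_SERVER['REMOTE_ADDR'] ?? '?', $failures, $username));
    }
}
add_action('wp_login_failed', 'sll_record_failure');
// Priority 50 runs after WordPress's own credential checks (priority 20-30),
// so a locked client is refused even if it finally guesses the password.
// The username guard keeps a plain visit to wp-login.php from counting as a failure.
function sll_refuse_if_locked($user, $username, $password) {
    if ($username !== '' && sll_is_locked()) {
        return new WP_Error('too_many_attempts',
            __('Too many failed logins from your address. Try again in an hour.'));
    }
    return $user;
}
add_filter('authenticate', 'sll_refuse_if_locked', 50, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function (): void {
    delete_transient(sll_client_key());
});
```

The lockout entries land in the web server's error log, which is where a detection rule for repeated lockouts from one address would read them.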

IV. Enable two-factor authentication (2FA)

Even if the account password is leaked, as long as two-factor verification is enabled it is still very difficult for a hacker to log in successfully. You can enable Google Authenticator or an SMS verification code for the WordPress administrator account.

Recommended Plugins:

  • WP 2FA
  • Wordfence (built in)
  • miniOrange 2-Factor Authentication

Once enabled, each time you log in to the dashboard you must enter the one-time verification code from the mobile app in addition to your password.

V. Back up the site regularly

Backing up is not "optional"; it is the bottom line of website security. If your site really is attacked or its files are tampered with, a backup is the only remedy you will have.

Recommended Plugins:

  • All-in-One WP Migration: suitable for whole-site export and import
  • BackWPup: flexible configuration, supports Dropbox, S3 and other backup destinations
  • UpdraftPlus: supports automatic backup to the cloud

It is recommended to back up at least once a week; if the site is updated frequently, set up automatic daily backups.

VI. Install a security protection plugin

A WordPress security plugin can do a lot for you: firewall, malicious file scanning, login protection, and so on. A few reputable, full-featured ones:

  • iThemes Security: suitable for beginners; multiple security items enabled with one click
  • Sucuri Security: focuses on the website firewall and file integrity checking
  • Wordfence Security: full protection with real-time monitoring

Remember to run regular scans after installation and deal with any problems.

VII. Close the XML-RPC interface

Unless you explicitly know you need it (for example, to post from external software), it is recommended to simply turn XML-RPC off. It is one of the entry points hackers use for DDoS attacks and brute-force logins.


How to do it:

  • Turn it off with a security plugin, for example in Wordfence's login security settings.
  • Or add the following to the .htaccess file in the site's root directory:
    <Files xmlrpc.php>
        Order Deny,Allow
        Deny from all
    </Files>

VIII. Update WordPress and plugins promptly

Outdated plugins and themes are one of the biggest sources of risk. Many attacks exploit vulnerabilities in old versions.

Operational Recommendations:

  • Turn on auto-updates (built into WordPress 5.5+)
  • Log in to the dashboard every week to check whether any plugins need a manual update
  • Delete plugins and themes you no longer use; don't keep them as "spares".

IX. Hide the WordPress version number

Some attacks target specific WordPress versions. If the version is exposed in your page source, it is easier for hackers to determine whether a known vulnerability applies.

You can:

  • In functions.php, add the following code to remove the version number output:
    remove_action('wp_head', 'wp_generator');
  • Or use a security plugin to hide the version information automatically

X. Disable the file editing function

WordPress has a "theme editor" and a "plugin editor" in the dashboard. If an account is breached, the hacker can modify files directly from the dashboard and take control of the entire site.

It is recommended to disable file editing in the dashboard and manage code only via FTP or the hosting panel.

How to do it:

  1. Open the wp-config.php file
  2. Add the following code:
     define('DISALLOW_FILE_EDIT', true);

After saving, the "Plugin Editor" and "Theme Editor" no longer appear in the dashboard.

Summary

WordPress security may seem complicated, but in fact you can already stop most attacks if you start with the following points:

  • Don't use admin as the account name.
  • Use a strong password.
  • Don't allow unlimited login attempts.
  • Install a protection plugin.
  • Keep backups.
  • Keep plugins updated.

Many attacks target "lazy" websites. Spend a little time on these basic settings and your site gains an extra layer of protection. Once the basics are done, your site is already more secure than most.


This article was written by Little Lin