Instead of an introduction, I will ask you a few questions right away: Have you ever encountered attacks on your site? Are you sure it is sufficiently protected? Are you sure your brainchild will not fall prey to scammers?
I had long come across posts like "WordPress Protection", but I always skipped them. Why? Laziness, because I was not very interested. Moreover, like everyone else, I thought "this will not happen to me". And it would have been fine if it had not happened. But in early August a DDoS attack began against my blog, the SEO Blog of a Sectarian, which my hoster kept reminding me about. I knew nothing at all about this area and felt helpless, so I had to learn and act.
That is how I learned about unprotected WP sites in general, and about the brute force attacks used to break into them. I decided to protect myself from those too (and I advise you to do the same), even though the attacks on my blog were of a different nature.
I am not a fan of piling on plugins, but some really do help. In this article I review All In One WP Security & Firewall, which takes care of many of the steps needed to protect a WordPress site from hacking, spam and so on. I see this protection more as prevention than as emergency help (that will come in the next articles, so subscribe!)
A small spoiler on what All In One WP Security & Firewall can do:
- Change the admin login
- Protect against login and password guessing
- Manually activate registered users
- Protect the database
- Block IP addresses and user agents
- Set up a firewall
- Defend against brute force attacks
- Reduce comment spam
- Learn about changes to system files
- Protect your content from copying
- Turn on maintenance mode
Now let's get started!
Install and activate the All In One WP Security & Firewall plugin. Now it needs to be configured.
Changing the admin login
By default the WordPress administrator account has the login admin (newer versions let you pick a name during installation, but a great many sites still use admin). If attackers try to break into such a site, they already have half of the information and only need to guess the password. Changing the login makes their task noticeably harder. Keep in mind that WordPress can still reveal usernames through author archives, so treat the rename as a hurdle, not as a secret.
Go to the plugin menu: Dashboard > Critical Feature Status and switch Admin Username to On.
You will be taken to a page where you can easily change the login. After that you will have to log in to the site admin area again.
Protection against login and password guessing
Next, in the same menu as above, turn on Login Lockdown. You will be taken to its settings panel. By the way, the security points are shown at the top: initially 0/20, and setting the various options raises this figure toward 20/20.
Everything there is fairly self-explanatory, so I will dwell on only a few points.
- Allow Unlock Requests
This option lets locked-out users request that their account be unlocked. I did not enable it, because I do not want to give that opportunity.
- Display authorization errors
I do not want to show messages about failed logins, so I did not enable this function.
- Instantly Lockout Invalid Usernames
This locks out the IP immediately when someone tries to log in with a username that does not exist, instead of waiting for the usual number of failed attempts. Exactly what is needed (just make sure you do not mistype your own username, or you lock yourself out too).
Registration protection
The User Registration tab is responsible for this, and you only need it if users can register on your WP site. Activating this function lets you manually review each new user and only then activate the account.
Changing the database prefix
The Database tab explains clearly why the prefix should be changed: many automated SQL injection attempts assume the default wp_ table prefix. Tick the box to generate a new prefix or enter your own. Make a database backup first: the change renames every table and rewrites the prefix-dependent entries in options and user meta, and a failure midway leaves the site unusable.
On the second tab you can enable automatic database backups.
Blocking IP addresses and user agents
If you see in the logs that certain IP addresses or user agents are sending too many requests to your site (especially addresses from regions, such as Asia, far from where your audience is), they should be blocked. I usually block unwanted IP addresses through .htaccess, but you can do it here, on the Blacklist tab.
Firewall
This tab is very interesting. I would advise you to study it and all of its sub-tabs carefully yourself; each option comes with a detailed explanation.
Here is what I decided to do:
- Enable the basic firewall functions
- Enable pingback protection
- Disable HTTP TRACE
- Enable the 5G firewall
Protection against brute force attacks
This item is very important. A brute force attack is carried out by a network of bots (a botnet) and can be heavy enough to bring a server down in a few minutes. The goal of the attack is to break into the site, which, once compromised, becomes part of that botnet. Thanks to poorly protected sites, botnets grow by leaps and bounds.
Bots constantly request /wp-login.php (and often xmlrpc.php, which is why the pingback protection above matters), so the main protection described here is to hide the login page to the admin area. Bear in mind that renaming the login URL mostly cuts the automated noise; the lockout settings above and a strong password remain the real defence.
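To make the log-reading step concrete, here is an added example (my own Python script, not part of the plugin or of the original article) that parses a handful of constructed combined-format access log lines, counts POST requests to /wp-login.php and /xmlrpc.php per IP, flags the IPs that exceed a threshold together with their user agents, and renders an Apache 2.4 .htaccess block list of the kind mentioned in the IP-blocking section above. The IP addresses, the user agent strings and the threshold of 5 are assumptions.

```python
"""Spot brute-force logins and noisy clients in an access log.

Added example for this article; not code from All In One WP Security.
The log lines are constructed (203.0.113.x, 198.51.100.x and 192.0.2.x are
documentation ranges) and the threshold of 5 is an arbitrary assumption.
"""
import re
from collections import Counter, defaultdict

# Apache/Nginx "combined" format:
# ip - user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # the two endpoints bots hammer


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, login_paths=LOGIN_PATHS, threshold=5):
    """Return ({ip: post_count}, Counter(user_agent)) for IPs that POSTed to a
    login endpoint more than `threshold` times."""
    posts_by_ip = Counter()
    ua_by_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip garbage rather than crash
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path in login_paths:
            posts_by_ip[rec["ip"]] += 1
            ua_by_ip[rec["ip"]][rec["ua"]] += 1
    suspicious = {ip: n for ip, n in posts_by_ip.items() if n > threshold}
    agents = Counter()
    for ip in suspicious:
        agents.update(ua_by_ip[ip])
    return suspicious, agents


def htaccess_block(ips):
    """Render an Apache 2.4 (mod_authz_core) deny list for .htaccess."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines)


# --- constructed sample log -------------------------------------------------
BOT_UA = "Mozilla/5.0 (compatible; ExampleBot/1.0)"      # made-up bot UA
HUMAN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/55.0"


def _entry(ip, method, path, status, ua, sec):
    return (f'{ip} - - [10/Aug/2017:03:14:{sec:02d} +0300] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')


SAMPLE_LOG = (
    [_entry("203.0.113.7", "POST", "/wp-login.php", 200, BOT_UA, s) for s in range(8)]
    + [_entry("198.51.100.9", "POST", "/xmlrpc.php", 200, BOT_UA, s) for s in range(6)]
    + [_entry("192.0.2.44", "POST", "/wp-login.php", 302, HUMAN_UA, 20),   # a real login
       _entry("192.0.2.44", "GET", "/wp-admin/", 200, HUMAN_UA, 21),
       _entry("192.0.2.45", "GET", "/?p=123", 200, HUMAN_UA, 22),
       "this line is not a log entry"]
)

if __name__ == "__main__":
    ips, agents = analyze(SAMPLE_LOG)
    for ip, n in sorted(ips.items()):
        print(f"{ip}: {n} login POSTs")
    print("user agents:", dict(agents))
    print(htaccess_block(ips))
```

Run it against a real log with `analyze(open("access.log"))` and raise the threshold to fit your traffic; one legitimate admin with a mistyped password should never cross it. The generated `<RequireAll>` block is the .htaccess equivalent of the plugin's Blacklist tab, and, as the comment-spam section notes, attacker IPs rotate, so such lists need pruning.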
Open the Brute Force tab. The first thing to do there is to change the login page address (Rename Login Page) to anything else.
The old address will now return a 404 error, but the server still has to answer each bot request, which adds load during an attack. So just redirect that page through .htaccess to some powerful third-party server (it's probably not a good idea, which is why I did not tell you about it)
Redirect 301 /wp-login.php http://google.com/
In the same section there is a second tab, Cookie Based Brute Force Prevention. It is similar to the one described above, since it also lets you generate a secret address for getting into the admin area. But in addition, your browser receives a cookie, and only with that cookie can you enter the admin area. To me this is not very convenient, since you may need to administer the site from another computer or another browser. So pick one: the first way of hiding the admin area (less secure, more convenient) or the second (more secure, less convenient).
Further in this section you can additionally enable a CAPTCHA on the login form (Login CAPTCHA), and also create a whitelist of IP addresses from which the admin area may be entered. The latter is useful but inconvenient if, like me, you have a dynamic IP address.
There is one more item, Honeypot, which I will dwell on a little because it is left in English. Activating it adds one more field to the login form, hidden from a normal visitor. A bot, however, fills it in. So if the field is filled, ta-dam! the bot is not allowed into the admin panel.
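Since the plugin's own code is PHP inside WordPress and is not reproduced here, the following added example (mine, not the plugin's or the author's) models the controls from the Login Lockdown section and the honeypot described above in plain Python: a hidden honeypot field, a per-IP lockout after three failures, instant lockout for unknown usernames, and a generic error message that reveals nothing about which part was wrong. The field name aiowps_honeypot, the account, the timings and the in-memory stores are assumptions; log and pwd are the field names WordPress's real login form uses.

```python
"""Model of the login protections discussed above: honeypot field, per-IP
lockout, instant lockout for unknown usernames, generic error message.

Added example for this article (editor's Python); not the plugin's PHP and
not wired to WordPress. `log` and `pwd` are the field names of the real
wp-login.php form; HONEYPOT_FIELD, the account and the timings are made up.
"""
import hashlib
import hmac
import time

HONEYPOT_FIELD = "aiowps_honeypot"   # hypothetical name; hidden with CSS in a real form
GENERIC_ERROR = "Login failed."      # same text whether user or password was wrong


def _digest(password):
    # Demo only: a real system stores salted password hashes (bcrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()


USERS = {"editor_blog": _digest("correct horse battery staple")}   # constructed account


class LoginGuard:
    def __init__(self, max_attempts=3, window=300, lockout=900,
                 instant_lockout_unknown=True, clock=time.time):
        self.max_attempts = max_attempts          # failures allowed per window
        self.window = window                      # seconds over which failures count
        self.lockout = lockout                    # seconds an IP stays locked
        self.instant_lockout_unknown = instant_lockout_unknown
        self.clock = clock                        # injectable so tests can move time
        self.failures = {}                        # ip -> [timestamps of failures]
        self.locked_until = {}                    # ip -> unix time the lock expires

    def is_locked(self, ip):
        return self.locked_until.get(ip, 0) > self.clock()

    def _fail(self, ip, instant=False):
        now = self.clock()
        recent = [t for t in self.failures.get(ip, []) if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        if instant or len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
        return False, GENERIC_ERROR

    def attempt(self, ip, form):
        """Process one POSTed login form. Returns (ok, message)."""
        if self.is_locked(ip):
            return False, GENERIC_ERROR            # locked IPs get no feedback at all
        if form.get(HONEYPOT_FIELD):
            return self._fail(ip, instant=True)    # only a bot fills the hidden field
        user, pw = form.get("log", ""), form.get("pwd", "")
        stored = USERS.get(user)
        if stored is None:
            return self._fail(ip, instant=self.instant_lockout_unknown)
        if not hmac.compare_digest(stored, _digest(pw)):
            return self._fail(ip)
        self.failures.pop(ip, None)                # success clears the failure history
        return True, f"Welcome, {user}"


if __name__ == "__main__":
    g = LoginGuard()
    print(g.attempt("203.0.113.7", {"log": "admin", "pwd": "admin"}))     # unknown user, locked at once
    print(g.attempt("198.51.100.9", {"log": "editor_blog", "pwd": "x",
                                      HONEYPOT_FIELD: "http://spam.example"}))  # bot filled the honeypot
    for _ in range(3):
        print(g.attempt("192.0.2.44", {"log": "editor_blog", "pwd": "wrong"}))
    print(g.is_locked("192.0.2.44"))                                        # True
```

Two things the model makes visible: with instant lockout for unknown usernames, a single typo in your own username locks your IP for the full lockout period, which is where the Login Whitelist helps; and because the message is the same for a bad user, a bad password and a locked IP, an attacker learns nothing about which usernames exist.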
Comment spam protection
Blog owners know very well how many spammy and meaningless comments land on a site every day. The Spam Prevention section will reduce that amount, a little or a lot.
First, you can enable a CAPTCHA. I once had a CAPTCHA that caused a flood of requests to remove it; now it is gone
Secondly, there is an option to block a comment if it was not submitted from your site. In other words, many spammers post comments without ever opening the page, using automated services that POST straight to wp-comments-post.php; the plugin rejects submissions whose Referer header does not point to your own site. Blocking such comments is exactly what is needed. One caveat: some browsers and privacy extensions strip the Referer header, so the occasional legitimate commenter may be blocked as well.
You can also create a blacklist of commenters and block their IPs. Unfortunately, those are often dynamic...
Scanning for changes to system files
Once upon a time something strange happened on the SEO Blog of a Sectarian: when the "Share on FB" button was clicked, the user posted to their wall not links to my articles but links to some incomprehensible site. When I noticed this, I first started to panic (which I do in any incomprehensible situation)
Why am I telling this: if I had set up scanning for recent file changes, I would have learned about the modification of .htaccess sooner.
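How file change detection works, as an added example (editor's Python, not the plugin's code): hash every file under the site root, store the hashes as a baseline, hash again later and report what was added, removed or modified. The demo builds a throwaway WordPress-like directory tree with constructed contents and simulates exactly the kind of incident described above, an injected .htaccess rule, plus a dropped file in uploads and a deleted plugin file. The directory names, file contents and the excluded cache directory are assumptions.

```python
"""Baseline-and-compare file integrity check, the idea behind the plugin's
file change detection.

Added example for this article (editor's Python, not the plugin's code).
The demo builds a throwaway WordPress-like tree in a temp directory with
constructed contents, baselines it, tampers with it and reports the diff.
"""
import hashlib
import json
import os
import tempfile

DEFAULT_SKIP = ("wp-content/cache",)   # changes constantly; excluding it cuts alert noise


def file_hashes(root, skip_dirs=DEFAULT_SKIP):
    """Map relative POSIX path -> sha256 hex for every regular file under root."""
    skip = {os.path.normpath(s) for s in skip_dirs}
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir
        # prune excluded directories in place so os.walk never descends into them
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel_dir, d)) not in skip]
        for name in filenames:
            h = hashlib.sha256()
            with open(os.path.join(dirpath, name), "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            result[os.path.join(rel_dir, name).replace(os.sep, "/")] = h.hexdigest()
    return result


def save_baseline(hashes, path):
    with open(path, "w") as f:
        json.dump(hashes, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def diff_hashes(old, new):
    """Classify every path as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Build a constructed site tree, baseline it, simulate tampering, return the diff."""
    root = tempfile.mkdtemp(prefix="wp-")
    baseline = os.path.join(tempfile.mkdtemp(prefix="fcd-"), "baseline.json")

    def write(rel, text):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(text)

    write(".htaccess", "RewriteEngine On\n")
    write("wp-config.php", "<?php // constructed config\n")
    write("wp-content/plugins/hello.php", "<?php // constructed plugin\n")
    write("wp-content/cache/page.html", "cached copy\n")
    save_baseline(file_hashes(root), baseline)

    # Simulated compromise: redirect injected into .htaccess, file dropped into
    # uploads, plugin deleted, plus harmless cache churn that must be ignored.
    write(".htaccess", "RewriteEngine On\nRedirect 302 / http://bad.example/\n")
    write("wp-content/uploads/2017/08/x.php", "<?php // constructed dropped file\n")
    os.remove(os.path.join(root, "wp-content", "plugins", "hello.php"))
    write("wp-content/cache/page.html", "regenerated copy\n")

    return diff_hashes(load_baseline(baseline), file_hashes(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two practical points follow from the design. The baseline is only worth as much as the state it captures, so take it on a clean install or right after a verified update, and store it outside the web root so an intruder cannot rewrite it. And be careful what you exclude to silence noise: the plugin lets you skip files and directories, but wp-content/uploads, the most tempting one to skip, is also where dropped PHP files most often land.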
Preventing selection and copying of text from the site
This function lives under Miscellaneous and is useful for those who want to protect their work. But there are a few "buts" (yes, there always are):
- It inconveniences users if your material contains ready-made code that they would simply copy and use.
- It still does not protect you completely: nobody has abolished copying from the page source (or simply turning JavaScript off).
Maintenance mode
This function is rarely needed, but when it is, it hits the spot. For example, I needed it while redesigning the SEO Blog of a Sectarian. Back then, however, I had to use a different plugin.
The feature is enabled under Maintenance Mode (unexpected, right?). A big plus is the ability to show any message you like to visitors who come to your site during the "repairs".
And finally
If you have done all of the above, you can sleep a little easier: your site is better protected than most. Also back up regularly and keep an eye on the server load and the logs on your hosting.
Express your thoughts in the comments, subscribe to updates!