22 Steps to Protect WordPress: Anti-hacker Security
We've compiled a list of recommendations to help you protect your WordPress site as much as possible. As the most widely used content management system in the world, WordPress is a common target for hackers, brute-force attacks, and bots. If you leave all the default options selected, you may run into problems that could take down your website or plant malicious code in it. See which of these actions you can take to be much better protected.
1. Do not use the wp_ prefix for the database
From the very first moment of installing WordPress, you have to enter a series of details so that WordPress can communicate with the database.
Most of that information is provided by your hosting provider, such as the database name, username, and password. But there is one decision to make: choosing the prefix for the tables that will be created for WordPress.
By default, the prefix offered on this screen is wp_, so your tables will be named wp_options, wp_comments, wp_posts, and so on.
Of course, every hacker knows this: it is free information handed to any potential attacker, who knows that if you don't do a secure installation, the standard WordPress tables will carry exactly those names.

So the first place to start securing WordPress is before you even install it, at this step: change the default table prefix (wp_) to one of your choice, for example wptabla_ or X1jM_ or whatever you like. What matters is not how long or complicated it is, but that you do not leave the default prefix.
2. Do not use the admin user to access WordPress
Another decision we have to make during the WordPress installation is the name of the first user who will access the administration of our website, a user who by default has full management permissions.
For years WordPress offered a default username that, of course, you should not use. So when choosing your first username to log in to WordPress, avoid the common names used for this purpose, such as admin, root, etc., since these are the first things a hacker who wants to take over your website will try.

3. Use a strong password
I know it's hard to get you to listen to me with this very basic advice, but it's crucial that you understand that the easier a password is for you to remember, the easier it will be for attackers' automated brute-force tools to crack.
WordPress, in its latest versions, includes a secure password generator and "suggests" that you use it. This will always be the best option. You can ignore this recommendation and use a simple, insecure password, but you would be committing the main and most important security flaw of all.
There is no longer any need to use easy passwords, as all browsers offer to remember them for you on your computer. So always use strong passwords that contain lowercase letters, uppercase letters, numbers, and special characters.
If you have many registered users, you can even force password changes to ensure all passwords are secure, including the administrator's. For example:
4. Always use the latest version of WordPress
If there is anything dangerous, it is working on a network with outdated or insufficiently updated software. Hackers typically target sites running older, outdated versions, because these tend to be more vulnerable as they lack protection against known types of attacks.
Fortunately, WordPress offers an automatic update system, both for the WordPress core itself and for plugins and themes.

By default, you don't need to worry about WordPress maintenance and security updates, as they are performed automatically; WordPress simply notifies you when an update is complete. However, you will need to perform updates to major versions yourself, even if it only takes a single click.
For example, you don't need to intervene to update from version 4.3.1 to 4.3.2; WordPress does it automatically. You do need to intervene to update from 4.3.x to 4.4, even though the process is as quick and easy as clicking a button.
5. Update installed plugins
WordPress itself is secure, which is to be expected because a large community takes care of its maintenance, development, and growth, but the same cannot be said for plugins.
However popular a plugin may be, many times there is a single programmer behind it who, for obvious reasons, does not have the resources or time to always keep it up to date.
For that reason, the main entry point for attacks on a WordPress installation is outdated plugins.
WordPress offers a system for notifying and automatically updating installed plugins, so when you see that one needs updating, don't hesitate.
If you're not using plugins from the official directory, WordPress might not automatically detect available updates. In that case, you'll need to keep an eye on the developer's website.
6. Update the active theme
It is equally important to always use an updated version of the active theme, because hackers know that themes don't usually change very often. This gives them time to study your theme's code and devise ways to make your life more complicated and even get you into trouble.
If you're using a theme from the official WordPress directory, WordPress will notify you of updates. If you're using a theme you purchased elsewhere, you'll need to keep an eye on its creator's announcements and update it when new versions are available.
7. Do not use outdated plugins or themes
One of the most significant sources of vulnerability is outdated or abandoned plugins and themes. Frequently check the developer's page for your theme and plugins to see whether they have updated their product recently; if not, look for an alternative that offers the same features.
If you use themes and plugins from the official WordPress directory, you will find all the available information, such as the date of the last update and compatibility with the latest versions of WordPress.
In addition, the official WordPress directory automatically removes plugins and themes that have not been updated for more than two years, providing an additional guarantee.
If you use themes and plugins downloaded from other sites, you should check their own website and manually install any updates.
8. Delete any plugins and themes you don't use
In line with the previous action, having inactive plugins and themes installed is dangerous, for the simple reason that we pay less attention to them since they are not active. They not only take up space on your hosting but also represent an entry point for potential vulnerabilities on your website.
Apart from your active theme, the only theme you should leave installed is the latest default WordPress theme (at the time of writing, Twenty Fifteen). This gives your website an additional safety net: if WordPress detects a problem with your active theme and cannot load it, it will try to automatically activate the default theme if it finds it installed.
9. Download plugins and themes from trusted websites
The safest place to download plugins and themes is the official directory, where you'll find updated, tested, and secure versions of the latest releases. These are the themes and plugins you can install using the installer included with your WordPress site, and which you can also browse at the following addresses:
https://es.wordpress.org/plugins/
https://es.wordpress.org/themes/
There are also theme and plugin marketplaces such as Envato, Woothemes or Elegant Themes, which offer high-quality products and take care of them.
Of course, never download plugins and themes from P2P networks like Torrent or eMule. They are usually infected with viruses and malware.
10. Protect the WordPress configuration file
The WordPress configuration file, wp-config.php, contains highly sensitive information about your server:
- Database name
- Database user
- Database password
- Database table prefix
For this reason it is vital to protect it from prying eyes and, of course, from unwanted modifications.
To do this, you can perform the following actions:
- Move it one folder up: if it is located in …/public_html/mydomain.es/, move it to …/public_html/ (WordPress also looks for wp-config.php one directory above its own installation folder).
- Protect it from writing by changing its permissions to 444.
- Add the following rules to your Apache .htaccess file to prevent unauthorized access:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# On Apache 2.4 without mod_access_compat, replace the two directives with: Require all denied
11. Protect the uploaded files folder
The uploads folder, located at yoursite.com/wp-content/uploads, where you upload the images and documents you attach to your WordPress posts, is the most susceptible to attacks. So it is extremely important to protect it, to prevent viruses or malicious scripts from running from it.
By default WordPress does not allow executable files to be uploaded to this folder, but attackers use techniques to bypass this rule. So we must apply extra protection, explicitly defining which file types may be served from it.
To do this, we add the following lines to a hidden Apache configuration file named .htaccess inside that uploads folder (placed in the WordPress root instead, these rules would block the whole site):
# Deny everything in this folder by default ...
<FilesMatch ".*">
Order Allow,Deny
Deny from all
</FilesMatch>
# ... then allow only the harmless file types you actually upload.
# The extension list is illustrative: adjust it to what your site needs.
<FilesMatch "\.(jpe?g|png|gif|pdf)$">
Order Deny,Allow
Allow from all
</FilesMatch>
# Apache 2.4 equivalents: "Require all denied" / "Require all granted"
12. Make backups
If there's one fixed rule in security, it's that no matter what measures you implement, there will always be some new vulnerability we're not protected against; we will always be one step behind malicious attacks. So, in the event of a disaster, the only thing that can save us from losing all our content is having backups.
Check that your web hosting provider offers full automatic backups. In addition, install a backup plugin like BackWPup, which allows you to schedule different backup tasks, save your backups on another server, send them by email, or even automate saving them to cloud services such as Dropbox, Amazon S3, or Google Drive, among others.
13. Limit access attempts
Most current attacks against WordPress sites are carried out through mass login attempts on the login screen, so it is essential to protect access to your WordPress administration.
To do this, we can apply different security measures:
- Disable user registration, thus preventing malicious users from exploiting potential vulnerabilities to gain extra permissions on your installation and the ability to make changes to it.
- Add a human verification system like reCaptcha, which stops automated bots trying to gain access to your site.
- Install a plugin that blocks mass login attempts, such as Limit Login Attempts, the Protect module of Jetpack, or the equivalent utilities found in most security plugins.
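The plugins above do this blocking inside WordPress. As an added example (not code from the original post or from any of those plugins), the following shell script shows what the same signal looks like from the server side: it counts POST requests to wp-login.php per client address in Apache "combined" access-log lines and flags the addresses that reach the lockout threshold a limit-login plugin would use. The log lines are constructed for this example and use RFC 5737 documentation addresses; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: spot mass login attempts in
# Apache "combined" access-log lines. Log lines are constructed (TEST-NET
# addresses); function names are this example's own.

# write_sample_log: writes the constructed log lines to a temp file, prints its path
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:14:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:05:30 +0000] "GET /?p=12 HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
EOF
    printf '%s\n' "$f"
}

# login_attempts_per_ip LOGFILE
# Prints "<count> <ip>" for every address that POSTed to wp-login.php, most
# active first. Only POSTs count: a GET of wp-login.php is just someone opening
# the form, and the XML-RPC request belongs to step 21, not to this check.
# In the combined format $1 is the client address, $6 the quoted method, $7 the path.
login_attempts_per_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' "$1" | sort -rn
}

# flag_login_bruteforce LOGFILE THRESHOLD
# Prints the addresses whose attempt count reaches THRESHOLD (the number of
# failures after which a limit-login plugin would lock the address out).
flag_login_bruteforce() {
    login_attempts_per_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed log
LOG=$(write_sample_log)
echo "POST attempts on wp-login.php per address:"
login_attempts_per_ip "$LOG"
echo "Addresses at or above 5 attempts:"
flag_login_bruteforce "$LOG" 5
rm -f "$LOG"
```

On a real server you would point login_attempts_per_ip at the live access log; the threshold of 5 is the example's own choice and should match whatever lockout limit the plugin you install uses, so the log review and the plugin agree on what counts as abuse.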
14. Install a security plugin
Many of the security measures we can apply to our WordPress installation are included in plugins specialized in securing WordPress.
Most of them contain settings to prevent brute-force attacks, code injections, and system file modifications, including warning systems to keep you informed of any potential ongoing attack.
The most recommended ones are the following:
15. Use secure file and folder permissions
By default, WordPress applies read and write permissions to files and folders which, on occasion, get modified, either automatically by some plugins or manually when you upload files yourself with the cPanel utilities or via FTP clients.
The default permissions that files and folders should have in WordPress are as follows:
- Files: 644
- Folders: 755
Any file or folder with excessive permissions could be a source of vulnerability. You'll need to change them back to the default permissions using the cPanel file manager or your preferred FTP client.
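Instead of inspecting permissions one folder at a time in cPanel, you can audit the whole tree from a shell. The script below is an added example, not code from the original post: it lists every directory that is not 755 and every file that is not 644, treats wp-config.php as the exception that should be 444 (step 10), and can restore the baseline with chmod. The miniature WordPress tree it builds is a constructed fixture with two deliberate deviations; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress tree against
# the 644 (files) / 755 (folders) baseline, with wp-config.php at 444.
# The demo tree below is constructed; function names are this example's own.

# list_permission_deviations ROOT
# Prints "<kind> <path>" for every entry whose mode differs from the baseline.
list_permission_deviations() {
    root=$1
    # directories that are not exactly 755
    find "$root" -type d ! -perm 0755 | sed 's/^/dir  /'
    # regular files (other than wp-config.php) that are not exactly 644
    find "$root" -type f ! -name wp-config.php ! -perm 0644 | sed 's/^/file /'
    # wp-config.php should be read-only, 444, as step 10 recommends
    find "$root" -type f -name wp-config.php ! -perm 0444 | sed 's/^/conf /'
}

# count_permission_deviations ROOT : number of deviating entries
count_permission_deviations() {
    list_permission_deviations "$1" | wc -l | tr -d ' '
}

# fix_permissions ROOT : restore the baseline with chmod only (no ownership changes)
fix_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    find "$root" -type f -name wp-config.php -exec chmod 444 {} +
}

# make_demo_tree : constructed miniature install with two deliberate deviations;
# prints the path of the tree.
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/wp-content/uploads" "$demo/wp-content/plugins/demo-plugin"
    printf '<?php // demo config (constructed)\n' > "$demo/wp-config.php"
    printf '<?php // demo (constructed)\n' > "$demo/index.php"
    printf '<?php // demo (constructed)\n' > "$demo/wp-content/plugins/demo-plugin/demo-plugin.php"
    chmod 755 "$demo" "$demo/wp-content" "$demo/wp-content/plugins" "$demo/wp-content/plugins/demo-plugin"
    chmod 644 "$demo/index.php" "$demo/wp-content/plugins/demo-plugin/demo-plugin.php"
    chmod 444 "$demo/wp-config.php"
    # the kind of damage a careless FTP upload leaves behind:
    chmod 777 "$demo/wp-content/uploads"                                # world-writable folder
    chmod 666 "$demo/wp-content/plugins/demo-plugin/demo-plugin.php"     # world-writable file
    printf '%s\n' "$demo"
}

# Stand-alone run: audit, fix, audit again
DEMO=$(make_demo_tree)
echo "Before fixing:"
list_permission_deviations "$DEMO"
fix_permissions "$DEMO"
echo "After fixing (should print nothing):"
list_permission_deviations "$DEMO"
rm -rf "$DEMO"
```

Run list_permission_deviations against your real document root first and read the output before calling fix_permissions: on hosts where PHP runs as a different user from the FTP account, a folder such as wp-content/uploads may legitimately need group write access, and that is a deviation you want to understand rather than blindly reset.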
16. Use a reverse proxy like CloudFlare
One measure that improves not only the performance but also the security of WordPress is to use a CDN (content delivery network) service such as CloudFlare, which has a very complete free plan and plugins that ease its integration with WordPress.
In addition to a very powerful cache system, it also incorporates protective measures such as the following:
- Email obfuscation, preventing the capture of email addresses displayed on your website
- Blocking IPs of visitors with behavior suspected of being attackers
- Always online, to display a cached version of your website even when you are under attack.
17. Create an account in Google Search Console
The old Google Webmaster Tools, now known as Google Search Console, offer, in addition to essential analytics tools for your website, extra protection for your WordPress site.
In short, it is essential to register your site in Search Console so that Google can inform you about:
- WordPress Updates
- Code injections
- Notices of usability issues
- Speed issues
Plugins like Yoast SEO or All in One SEO Pack allow easy integration of WordPress with Search Console.
18. Prevent access by sploggers
If for any reason you allow user registration on your WordPress site, you must protect yourself against what are known as sploggers: users who register en masse on websites to try to access their settings, add spam comments, or even inject malware.
The ultimate solution for these users is, of course, to disable user registration (WordPress's default behavior). However, if you have enabled registration for loyalty or marketing purposes, you should install the best plugin available to detect and eliminate this threat: WangGuard.
19. Protect the .htaccess file
We have seen several actions we can perform from the Apache .htaccess file, but for the same reason it is equally important to protect that file itself.
The .htaccess file is an Apache server file that applies rules to any application installed on your hosting, in our case WordPress, allowing you to apply security measures, among others.
To also protect the .htaccess file from unwanted access, you can include the following lines in the same file:
<Files .htaccess>
order allow,deny
deny from all
</Files>
# On Apache 2.4 without mod_access_compat, replace the two directives with: Require all denied
20. Protect yourself from spam
One of the regular tasks of any administrator of a content management system such as WordPress is to control spam in comments. First, because it's a source of distractions and unwanted links in comment forms. And second, because some hackers use these forms to inject code that could compromise the security of your WordPress installation.
To achieve this, we can, and should, apply different strategies:
- Add a Captcha human verification system using plugins such as Really Simple CAPTCHA or the previously mentioned WangGuard.
- Activate a spam checking plugin like Akismet.
- Protect forms against the injection of special characters.
And, of course, without needing to install anything, apply spam control rules from Settings -> Comments in your WordPress installation:
- Manually approving all comments.
- Adding rules to automatically mark unwanted comments as spam.
21. Avoid the pingback vulnerability
There is a specific vulnerability, called the pingback vulnerability, which deserves special mention because, although it is easily solved, the fix would leave important WordPress functions inactive, such as remote management, the use of mobile applications, or even the pingback and trackback system.
It is related to the XML-RPC protocol. This protocol allows WordPress to connect, for example, with the WordPress app for iOS or Android, as well as with offline editors and some content syndication systems, so in principle disabling it does not seem advisable.
The bad news is that it is an open avenue for potential code injections by attackers.
However, if you are certain you will never use this type of application, the solution is as simple as deleting the WordPress installation file called xmlrpc.php.
The only problem is that when you update WordPress, it will be recreated, so a more lasting measure is to add these lines to the already familiar .htaccess file:
# protect xmlrpc
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# On Apache 2.4 without mod_access_compat, replace the two directives with: Require all denied
22. Check for changes to your WordPress installation files
You should keep in mind that security must be a constant and active concern. Fortunately, WordPress helps us automate many of these tasks, almost always completely free of charge.
A great way to monitor our WordPress installation is to use plugins like iThemes Security or WordFence, discussed earlier. These plugins monitor the integrity of the files in our WordPress installation and any changes to them, trying to prevent modifications and, when that is not possible, notifying us of the changes so we can revert them and stay safe.
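To show what such file-integrity monitoring does underneath, here is an added example in shell; it is not code from the original post and not how iThemes Security or WordFence implement their checks. It records a manifest of SHA-256 hashes while the installation is known to be clean and later compares a fresh manifest against it, reporting files that were added, removed, or modified. The miniature installation and the tampering applied to it are constructed for the example, the function names are my own, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example, not from the original post and not a security plugin's code:
# a minimal file-integrity check based on a baseline manifest of SHA-256 hashes.
# The demo site and the changes made to it are constructed; paths are assumed
# to contain no whitespace (awk splits the manifest on spaces).

# hash_file PATH : sha256sum where available, shasum -a 256 otherwise (macOS)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# build_manifest ROOT OUTFILE : one "<hash>  ./relative/path" line per regular file
build_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r p; do hash_file "$p"; done ) > "$2"
}

# compare_manifests BASELINE CURRENT : prints "added|removed|modified <path>", sorted
compare_manifests() {
    awk 'NR == FNR { old[$2] = $1; next }
         { new[$2] = $1 }
         END {
             for (p in new) if (!(p in old)) print "added " p
             for (p in old) if (!(p in new)) print "removed " p
             for (p in new) if ((p in old) && old[p] != new[p]) print "modified " p
         }' "$1" "$2" | LC_ALL=C sort
}

# make_demo_site : constructed miniature installation; prints its path
make_demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/uploads"
    printf '<?php // core file (constructed)\n' > "$d/index.php"
    printf '<?php // core file (constructed)\n' > "$d/wp-includes/version.php"
    printf '%s\n' "$d"
}

# simulate_tampering ROOT : the three kinds of change the check must catch
simulate_tampering() {
    printf '// unexpected line appended (constructed)\n' >> "$1/index.php"        # modified
    printf '<?php // unexpected file (constructed)\n' > "$1/wp-content/uploads/unexpected.php"  # added
    rm -f "$1/wp-includes/version.php"                                              # removed
}

# Stand-alone run: baseline, tamper, re-scan, report
SITE=$(make_demo_site)
build_manifest "$SITE" "$SITE.baseline"
simulate_tampering "$SITE"
build_manifest "$SITE" "$SITE.current"
echo "Changes since baseline:"
compare_manifests "$SITE.baseline" "$SITE.current"
rm -rf "$SITE" "$SITE.baseline" "$SITE.current"
```

Two design points matter when you use this for real: the baseline manifest must be stored outside the web root (and ideally off the server), because an attacker who can modify index.php can just as easily rewrite a manifest sitting next to it, and the baseline has to be refreshed after every legitimate WordPress, plugin, or theme update, otherwise the next comparison reports the update itself as tampering.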

Do you know any other tricks to improve security?
I hope these tips and tricks for protecting WordPress are helpful. They're not exhaustive, but they are the most important.