WordPress is the most widely used content management system in the world, making it a common target for hackers, brute-force attacks, and bots. Leaving the default settings can lead to serious security issues, such as losing access to your site or having malicious code injected. Here are 22 recommendations to protect your WordPress site and strengthen its security.
1. Change the Prefix wp_ from the Database
When you install WordPress, a default prefix is generated. wp_ This applies to database tables, which is known to hackers. Modify this prefix to a custom one to prevent attacks targeting standard WordPress tables.
2. Avoid using the 'Admin' user
Do not use common usernames like admin o root For the primary WordPress user, since they are the first ones an attacker will try. Choose a unique and difficult-to-guess name.
3. Use Strong Passwords
Use strong passwords with uppercase letters, lowercase letters, numbers, and special characters. This reduces the likelihood of falling victim to brute-force attacks.
4. Keep WordPress Updated
Hackers often target older versions because they may have known vulnerabilities. Make sure you have the latest version of Wordpress to maintain optimal protection.
5. Update the Plugins
Plugins are a common target for attackers. Update them frequently, especially those that aren't part of the official WordPress directory.
6. Update the Active Theme
Themes can also be an entry point for hackers if they're outdated. If you use third-party themes, keep up to date with their developers' updates.
7. Avoid Outdated Plugins and Themes
Outdated plugins and themes pose a risk. Regularly check that they are up to date or replace them with safe and active alternatives.
8. Delete Inactive Plugins and Themes
Inactive plugins and themes can become vulnerabilities if they aren't updated. Delete everything you don't use, leaving only your WordPress backup theme.
9. Download Plugins and Themes from Trusted Sites
Avoid downloading from unknown sites or P2P networks like Torrent, as they may contain malware. Always use the official repository or trusted sites like Envato.
10. Protect the Configuration File wp-config.php
The file wp-config.php It contains sensitive data. Move it to a secure folder and change its permissions to 444 and restricts access with rules in .htaccess.
11. Protect the Uploads Folder
Folder uploads It is vulnerable to attacks. Limit the allowed file extensions by adding rules in .htaccess for added security
12. Make Backups
Backups are essential. Make sure your hosting provider performs them automatically and consider using a plugin like BackWPup to schedule them in the cloud.
13. Limit Login Attempts
Install plugins like Limit Login Attempts to protect the login screen and prevent unwanted users from registering with additional security measures like reCaptcha.
14. Install a Security Plugin
Plugins like WordFence or iThemes Security help protect your site against brute-force attacks and other malicious methods, notifying you in case of risks.
15. Use Secure Permissions on Files and Folders
Make sure the files have the necessary permissions 644 and the folders 755 to avoid vulnerabilities.
16. Implement a Reverse Proxy like Cloudflare
Cloudflare not only offers caching, but also security measures such as email obfuscation and blocking of suspicious IPs.
17. Register your site in Google Search Console
In addition to traffic analysis, Google Search Console offers alerts about usability issues, speed problems, and potential code injections on your site.
18. Avoid Splogger Registration
If you allow user registration, use a plugin like WangGuard to detect fake or malicious users trying to inject spam or malware.
19. Protect the File .htaccess
Add rules in .htaccess to prevent third parties from accessing this file, as it controls important settings on your site.
20. Control Spam in Comments
Protect your comment forms from spam with a plugin like Akismet and check your comment settings to improve security.
21. Disable the Pingback Vulnerability
Disable the protocol xmlrpc.php en .htaccess to prevent attacks via pingbacks if you do not use remote administration applications.
22. Monitor Changes in Files
Plugins like WordFence can alert you to unexpected changes in your site's files, allowing you to detect and reverse potential threats.
Original article by Fernando Tellado | November 20 Published in 2023 Classroom CM
