WordPress Attacks Prevention and Content Protection
Introduction
This guide provides key strategies to prevent common attacks on WordPress sites and protect content from unauthorized access. WordPress, being a widely-used content management system, is often targeted by hackers attempting to exploit vulnerabilities for malware injection, data theft, or denial-of-service attacks. This article offers practical steps to safeguard your WordPress site from brute force attacks, malware, and unauthorized content access. It is intended for WordPress administrators and website owners looking to improve the security of their sites.
Prerequisites
Before proceeding, ensure you have the following:
- Administrative access to your WordPress dashboard.
- Access to your web hosting control panel for server-side configurations.
- Basic knowledge of FTP or file manager access.
Attacks Prevention
1. Keep WordPress, Themes, and Plugins Updated
- Regular updates are crucial for protecting against newly discovered vulnerabilities. To ensure your WordPress site remains secure:
- Go to your WordPress dashboard.
- Navigate to Dashboard > Updates.
- Update WordPress core, themes, and plugins to their latest versions.
- You can also enable automatic updates by adding the following code in your wp-config.php file:
define('WP_AUTO_UPDATE_CORE', true);
There are many security plugins available, but one of the most popular is iThemes Security, which can be downloaded here: https://wordpress.org/plugins/better-wp-security/
iThemes Security is one of the most user-friendly security plugins on the market. It does more than most others at the application layer (jQuery, hide backend, etc.) and is best paired with a network-protection service like Cloudflare rather than with another plugin that tries to do the same thing.
Alternatively, you can use Wordfence as the comprehensive security plugin for your WordPress site.
Note: It is crucial to use only one comprehensive security plugin on your WordPress site. Using two or more will most likely cause conflicts between them.
These comprehensive tools require periodic charges unless you use the basic version.
2. Install a Security Plugin
- Security plugins offer various features like malware scanning, firewall protection, and login security. Some recommended security plugins include:
- Wordfence Security: Provides a comprehensive firewall and malware scanner.
- iThemes Security: Offers brute force protection, two-factor authentication, and file change detection.
- Sucuri Security: Protects against malware, brute force, and other attacks.
- To install a plugin:
- Go to Plugins > Add New in your WordPress dashboard.
- Search for the desired security plugin (e.g., Wordfence).
- Click Install and then Activate the plugin.
3. Enable Two-Factor Authentication (2FA)
- Two-factor authentication adds an extra layer of security by requiring a second form of verification in addition to the password.
- Install and activate a security plugin that supports 2FA (e.g., iThemes Security or Wordfence).
- Configure the 2FA settings in the plugin, choosing between methods such as a mobile app (Google Authenticator) or email verification.
4. Change Default Login URL
- By default, the WordPress login page can be accessed at yoursite.com/wp-admin or yoursite.com/wp-login.php. Changing the login URL can prevent automated brute force attacks.
- Install a plugin like WPS Hide Login.
- Go to Settings > WPS Hide Login and set a custom login URL.
- Update your bookmarks and inform users of the new login URL.
5. Limit Login Attempts
- To prevent brute force attacks, it’s essential to limit the number of login attempts a user can make.
- Install the Limit Login Attempts Reloaded plugin.
- Go to Settings > Limit Login Attempts and configure the number of allowed attempts, lockout time, and other settings.
6. Use Strong Passwords and User Roles
- Ensure that all user accounts, especially administrators, use strong, unique passwords. Enforce password strength by using a plugin like Password Policy Manager.
- Also, assign the correct user roles to each account. Only give users the privileges they need to perform their tasks. For example:
- Administrators should have full control.
- Editors should manage content, but not plugins or settings.
7. Disable File Editing in WordPress Dashboard
- Disabling the ability to edit theme and plugin files from within the WordPress dashboard prevents attackers from inserting malicious code if they gain access to your admin panel.
- Add the following line to your wp-config.php file to disable file editing:
define('DISALLOW_FILE_EDIT', true);
8. Secure wp-config.php and .htaccess Files
- The wp-config.php file contains sensitive information, including database credentials. To protect it:
- Use an FTP client or File Manager to add the following code to your .htaccess file, which prevents unauthorized access:
<files wp-config.php>
order allow,deny
deny from all
</files>
- Additionally, you can secure the .htaccess file itself by adding the following:
<files .htaccess>
order allow,deny
deny from all
</files>
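The settings in steps 7 and 8 are easy to lose across hosting migrations or a restored backup, so it is useful to check them rather than trust that they were applied. The following is an added example, not code from the original article, that audits a wp-config.php and an .htaccess for the two constants and the two `<Files>` blocks described above. It accepts both the Apache 2.2 `Order allow,deny` / `Deny from all` form shown in this guide and the Apache 2.4 `Require all denied` form (on 2.4 the older directives only work when mod_access_compat is loaded). The sample file contents and the function names are constructed for the example.

```python
# Added example (not from the original article): audit wp-config.php and .htaccess
# for the hardening settings of steps 7 and 8. Sample inputs are constructed.
import re

# Matches boolean define() calls such as define('DISALLOW_FILE_EDIT', true);
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*(?P<value>true|false)\s*\)""",
    re.IGNORECASE,
)

# Real WordPress constants this guide tells you to set to true.
EXPECTED_TRUE = ("DISALLOW_FILE_EDIT", "WP_AUTO_UPDATE_CORE")

# Matches a <Files name> ... </Files> container in .htaccess.
FILES_BLOCK_RE = re.compile(
    r"<files\s+\"?(?P<name>[^\s\">]+)\"?\s*>(?P<body>.*?)</files>",
    re.IGNORECASE | re.DOTALL,
)


def parse_defines(wp_config: str) -> dict:
    """Return {CONSTANT: bool} for boolean define() calls, skipping commented-out lines."""
    found = {}
    for line in wp_config.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue  # a commented-out define does not harden anything
        for m in DEFINE_RE.finditer(stripped):
            found[m.group("name").upper()] = m.group("value").lower() == "true"
    return found


def protected_files(htaccess: str) -> set:
    """Names of files whose <Files> block denies all web access (2.2 or 2.4 syntax)."""
    names = set()
    for m in FILES_BLOCK_RE.finditer(htaccess):
        body = m.group("body").lower()
        old_style = (re.search(r"order\s+allow\s*,\s*deny", body)
                     and re.search(r"deny\s+from\s+all", body))
        new_style = re.search(r"require\s+all\s+denied", body)
        if old_style or new_style:
            names.add(m.group("name"))
    return names


def audit(wp_config: str, htaccess: str) -> list:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    defines = parse_defines(wp_config)
    for const in EXPECTED_TRUE:
        if not defines.get(const, False):
            findings.append(f"{const} is not set to true in wp-config.php")
    for name in ("wp-config.php", ".htaccess"):
        if name not in protected_files(htaccess):
            findings.append(f"no <Files {name}> block denying access in .htaccess")
    return findings


# Constructed sample files: the DISALLOW_FILE_EDIT line is commented out and
# only wp-config.php is protected, so two findings are expected.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
// define('DISALLOW_FILE_EDIT', true);
define('WP_AUTO_UPDATE_CORE', true);
"""
SAMPLE_HTACCESS = """<files wp-config.php>
order allow,deny
deny from all
</files>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_WP_CONFIG, SAMPLE_HTACCESS):
        print("FINDING:", finding)
```

Run it against copies of the real files downloaded over FTP; the `.htaccess` check in particular catches the common case where a plugin or a migration tool rewrites the file and silently drops hand-added blocks.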
9. Regular Backups
- Regular backups ensure that you can restore your site in case of an attack or data loss. Use a reliable backup plugin such as UpdraftPlus or BackupBuddy.
- Install and configure the plugin.
- Set automated backups on a daily or weekly basis.
- Store backups securely in cloud storage or an offsite location.
10. Protect Against DDoS Attacks
- Distributed Denial of Service (DDoS) attacks can overwhelm your server with traffic, making your site unavailable. Use a Content Delivery Network (CDN) like Cloudflare to help mitigate these attacks.
- Sign up for Cloudflare and follow the setup process to point your DNS to Cloudflare’s servers.
- Enable DDoS protection features within Cloudflare’s dashboard.
11. Monitor Activity Logs
- Keeping track of user activity on your site helps identify suspicious behavior early. You can monitor changes made by users, especially administrators, using plugins like WP Activity Log.
- Install and activate the WP Activity Log plugin.
- Go to Activity Log in your WordPress dashboard to view user actions and detect potential security threats.
Content Protection
Besides the security measures above, it is also important to protect the content of your web pages. These are some precautions you can take to protect your content:
1. Hotlinking Prevention
- Hotlinking prevention stops other sites from linking directly to images, stylesheets (CSS), JavaScript files and other resources hosted on your website. For instance, someone embeds your image on their own site to save their bandwidth; every time their pages load, the image is served from your server, consuming your bandwidth instead (bandwidth stealing). This is how to do it:
- Access your .htaccess file, which is in your public_html folder (if it is not there, it may be in one of the subfolders of public_html, such as blog).
- Edit the .htaccess file by adding the following lines:
#Prevent Hotlinking
# Allow requests with no Referer (direct visits, some browsers and proxies)
RewriteCond %{HTTP_REFERER} !^$
# Allow requests referred from your own site, over http or https, with or without www
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwordpressdomain.com/.*$ [NC]
# Refuse (403) the listed file types for everyone else
RewriteRule \.(gif|jpg|png|css|js)$ - [F]
*Replace yourwordpressdomain.com with your own WordPress domain.
*If you want to restrict more file types, add them to the extension list in the RewriteRule, e.g. RewriteRule \.(gif|jpg|png|css|js|bmp|mp3)$ - [F]
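Before deploying the rewrite rules it helps to know exactly which requests they will refuse, because a mistake here blocks your own pages' images. The following is an added example, not code from the original article, that models the three directives above in Python so you can try referers and paths offline. The domain is the guide's placeholder, the sample requests are constructed, and the function name is an assumption. Two things it makes visible: a rule written with `http://` only (as older versions of this snippet were) blocks your own pages once the site is served over https, and a RewriteRule without the `[NC]` flag is case-sensitive, so `photo.PNG` is not covered. Keep in mind that the Referer header is set by the client and can be omitted or altered, so this is a bandwidth measure, not an access control.

```python
# Added example (not from the original article): model of the .htaccess hotlink
# rules for testing which requests they refuse. Domain and requests are constructed.
import re

OWN_DOMAIN = "yourwordpressdomain.com"  # placeholder domain from the guide
PROTECTED_EXTENSIONS = ("gif", "jpg", "png", "css", "js")


def is_hotlink_blocked(referer: str, path: str, own_domain: str = OWN_DOMAIN,
                       extensions=PROTECTED_EXTENSIONS, allow_https: bool = True,
                       ext_case_insensitive: bool = False) -> bool:
    r"""Return True when the rules would answer 403 (the [F] flag).

    RewriteCond %{HTTP_REFERER} !^$                                  -> empty referer passes
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?domain/.*$ [NC]   -> own site passes
    RewriteRule \.(gif|jpg|png|css|js)$ - [F]                        -> listed types refused
    allow_https=False reproduces the older 'http://'-only condition.
    ext_case_insensitive=True reproduces adding [NC] to the RewriteRule.
    """
    if referer == "":
        return False  # first condition fails, so the rule never fires

    scheme = r"https?" if allow_https else r"http"
    # re.escape makes the dot in the domain literal; an unescaped '.' would match any character.
    own_site = re.compile(r"^" + scheme + r"://(www\.)?" + re.escape(own_domain) + r"/.*$",
                          re.IGNORECASE)
    if own_site.match(referer):
        return False  # second condition fails

    ext_flags = re.IGNORECASE if ext_case_insensitive else 0
    ext_pattern = re.compile(r"\.(" + "|".join(extensions) + r")$", ext_flags)
    return ext_pattern.search(path) is not None


# Constructed requests: (referer, requested path)
SAMPLE_REQUESTS = [
    ("", "/wp-content/uploads/photo.jpg"),
    ("https://www.yourwordpressdomain.com/blog/post/", "/wp-content/uploads/photo.jpg"),
    ("https://other.example/page.html", "/wp-content/uploads/photo.jpg"),
    ("https://other.example/page.html", "/about/"),
    ("https://yourwordpressdomain.com.other.example/", "/wp-content/uploads/photo.jpg"),
]

if __name__ == "__main__":
    for referer, path in SAMPLE_REQUESTS:
        print(f"{referer or '(no referer)':55} {path:35} blocked={is_hotlink_blocked(referer, path)}")
```

Check your own site's pages after enabling the rules: if images disappear from your own posts, the referer condition does not match the scheme or host your site is actually served under.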
2. Video, Image and DMCA Protection
- You most probably want to prevent visitors from downloading your images and videos from your website. This is how you do it:
- For video:
- You can download the plugin: https://wordpress.org/plugins/secure-html5-video-player/
- This plugin secures your HTML5 videos against being downloaded by visitors, without revealing the video link, whether the video is your own or a YouTube/Vimeo video.
- For images and texts (DMCA protection):
- If you have an image on your site designed by your graphic designer, and you do not want your search engine ranking affected by someone copying your text, you will not want your images and text simply copied and pasted to other sites.
- You can download and install the WP Content Copy Protection & No Right Click plugin here: https://wordpress.org/plugins/wp-content-copy-protector/
- This prevents visitors from right-clicking on your content, especially images, to download them or copy your text.
Conclusion
By following these strategies, you can significantly improve the security of your WordPress site and protect it against common attacks. Regular updates, secure passwords, two-factor authentication, and robust security plugins are essential tools in safeguarding your content and ensuring your site remains secure.
For additional assistance or if you encounter any issues, please contact our support team at support@ipserverone.com.
Article posted on 18 April 2020 by ips1