WordPress Security – A Complete Guide for Beginners

When we first think about protecting a WordPress site, we are often not yet aware of how many different preventative steps we can take to protect a site, an online store, or just a blog.

The last thing you need is to wake up one morning and find your site in ruins. Today we’re going to share lots of tips, strategies and techniques that you can apply and thereby improve the security of your WordPress site, and just sleep soundly.

Is WordPress secure by default?

The first question you’re probably wondering is, is WordPress itself secure? Generally, yes. However, WordPress site owners often experience hacks, crashes, and data leaks. More often than not, this happens because users continue to follow the worst security practices.

The use of outdated WordPress core, nulled plugins, poor system administration and credential management, and a lack of necessary Internet and security knowledge keep hackers in business, so to speak. Even industry leaders do not always pay enough attention to such an important component as the security of their WordPress site.

According to Sucuri’s 2019 survey, WordPress as a platform continues to lead all infected websites they worked on (94%). And the increase from 2018 was 4%. We’re waiting for the 2020 report, but fundamentally the picture won’t change.

CMS usage statistics for 2018-2019 – WordPress Security

WordPress, as a CMS, is used by more than 35% of all websites and it’s no wonder that there are hundreds of thousands of combinations of different, both free and premium themes and plugins and that vulnerabilities exist and are constantly being discovered.

But fortunately, there is a large community around the WordPress platform, which ensures that newly discovered vulnerabilities will be fixed as soon as possible. As of 2020, the WordPress security team includes 50 experts, including leading developers and researchers in digital security – about half of whom are Automattic employees.

Vulnerabilities in WordPress

Here’s a list of some of the most common types of vulnerabilities/methods used by attackers targeting WordPress:

  • Backdoors.
  • Pharma Hacks.
  • Brute-force.
  • Malicious redirects.
  • Cross-site scripting (XSS).
  • Denial of Service (DoS).

1. Backdoors

A backdoor is a vulnerability that gives attackers a hidden entry point, bypassing security protocols to access WordPress sites via non-standard methods: wp-admin, SFTP, FTP and so on. Exploiting it allows hackers to damage hosting servers with a subsequent “cross-site” infection, compromising multiple sites hosted on the same server.

In the fourth quarter of 2019, Sucuri reported that backdoors are still one of the most frequently used actions taken by attackers to break in, with nearly 47% of infected sites having some form of backdoor.

Malware Distribution Graph – WordPress Security

Backdoors often disguise themselves as legitimate WordPress core or theme/plugin files, giving access to both the file system and the database, exploiting weaknesses and bugs in outdated (not updated in time) versions. The TimThumb (a PHP script often used by theme authors to manipulate images) failure, better known as the Zero Day Vulnerability, was a prime example of this. The backdoor used hidden scripts and outdated software that compromised millions of websites, back in 2013.

Preventing and treating this type of vulnerability is quite simple. You can run a check on your WordPress site with SiteCheck, which will easily detect this and other backdoors.

Two-factor authentication, IP address blocking, administrator access restriction, and prevention of unauthorized PHP file execution easily eliminate common backdoor threats, which we’ll talk more about below.

2. Pharma Hacks

The “Pharma Hack” exploit is used as a method for inserting malicious code into outdated versions of websites and WordPress plugins, and as a consequence, meta tags are substituted. In the SERP (search engine results) instead of your site, users see advertisements for pharmaceutical companies. The vulnerability is more of a spam threat than traditional malware, but gives search engines enough reason to block the site.

The driving force behind the “Pharma Hack” is backdoors in plugins, themes and databases, which can be cleaned by following the instructions in an old but useful post from Sucuri. You can easily prevent “Pharma Hacks” by regularly updating your WordPress core, themes, and plugins.

3. Brute-force

A brute-force attack is primarily an attempt to guess login credentials by trying them one after another. Scripts are used to brute-force passwords, and if successful, attackers gain access to your site. Limiting the number of possible authorization attempts, two-step authentication, logging, using white and black lists of IP addresses and strong passwords are some of the easiest and most highly effective methods of preventing this type of attack.

But unfortunately, some WordPress website owners fail to implement these security measures, while hackers can easily compromise up to 30,000 websites in one day using brute-force attacks.

4. Redirects

Redirects are created through backdoors that embed code in site files. On infected sites, the redirect scripts are often located in the .htaccess file, but can also be found in both the WordPress core and theme files (such as index.php), acting covertly and directing your traffic to malicious or advertising sites. We’ll cover some ways to prevent them in our WordPress security steps below.

5. Cross-site scripting (XSS)

XSS is a technique in which a script is injected into the body of a website or application. These are usually JS scripts that run on the end user’s browser side without their knowledge and without the site owner’s knowledge. The purpose is usually to retrieve cookies or session data, or perhaps even to overwrite HTML on the page.

6. Denial of Service (DoS)

One of the most dangerous vulnerabilities, Denial of Service (or simply DoS), uses bugs in the code to eat up the RAM of the OS the site is running on. Millions of sites are attacked day in and day out, causing complete server shutdowns. In broad terms, this method is called DDoS (Distributed Denial-of-Service).

Even current versions of WordPress can not comprehensively protect against major DDoS-attacks. But at least they can help you avoid getting caught in the crossfire of financial institutions and botnet owners.

October 21, 2016 was the day the internet simply shut down across Europe and North America due to a DNS DDoS attack. If you are interested, you can read more about this significant event, more commonly known as the Dyn cyberattack.

WordPress Site Security. The Complete Guide 2023

According to Internet statistics, more than 100,000 websites get hacked every day. That’s why it’s so important to take some time and read the following tips below on how to better strengthen your WordPress website security.

We will try to update this post and keep the information up to date as the world changes and WordPress is no exception.

1. Secure hosting for a website on WordPress

When it comes to overall network security or, as in our case, organizing the protection of a WordPress website, it’s important to understand that one of the key factors here is server-level security.

By choosing one hosting company or another, you are, first of all, trusting them with your business. This is not the place to cut corners: if you can afford it, choose a “VPS” plan rather than a “Shared” one. Typically, each hosting company has a line of so-called “Shared” plans; buy one for $3-30 per month and your site will run on the same server along with a dozen other sites. The threat level multiplies!

You should also pay attention to the OS and security software offered by the company.

2. Use PHP 7.4+

PHP is the backbone of any WordPress site. It’s hard to overestimate the importance of using the current version! Each major release of PHP is fully supported by the developers of the language for the next 2 years. That is, there is a guarantee that during this period, all bugs will be fixed. At this point, anyone running PHP version 7.1 or lower is no longer supported in terms of WordPress security and is at risk.

The current version of PHP as a factor in the security of the site on WordPress

And guess what? According to official WordPress statistics and as of this writing, over 24% of WordPress sites use PHP version 5.6 and below, and the number of users who use PHP 7.2, which is not actively supported (security will be supported until December 1, 2020) and below is over 67%. That’s scary!

More than 67% of WordPress sites are running on an outdated version of PHP!

Yes, it does take time for developers and companies to debug and ensure that the current version of PHP is fully compatible with their code, but there is no excuse for running something without security support. Not to mention the huge performance impact that older versions have.

Don’t know what version of PHP your site is running on? A quick way to check it is Pingdom. It will start checking as soon as you type the URL in the search bar. When it’s done, scroll down to the “File requests” block. Click on the first request and look for the option “X-Powered-By”. Normally, this will show the version of PHP your web server is using. However, some web hosting companies remove this header for security reasons.

Checking the PHP version via Pingdom

Be sure to upgrade your server to PHP 7.4+ as soon as possible!

3. Usernames and passwords

One of the best and easiest ways to strengthen the security of your WordPress site is to take a non-standard approach to choosing your usernames and passwords. Check out the annual list of the most popular passwords of the year. Here, Privacy Hub published a list of the worst passwords. Here are the top 5:

  • 123456
  • password
  • 12345
  • 12345678
  • qwerty

Wow! The most popular password is “123456”, followed by the amazing “password”.

The basic WordPress function wp_hash_password uses MD5-based hashing. Some of the best security measures start with the basics. Google has some great recommendations for creating a strong password.

It’s also important to use different passwords for each site. The best way to store them is locally in an encrypted database on your computer. Even if your data is stored securely in the cloud, it’s usually more secure because you’re not using the same password across multiple sites. It will also keep you away from stickers on the corners of your monitor.

And speaking of WordPress, the worst thing you can do is use the username “admin” for authorization. If that’s what you have, then take immediate action. Create a new user by clicking on the “Add New” link in the “Users” menu and assign it the “Administrator” role!

Adding a new WordPress user

You can also change the login using phpMyAdmin, but be sure to make a backup copy of your database before you start.

UPDATE wp_users SET user_login = 'UserThatCanDoThings' WHERE user_login = 'admin';

4. Always use the latest version of the WordPress core, plugins, and your theme

Another way to strengthen the security of your WordPress site is to keep it up to date. This includes the WordPress core, plugins, and themes (both from the WordPress repository and premium). Authors update their creations for a reason; there’s a reason for everything. Often updates go hand in hand with bug fixes and overall security improvements.

Unfortunately, millions of companies are using outdated versions of WordPress plugins, themes and core and still believe they’re on the right track to success. They give reasons for not upgrading, such as “their site will break” or “modifications will go away” or “plugin X won’t work” or they supposedly “don’t need the new features”.

And in fact, sites break mostly because of bugs in older versions of WordPress. WordPress core modifications are initially not recommended by the WordPress team and experienced developers who understand the risks involved. And WordPress updates mostly include mandatory security patches and extra features needed to run the latest versions of plugins.

Did you know that plugin vulnerabilities represent more than 60% of the entry points for hackers? By updating your plugins, you can better make sure you’re not one of those victims. If you’re a beginner, we suggest reading our plugin manual; it’s basic knowledge, but it may come in handy.

5. Protecting the admin panel in WordPress

Often, a “stealth” strategy for WordPress security is appropriate for an online store as well as for an ordinary website or blog. If hackers have a harder time finding certain backdoors, you have less chance of an attack. Locking down your WordPress admin panel and login is a good way to increase your security.

The stealth strategy is a simple and effective way to improve the security of WordPress.

Two ways to do this are to change the default wp-admin login URL and then limit the number of possible login attempts.

How to change the login URL of your WordPress admin panel

Unless someone has modified the code of your site, the login URL looks like this: domain.ru/wp-admin. The problem is that everyone knows about it. By changing the URL, you can make yourself a less attractive target and better protect yourself from brute-force attacks. It’s not the solution to all problems, it’s just one little trick that can definitely help protect you.

To change your WordPress login URL, we recommend using the free WPS Hide login plugin. The plugin adds a simple field to enter a new URL. Just remember to select something unique that won’t already be on the list that the bot or script might try to scan.

How to limit the number of possible authorization attempts

Although the above solution to change the login URL for the administrator can help reduce most unauthorized login attempts, limiting the number can also be very effective. The free Cerber Limit Login Attempts plugin is a great way to easily adjust the duration of blocking, login attempts, and IP whitelists and blacklists.

If you’re looking for a more elegant solution for securing your WordPress site, check out the Login Lockdown plugin, which is compatible with WPS Hide, which we wrote about earlier.

Basic HTTP Authentication (htpasswd)

Another way to secure the login to the admin area is to add HTTP authentication. You will need to authenticate before you can access the standard login page of your WordPress dashboard. In other words, you will need to log in twice.

This method should not be used on online stores or sites with paid subscriptions. But it can be a very effective way to counteract intruders.

Apache

On servers with cPanel installed, you can enable this additional method of authentication through the panel itself. And for manual configuration you need to create a file .htpasswd and put it in the folder /wp-admin/

home/user/.htpasswds/public_html/wp-admin/htpasswd/

Then, you will need to create or edit a .htaccess file with the lines you see below and also put it in /wp-admin/. Make sure you update the directory path and replace “username” with your username.

AuthName "Admins Only"
AuthUserFile /home/somefolder/.htpasswds/public_html/wp-admin/htpasswd
AuthType basic
require user username

It is important to do this right, otherwise AJAX (admin-ajax) will break on the front end of your site. If that happens, add the code you see below to .htaccess.

<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Nginx

On Nginx servers, you can also add basic HTTP authentication. To do this, simply follow the official manual.

6. Take advantage of two-factor authentication

No matter how strong your password is, there’s always the risk that someone will discover it. Two-factor authentication is a kind of two-step process in which you need not only a username/password bundle, but also something extra. Usually it’s an SMS, a phone call or a time-based one-time password (TOTP). In most cases, this is 100% effective in preventing brute-force attacks on your WordPress site because it’s almost impossible for an attacker to have both your password and your smartphone at the same time.

As for two-factor authentication plugins for WordPress, there are quite a few, but one of the easiest and most straightforward is 2FAS Light – Google Authenticator. It’s enough to install the Google application for smartphones on Android or iOS and, following the simple instructions in the plugin, scan the QR code and confirm the authorization. That’s all: now even if your password leaks, attackers will need access to your smartphone to log in to the site.

This method can easily be combined with all of the above methods. So not only is the URL of the login to the WordPress panel itself something that only you know, but now additional authentication is required to log in.

7. Using HTTPS for encrypted connections – SSL certificate

Perhaps one of the most underrated methods to increase the security of your WordPress site is to install an SSL certificate and run your site over HTTPS. HTTPS (Hyper Text Transfer Protocol Secure) is a protocol that allows your browser or Web application to connect to a Web site securely.

Let’s explain a few reasons why HTTPS is important for more than just e-commerce.

Security

Of course, the main reason to use HTTPS is for extra security, and yes, this is primarily true for online stores. But think about it, how much do you value your users’ private information? When you register or log in to sites with HTTP, all personal information is sent to the server as a simple text message. HTTPS is absolutely necessary to maintain a secure connection between the website and your browser. This way, you can prevent hackers or their intermediaries from accessing the personal data of your website users.

So, whether you have a blog, news site, agency, etc., you can always benefit from HTTPS because it ensures that nothing is ever transmitted as plain text.

SEO

Google, back in 2014, officially stated that HTTPS is a ranking factor. While it’s only a small ranking factor, most of you will probably take any advantage you can get in search engine results to beat your competitors.

Trust

According to a GlobalSign survey, about 77% of users are concerned that their data may be intercepted or misused online. Seeing a lock in the browser bar immediately makes customers feel safer, knowing their data is more secure.

Referral Data

Many people don’t realize that HTTPS to HTTP referral data is blocked in Google Analytics. So what happens to the data? Well, most of it is just mixed in with the “direct traffic” section. If someone goes from HTTP to HTTPS, the referrer is still transferred.

Browser warnings

As of July 2018, Google Chrome version 68 and higher began marking all sites without HTTPS as “Unprotected”, regardless of whether they collect data or not. Since then, HTTPS has become more important than ever!

Google makes it clear to visitors that your WordPress site may not work over a secure connection. Other browsers have followed Google’s example.

Performance

Thanks to the HTTP/2 protocol, those who run properly optimized sites over HTTPS may even see speed improvements. HTTP/2 requires HTTPS. There are many reasons for the performance improvement: for example, HTTP/2 supports better multiplexing, parallelism, HPACK compression with Huffman coding, and the ALPN extension.

And with TLS 1.3 HTTPS connections are even faster.

Installation instructions, as well as the SSL certificate itself, can be obtained from your hosting provider, and after everything is installed you will need to add the following code to wp-config.php

define('FORCE_SSL_ADMIN', true);

8. Protecting the wp-config.php file

wp-config.php is the heart and soul of WordPress and also the most important file on your site when it comes to WordPress security. It contains the database login information and the security keys that provide encryption in cookies.

Moving wp-config.php.

After installation, the wp-config.php file is stored in the root folder. But it is possible to move it to a directory that will be structurally above the www directory.

To do this, copy the contents of the wp-config.php file into a new file. Then in wp-config.php you will need to include your new file:

<?php
include('/home/somefolder/onemorefolder/wp-config.php');

Updating WordPress security keys

The security keys in WordPress work like a cipher: a set of different, randomly generated characters that are used when encrypting user cookies.

When you install WordPress, the keys are generated automatically. Sometimes, however, it’s worth updating them.

The official site has a free tool that you can use to create new security keys and replace them in the wp-config.php file.

Updating salt keys – WordPress security

Permissions

Typically, files in the root directory of a WordPress site are set to 644 permissions, which means that the files are read-writeable by the owner of the file and readable by users in the group that owns the file and readable by everyone else. According to WordPress documentation, the permissions for the wp-config.php file should be set to 440 or 400 so that other users on the server can’t read it. You can easily change the permissions using an FTP client, ISP Manager or cPanel (depending on your hosting type).

On some hosting platforms, the permissions may be different because the user working with the web server does not have permissions to write files. If you are unsure about this, contact your hosting provider.

9. Disabling XML-RPC

In recent years, XML-RPC has become an increasingly common target for brute-force attacks. One of the hidden features of XML-RPC is that you can use the system.multicall method to execute multiple procedures within a single request. This is very useful because it allows the application to pass multiple commands in a single HTTP request. But also, this is a feature that is used by attackers.

There are several WordPress plugins, such as Jetpack, that use XML-RPC, but most people don’t need it, and it may be useful to simply disable access to it.

Not sure if XML-RPC works on your site? Use the free XML-RPC Validator tool from “Automattic”.

To disable XML-RPC entirely, you can use plugins from the official repository. It’s worth noting that most performance optimization plugins also include the ability to disable XML-RPC in their free versions. We have a separate article about the history of xmlrpc.php in WordPress and how to disable this protocol.
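
Why system.multicall matters for defenders: one HTTP request, and so one line in the access log, can carry many procedure calls that a per-request limit never counts. The added example below (not from the original article or from WordPress itself) parses an XML-RPC request body and reports how many calls are bundled in it; the demo.echo method name, the size cap and the call limit are assumptions, and the sample bodies are constructed.

```python
import xmlrpc.client
from collections import Counter

MAX_BODY_BYTES = 256 * 1024  # assumption: do not parse anything larger than this


def inspect_xmlrpc_request(body, max_bundled_calls=5):
    """Describe one XML-RPC request body: outer method, number of calls, flag."""
    report = {"method": None, "calls": 0, "per_method": {}, "flag": None}
    if len(body) > MAX_BODY_BYTES:
        report["flag"] = "oversized body"
        return report
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:  # malformed XML, a fault document, or truncated input
        report["flag"] = "unparseable"
        return report
    if method is None:  # a methodResponse, not a request
        report["flag"] = "not a methodCall"
        return report

    report["method"] = method
    if method != "system.multicall":
        report["calls"] = 1
        report["per_method"] = {method: 1}
        return report

    # system.multicall takes one parameter: an array of
    # {"methodName": ..., "params": [...]} structs, one per bundled call.
    bundle = params[0] if params and isinstance(params[0], list) else []
    names = [c.get("methodName", "?") for c in bundle if isinstance(c, dict)]
    report["calls"] = len(names)
    report["per_method"] = dict(Counter(names))
    if len(names) > max_bundled_calls:
        report["flag"] = "multicall bundle over limit"
    return report


def build_sample_multicall(n):
    """Constructed sample body: n placeholder calls wrapped in one request."""
    calls = [{"methodName": "demo.echo", "params": [i]} for i in range(n)]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


if __name__ == "__main__":
    print(inspect_xmlrpc_request(build_sample_multicall(50)))
    print(inspect_xmlrpc_request(xmlrpc.client.dumps(("hi",), methodname="demo.echo")))
```

Counting calls rather than requests is what makes an attempt limit meaningful when XML-RPC has to stay enabled for a plugin such as Jetpack.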

10. Hiding the WordPress Version

Hiding the WordPress version of your site also touches on the topic of WordPress security. The less other people know about your site’s configuration, the better. If they see that you’re using an outdated version, that can be a great signal to attackers. By default, the version of WordPress is displayed in the header of your site’s source code.

<meta name="generator" content="WordPress 5.4.2" />

Again, we recommend that you always update your WordPress core to the latest version.

You can use the following code to hide your WordPress version. Simply add it to the functions.php file of your WordPress theme:

function wp_version_remove_version() {
	return '';
}
add_filter( 'the_generator', 'wp_version_remove_version' );

Editing the source code of a WordPress theme can break your site if done incorrectly. Contact a developer if you are unsure of your abilities!

11. HTTP security headers

Another step you can take to bolster WordPress security is to take advantage of HTTP security headers. These are usually configured at the web server level and tell the browser how to behave when dealing with your site’s content. There are many different HTTP security headers, but below are the most important ones:

  • Content-Security-Policy
  • X-XSS-Protection
  • Strict-Transport-Security
  • X-Frame-Options
  • Public-Key-Pins
  • X-Content-Type-Options

You can check which headers are currently running on your WordPress site by running the inspector in your Chrome browser and looking at “Headers” under the “Network” tab in the initial response of your site.

You can also scan the website with the free securityheaders.io tool. You can always ask your host if they can help you with headers.

12. Using plugins to increase the security of your WordPress site

Of course we have to mention some WordPress security plugins. There are many great developers and companies that offer great solutions to help better protect your WordPress site.

Here are some typical features that go into the plugins listed above:

  • Generating and applying strong passwords when creating user profiles.
  • Forced expiration of passwords and their regular resetting.
  • Logging of user actions.
  • Updating WordPress security keys.
  • Scanning for malware.
  • Two-factor authentication.
  • reCAPTCHA
  • WordPress security firewalls.
  • IP whitelists and blacklists.
  • Change logging (Changelog).
  • Track DNS changes.
  • Block malicious networks.
  • View WHOIS information about visitors.

A very important feature – many security plugins include a checksum utility. This means they check your WordPress installation and look for changes to the master files provided by WordPress.org (via the API). Any changes or modifications to these files could indicate a hack. You can also use WP-CLI to create your own checksum.

13. WordPress Database Security

There are several ways to increase the security of your WordPress database. The first is to use a clever database name. Changing your database name to a more obscure name helps protect your site by making it harder for hackers to identify and access the details of your database.

The second recommendation is to use a different database table prefix than what WordPress recommends by default. By default, WordPress uses wp_. Changing the prefix to something like m09_xp_ will help secure the WordPress database considerably.

14. Secure connection to the server

Make sure that your host takes precautions such as SFTP or SSH. SFTP or Secure File Transfer Protocol (also known as SSH) is a network protocol used to transfer files. It is a more secure method than standard FTP.

It is also important to make sure that your home router is set up correctly. If someone hacks into your home network, they can access all kinds of information, including possibly where your important information about your WordPress sites is stored. Here are some simple tips:

  • Don’t enable remote control (VPN). Normal users never use this feature, and by turning it off, you can keep your network from being exposed to the outside world.
  • Default routers use IP addresses in a range such as 192.168.1.1. Use a different range, such as 11.5.3.8.
  • Turn on the highest level of encryption on your Wi-Fi.
  • Use an IP whitelist for Wi-Fi so that only people with a password and a specific IP address can access your network.
  • Keep the firmware on your router up to date.

And always be careful when accessing your WordPress site in public places. Take precautions, such as checking your network SSID before you hit “Connect”. You can also use a third-party VPN service to encrypt your Internet traffic and hide your IP address from hackers.

15. Files and server permissions

File permissions are critical to increasing WordPress security. If your restrictions are too weak, someone could easily access your site and cause damage. On the other hand, if your restrictions are too strict, it could compromise the functionality of your site. That’s why it’s important to have the right settings.

File and directory access rights

  • Read permissions are assigned if the user has permissions to read a file or view the contents of a directory.
  • Write permissions are assigned if the user has write permissions to modify a file or write or delete anything in the target directory.
  • Execute permissions are assigned if the user has permissions to start the file and/or execute it in script form.

Here are some typical recommendations for file and folder permissions in WordPress:

  • All files should be at 644 or 640 permissions. Exception: wp-config.php should be 440 or 400 so that other users on the server can’t read it.
  • All directories must have 755 or 750 permissions.
  • It is not necessary to give rights 777, even for the directory /uploads/.

16. Disabling the ability to edit files from the WordPress admin panel

Many WordPress sites have multiple users and administrators at the same time, which can complicate WordPress security. It’s bad practice to give authors or editors admin access, but unfortunately it happens all the time. It’s important to give users the right roles so they don’t break anything. That’s why it can be helpful to simply disable the “Theme File Editor” in WordPress.

Most of you have probably used the editor. You go to quickly edit something in the appearance editor, and suddenly you’re left with a white screen of death. It’s much better to edit the file locally and upload it via FTP. And, of course, in best practice, you should test such things on the development site first.

Theme File Editor WordPress

In addition, if your site is compromised, the very first thing attackers can do is try to edit PHP files or a theme with this editor. This is a quick way for them to inject malicious code. Put the following code in your wp-config.php file to disable file editing from the admin panel:

define( 'DISALLOW_FILE_EDIT', true );

17. Hotlinking

The concept of hotlinking is very simple. You find an image somewhere on the Internet and use the URL of the image directly on your site. Yes, the image will be displayed on your site, but it will be downloaded directly from the source. Basically, this is considered theft, because displaying this image on your site uses the bandwidth of the donor site. It may not seem like such a big deal, but it can lead to a lot of additional costs.

As for the security of your WordPress site, just know that a file with the *.JPG extension that really is an image today is not guaranteed to be free of malicious code tomorrow. The opposite can also happen: a *.PHP file that shows a picture today may execute other PHP code on your site tomorrow.

Disabling Hotlinking on Apache servers

To prevent hotlinking in Apache, simply add the following code to your .htaccess file.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://dropbox.com/placeholder.jpg [NC,R,L]

where domain.com is the name of your domain and placeholder.jpg is the image that will be displayed by default instead of the externally inserted image.

Disabling Hotlinking on NGINX servers

To prevent hotlinking on NGINX, simply add the following code to your configuration file.

location ~* \.(gif|png|jpe?g)$ {
	valid_referers none blocked ~.google. ~.bing. ~.yahoo domain.ru *.domain.ru;
	if ($invalid_referer) {
		return 403;
	}
}

18. Backup

Backups are something that everyone should do as a matter of course. Most of the above recommendations are security measures you can take to better protect yourself. But no matter how secure your site is, it can still get hacked, well, or just broken.

So, create and keep backups in case the worst happens. We won’t describe the process in more detail within this guide, since backups in WordPress are worthy of a separate topic. It’s only worth noting that creating backups is not an anti-intruder measure, but a safety measure in terms of dealing with the consequences.

19. Defending against DDoS

DDoS is a type of DoS attack where multiple systems are used to target one, causing a denial of service. DDoS attacks are nothing new: the first documented case dates back to early 2000. Unlike those that hack your site, these types of attacks usually do not harm your site, but simply “shut it down” for a few hours or days.

What can you do to protect yourself? One of the best recommendations is to use a reputable third-party security service such as Cloudflare or Sucuri. If you run a business, it makes sense to invest in their premium plans.

Advanced DDoS protection can be used to mitigate DDoS attacks of all shapes and sizes, including those that target UDP and ICMP protocols as well as SYN/ACK.

Conclusion

As you can see, there are many ways to improve WordPress security. Using smart passwords, keeping your core and plugins up to date, and choosing a reliable hosting service are just a few that will keep your WordPress site secure. For many of you, your WordPress site is both your business and your income, so it’s important to take some time and implement some of the security recommendations mentioned above sooner rather than later.
