December 5, 2016

How to Secure WordPress Site From Hacking, DDoS and Brute Force Attack

By zubaer

WordPress is undoubtedly an amazing platform for running a business and creating beautiful blogs and websites. But the main issue we face with WordPress is that it frequently gets hacked. Also, the MySQL server frequently goes down because of DDoS and brute-force attacks if proper precautionary steps aren't taken. Though WordPress core is very secure, we need to use many third-party plugins and themes to achieve our needs, and these are what make a site vulnerable.

In this article I am going to show you an incremental process for fully securing your WordPress site, based on my personal experience with WordPress in my day-to-day work.

Step by Step Process of Securing Your WordPress Site:

Hardening WordPress:

The first step is hardening your WordPress site. Make sure to give your WordPress files the correct permissions. Here are the WordPress.org recommended permissions for directories and files. Log in to your server with SSH and run the following commands.

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

Securing wp-includes:

Adding this piece of code to your .htaccess file will prevent attackers from accessing files within your wp-includes directory. (Paste it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file, because WordPress can overwrite the code between those two tags.)

# Block the include-only files.
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^wp-admin/includes/ - [F,L]
  RewriteRule !^wp-includes/ - [S=3]
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress

Securing wp-config.php file:

You can secure your wp-config.php file by denying every web request for it:

# Apache 2.2 syntax (needs mod_access_compat on 2.4); on Apache 2.4 use "Require all denied" instead.
<files wp-config.php>
  order allow,deny
  deny from all
</files>

Disable File Editing:

Disabling file editing through the wp-admin dashboard editor ('Appearance' >> 'Editor') is an effective way to protect your WordPress files from being modified by attackers even if they manage to obtain an administrator password. Add this piece of code to your wp-config.php:

define('DISALLOW_FILE_EDIT', true);

Disable Remote Access for the ‘root’ User:

It's important to disable remote access for the root user to secure your database. Log in to your server with SSH and run the following command:

mysql -u root -p

Then enter your MySQL root password and run the following statements:

DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
FLUSH PRIVILEGES;

Disable All Remote Connections:

Open your MySQL config file (usually my.cnf) and add the following lines:

[mysqld]
port=3306
sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
# skip-networking stops MySQL listening on TCP at all; local clients, including
# WordPress with DB_HOST set to localhost, connect through the Unix socket.
skip-networking

Changing Important File Permissions in WordPress:

According to the WordPress.org file permission suggestions, these important files should have the following permissions for enhanced security (shown with the commands you should run):

.htaccess file: chmod -v 604 .htaccess
wp-config.php: chmod -v 644 wp-config.php
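To check that the permissions from the two sections above actually hold across a whole install (directories 755, files 644, .htaccess 604, wp-config.php 644 as this page states), here is an added audit script; it is my own example, not code from WordPress.org or this post, and its function names are made up for it. It assumes GNU stat (stat -c).

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the permissions recommended
# above. Requires GNU stat (stat -c); on BSD/macOS substitute stat -f '%Lp'.
# Function names are this example's own.

# Echo the expected octal mode for path $1 of type $2 ("d" or "f").
# .htaccess is the one file with a special value (604); wp-config.php keeps 644.
wp_perm_expected() {
    case "$2" in
        d) echo 755 ;;
        f) case "$(basename "$1")" in
               .htaccess) echo 604 ;;
               *) echo 644 ;;
           esac ;;
    esac
}

# Walk the tree rooted at $1 and print "<actual> <expected> <path>" for every
# directory or regular file whose mode differs from the expectation.
# Prints nothing when the tree is clean, so the output can feed a fix script.
# Caveat: paths containing newlines would confuse the read loop.
wp_perm_audit() {
    find "$1" \( -type d -o -type f \) -print | while IFS= read -r p; do
        if [ -d "$p" ]; then t=d; else t=f; fi
        want=$(wp_perm_expected "$p" "$t")
        have=$(stat -c '%a' "$p")
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$have" "$want" "$p"
    done
}

# Usage: wp_perm_audit /path/to/your/wordpress/install
```

Run it after the chmod commands above and again whenever a plugin or theme update has written files; a world-writable uploads directory is the kind of drift it is meant to catch.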

Disable XML-RPC if not required:

XML-RPC is used to interact with your WordPress site remotely, for example if you use a mobile app for your WordPress site, use a remote service like IFTTT, or create and delete posts remotely; in those cases you need XML-RPC enabled. If you are not using such things, then I highly recommend disabling it. This helps prevent the MySQL server from being shut down by too many requests from attackers.

Method 1 of disabling XML-RPC: there is a plugin available for it, or you can put this piece of code in your theme's functions.php:

add_filter('xmlrpc_enabled', '__return_false');

Method 2 of disabling XML-RPC with .htaccess: simply paste the following piece of code at the top of your .htaccess file.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
  order deny,allow
  deny from all
  # Optional: replace 123.123.123.123 with the one address that still needs
  # XML-RPC, or delete this line to block everyone.
  allow from 123.123.123.123
</Files>

CloudFlare to Prevent DDoS and Brute Force Attacks:

You can protect your website from many DDoS and brute-force attacks for free using CloudFlare. Create a free account and add your site there. Here is an easy and illustrative tutorial on how to enable CloudFlare DDoS and brute-force protection for your website.
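Before you block anything at CloudFlare or in .htaccess, it helps to know which clients are actually flooding xmlrpc.php and wp-login.php, the two endpoints the last two sections are about. The script below is an added example, not code from this post; it reads an Apache "combined" access log, counts POSTs to those two files per client IP, and lists the ones over a threshold. The log lines it writes are constructed sample data and the function names are my own.

```shell
#!/bin/sh
# Added example: find clients hammering the WordPress login and XML-RPC
# endpoints in an Apache "combined" access log. Anything above the threshold
# is a candidate for a firewall or CloudFlare rule. Names are this example's own.

# Write a small constructed log to $1 (sample data, not from a real server).
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [05/Dec/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Dec/2016:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Dec/2016:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Dec/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2540 "-" "curl/7.50"
198.51.100.7 - - [05/Dec/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2540 "-" "curl/7.50"
192.0.2.44 - - [05/Dec/2016:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 2540 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Dec/2016:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Dec/2016:10:00:08 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
}

# Print "ip count" (sorted by ip) for every client with more than $2 POST
# requests to wp-login.php or xmlrpc.php in the log file $1.
# In combined format $1 is the client IP, $6 the quoted method and $7 the path.
wp_bruteforce_ips() {
    awk -v max="$2" '
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > max) print ip, n[ip] }
    ' "$1" | sort
}

# Usage: wp_bruteforce_ips /var/log/apache2/access.log 50
```

A single normal login (192.0.2.44 above) never trips the threshold, while the two scripted clients do; tune the number to your site's real traffic before acting on the list.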

If you need any help with securing your WordPress site feel free to contact me directly at zubaerahammed223 [at] gmail.com or via this contact form.


About Author

zubaer

Hi, my name is Zubaer and I am a Web Developer. Besides, I am a Hybrid Mobile App Developer. My fields of proficiency are WordPress, Laravel, HTML, CSS, JavaScript, AngularJS and PHP. You can visit www.zubaer.com to know more about me.
