This article explains our view of which WordPress security measures are meaningful and which are less so.

What are the most important security measures that can be derived from the causes of WordPress hacking and tampering?
About 60% of WordPress compromises are caused by vulnerabilities in plugins and WordPress core, followed by weak passwords for administrator accounts in around 20% of cases.

Source: Wordfence research, https://www.wordfence.com/blog/2016/03/attackers-gain-access-wordpress-sites/
For this reason, the most important security measures are:
1 Apply security updates to vulnerable WordPress core files and plugins.
2 Make sure that the password for the administrator account is at least 12 characters long and consists of random, meaningless alphanumeric characters.
We recommend removing all deactivated plugins, because a plugin vulnerability (measure 1) can be exploited even while the plugin is deactivated.
We believe that these two measures alone will almost eliminate hacking.
(Attackers look for sites that can be compromised easily, so a site that is even slightly harder to break into is less likely to be hit by mass-attack methods.)
You can check for vulnerable WordPress core files and plugins here.
You can also check for vulnerabilities from the inside with the [Free] WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]. You are welcome to use this service as well.
We recommend applying the security measures above to every site on the server.
Malware today is able to spread to every site hosted under the same server account.
For this reason we recommend taking the basic measures above not only for important sites, but for all sites on the server, including abandoned ones.
If possible, delete the files of abandoned sites entirely.
What other vulnerability countermeasures are important?
There are other, moderately important vulnerability measures that can be expected to reduce the likelihood of hacking by a few percent.
These are listed below.
1 Disable directory listing, i.e. the display of a folder's contents when the folder on the server has no index file.
2 Login lockdown
→ Countermeasures against brute-force attacks that repeatedly attempt to log in are effective in the initial stage, because they delay an attacker from seizing administrative privileges.
3 Prevent WordPress and plugin versions from being leaked.
→ (There is a way to find out whether a particular vulnerable version of a plugin is installed by using a special query in Google search; hiding version numbers prevents this.)
*All of the above measures are available for free with the [Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].
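To make the password rule from measure 2 above and the directory-listing and version-leak measures concrete, here is an added example (not code from the original article or from the plugin it mentions) that checks an administrator password against the 12-character random alphanumeric rule and inspects page HTML for leaked versions and auto-index pages. The HTML samples are constructed for the example, not captured from a real site.

```python
"""Offline checks for three measures from the article: administrator password
strength, leaked WordPress/plugin versions, and directory listing.
Example code added here; the HTML samples below are constructed, not captured."""
import re


def is_strong_admin_password(pw: str) -> bool:
    """Article rule: at least 12 random alphanumeric characters (mixed case + digits)."""
    if len(pw) < 12:
        return False
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    # A long password built from very few distinct characters is not "random".
    if len(set(pw)) < 6:
        return False
    return has_lower and has_upper and has_digit


# WordPress prints its version in a generator meta tag unless that is disabled,
# and appends ?ver= to plugin asset URLs, which reveals the plugin version.
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
PLUGIN_VER_RE = re.compile(r'/wp-content/plugins/([\w-]+)/[^"\']*\?ver=([\d.]+)', re.I)


def find_version_leaks(html: str) -> dict:
    """Return {'core': '<version or None>', 'plugins': {slug: version}} found in page HTML."""
    leaks = {"core": None, "plugins": {}}
    m = GENERATOR_RE.search(html)
    if m:
        leaks["core"] = m.group(1)
    for slug, ver in PLUGIN_VER_RE.findall(html):
        leaks["plugins"][slug] = ver
    return leaks


def is_directory_listing(html: str) -> bool:
    """Detect an Apache/nginx auto-index page served when a folder has no index file."""
    return bool(re.search(r"<title>\s*Index of /", html, re.I))


# Constructed sample responses (hypothetical host and plugin slug, not real data).
SAMPLE_HOME = ('<html><head><meta name="generator" content="WordPress 6.4.2">'
               '<script src="https://example.invalid/wp-content/plugins/example-plugin/js/app.js?ver=9.9.9">'
               '</script></head></html>')
SAMPLE_UPLOADS = '<html><head><title>Index of /wp-content/uploads</title></head></html>'
```

A site that passes all three checks has both version leaks and directory listing closed off; the password check is for auditing local policy, not something to run against a live login form.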
Aren’t the other measures important?
Many WordPress operators believe that changing the URL of the login screen and adding a CAPTCHA are very important. However, only around 15 percent of all hacks break through the login screen, and brute-force attacks on the administrator password also have methods that do not go through the login screen at all.
Also, as mentioned above, if a strong password is set for the administrator account, it cannot realistically be broken, since cracking it would take tens of thousands of years.
For this reason, changing the login URL or installing a CAPTCHA is not a high priority as a security measure. (Of course, these do block some attack methods, especially on sites with many users, so it is not necessarily better to skip them.)
Many sites end up infected with malware because their operators assume they are safe after changing the login URL or installing a CAPTCHA, and neglect the other, genuinely important measures.
We recommend that you start with the basic security measures, in order of importance.