Here are five free WordPress security measures you can take.
1 Use the password generated by WordPress
If you use the password automatically generated by WordPress, this is the only way to logically and completely prevent brute force attacks that repeatedly take login enforcement of the administration screen to seize administrative privileges.
Logically, this password is so strong that it would take hundreds of years to break it. The most important security measure is to make the password strong before hiding or capturing the login screen URL.
You can change the password for a user by going to the WordPress admin page > User List > Edit Profile.
2 Plug-ins and theme operations
If you take the following precautions when using plug-ins and themes, it is almost impossible for WordPress to be tampered with through program vulnerabilities.
Hackers often take advantage of publicly available vulnerabilities, and in many cases, the plugin creators have covered the vulnerabilities with the latest versions of their plugins.
Deactivate and remove plugins and themes that are not in use.
Use as few plug-ins as possible, and try to avoid plug-ins that have not been updated in several years.
(However, minor plug-ins are less likely to be vulnerable to exploitation even if they are no longer updated. Plug-ins that are popular are often the ones that are constantly updated)
∙ Update plugins every few months.
(If you want to see if an update will cause problems, create a test site and update it there, then back up the site and update it in the production environment.)
3. Do not leave unnecessary files or sites on the server.
Do you have unused WordPress sites on your server?
If this abandoned WordPress site is outdated, this site may be hacked and tampered with by other sites on the server.
This is because a malicious program can jump through folders and access and rewrite any file on the server.
Having PHPMYADMIN in the same folder as wordpress also increases the chances of hackers being able to log into the database (if wp-config.php is pulled).
If they can log in to the database, hackers can rewrite the login password of a user with administrative privileges, for example, to log in as an administrator.
4 SSL-enable the site
SSL (HTTPS) is available for free on many servers these days.
When a site is SSL-enabled, all data exchanged between WordPress and the user, including user IDs and passwords, are encrypted and logically cannot be viewed by other servers.
5 Security measures with plug-ins
The following 5 security features of plug-ins are particularly important.
Login Lockdown
Detects a brute force attack by hackers who repeatedly and mechanically enforce login, and disables access to the login screen for a certain period of time.
This reduces the load caused by unauthorized access to the site and can greatly improve site speed.
Prevent WordPress version leakage
WordPress versions were listed in readme.html up to version 4, and the versions of plug-ins and the main body of WordPress are output in the HTML code.
Hackers enter special search queries into search engines to find vulnerable sites, so the ability to prevent this information from being output is especially important.
Prohibit the display of Index Lists
The Index List is a server feature that displays a list of files contained in a folder on the server when there is no index.html in that folder.
This feature can cause inspection engines to pick up folders of vulnerable plugins, which are then trapped by search engines.
Hackers use search engines to find these vulnerabilities, so it is necessary to restrict the functionality so that the Index list is not displayed.
Write Permissions on Files
If you set WordPress file permissions to the lowest possible level, hackers can easily rewrite (tamper with) files to take advantage of vulnerabilities.
Setting file write permissions to an appropriate strength will make it more difficult to tamper with files.
Prohibit spambots from posting comments
In order to prevent spam comments from being mechanically written in the comment section of WordPress, this function blocks such comments in advance.
The WordPress comment section may be contaminated with spam and also used to send spam emails using email notifications.
The following is a free plugin that provides this functionality.
All In One WP Security & Firewall
Wordfence Security – Firewall & Malware Scan
WordPress : Malware Scan & Security Plugin [Malware & Virus Detection and Removal] allows you to easily apply free security measures to your WordPress site with a single click to make it harder for hackers to infiltrate your WordPress site.
It also includes a function that automatically scans and notifies you of malware late at night, so you can detect malware infections immediately and operate your site with peace of mind.