Here are five free WordPress security measures you can take.

1 Use the password generated by WordPress

If you use the password automatically generated by WordPress, this is the only way to logically and completely prevent brute force attacks that repeatedly take login enforcement of the administration screen to seize administrative privileges.

Logically, this password is so strong that it would take hundreds of years to break it. The most important security measure is to make the password strong before hiding or capturing the login screen URL.

You can change the password for a user by going to the WordPress admin page > User List > Edit Profile.

2 Plug-ins and theme operations

If you take the following precautions when using plug-ins and themes, it is almost impossible for WordPress to be tampered with through program vulnerabilities.

Hackers often take advantage of publicly available vulnerabilities, and in many cases, the plugin creators have covered the vulnerabilities with the latest versions of their plugins.

Deactivate and remove plugins and themes that are not in use.
Use as few plug-ins as possible, and try to avoid plug-ins that have not been updated in several years.

(However, minor plug-ins are less likely to be vulnerable to exploitation even if they are no longer updated. Plug-ins that are popular are often the ones that are constantly updated)

∙ Update plugins every few months.

(If you want to see if an update will cause problems, create a test site and update it there, then back up the site and update it in the production environment.)

3. Do not leave unnecessary files or sites on the server.

Do you have unused WordPress sites on your server?

If this abandoned WordPress site is outdated, this site may be hacked and tampered with by other sites on the server.

This is because a malicious program can jump through folders and access and rewrite any file on the server.

Having PHPMYADMIN in the same folder as wordpress also increases the chances of hackers being able to log into the database (if wp-config.php is pulled).

If they can log in to the database, hackers can rewrite the login password of a user with administrative privileges, for example, to log in as an administrator.

4 SSL-enable the site

SSL (HTTPS) is available for free on many servers these days.

When a site is SSL-enabled, all data exchanged between WordPress and the user, including user IDs and passwords, are encrypted and logically cannot be viewed by other servers.

5 Security measures with plug-ins

The following 5 security features of plug-ins are particularly important.

Login Lockdown
Detects a brute force attack by hackers who repeatedly and mechanically enforce login, and disables access to the login screen for a certain period of time.
This reduces the load caused by unauthorized access to the site and can greatly improve site speed.

Prevent WordPress version leakage
WordPress versions were listed in readme.html up to version 4, and the versions of plug-ins and the main body of WordPress are output in the HTML code.
Hackers enter special search queries into search engines to find vulnerable sites, so the ability to prevent this information from being output is especially important.

Prohibit the display of Index Lists
The Index List is a server feature that displays a list of files contained in a folder on the server when there is no index.html in that folder.
This feature can cause inspection engines to pick up folders of vulnerable plugins, which are then trapped by search engines.
Hackers use search engines to find these vulnerabilities, so it is necessary to restrict the functionality so that the Index list is not displayed.

Write Permissions on Files
If you set WordPress file permissions to the lowest possible level, hackers can easily rewrite (tamper with) files to take advantage of vulnerabilities.
Setting file write permissions to an appropriate strength will make it more difficult to tamper with files.

Prohibit spambots from posting comments
In order to prevent spam comments from being mechanically written in the comment section of WordPress, this function blocks such comments in advance.
The WordPress comment section may be contaminated with spam and also used to send spam emails using email notifications.

The following is a free plugin that provides this functionality.

All In One WP Security & Firewall

Wordfence Security – Firewall & Malware Scan

WordPress : Malware Scan & Security Plugin [Malware & Virus Detection and Removal] allows you to easily apply free security measures to your WordPress site with a single click to make it harder for hackers to infiltrate your WordPress site.

It also includes a function that automatically scans and notifies you of malware late at night, so you can detect malware infections immediately and operate your site with peace of mind.

Related Posts:

  1. 5 characteristics of sites that are subject to WordPress hacking, hijacking, or defacement.
    At WordPress Doctor, we perform malware removal and security measures on behalf of more than several hundred sites per year. Based on this experience, we would like to share with you the characteristics of sites that have been hacked, hijacked, or defaced....
  2. Checklist for Improving WordPress Security
    WordPress Doctor helps hundreds of sites a year clean up malware and create secure sites. Based on this experience, we have created a checklist for running WordPress securely according to its level of importance. We hope you find it helpful....
  3. How Hackers Discover Your WordPress Site Dork
    It is dangerous to run a WordPress site and think that it will not be targeted because of low traffic. We will explain why low traffic does not necessarily mean that your site will not be hacked....
  4. 5 operations that are at high risk of WordPress sites being hacked and tampered with.
    We will explain the five most dangerous ways to operate a WordPress site that can lead to it being hacked, defaced, sent to another site, or in the form of embedded malware. We hope that you will use this information as a lesson to the contrary....
  5. What many people misunderstand about WordPress security.
    We have summarized some of the security measures taken by WordPress, which are often misunderstood by many people and often result in tampering and malware embedding!...
  6. Security Concerns When Automatic WordPress Updates Fail
    The automatic update of WordPress has failed. Please try updating again.” This page explains what kind of security concerns there are and how to deal with them....