1. Work only with good hosts
You should only work with reliable, high-quality and safe hosting. This piece of advice seems
More or less everyone thinks their hosting is great until something breaks for the first time.
In practice, not all hosting companies and hosting offerings are created equal.
If you take a look at one of our hosting surveys, you'll see how different people's
experiences are in terms of overall hosting quality and also individual aspects of their
hosting setups, like security, reliability, speed,
Some hosts are simply sub-par and don't do well under stress.
The bad news here is that most of the time you don't even know that your host isn't taking
your website security seriously enough. Things like increased hacker attacks, frequent
downtime and low performance might all be a result of inadequate security mechanisms in place.
The reality is that you're not really going to "fix your host." The simplest and best solution
is to switch to a different host that's more
Generally, the more you pay, the better your new host is going to be, but there are also some
budget options you can consider.
If you want to get to the bottom of the subject, we have comparisons of the best hosting
options out there, plus the aforementioned surveys where you can see what people
Here's a brief recommendation if you're in a
Best power setup: Kinsta. For $100 / month, you can host up to five websites and
welcome ~100,000 visitors.
Entry-level managed host: Flywheel. For $13.00 / month, you can host one website and
welcome ~5,000 visitors.
Budget pick: SiteGround. For as low as $3.95 / month, you can host one
2. Protect the wp-config.php file
The wp-config.php file holds crucial information about your WordPress installation (database
credentials, authentication keys and salts), and it's the most important file in your site's
root directory. Protecting it means securing the core of your WordPress blog.
This tactic makes it harder for hackers to breach the security of your site, since the
wp-config.php file is no longer reachable through the web root.
As a bonus, the protection process is really easy. Just take your wp-config.php file and
move it to a higher level than your root
Now, the question is: if you store it elsewhere, how does the server access it? In the
current WordPress architecture, the loader looks for the configuration file first in the
install root and then one directory above it. So, even if it's stored one folder above the
root directory, WordPress can still see it.
3. Disallow file editing
If a user has admin access to your WordPress dashboard, they can edit any files that are part
of your WordPress installation through the built-in theme and plugin editors. This includes
all plugins and themes.
If you disallow file editing, nobody will be able to modify any of the files from the
dashboard – even if a hacker obtains admin access to your WordPress
To make this work, add the following to the wp-config.php file (at the very end):
4. Set directory permissions carefully
Wrong directory permissions can be fatal, especially if you're working in a shared hosting
In such a case, changing file and directory permissions is a good move to secure the website
at the hosting level. Setting directory permissions to "755" and files to "644" protects the
entire file system – directories, subdirectories, and individual files – by leaving only the
owner with write access.
This can be done either manually via the File Manager inside your hosting control panel, or
through the terminal (connected with SSH) – use the "chmod" command.
For more, you can look into the right permission scheme for WordPress or install the iThemes
Security plugin to check your current permission settings.
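Sections 2, 3 and 4 are three file-level changes to the same install, so here is one shell helper that applies all of them. It is an added example, not code from the article or from WordPress itself; the paths in the comments are placeholders, and it assumes PHP runs as the owner of wp-config.php (otherwise use 640 with the web server's group instead of 600).

```shell
#!/bin/sh
# Added example, not the article's own code: a helper that applies sections 2, 3 and 4
# to a WordPress install whose web root is $1 (e.g. /var/www/public_html, a placeholder).
set -eu

# Section 2: move wp-config.php one level above the web root. WordPress's loader
# looks in the parent directory when the file is missing from the install root,
# as long as that parent does not itself contain another WordPress install.
relocate_wp_config() {
    root=$1
    parent=$(dirname "$root")
    if [ -f "$root/wp-config.php" ]; then
        mv "$root/wp-config.php" "$parent/wp-config.php"
    fi
    # Tighter than the 644 scheme below: only the owner (the PHP user, assumed) needs it.
    chmod 600 "$parent/wp-config.php"
    [ -f "$parent/wp-config.php" ]
}

# Section 3: append the constant once (idempotent) so the dashboard theme and plugin
# editors are disabled even for an account that holds the administrator role.
# Prints how many times the constant now appears in the file (expected: 1).
disallow_file_edit() {
    cfg=$1
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" || \
        printf "\ndefine('DISALLOW_FILE_EDIT', true);\n" >> "$cfg"
    grep -c 'DISALLOW_FILE_EDIT' "$cfg"
}

# Section 4: 755 for every directory, 644 for every file, across the whole tree.
set_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Verification: succeeds only when nothing in the tree deviates from 755/644.
check_permissions() {
    root=$1
    bad=$(find "$root" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \) | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ]
}

# Typical run (commented out so the file can be sourced without side effects):
# relocate_wp_config /var/www/public_html
# disallow_file_edit /var/www/wp-config.php
# set_permissions /var/www/public_html && check_permissions /var/www/public_html
```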
5. Disable directory listing with .htaccess
If you create a new directory as part of your website and don't put an index.html file in it,
you may be surprised to find that your visitors can get a full directory listing of everything
that's in that directory.
For example, if you create a directory called "data", you can see everything in that directory
simply by typing www.example.com/data/ in your browser. No password or anything
You can prevent this by adding the following line to your .htaccess file:
Options All -Indexes
6. Block all hotlinking
Let's say you find a picture online and would like to share it on your website. First of all,
you need permission or to buy that image, otherwise there's a good chance it's illegal to do
so. But if you do get permission, you might directly pull the image's URL and use that to put
the photo in your post. The main problem here is that the image is shown on your site, but is
being hosted on another site's
From this perspective, you don't have any control over whether or not the photo remains on
the server. But it's also important to understand that people might do this to your website.
If you're trying to secure your WordPress website, hotlinking is essentially another person
taking your photo and stealing your server bandwidth to show the image on their own website.
In the end, you'll see slower loading speeds and the potential for high server costs.
Although there are some manual techniques for preventing hotlinking, the simplest method is to
find a WordPress security plugin for the job. For instance, the All In One WP Security and
Firewall plugin includes built-in tools for blocking all hotlinking.
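Sections 5 and 6 both end up in the same .htaccess file, so here is one added example (not from the article or the plugin it names) that writes both rules and lets you check the Referer policy offline. It assumes Apache with mod_rewrite loaded and AllowOverride permitting these directives; example.com is a constructed hostname.

```shell
#!/bin/sh
# Added example, not the article's own code: writes an .htaccess for the web root $1
# that disables directory listings (section 5) and refuses image requests sent with
# another site's Referer (the "manual" hotlink block mentioned in section 6).
set -eu

# $1 = web root, $2 = your own hostname without "www." (constructed here: example.com)
write_htaccess() {
    root=$1
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for use inside the regex
    cat > "$root/.htaccess" <<EOF
# Section 5: no directory listing when a folder has no index file
Options All -Indexes

# Section 6: block hotlinking of images
<IfModule mod_rewrite.c>
RewriteEngine On
# An empty Referer stays allowed: direct visits and privacy-minded browsers send none
RewriteCond %{HTTP_REFERER} !^\$
# Requests from this site (with or without www, http or https) stay allowed;
# the trailing slash stops example.com.attacker.test from matching
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?${esc}/ [NC]
# Everything else asking for an image gets 403 Forbidden
RewriteRule \.(jpe?g|png|gif|webp|svg)\$ - [F,NC,L]
</IfModule>
EOF
}

# Mirrors the two RewriteCond tests in shell so the policy can be checked offline.
# $1 = hostname, $2 = Referer header value; prints "allow" or "deny".
referer_allowed() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    if [ -z "$2" ]; then
        echo allow
    elif printf '%s' "$2" | grep -Eiq "^https?://(www\.)?${esc}/"; then
        echo allow
    else
        echo deny
    fi
}
```

Note that the Referer check is a bandwidth measure, not an authentication one: any client can omit or forge the header, which is exactly why the empty-Referer case has to stay allowed for ordinary visitors.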
7. Understand, and protect against, DDoS
A DDoS attack is a common type of strike against your server bandwidth, where the attacker
uses multiple programs and systems to overload your server. Although an attack like this
doesn't jeopardize your site files, it's meant to crash your site for an extended period of
time if not resolved. Usually, you only hear about DDoS attacks when they happen to large
companies like GitHub or Target. They're conducted by what many refer to as cyber-terrorists,
so the motive might simply be to
That said, you don't have to be a Fortune 500 company to be at risk.
If this worries you, we recommend signing up for the Sucuri or Cloudflare premium plans.
These solutions have web application firewalls to analyze the bandwidth being used and block
out DDoS attacks entirely.
Part (b): Secure your WordPress website by protecting the login page and preventing brute force attacks
Everyone knows the standard WordPress login page URL. The backend of the website is accessed
from there, which is the reason why people try to brute force their way in. Just add
/wp-login.php or /wp-admin/ at the end of your domain name and there you go.
What I recommend is to customize the login page URL and even the page's interaction. That's
the first thing I do when I start securing
Why? Because it's usually the user's fault that their site got hacked. There are some
responsibilities that you need to take care of as a website owner. So the key question is:
what are you doing to save your site from being hacked? Protecting the login page and
preventing brute force attacks is one of the best things you can do.
Here are some suggestions for securing your WordPress website login page:
Set up a website lockdown feature and ban
A lockdown feature for failed login attempts can solve the huge problem of continuous brute
force attempts. Whenever there's a hacking attempt with repetitive wrong passwords, the site
gets locked, and you get notified of this unauthorized activity.
I found that the iThemes Security plugin is one of the best such plugins out there, and I've
been using it for quite a while. The plugin has a lot to offer in this respect. Along with
over 30 other awesome WordPress security measures, you can specify a certain number of failed
login attempts before the plugin bans the attacker's IP address.
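The lockdown feature described above reacts to repeated failed logins from one client. The following added example (not from the article or the iThemes plugin) computes that same signal from a web server access log in the common "combined" format, so you can see what a threshold of failed attempts looks like in practice; the log lines and IP addresses are constructed.

```shell
#!/bin/sh
# Added example, not the article's own code: the signal a lockdown plugin acts on,
# computed from a web server access log ("combined" format). Clients that keep POSTing
# to wp-login.php and keep getting the form back are brute-force candidates.
set -eu

# Constructed sample log. WordPress answers a wrong password by re-rendering the login
# form with status 200; a successful login answers with a 302 redirect to wp-admin.
SAMPLE_LOG='203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
192.0.2.77 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2023:13:55:55 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"'

# Prints "ip count", sorted, for every client with at least $2 failed login POSTs in $1.
# Field layout of the combined format: $1 client IP, $6 "METHOD, $7 path, $9 status.
failed_login_offenders() {
    log=$1
    threshold=$2
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' "$log" | sort
}

# Writes the constructed sample to a temporary file and prints its path for a dry run.
sample_log_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# Example run: failed_login_offenders "$(sample_log_file)" 3   -> "203.0.113.9 5"
```

With the threshold at 3 only the scripted client is reported, while the visitor who mistyped a password twice (192.0.2.77) is left alone; that gap between ordinary mistakes and automated guessing is what the plugin's configurable attempt count is for.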