Website security is an important problem that many WordPress newcomers easily overlook, and many only contact a WordPress expert once they are already facing problems. This series of tutorials walks you through the steps to protect your WordPress website: the 32-step WordPress website security ultimate checklist. Today we look at steps 18 to 22.
WordPress website security ultimate checklist: Steps 18 to 22
18. Limit login attempts
We have already mentioned password brute forcing: using a computer program to brute force a password costs a hacker very little. You should therefore set up a mechanism that blocks any attempt to brute force your website's passwords.
This can be done with a WordPress limit login plugin or the All In One WP Security & Firewall plugin. When a certain number of logins with a wrong password is detected, the user is prohibited from trying to log in again for a certain period of time. This makes brute force attacks very difficult to carry out and significantly increases your website's security.
19. Enable two-factor authentication
A quick way to strengthen the login security of your WordPress website is to enable two-factor authentication, which many people refer to as 2FA.
2FA adds a mechanism to the WordPress backend login: in addition to entering your regular password, you also need to enter a time-based security password, and this password is different for each user. Typically, this password changes every 60 seconds.
The security password is unique to each user and expires quickly, so even if someone obtains your login account and password, they cannot log in to your site because they cannot obtain your current security password. This significantly increases the security of logging in to your site and also helps prevent hackers from brute forcing your login information.
20. Ensure that the file permissions are set correctly
This section uses some technical terms, but it is not difficult.
PHP and WordPress apply permission rules to files and folders. Without going into too much detail, there are generally the following three kinds of permission:
- Files and directories that are publicly writable;
- Files that only the web server can write to;
- Files that can only be read;
Generally speaking, your own web server needs to be able to write to a file, and you never want the public internet to be able to write to your files freely.
Some novices and some lazier developers might suggest that you set file permissions to the maximum. For example, they will suggest setting the permissions of all files and folders to public (777). This brings a serious security risk, because it means that anyone can write any program into your files and folders. You might find a lot of garbage content in your folders. Some of these programs may break out of the current directory and infect other websites on the same server.
Generally speaking, file permissions should be set to 644 and directory permissions to 755. For the wp-config.php file, you can set the permissions to 400 or 440.
If someone tells you differently, be careful. We recommend that you do not follow other suggestions.
How do you view your folder permissions? You can view them through your host's management system, such as cPanel, if your hosting provider offers one; you can also view them with FTP client software.
If you still don't understand, you can choose a professional WordPress hosting service. These servers come with professional security settings: folder permissions are 755, file permissions are 644, and important directories are forbidden from being set to 777, otherwise a 500 error appears; special directories you can of course set yourself.
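If you have shell access, the recommendation above can be checked directly. The script below is an added example, not part of the original tutorial; the function name audit_wp_perms and the sample directory layout are hypothetical, and the tree it scans is constructed in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example: audit a WordPress tree against the modes recommended in step 20.
# Expected: directories 755, files 644, wp-config.php 400 or 440, nothing world-writable.

# Print one finding per line; print nothing when the tree matches the recommendation.
audit_wp_perms() {   # $1 = WordPress root directory
    # Anything writable by "other", e.g. the 777 setting (symlinks are skipped).
    find "$1" ! -type l -perm -0002 -exec printf 'WORLD-WRITABLE %s\n' {} +
    # Directories whose mode is not exactly 755.
    find "$1" -type d ! -perm 755 -exec printf 'DIR-NOT-755 %s\n' {} +
    # Regular files (other than wp-config.php) whose mode is not exactly 644.
    find "$1" -type f ! -name wp-config.php ! -perm 644 -exec printf 'FILE-NOT-644 %s\n' {} +
    # wp-config.php must be 400 or 440.
    find "$1" -type f -name wp-config.php ! -perm 400 ! -perm 440 \
        -exec printf 'CONFIG-NOT-400-OR-440 %s\n' {} +
}

# Constructed sample tree (hypothetical layout), built in a temp directory.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
: > "$demo/index.php"
: > "$demo/wp-config.php"
: > "$demo/wp-content/uploads/dropped.php"
chmod 755 "$demo" "$demo/wp-content"
chmod 777 "$demo/wp-content/uploads"      # the "maximum" setting the text warns about
chmod 644 "$demo/index.php" "$demo/wp-config.php"
chmod 666 "$demo/wp-content/uploads/dropped.php"
audit_wp_perms "$demo"
rm -rf "$demo"
```

Run it against your own site root with audit_wp_perms /path/to/site; an empty result means every path matches the modes listed above.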
21. Modify the default database table prefix
This is also a problem from earlier versions of WordPress. In earlier versions, the default prefix of the WordPress tables in the database was wp_.
Although this is no longer a fixed default and users can set their own prefix, some users do not change these default settings, and do not modify the database of a WordPress site that is already installed.
Changing the default database table prefix wp_ to another string of letters can effectively block some website attacks.
However, this operation should be done by a professional WordPress developer; users who are not familiar with it should not modify it themselves.
22. Make sure to set the WordPress secret authentication keys
Some users may know that the WordPress configuration file wp-config.php contains eight security and authentication keys but do not know what they are for; some users may never have heard of them.
These eight authentication keys look like this:
Simply put, these eight randomly generated variables make your WordPress passwords more difficult to crack. This is because they increase the randomness of the passwords stored in the database, making the passwords more difficult to brute force.
The WordPress random generator generates these keys when you install WordPress. If you are using WordPress version 2.6 or earlier, or your hosting cannot connect to the WordPress random code generator, you need to set the keys yourself.
You can follow these steps to set them:
- Generate random strings yourself, or use the automatic WordPress salt key generator.
- Open your wp-config.php file and add the random strings above at the appropriate position.
Don't tell anyone these authentication keys; this is to ensure your website's security.
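To confirm that steps 21 and 22 were actually applied, the script below reads a wp-config.php and reports keys that are missing, still set to the placeholder text from wp-config-sample.php, or very short, and reports a table prefix left at wp_. It is an added example, not part of the original tutorial; the function names and the 32-character minimum are assumptions, and the sample file is constructed.

```shell
#!/usr/bin/env bash
# Added example: report weak settings in a wp-config.php (steps 21 and 22).
KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
      AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
PLACEHOLDER='put your unique phrase here'   # text shipped in wp-config-sample.php
MIN_LEN=32                                  # assumed minimum, not a WordPress rule
q="['\"]"                                   # matches either quote character

# Print the value of define('NAME', 'value'); or nothing if it is absent.
key_value() {   # $1 = file, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*${q}$2${q}[[:space:]]*,[[:space:]]*${q}\(.*\)${q}[[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# Print one finding per line; print nothing for a file that passes.
check_wp_config() {   # $1 = path to wp-config.php
    for k in $KEYS; do
        v=$(key_value "$1" "$k")
        if [ -z "$v" ]; then echo "MISSING $k"
        elif [ "$v" = "$PLACEHOLDER" ]; then echo "PLACEHOLDER $k"
        elif [ "${#v}" -lt "$MIN_LEN" ]; then echo "SHORT $k"
        fi
    done
    # Step 21: the table prefix is still the old default.
    if grep -Eq "^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*${q}wp_${q}" "$1"; then
        echo "DEFAULT-PREFIX wp_"
    fi
}

# Constructed sample, not a real configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'tooshort');
define('LOGGED_IN_KEY',   'constructed-sample-0123456789-abcdefghijklmnopqrstuvwxyz-A');
$table_prefix = 'wp_';
EOF
check_wp_config "$sample"
rm -f "$sample"
```

The script only reports findings and never prints key values, so its output is safe to paste into a ticket.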