How To Secure WordPress Website From Hackers

In this tutorial I will show you how to secure a WordPress website from hackers the easy way. All you have to do is follow the simple steps in this tutorial.

Before we start, you have to keep a backup of your website on a home computer or hard drive.

How To Secure WordPress Site in 2022

First of all, you have to install one of the best secure WordPress themes of 2022.

You must update your PHP from your cPanel: PHP versions under 7.2.31 are vulnerable.

Always update WordPress to the latest release. WordPress versions under 5.4.2/5.3.4/5.2.7 are outdated and very easy to hack.

Always install security updates.

Also, always update your plugins.

Avoid leaving upload scripts and test pages installed. Always remove them after you finish testing, because hackers can find them easily.

Always redirect your visitors to the HTTPS version of your site to avoid the “Not Secure” browser warning. You can get a free SSL certificate (2022) from here: https://s-educatetools.com/free-ssl-certificate-2022/.

Don't give away information about your site, such as your PHP version, by leaving expose_php = on. To fix that, go to your php.ini and change it to off:

expose_php = off

Fix missing security headers and use protection against clickjacking:

You can enable it by modifying your Apache settings or by using your .htaccess file:

<IfModule mod_headers.c>
	Header set X-Frame-Options "SAMEORIGIN"
</IfModule>

For Nginx users, add the X-Content-Type-Options header:

add_header X-Content-Type-Options "nosniff";

For Apache users:

Header set X-Content-Type-Options "nosniff"

You can also add an X-XSS-Protection header.

Add a Referrer-Policy header.

Use Expect-CT to prevent the use of misissued certificates for your site from going unnoticed.

Secure wp-config.php and xmlrpc.php.

Secure all directory access (Access forbidden! Error 403), so that documents and files in every directory are protected and hidden.

You can add this to your .htaccess file:

<IfModule mod_headers.c>
Header set Connection keep-alive
Header always set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>

# X-XSS-Protection
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>

# Referrer-Policy
<IfModule mod_headers.c>
Header set Referrer-Policy "same-origin"
</IfModule>

<IfModule mod_headers.c>
Header set Expect-CT enforce,max-age=2592000,report-uri="https://remplace-with-yoursite.com/report"
</IfModule>

# This code is compatible with Apache 2.4
# See the Apache docs for access control for 2.2
# @link https://httpd.apache.org/docs/current/howto/auth.html

# Disable `xmlrpc.php` to limit hacker login attempts
# `xmlrpc.php` is used for Jetpack, to blog by email, and pingbacks
# If you're not doing any of this, disable it; it is a security hazard

<Files xmlrpc.php>
Require all denied
</Files>

# Protect `wp-config.php` from HTTP access

<Files wp-config.php>
Require all denied
</Files>

# Prevent directory access (i.e. example.com/wp-content/uploads/)
# The `options` directive does not use a module and requires no if statement
# @link https://httpd.apache.org/docs/2.4/mod/core.html#options

Options -Indexes
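
To confirm that the headers above are really being served, the following added example (not part of the original tutorial) audits a saved response header block, such as the output of curl -sI, for the values configured on this page and for the X-Powered-By leak caused by expose_php. The function names and both sample responses are constructed for illustration; Expect-CT is not checked.

```python
# Added example; the accepted values mirror the directives on this page.
EXPECTED = {
    "x-frame-options": lambda v: v.upper() in ("SAMEORIGIN", "DENY"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-xss-protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
    "referrer-policy": lambda v: v.lower() == "same-origin",
    "content-security-policy": lambda v: "upgrade-insecure-requests" in v.lower(),
}

def parse_headers(raw):
    """Parse a raw header block into {lowercased-name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            key, value = name.strip().lower(), value.strip()
            # Repeated headers are combined into one comma-separated value.
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def audit(raw):
    """Return (missing, wrong_value, leaks) for one response."""
    headers = parse_headers(raw)
    missing = sorted(h for h in EXPECTED if h not in headers)
    wrong = sorted(h for h, ok in EXPECTED.items() if h in headers and not ok(headers[h]))
    # expose_php = on makes PHP send "X-Powered-By: PHP/<version>".
    leaks = [v for k, v in headers.items() if k == "x-powered-by" and "php" in v.lower()]
    return missing, wrong, leaks

# Constructed sample: a site with none of the hardening applied.
UNHARDENED = """HTTP/1.1 200 OK
X-Powered-By: PHP/7.2.30
X-Frame-Options: ALLOWALL
"""

# Constructed sample: the same site after the .htaccess and php.ini changes.
HARDENED = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: same-origin
Content-Security-Policy: upgrade-insecure-requests;
"""

if __name__ == "__main__":
    for label, raw in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(label, audit(raw))
```

Run it against headers captured from both the home page and a static file, since .htaccess rules in a subdirectory can override the ones set at the site root.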

You can also install a cloud-based WAF to prevent DDoS attacks, using Sucuri, Wordfence or Cloudflare.

A free bonus: a website for a security check and malware scan

This website will inform you if you have any issues, such as:

Whether your site has any malware or viruses.

Whether your site is blacklisted, and its status from:

Google Safe Browsing

It will also show you your website's errors, out-of-date software, and malicious code.

Visit https://sitecheck.sucuri.net/