How To Secure WordPress Website From Hackers
In this tutorial I will teach you how to secure a WordPress website from hackers the easy way; all you have to do is follow this simple tutorial on how to secure a WordPress site.
Before we start, you have to understand that you must keep a backup of your website on a home computer or hard drive.
How To Secure WordPress Site in 2022
First of all, you have to install one of the best secure WordPress themes of 2022.
You must update your PHP from your cPanel; PHP versions under 7.2.31 are vulnerable.
Always update WordPress to the latest version; WordPress versions under 5.4.2/5.3.4/5.2.7 are outdated and very easy to hack.
Always install security updates.
Also, always update your plugins.
Avoid installing upload scripts and test pages, and always remove them after you finish testing, because hackers can find them easily.
Always redirect your visitors to the HTTPS version to avoid the “Not Secure” browser warning. You can get a free SSL certificate (2022) from here: https://s-educatetools.com/free-ssl-certificate-2022/
Don't give away information about your site, such as your PHP version, by leaving expose_php = on. To fix that, go to your php.ini and change it to off:
expose_php = off
Fix missing security headers and use a protection against clickjacking:
You can enable it by modifying your Apache settings or by using your .htaccess file:
<IfModule mod_headers.c>
    Header set X-Frame-Options "SAMEORIGIN"
</IfModule>
For Nginx Users
add_header X-Content-Type-Options "nosniff";
For Apache Users
Header set X-Content-Type-Options "nosniff"
You can also add an X-XSS-Protection header.
Add a Referrer-Policy header.
Add an Expect-CT header to prevent the use of misissued certificates for your site from going unnoticed.
Secure wp-config.php and xmlrpc.php.
Secure all directory access (Access forbidden! Error 403): secure and hide documents and files in all directories.
You can add this to your .htaccess file:
<IfModule mod_headers.c>
    Header set Connection keep-alive
    Header always set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>

# X-XSS-Protection
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>

# Referrer-Policy
<IfModule mod_headers.c>
    Header set Referrer-Policy "same-origin"
</IfModule>

<IfModule mod_headers.c>
    Header set Expect-CT enforce,max-age=2592000,report-uri="https://remplace-with-yoursite.com/report"
</IfModule>

# This code is compatible with Apache 2.4
# See the Apache docs for access control for 2.2
# @link https://httpd.apache.org/docs/current/howto/auth.html

# Disable `xmlrpc.php` to limit hacker login attempts
# `xmlrpc.php` is used for Jetpack, to blog by email, and pingbacks
# If you're not doing any of this, disable it, it is a security hazard
<Files xmlrpc.php>
    Require all denied
</Files>

# Protect `wp-config.php` from HTTP access
<Files wp-config.php>
    Require all denied
</Files>

# Prevent directory access (i.e. example.com/wp-content/uploads/)
# The `Options` directive does not use a module and requires no if statement
# @link https://httpd.apache.org/docs/2.4/mod/core.html#options
Options -Indexes
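To confirm that the settings above took effect, the following added example (not part of the original tutorial) audits the text printed by `curl -sIL` for the X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Content-Security-Policy headers, and for the X-Powered-By line that PHP sends when expose_php is on. The function names and the two sample responses are constructed for illustration.

```python
import re

# Accepted values: the tutorial's own settings plus stricter standard ones.
CHECKS = {
    "x-frame-options": lambda v: v.upper() in ("SAMEORIGIN", "DENY"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "referrer-policy": lambda v: v.lower() in ("same-origin", "no-referrer"),
    "content-security-policy": lambda v: "upgrade-insecure-requests" in v.lower(),
}

def parse_heads(raw):
    """Split `curl -sIL` style output into (status, headers) per response."""
    heads = []
    for block in re.split(r"\r?\n\r?\n", raw.strip()):
        lines = block.splitlines()
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            key, value = name.strip().lower(), value.strip()  # names are case-insensitive
            # a repeated header is combined into one comma-separated value
            headers[key] = f"{headers[key]}, {value}" if key in headers else value
        heads.append((int(lines[0].split()[1]), headers))
    return heads

def audit(raw):
    """Return sorted findings for the last response of a redirect chain."""
    _, headers = parse_heads(raw)[-1]
    findings = []
    for name, ok in CHECKS.items():
        if name not in headers:
            findings.append(f"missing {name}")
        elif not ok(headers[name]):
            findings.append(f"weak {name}: {headers[name]}")
    powered = headers.get("x-powered-by", "")
    if re.search(r"PHP/\d", powered):  # sent when expose_php is on
        findings.append(f"expose_php leaks version: {powered}")
    return sorted(findings)

# Constructed sample responses, not captured from a real site.
BEFORE = ("HTTP/1.1 200 OK\r\nX-Powered-By: PHP/7.2.30\r\n"
          "X-Frame-Options: ALLOWALL\r\nContent-Type: text/html\r\n\r\n")
AFTER = ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n"
         "HTTP/1.1 200 OK\r\nx-frame-options: SAMEORIGIN\r\n"
         "X-Content-Type-Options: nosniff\r\nReferrer-Policy: same-origin\r\n"
         "Content-Security-Policy: upgrade-insecure-requests;\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw) or "all checks pass")
```

To run it against your own site, pass the output of `curl -sIL` for your home page to `audit()`.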
You can also install a cloud-based WAF to prevent DDoS attacks, using Sucuri, Wordfence or Cloudflare.