How to protect your WordPress website in 2020? WordPress currently has quite a lot of vulnerabilities that many hackers exploit, so security is the thing I put at the top of the list.
My experience follows. Anyone who can share more, please do, so we can all learn.
+ Change admin path
+ Install a CAPTCHA on the admin login and on comments
+ Set folder permissions to 755 and file permissions to 644
+ Install security scanning plugins: Wordfence, iThemes Security Pro …
+ Back up the website regularly: manually and automatically
+ Turn on the firewall
+ Point DNS at Cloudflare
+ One server / shared hosting account should run only one site, or the sites should be split into separate, non-nested folders so one site cannot be hijacked from another.
+ Disable uploading of PHP files to prevent shell uploads; also turn off renaming of other files to .php
+ Back up the website first, then download the entire code + SQL and use Find / Find in Files in Sublime Text to search for malicious code by its common functions: eval, base64_decode (if anyone knows more, please add them)
+ Use online scanning tools: Unmask Parasites, Norton Safe Web, Quttera, VirusTotal, Web Inspector …
+ Turn off cURL so a shell cannot request another file; on a VPS this is configured separately, so turn it on only when it is needed.
+ Change the phpMyAdmin path
+ Create another MySQL user instead of using root. Give it a messy password.
+ Set .htaccess to ban execution
+ In the config, connect to the database using code_disk (a string to decode the DB name …) or encrypt the file again (PHP obfuscator)
+ Browse comments manually
+ Disable all mail functions and the SMTP protocol when they are not needed.
+ Scan the code of every plugin / theme with Sublime Text as above before using it. Nulled ones in particular: avoid them absolutely.
+ Check for SQL injection, XSS, CSRF, brute force … with a tool
+ Avoid running unknown bash files, e.g. VPS scripts. Set everything up manually from A to Z.
+ Connect to the VPS over SSH with a private key file. Don't use the root account + password (always do this)
+ Back up and update WordPress core, plugins, etc. often
+ Use nginx instead of Apache
+ Open the Chrome Network tab with "Preserve log" and check whether the log shows strange requests. If so, immediately
– You can use Cloudflare if you have no money. More valuable is StackPath's service (famous for its CDN, formerly MaxCDN).
– Use Hurricane Electric's DNS. Besides being free, it has two points that are better than many other DNS services: one is its wide, dense network, so an update to a record is applied within a few seconds. The other is support for CAA records (which restrict SSL certificate issuance to certain vendors only).
– Regularly update the PHP version.
– Equip Suhosin (if using PHP 5) or Snuffleupagus (if using PHP 7 or later). → https://snuffleupagus.readthedocs.io/
– Use ModSecurity at the web server level to actively filter and block before it is PHP's turn to process the request. If you cannot use it, install NinjaFirewall instead.
– A fair number of spam bots can be stopped with the honeypot method.