Posted on Leave a comment

WordPress Security Guide – Step by Step

Защита wordpress

Step-by-step instructions for configuring the security of WordPress version 5.6 and above.

Step 0 – Choosing a hosting provider

If you are reading this article – then you have hosting. And it’s too late to recommend anything:) Remember for the future hosting choose not by price.

Step 1 – Remove all unnecessary plugins, themes

Boldly remove all unused plugins and themes. Hackers often use disabled and outdated templates and plugins (even official WordPress plugins) to gain access to your control panel, or upload malicious content to your server. By removing plugins and templates that you no longer use, you reduce your risks and make your WordPress site more secure.

For example, you installed plugins to test and choose the one you will use. After selecting, don’t forget to delete any unnecessary ones.

  1. Remove unused plug-ins.
  2. Remove unused themes. You should have maximum 3 themes: the first one you use on your site, its child theme and Twenty One theme (the last official WordPress theme for 2021). Twenty One should be kept, that in case of failure (white screen often appears because of PHP errors, the more so if you have custom theme or plugins) your main theme, you can switch to Twenty One and fix problems.

Step 2 – Enable auto-update engine, plugins, themes

Vulnerabilities of past versions of software are in the public domain, so the latest version – of any software – is the safest.

If you don’t want to update WordPress because you made changes to the files, it’s better to create a child theme, transfer the changes to it, and still enable updates.

Since version 5.5 in WordPress is a built-in feature to automatically update themes and plugins.

  1. Turn on theme auto-update: Go to “Appearance” -> “Themes”, hover your mouse over the desired theme, click “Theme info” -> Enable automatic updates.
  2. Turning on plugin auto-update: Go to the “Plugins” section and turn on auto-update against the desired one.

If you have software on your site that is not compatible with new versions of WordPress, a plugin or a theme, you can enable selective automatic updates of plugins or themes.

Step 3 – Remove the admin or use non-standard login credentials

Do not use a username such as admin. It is strongly recommended that you change your admin username to something else.

The easiest way to set up a login when you install WordPress. But if you already have it installed – create a new administrator account with different data.

  1. Log in to your WordPress control panel
  2. Find the “Users” section and click “Add New”.
  3. Create a new user and give him administrator rights.
  4. Re-enter WordPress with your new data.
  5. Go back to “Users” and delete the default Admin account.
A good password plays a key role in WordPress security. A password consisting of numbers, upper and lower case letters, and special characters is much harder to crack.

I recommend using specialized tools to create and securely store passwords.

Step 4 – Back up your data as often as possible

Even the biggest sites get hacked every day, despite the fact that their owners spend thousands to improve WordPress security.

Not all attacks can be prevented, but just one successful attack can destroy all efforts to work on your site. We recommend that you make regular backups of your site.

Many hosting companies provide the option of server backups for FREE and everything seems to be fine! But, at the moment I don’t know any hosting provider where the backup service would work correctly, even more so for FREE! Maybe I’m being overly demanding, but if you’ve had any experience with actually restoring a site from a backup provider – write me in the comments. TIP: Do not believe the marketers of your chosen hosting, and conduct the test to restore the site yourself!

There are several ways to create backups. You can manually download the site files and export the database, or as I wrote above, use the tools offered by your hosting plan(I did not use the word tariff for nothing – hello to the marketers). Another way, use WordPress plugins. The most popular ones are:

  • VaultPress
  • BackUpWordPress
  • BackupGuard
  • UpdraftPlus
  • or find the plugin at the link
  • WordPress Database Backup – plugin settings allow you to set the option to send a daily database backup to your contact mailbox.
My experience for VPS / VDS/ Dedicated
If I have to administer a server, I usually set up a AutoMySQLBackup and BackupPC.

Step 5 – Disable WP JSON

WP JSON is short for WordPress JSON REST API. WP JSON is used to write applications on different platforms and in different languages that can manage your site: add, change and delete content, customize themes, menus, widgets and more. As you have already guessed it allows you to do unsafe things!

Search engines often index /wp-json/ as a subsection of the site. From the point of view of SEO in the index should be only pages that bring traffic, not technical (garbage) pages /wp-json/.

When disabling WordPress REST API, keep in mind that some popular plugins use it, such as Contact Form 7. So if your feedback form suddenly stops working, see if the REST API is disabled.

We have at least two reasons to disable wp-json – security and SEO. To disable wp-json I use Clearfy Pro pluginor you can use the code below.

// Disable REST API
 add_filter('rest_enabled', '__return_false');
 // Disable REST API Filters
 remove_action( 'xmlrpc_rsd_apis', 'rest_output_rsd' );
 remove_action( 'wp_head', 'rest_output_link_wp_head', 10, 0 );
 remove_action( 'template_redirect', 'rest_output_link_header', 11, 0 );
 remove_action( 'auth_cookie_malformed', 'rest_cookie_collect_status' );
 remove_action( 'auth_cookie_expired', 'rest_cookie_collect_status' );
 remove_action( 'auth_cookie_bad_username', 'rest_cookie_collect_status' );
 remove_action( 'auth_cookie_bad_hash', 'rest_cookie_collect_status' );
 remove_action( 'auth_cookie_valid', 'rest_cookie_collect_status' );
 remove_filter( 'rest_authentication_errors', 'rest_cookie_check_errors', 100 );
 // Disable REST API Events
 remove_action( 'init', 'rest_api_init' );
 remove_action( 'rest_api_init', 'rest_api_default_filters', 10, 1 );
 remove_action( 'parse_request', 'rest_api_loaded' );
 // Disable Embeds related REST API
 remove_action( 'rest_api_init', 'wp_oembed_register_route');
 remove_filter( 'rest_pre_serve_request', '_oembed_rest_pre_serve_request', 10, 4 );
 remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );

Insert this code in functions.php of your topic, if the last line is ?>, then insert the code before it.

Leave a Reply

Your email address will not be published. Required fields are marked *