All You Need to Know About a Secure WordPress Site| Take2 Technologies

We all have come around the term “Secure WordPress site”.

For instance, we come across many websites or know about website development. With the launch of the WordPress site, things for developers become easier.

WordPress provides many features, few mentioned are such as –

Better theme options.

Managing the content of the website with ease.

Providing plugins to add functionality.

Helping in creating a website without prior needed logical skills.

With many advantages of WordPress-

There arises a question: “How to secure a WordPress site?”

1. The threats regarding the term “Secure WordPress site”

WordPress is getting more popular due to its powerful content management system.

It is growing and getting popular among the community of developers.

However, with the advantages comes security and vulnerability issues.

Hackers from all around the world are mainly targeting the WordPress site.

When it comes to Secure WordPress sites, one must take the issues seriously as threats rise and hackers are active.

Recently, the famous web hosting company GoDaddy uncovered the issue that around more than its 1.2 million WordPress accounts became victims of phishing attacks.

Meanwhile, the customers had their numbers and email addresses exposed to unauthorized third-party.

Hence, it created havoc and fear among WordPress users about the security of their site and regular attacks by hackers.

2. Our story regarding the Secure WordPress site

Showing the increase of attacks on WordPress sites, we faced similar issues, too, where our website, which was hosted on Amazon EC2, was attacked by hackers and malicious codes were found.

After that, the site started showing unwanted content that was inappropriate and irrelevant.

Now, the question arises how do we fix it?

Yes, we were able to provide security and resolve the issue of threats.

The few pointers that we followed while fixing the WordPress site are as follows-

Targeted the issue and tried to look for the best plugins that we will describe more in detail as we proceed.
Tried to make our URL login fixed again as it was changed.
Compared the sources and found the malicious stacks of codes that required fixing.
Removed the unnecessary code and fixed the issue.
Use of the plugin “All In One WordPress Security and Firewall Plugin” to take the security of our WordPress site to a new extent.
In addition, in the below image, the source code on the left is from the official WordPress website and the source code on the right was present on our server. We compared and removed unnecessary code from core WordPress files.

On the whole, the hacker inserted the below-shown code in wp-login.php, which was the ultimate reason they screwed up and put down the domain’s reputation on search results.

3. “All In One WordPress Security and Firewall Plugin” to “Secure WordPress site”

We have various plugins when it comes to WordPress sites.

When it comes to the security of WordPress sites, “All In One WordPress Security and Firewall Plugin” comes to the rescue by providing ultimate protection to the WordPress site.In other words,

it reduces the risk of attacks by checking for vulnerabilities.
It works with WordPress,
It can be translated into any language.

In addition, the plugin is free to use.

It is easy, comprehensive, provides additional security, and is well supported in WordPress Security Plugin.

4. A detailed step-by-step guide to detect malicious codes and to Secure the WordPress site

In this paragraph, we will discuss in detail the steps which can be helpful to secure a WordPress site.

4.1 Download the plugin

(Process to Secure WordPress site)

The first step requires the download of the plugin, “All In One WordPress Security and Firewall Plugin”, which can be downloaded using the following link –

https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

In addition, in this situation, you must not need to give written permission of wp core files to www-data because hackers keep trying to log in with admin accounts to play with file systems.

Follow installation process mentioned below –

4.2 Installation process

The steps that are needed to follow while installing the plugin are as follows-
Upload the ‘all-in-one-wp-security.zip’ file from the Plugins->Add New page in the WordPress administration panel.
Activate the plugin through the ‘Plugins’ menu in WordPress.
Go to the Settings menu under ‘WP Security’ and start activating the security features of the plugin.

4.3 Creating a Github Repository

The next step that we used was creating a repository on Github.

After downloading the “All In One WordPress Security and Firewall plugin”, we have extracted the plugin under the wp-content/plugins folder.
Once the first step is done, the next move is s to commit and push the latest code to Github https://github.com/
Following the completion of the above steps, we deployed the latest code to the EC2 Linux server.

4.4 Account security of the user

The next feature we have used from the plugin was “user account security” to secure our account, and here is how we have done it.

The first step involved user account review. This feature helped in detecting the user account with the default “admin” username and helped in quickly changing the user name to the value of our choice.
This plugin feature also helped detect the identical login and display names for our other WordPress accounts, as it’s easier for hackers to find the identical login names and hence the bad practice for security to keep identical names.
We created a strong password using online services which provide a password manager tool to strengthen the security of our “WordPress” site.
The tool that we used for generating strong passwords was the “LastPass” password manager tool.

4.5 “LastPass” password manager tool

LastPass is an online password manager tool that provides secure, random, and strong passwords, the link for this tool is https://www.lastpass.com/

Hackers can easily target weak passwords ,and hence it’s crucial to strengthen the password, especially when life is happening in the new digital world. In other words, the user’s password must be strong enough to be protected from attackers. Tools like LastPass make our work accessible by keeping the information secure.

The features of the LastPass password manager tool and tips to be followed when generating a password are-

It helps in login into accounts efficiently and securely.
It generates strong passwords as we sign up and remember all the information for the user.
To create a password that is impossible to crack, your password must include multiple types of characters, such as the use of numbers, uppercase letters, lowercase letters, and special symbols.
This tool provides different types of passwords for each app or website and hence helps defend against the attackers.
The tool runs locally on all devices Windows, Mac, Linux, or iOS and Android devices.
It provides a unique password as if our one site can get hacked; then it’s easy for hackers to create a combination of passwords and attack our other sites . By providing uniqueness, the LastPass tool comes to our rescue of security.
Whenever you create a password, try to avoid using your personal information such as name, birth date, address, etc., as personal information can be easily found online. Therefore, the hackers can trace the information, which can be threatful.
The password must be at least 12 characters long.
Try to avoid sharing your password via emails and texts. One should use tools like “LastPass”, which has a feature to share a hidden password and provide access when the time is required.

4.6 Login security of the user

To Secure the WordPress site, for login dissolve, we used the “user login security” feature of the plugin where the “Login Lockdown feature” was enabled. It provided a maximum of two attempts of login. If both the attempts fail, it gives the notification and blocks the attempt for 24 hours when someone gets locked out due to too many login attempts. This feature keeps track of the activity of accounts of all users, such as username, IP address, login date/time, and logout date/time. Still it can also automatically lockout IP address ranges that try to attempt to login with an invalid username.

4.7 Registration security of the user

Using the feature “user registration security” feature of the plugin “All In One WP Security & Firewall” our WordPress site was more secure as this feature allows manual approval of WordPress user accounts.

By the time your site allows people to create their accounts with the WordPress registration form, you can cut down SPAM registrations by manually approving each registration.

4.8 HTACCESS and WP-CONFIG.PHP file backup and restore

With this feature, it is now easy to get the backup of your original .htaccess and wp-config.php files if you have to use them to bring back broken functionality. Also, can reform the contents of the presently active .htaccess or wp-config.php files from the admin dashboard, and that’s possible with only a few clicks.

4.9 Blacklist manager

To provide security to the WordPress site, we have used the blacklist functionality feature of the plugin that reviewed the IP address on the server and blacklisted such users by identifying the IP addresses. As a result, it helped in improving the Search Engine optimization results.

4.10 XML-RPC file was removed from source code

Do it carefully as this file may need if you’re connecting to third-party systems.

4.11 Firewall functionality

The “Firewall functionality” feature helps stop malicious script(s) before it tries to reach the WordPress code on your site.

In addition, this feature provides:

A control facility
Prohibiting proxy comments
Disabling trace and track
Forbidding malicious queries
Blocking access to debug log files

In addition, “firewall functionality” blocks bots and fake Google bots as well.

5. Google Search Console tool

“Google Search Console tool” helps index status and provides optimization results of visibility of the websites.

Moreover, with the help of this tool, the best security is assured as it notifies about the malicious codes for already registered sites.

In general, google crawls the websites over the internet every 3-4 days, but this tool allows us to add a specific page for indexing at priority, and google crawls them in 24-48 hours.