Securing WordPress is everyday work. I'll always say this to you, and I already told you so in the first part.
I want to share 4 other easy rules with you, 4 points to work on to make your WordPress website more secure.
4 easy rules to do once
Limit the Number of Bad Login Attempts
When attackers and bots want to log into your account, they have to try many, many times on wp-login.php. A brute-force attack is not always detected on your website, because it is done manually or the brute force is light.
But you have to protect yourself against these attempts to keep intruders out of your administration area. Nobody wants that, right?
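One way to apply this rule without a plugin, as an added example that is not code from the original post: a must-use plugin that counts failed logins per client address in a transient and refuses further attempts once a threshold is reached. The file location, the `ex_` names and the thresholds (5 failures, 15 minutes) are assumptions.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 * Assumed location: wp-content/mu-plugins/login-limiter.php
 */

const EX_MAX_FAILURES = 5;   // assumed threshold: failures allowed per address
const EX_LOCKOUT_SECS = 900; // assumed lockout window: 15 minutes

// Hypothetical helper: one counter per client address.
function ex_login_key() {
    // REMOTE_ADDR is the direct peer. Behind a reverse proxy it is the proxy's
    // address, so restore the client IP at the web server, not from a header here.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ex_login_fail_' . md5( $ip );
}

// Count every failed attempt. Resetting the transient restarts the timer, so
// an address that keeps trying while locked out stays locked out.
add_action( 'wp_login_failed', function ( $username ) {
    $key = ex_login_key();
    set_transient( $key, (int) get_transient( $key ) + 1, EX_LOCKOUT_SECS );
} );

// Priority 100 runs after core's credential checks (priority 20), so the
// lockout error replaces their result even when the password was correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === (string) $username ) {
        return $user; // plain page load or cookie session, not a login attempt
    }
    if ( (int) get_transient( ex_login_key() ) >= EX_MAX_FAILURES ) {
        return new WP_Error(
            'ex_locked_out',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 100, 3 );

// The counter is deliberately not cleared on a successful login: otherwise a
// valid low-privilege account could be used to reset it between guesses.
```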
Disallow Plugin & Themes Zip Uploads
By default, WordPress allows you to add a plugin or theme by simply uploading a zip file. This is not secure, since the file can contain any custom PHP code. Being an administrator of a website does not mean that person also has the rights to edit PHP files; the two are not linked.
By removing this possibility, you ensure that plugins can only be added over SFTP (your administrators don't have the FTP password, right?) or come from the official repository.
Only use clean WordPress themes, and avoid downloading premium themes for free from search engines.
Remove Comments Feature if You Don’t Use It
Comments are great for your website, but bot traffic represents about 60 % of the internet. Spam is posted by these bots, and they just want to add their content to your website. Don't let them do that!
Did you know that you can totally disable and remove the comment feature from WordPress core?
Refuse Connections From Foreign Countries
Country Management is an effective way to stop attacks of any type and to stop malicious activity that originates from a specific region of the world.
If you know that some countries are not your target market, and these countries are known for being an attacker nest, you can block them.
The same goes if you know that someone or a bot from a specific country is hitting your website hard: block the country for a while!
If you don't do that, your website will just return a 500 internal server error, and nobody wants that.
With these 4 new security points, you'll secure WordPress a little more. Do you have any other simple rules to share with everyone?