Festinger Vault Exclusive: How To Stop Hackers Breaking Into Your Website [Part 2/2]

Read Part 1 Here

Chapter 9 – The Dashboard

If you click on Dashboard in the WP Security menu, the Dashboard screen loads. Across the top, as with many of these settings pages, you’ll see a few tabs:

Here we have the Dashboard tab selected. From this tab, you can see the two graphical representations of your current security strength.

The first one is a dial, from zero to 515.

515 is the maximum achievable score, though you won’t get that high. At the 6 o’clock position, you can see my current score of 25.

The other graphic on this page is a pie chart. This includes a few segments that represent the security measures currently in force.

This pie chart gets more cluttered as you add extra security measures to your site.

Before you start, I recommend you record your security strength meter score. You can then compare it to your score at the end of this tutorial.

Have a look down at the other information on this Dashboard screen. An interesting item is the Critical Feature Status. This shows the enabled status for a few of the more critical features:

In my case, there’s no login lockdown, file permissions need work, and I need to enable a basic firewall. These are three highly recommended security features.

You have two ways to activate these. The first is to use the sub-menus on the WP Security sidebar to access the correct settings page. For example, you’ll find the basic firewall on the Firewall settings page.

A quicker way, though, is to simply click the “switch” on the Critical Feature Status panel. Do that now.

By clicking the Login Lockdown switch, the system automatically takes you to the settings page that contains the login lockdown feature.

As you can see, this is on the User Login settings page, which you can also access from the main WP Security menu.

This screen also has tabs across the top, and we were taken to the Login Lockdown tab. This tab has a section called Login Lockdown Options. Currently, we score 0 out of a possible 20 points.

OK, let’s set up the login lockdown.

The badge tells you this is a ‘Basic’ security measure. It means there’s almost zero chance of it causing any issues. To activate the login lockdown, simply check the Enable Login Lockdown Feature box.

There are a few other options you can set up with this. I recommend you leave most of the other settings at their default values. There are helpful hints next to each checkbox if you want to know what each one does.

However, one setting I do recommend you edit is Instantly Lockout Specific Username. Attackers routinely try the default “admin” username when they go after a WordPress login, so you should not be using it. If you are, create a new administrator account with a different username, log in as that new user, then delete the “admin” account. You won’t lose any content created by that user, because WordPress asks which user it should reassign the deleted account’s content to.

OK, so you are not using admin as a username. Enter “admin” into the settings box:

If anyone now attempts to log in with that username, the plugin locks out their IP address immediately, without waiting for the failed-attempt threshold.

Another item on that list you might want to think about is Max Login Attempts. Ask yourself how often you mistype your username or password. If the answer is rarely, you may want to reduce this from 3 to 2, or set it to 1 if a password manager fills in your credentials, since there won’t be any accidental failed attempts. This setting is the number of failed logins the plugin tolerates from one IP address before it locks that address out of the login page. If it’s set to 1, a visitor or attacker who tries once and fails is blocked straight away. Bear in mind that the lockout is per IP address: if you work from behind a shared address (an office NAT gateway or a VPN), one colleague’s typo locks everyone out, and an attacker who spreads attempts across many addresses never reaches the threshold at all.

You can also specify how long you want to lock someone out before they can try again. Here, 60 minutes is the default and is probably a good time to use. It limits a single address to a handful of guesses per hour, which makes guessing a decent password impractical, but it’s short enough that you don’t lose a whole day of work if the system accidentally locks you out.

You can also set up automatic email notifications so you hear about it when someone gets locked out. Just enter an email address at the end of the form, and you’re set. On a site that gets scanned a lot, expect this to generate a fair amount of mail.

At the bottom of the settings page, you can see a Whitelist. This is useful if you want to make sure a certain IP address always gets to log in without issues. You can enter an IP address or range of IPs into the box. My advice is to only do this if you have a static IP address, i.e. you know what your IP will be every time you connect.
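To see how these settings interact, here is the lockdown logic above simulated in Python. This is an added example, not code from the plugin or from this tutorial’s author; the threshold, window, lockout period, whitelist and failed-login records are all assumptions constructed for the demonstration.

```python
"""Login lockdown policy, simulated in Python.

Added example, not the plugin's own code. It replays constructed failed-login
records through the rules described above: a per-IP failed-attempt threshold,
a lockout that expires after a set period, usernames that trigger an instant
lockout, and a whitelist that is never locked. Names, numbers and records
are assumptions made for the demonstration.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginLockdown:
    def __init__(self, max_attempts=3, attempt_window_minutes=5,
                 lockout_minutes=60, instant_lockout=("admin",), whitelist=()):
        self.max_attempts = max_attempts
        self.window = timedelta(minutes=attempt_window_minutes)
        self.lockout = timedelta(minutes=lockout_minutes)
        self.instant = {u.lower() for u in instant_lockout}
        # Whitelist entries may be single addresses or ranges ("192.0.2.0/24").
        self.whitelist = [ipaddress.ip_network(w, strict=False) for w in whitelist]
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime the lockout expires

    def _whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lockout period has run out
            del self.locked_until[ip]
            return False
        return True

    def failed_login(self, ip, username, now):
        """Record one failed attempt; return 'locked' or 'allowed' for this IP."""
        if self._whitelisted(ip):
            return "allowed"
        if self.is_locked(ip, now):
            return "locked"
        if username.lower() in self.instant:   # e.g. "admin": no second chance
            self.locked_until[ip] = now + self.lockout
            return "locked"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget old failures
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "allowed"


# Constructed failed-login records (timestamp, IP, username), in time order.
SAMPLE_FAILURES = [
    ("2024-01-01 10:00:00", "198.51.100.7", "admin"),    # instant lockout
    ("2024-01-01 10:00:00", "192.0.2.10", "admin"),      # whitelisted: never locked
    ("2024-01-01 10:00:05", "203.0.113.5", "editor"),
    ("2024-01-01 10:00:10", "203.0.113.5", "editor"),
    ("2024-01-01 10:00:20", "203.0.113.5", "editor"),    # third failure: locked
    ("2024-01-01 10:30:00", "203.0.113.5", "editor"),    # still inside the hour
    ("2024-01-01 11:01:00", "203.0.113.5", "editor"),    # lockout expired
]


def replay(records, policy=None):
    """Run records through a policy and return the outcome of each one."""
    policy = policy or LoginLockdown(whitelist=("192.0.2.10",))
    return [policy.failed_login(ip, user, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
            for ts, ip, user in records]


if __name__ == "__main__":
    for rec, outcome in zip(SAMPLE_FAILURES, replay(SAMPLE_FAILURES)):
        print(f"{rec[0]}  {rec[1]:<14} {rec[2]:<8} -> {outcome}")
```

The same policy run against nine failures from nine different addresses never locks anyone out, which is the per-IP limitation mentioned above: the threshold counts per address, so a distributed attacker stays under it.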

When you’re happy with the settings, click the Save Settings button.

The User Login screen will reload, and you’ll see you’ve scored 20 out of 20 for the login lockdown feature. Click on the Dashboard link to go back to the Dashboard.

Now recheck your security strength:

You can see how mine has increased by 20 points to 45. You can also see a new segment in the pie chart. I now have three security measures in place.

The next “critical” issue I need to fix is the File Permissions feature.

Clicking that switch takes me to this screen:

There are two issues that can be fixed by clicking the Set Recommended Permissions button next to each item. This should then give you the all-clear!

Let’s go back and see our security rating:

That has now gone up to 65 points, and the pie diagram has another slice.

The final “critical issue” from the Critical Feature Status we need to resolve is the Basic Firewall:

Click on the Basic Firewall switch to open the firewall settings:

This screen has a few tabs across the top, and we’ll come back to look at these later. For now, you can see my score for Basic Firewall Settings is 0 out of 15.

You can also see the “Basic” badge, so this setting is safe to use.

Check the box to enable the basic firewall. Now scroll to the bottom and click the Save Basic Firewall Settings button.

Return to the Dashboard again to check your new security score:

As you can see, with every new security measure you enable, the security on the site gets stronger.

There is one more thing I want to show you on the Dashboard tab. Look for the Maintenance Mode Status panel.

The current status is set to OFF, and you want to keep it off. Switching it “On” enables WordPress maintenance mode, and your site becomes unavailable to visitors.

Note: If you are logged in as an admin, you will still see your site as normal.

Visitors will get a message — something you can define yourself (we’ll look at this again later in the tutorial).

There may be times when you want to enable this, e.g., when you’re doing work you don’t want others to see. It’s not something I’ve ever used, but you may find it useful.

OK, that’s the Dashboard tab covered. You’ll also see a few other tabs across the top. I won’t go into details on these as we don’t need them to set up your security. You can click on each one just to see what’s there.

  1. System Info

This provides some information about your website, server, and any software running on the server. For example, you may want to know what version of PHP your host is running. This screen gives you the information you need.

  2. Locked IP Addresses

As the name suggests, this lists the IP addresses that are currently (temporarily) locked out. These would include any IP addresses locked out because of invalid login attempts.

  3. Permanent Block List

This shows a list of all the permanently blocked IPs from your site.

  4. AIOWPS Logs

AIOWPS stands for ‘All In One WordPress Security.’ This screen gives you access to any log files used by the plugin. You can examine them if you need to troubleshoot, for example. Most users won’t ever need to look at these.

This concludes our Dashboard settings.

Chapter 10 – Settings

Click on Settings in the WP Security menu.

Earlier in the tutorial, we created backups of important files. We created these backups using the Settings options. If you look at the tabs across the top of the Settings screen, you probably recognize them.

The General Settings tab provides links to back up the following:

  1. Database
  2. .htaccess file
  3. wp-config.php file

A useful feature on this screen is one we’ve not looked at yet. It’s the Disable All Security Features button.

This button turns off all security measures enabled in the plugin. It’s useful if you have problems with your site and can still log into the Dashboard. This kill switch resets all security measures back to their default settings. In my case, my security score would return to 25.

Another option you have here is to Disable All Firewall Rules. It’s a less extreme measure to use if you think the issue relates to your firewall settings. It will delete all the firewall rules the plugin wrote to your site’s .htaccess file and thus disable the firewall.

Finally, at the bottom of the screen is the Debug Settings . It turns on the debug mode and creates a log file, which can then help you to debug difficult situations. If your site is having stability issues, or you keep getting logged (or locked) out, enable the debug mode. This will store debug files in a “logs” folder inside the plugin folder on your server, so you can get access to these via FTP or cPanel.

The second tab on the Settings screen is the .htaccess file tab. This screen lets you back up your .htaccess file and restore one if you need to. If you can’t log in to the Dashboard to restore the file, you can log in via FTP or File Manager in cPanel. It’s then just a case of uploading the one you want to restore.

The wp-config.php tab allows you to back up and restore this file if necessary.

Now click on the WP Version Info tab.

One of the things attackers like to know is the version of WordPress your site runs. If they know you’re using version 5.1, for example, they can look up the vulnerabilities published for that particular version and go straight to exploiting them. By default, WordPress advertises this information to anyone who asks: it includes a generator meta tag naming the version in the source code of every page on your site.

This plugin lets you remove that tag by disabling the WP Generator Meta Info:

It’s a “Basic” feature, so it’s safe to implement. Check the box and click Save Settings. Your security score will go up by another 5 points.

Be clear about what this buys you, though. The meta tag is only the most obvious leak. WordPress also appends the version as a ?ver= query string to many of its own stylesheet and script URLs, ships it in readme.html in the web root, and names it in the generator element of your RSS feed. After saving, view the source of your home page and confirm that the generator tag is gone and that the core asset URLs under /wp-includes/ no longer carry the version. Hiding the version makes you a less attractive target for the laziest scans; the only real defense against a known vulnerability is to install updates promptly. The WP File Access setting in Chapter 15 takes care of readme.html.
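The check just described can be automated. The following Python is an added example, not code from the plugin or the tutorial: it parses page HTML (constructed here, not captured from a real site) and reports both the generator meta tag and any ?ver= strings on WordPress’s own assets, so you can see that removing the tag alone still leaves the version visible.

```python
"""Check a page's HTML for WordPress version leaks.

Added example, not the plugin's code. It parses HTML (constructed below, not
captured from a real site) and reports the generator meta tag plus any
?ver= query strings on WordPress's own assets under /wp-includes/ or
/wp-admin/. readme.html and the feed generator are not covered here.
"""
import re
from html.parser import HTMLParser

VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)?")
ASSET_VER_RE = re.compile(r"[?&]ver=(\d+\.\d+(?:\.\d+)?)")


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.generator = None
        self.asset_urls = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content")
        elif tag == "link" and a.get("href"):
            self.asset_urls.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.asset_urls.append(a["src"])


def find_version_leaks(html):
    """Return {'meta_generator': version or None, 'asset_versions': {version, ...}}."""
    collector = _TagCollector()
    collector.feed(html)
    meta_version = None
    if collector.generator and "wordpress" in collector.generator.lower():
        m = VERSION_RE.search(collector.generator)
        meta_version = m.group(0) if m else None
    asset_versions = set()
    for url in collector.asset_urls:
        # Only core assets carry the WordPress version; plugin and theme
        # assets carry their own version numbers, and a few bundled
        # libraries (jQuery, for one) are versioned independently.
        if "/wp-includes/" in url or "/wp-admin/" in url:
            m = ASSET_VER_RE.search(url)
            if m:
                asset_versions.add(m.group(1))
    return {"meta_generator": meta_version, "asset_versions": asset_versions}


# Constructed page head, the way a default install looks before the change.
SAMPLE_HEAD_BEFORE = """<html><head>
<meta name="generator" content="WordPress 5.1" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=5.1" />
<script src="https://example.com/wp-content/plugins/some-plugin/js/app.js?ver=2.3.4"></script>
</head><body></body></html>"""

# The same page with only the generator tag removed.
SAMPLE_HEAD_AFTER = SAMPLE_HEAD_BEFORE.replace(
    '<meta name="generator" content="WordPress 5.1" />\n', "")

if __name__ == "__main__":
    print("before:", find_version_leaks(SAMPLE_HEAD_BEFORE))
    print("after: ", find_version_leaks(SAMPLE_HEAD_AFTER))
```

Feed it the saved source of your own home page (for example the output of curl) instead of the constructed sample; an empty asset_versions set and a None generator is what you want to see.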

The next tab is Import/Export . This allows you to export and import your security plugin settings. This is useful if you are setting up several sites and want to replicate the same security settings on all sites. Simply export from the site that is configured correctly, and then import those settings into all other sites. Of course, I do recommend you check any site that has imported settings, just to make sure everything is working as it should.

The final tab is for Advanced Settings .

This is an advanced feature that I don’t recommend you change unless you know what you are doing. The plugin needs to know each visitor’s IP address, since that is what it locks out, blacklists, and whitelists. This tab lets you choose where it reads that address from: the connection’s own address (REMOTE_ADDR) or one of the headers a proxy or CDN adds, such as X-Forwarded-For. If you find that IP addresses are not being recorded properly (for example, every visitor shows up with the same address, which is typical behind a reverse proxy or CDN), you can switch to another method and test for reliability. Be careful here: forwarded-for headers are supplied by the client, so only trust one if your site really sits behind a proxy you control and that proxy is the only way traffic reaches the server. Otherwise anyone can spoof the header, which lets an attacker sidestep lockouts and the blacklist, pose as a whitelisted address, or get innocent addresses locked out.
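The difference between a safe and an unsafe IP retrieval method comes down to whether the header is trusted unconditionally. This added Python example (not the plugin’s code) shows the naive rule beside the guarded one; the trusted proxy range and all addresses are assumptions for the demonstration.

```python
"""Pick the visitor address to use for lockouts, behind a proxy or not.

Added example, not the plugin's code. It contrasts a naive "use the header
if present" rule with one that only honours X-Forwarded-For when the TCP
peer is one of your own proxies. The trusted range and addresses are
assumptions for the demonstration.
"""
import ipaddress

# Assumption: your reverse proxy or CDN connects to the web server from this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_client_ip(remote_addr, x_forwarded_for=None):
    """The weak rule: trust the header whenever it is present."""
    if x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr, x_forwarded_for=None, trusted=TRUSTED_PROXIES):
    """The safer rule.

    REMOTE_ADDR is the address of the TCP peer and cannot be forged.
    X-Forwarded-For is just a request header: trust it only when the peer
    is one of our proxies, then walk the chain from the right (the end the
    nearest proxy appended to) and return the first address that is not
    one of ours. Anything a client prepended on the left is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not x_forwarded_for or not any(peer in net for net in trusted):
        return str(peer)
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)                  # malformed header: fall back to the peer
        if not any(addr in net for net in trusted):
            return str(addr)
    return str(peer)                          # every hop was ours; nothing to unwrap


if __name__ == "__main__":
    # Direct connection carrying an attacker-supplied header: the naive rule is fooled.
    print(naive_client_ip("203.0.113.9", "192.0.2.10"))   # reports the spoofed address
    print(client_ip("203.0.113.9", "192.0.2.10"))         # 203.0.113.9
    # Genuine proxy, with the client's own fake entry prepended on the left.
    print(client_ip("10.0.0.2", "192.0.2.10, 198.51.100.1"))   # 198.51.100.1
```

If the plugin is set to a forwarded-for header while visitors connect to the server directly, it behaves like naive_client_ip: whoever sends the header decides which address gets locked out.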

Chapter 11 – User Accounts

Click on the User Accounts link in the WP Security menu. You’ll see three tabs.

The first tab is WP Username. This is a simple check to make sure you’re not using “admin” as your username. If you are, you shouldn’t be.

In my case, I’m not using “admin,” but I’ve created a second user who does, just so I can show you what to expect. You can skip this setting if you already have 15 points for a non-admin username.

You can see two users in my demo (one blurred out).

I’ve logged in as the admin user, and further down the page I see this message:

I get 0 out of 15 because my username is admin.

It’s easy to change. I simply need to enter a new username in the box provided and then click Change Username .

The Dashboard then logs you out once you’ve changed your username.

Now you can log back in with your new username and old password.

You now get the 15 points allocated for a non-admin username.

The second tab on the User Accounts settings is Display Name. When you publish content on your site, WordPress displays your “nickname.” Your nickname is your login name by default. This is a bad idea for security reasons because it hands attackers your username – one part of the login puzzle.

This setting in the plugin allows you to change your nickname (display name).

If your display name and username are the same, you get a warning:

You can also see it’s a “Basic” security measure, so it’s safe to implement. At the moment, I’ve got a 0 score for this.

To change a display name, click the link of the username. The system then takes you to the profile page of the user. This is where you can select a different name in the Display name publicly as section:

The display name options you have come from the fields: username, first name, last name, and nickname.

Select a name and then click Update Profile.

When you go back to the User Accounts settings, Display Name tab, you’ll see 5/5:

The final tab in the User Account settings is Password.

The password setting is not for changing your password but to check its strength. Use this tool to see if your password needs to be stronger (see image):

That’s the User Accounts settings complete.

Back in the Dashboard, my security score has now gone up to 90, and the pie chart is starting to look a little more impressive.

There’s still a long way to go, though.

Chapter 12 – User Login

The next settings page is the User Login screen. This comes with a few useful tabs across the top:

The first tab is one we visited earlier – Login Lockdown. We’ve already configured those settings. There’s another option I want to highlight, and that’s the ability to lock out usernames.

It’s interesting when you start to get information about who’s trying to hack into your website. You can see how hackers attempt all manner of usernames to gain access. A lot of them will try “admin,” but they’ll try a lot of other educated guesses too. The best defense here is to lock out invalid usernames.

This plugin gives us that opportunity.

Check the box to Instantly Lockout Invalid Usernames. Then, if someone tries to log in with a username that doesn’t correspond to a real user, their IP address is locked out on the spot.

We saw earlier how we could lock out hackers that try to use the “admin” username. However, with a tick in the above checkbox, you don’t need to worry about individual usernames, so you can delete “admin” from that box.

The next tab is the Failed Login Records screen. This one shows you a list of all failed logins on your site (mostly hacking attempts). Here are the failed login records for one of my other WordPress websites:

The screenshot here shows 5,000 failed login attempts.

With each record, you can see the IP address of the user who tried to access my site. If the same IP crops up a lot, you can permanently block it if you want to.

You can also see the username the would-be attacker tried. In those three instances, they tried my first name, and in two others, the name of my site. See how important it is to change the display name?

The next tab is Force Logout. It’s a “Basic” security measure so we can enable it right away:

Force Logout ends an admin user’s session after they’ve been logged in for X minutes (60 minutes is the default); it is a hard limit counted from login, not an idle timeout. This is useful because it caps how long a session an attacker has got hold of (a stolen cookie, an unattended logged-in browser) stays usable. If you don’t usually spend long in your Dashboard, you can reduce the 60-minute limit still further. Note that it does nothing against an attacker who knows the password, since they can simply log in again; the login lockdown and brute force settings are what deal with that.

Remember, the system logs you out after this time too. If it becomes a nuisance, you may want to leave the feature disabled.

If you do enable it, make sure you click the Save Settings button.

The Account Activity Logs screen displays the activity of registered accounts in your Dashboard. It shows you the last 50 logins, with username, IP, and timestamp. You should be able to recognize all of these users.

The final tab is the Logged in Users . It simply shows you the users logged into your Dashboard right now. You can see the login name and IP address. It’s for information only.

Chapter 13 – User Registration

The User Registration settings are only important if you allow visitors to register on the site. If that is the case, make sure you manually approve all new users. This is a basic security measure.

On the User Registration screen:

Go to the Manual Approval tab and check the Enable manual approval of new registrations checkbox. Now click Save Settings.

You can also enable a Captcha on the user registration form. This helps to cut down on automated bot registrations. To activate the Captcha (another basic setting), click on the Registration Captcha tab. Check the box to Enable Captcha on Registration Page:

Click the Save Settings button.

Finally, there’s an “Intermediate” security measure on the Registration Honeypot tab.

This feature adds a hidden field (the honeypot) to the registration form. It is hidden with CSS, so a human using a browser never sees it and leaves it empty, but it is present in the HTML, so a bot that fills in every field it finds will complete it. When a submission arrives with the honeypot field filled in, the plugin knows it is not a real human and rejects the registration.

Since this is an “Intermediate” feature, you need to be careful when implementing it. As I mentioned earlier in the tutorial, I recommend you only activate basic features the first time around. Once you’re certain they’re working properly, go back and activate the “Intermediate” features.

When you’re done, make sure you Save Settings .

Chapter 14 – Database Security

The Database Security screen has two tabs: the DB Prefix and DB Backup screens.

On the DB Prefix screen, you can make sure your database tables don’t use the old default wp_ prefix. If you’ve installed WordPress recently, you should be fine. An automated installer like Softaculous will create a random prefix at the install stage.

This is an “Intermediate” feature. That means it could cause some issues. If you use the plugin to change the prefix (and only do it if your prefix is wp_), there’s a slim chance it might corrupt your database. I’ve never had a problem with this, and I suspect you won’t either, but it’s potentially problematic. As you can see, my prefix is a random one, so I don’t need to change this.

To be safe, there’s a link for the DB Backup feature. I recommend you back up now, even if you only intend to activate basic features at this point. It’s a good habit to get into, and backing up healthy files never hurt any site.

Once done, check the box to Generate New DB Table Prefix and click the Change DB Prefix button.

You should see a confirmation message to inform you everything went smoothly:

The other tab on the Database Security settings has the tools for backing up the database. At the top, you can see an option to manually back up the database:

Below is something really useful—an automated backup tool. This is a “Basic” security measure and adds 20 points to your score. If you have already set up UpdraftPlus to take backups, you don’t need this, though you may still enable it if you want.

Check the box to Enable Automated Scheduled Backups.

You can choose how often to create backups. If you work a lot on your site, you might want weekly backups. The default is every four weeks, and that’s fine for a site that doesn’t add much new content each month.

You can specify how many backups to keep. The default is two, but I’d push that up to three.

Finally, if you want the backups emailed to you, check the box at the bottom and enter the email address you want to use. Remember that the backup is a full dump of your database, including user email addresses and password hashes, so only send it to a mailbox you trust and keep secured.

Click Save Settings when you’re done.

Now go back and check your security strength. Mine is now up to 155.

Chapter 15 – Filesystem Security

The Filesystem Security settings check to make sure the files and folders use the correct permissions. Remember, it’s important to restrict access to your files and folders to only those systems and people who need access.

There are four tabs on the Filesystem Security screen.

File Permissions is the first tab. Here you’ll see a table of files and folders, together with their current and recommended permissions.

We saw this earlier when we fixed Critical Feature Status items (remember those “switches”?).

In the table above, you can see the root directory of the site has permissions of 0750, but the plugin recommends 0755. You can check what this means by referring to the section earlier in the tutorial where we discussed these numbers. In short, 0750 is actually the more restrictive of the two (it denies “other” users read and execute), so this is not a weakness; the plugin recommends 0755 so that the web server process can still traverse the directory when it runs under a different user than the file owner.

This permission setting is not a big security threat (you can see we already have 20 out of 20), but we’ll fix it anyway. We can do this by clicking the Set Recommended Permissions button next to that entry in the table. This is what I get:

AIOWPS has corrected the permissions for me with a single click.

Once you’ve corrected permissions on your site, click the PHP File Editing tab.

When an attacker breaks into your Dashboard, one of the first places they go is the built-in theme and plugin file editor. With this tool, they can edit plugin and theme files directly in the browser and inject malicious PHP into them.

A simple way to prevent this is to disable the editor (under the hood, this is the WordPress DISALLOW_FILE_EDIT setting). If you — as a webmaster — want to edit the PHP files at any time, you still can. All you do is access the files via FTP or File Manager in cPanel, so it’s no big deal. Bear in mind that an attacker with an administrator account can still upload a plugin or theme zip containing PHP; the editor is just the most obvious route, so this setting is one layer, not a complete answer.

This is a “Basic” security measure, so it’s safe to do now.

Simply check the box to Disable Ability to Edit PHP Files and click Save Settings.

Now click on the WP File Access tab. This tab blocks access to files that ship with WordPress and that an attacker can use to learn about your site, such as readme.html, which states the WordPress version.

Again, it’s a “Basic” security measure and, therefore, safe to implement right away.

Check the box to Prevent Access to WP Default Install Files. Click Save Settings.

The final tab in these settings is the Host System Logs. This tab allows you to view your hosting error log files. You’ll need to know the name of the files produced by your hosting server to make use of this feature.

Chapter 16 – Blacklist Manager

This is a really useful tool because it allows you to block IP addresses from accessing your site.

Click on the Blacklist Manager on the sidebar menu. At the top of the page, you’ll see something like this:

The plugin can block specific IP addresses, but that’s not all. The Country Blocking Addon allows you to block entire countries if you need to. That plugin is a paid upgrade, though, and I don’t cover it in this tutorial.

You’ll also notice that this security feature is an “Advanced” one. You need to use it with some caution. I recommend you activate this at a later date once you’re sure everything else is working fine. If you misuse this feature, you could find yourself locked out of your site.

To activate the blacklist, check the Enable IP or User Agent Blacklisting box.

You can now enter the IP address(es) you want to block. You can use a wildcard to specify a range, e.g., 31.184.238.* This blocks all IP addresses that start with 31.184.238, i.e. the whole 31.184.238.0/24 range (256 addresses).

You can also enter full IP addresses:

When you enter a new IP address, make sure you put each one on a separate line.

You can also block user agents. This includes all kinds of bots that roam the internet, e.g., baiduspider, SurveyBot, and so on.

You block these by entering their names in the second box. A user-agent string is whatever the client chooses to send, so this only stops bots that identify themselves honestly; anything malicious will claim to be a normal browser.

Chapter 17 – Firewall

We activated the basic firewall from the Dashboard’s Critical Feature Status panel in Chapter 9. There are a lot more firewall settings you can activate. Some are Basic, and others are Intermediate or Advanced. Let’s go through each of these.

Click on the Firewall menu in the left sidebar.

You’ll see the firewall screen has a few tabs across the top. For now, you should be on the Basic Firewall Rules tab.

At the top, you can see the basic firewall enabled (we did that earlier).

Below this is another “Basic” feature:

Point to note: Before you activate this feature, you need to read a little further.

The first option is to Completely Block Access to XMLRPC. The thing is, you may need XML-RPC functionality (it’s the xmlrpc.php endpoint that remote publishing tools and some plugins use), so disabling it could cause you problems. On the other side of the coin, xmlrpc.php is a favourite target: it accepts a username and password just like the login form, its system.multicall method lets one request carry hundreds of login guesses, and its pingback feature has been abused to make sites attack others. If you’re not using it, I suggest you disable it.

Example: I use Open Live Writer (previously Windows Live Writer) to manage my blog content. It’s a tool I use for writing content offline. When I’m ready, I then publish the post direct from within Open Live Writer. This tool requires XML-RPC to function. To disable it would stop Open Live Writer from working. In short, I wouldn’t be able to publish content to the site because the program would no longer connect.

Another example is the Jetpack plugin. This requires XMLRPC as well. Fortunately, the plugin gives you an easy way around this problem. You can tell it that you use Jetpack or any other apps that need XMLRPC to work.

You have two options.

If you want to completely block XML-RPC, check the Completely Block Access to XMLRPC box. This overrides the Disable Pingback Functionality From XMLRPC feature, so it doesn’t matter what you do with that checkbox; it’ll be ignored.

The second option is to allow software and plugins that need XML-RPC but to block the pingback part. To achieve this, check Disable Pingback Functionality From XMLRPC. Make sure the Completely Block Access to XMLRPC box is UNCHECKED. Be aware that this second option only removes the pingback methods: xmlrpc.php still accepts logins, so the captcha, renamed login page and cookie-based method later in this tutorial do not apply to it. If you keep XML-RPC enabled for a tool, make sure the account that tool uses has a strong, unique password.
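Whichever option you choose, verify it: ask xmlrpc.php which methods it still offers. The Python below is an added example, not code from the plugin or the tutorial. The two replies it inspects are constructed to look like a site before and after the pingback option, and the site URL is a placeholder; check_live_site needs network access and is the only part that talks to a real server.

```python
"""Verify what xmlrpc.php still offers after changing the firewall settings.

Added example, not the plugin's code. It builds the system.listMethods call
and inspects the reply. The two replies below are constructed to look like a
site before and after Disable Pingback Functionality From XMLRPC; the site
URL in main() is a placeholder.
"""
import urllib.request
import xmlrpc.client

PINGBACK_METHODS = {"pingback.ping", "pingback.extensions.getPingbacks"}
# Methods that take a username and password (the brute-force surface).
AUTHENTICATING_METHODS = {"wp.getUsersBlogs", "wp.getPosts", "system.multicall"}


def list_methods_request():
    """Request body to POST to <site>/xmlrpc.php with Content-Type: text/xml."""
    return xmlrpc.client.dumps((), methodname="system.listMethods")


def methods_from_response(response_xml):
    """Extract the method list from a system.listMethods reply."""
    (methods,), _ = xmlrpc.client.loads(response_xml)
    return set(methods)


def pingback_exposed(response_xml):
    """True if the pingback methods are still advertised."""
    return bool(methods_from_response(response_xml) & PINGBACK_METHODS)


def login_surface_exposed(response_xml):
    """True if xmlrpc.php still accepts credentials, pingback or not."""
    return bool(methods_from_response(response_xml) & AUTHENTICATING_METHODS)


# Constructed replies (not captured from a real site).
REPLY_BEFORE = xmlrpc.client.dumps(
    (["system.multicall", "system.listMethods", "wp.getUsersBlogs",
      "wp.getPosts", "pingback.ping", "pingback.extensions.getPingbacks"],),
    methodresponse=True)
REPLY_AFTER = xmlrpc.client.dumps(
    (["system.multicall", "system.listMethods", "wp.getUsersBlogs", "wp.getPosts"],),
    methodresponse=True)


def check_live_site(xmlrpc_url):
    """Query a real endpoint (network access needed). Raises on HTTP errors,
    which is what you see once Completely Block Access to XMLRPC is on."""
    req = urllib.request.Request(xmlrpc_url, data=list_methods_request().encode(),
                                 headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read().decode()
    return pingback_exposed(body), login_surface_exposed(body)


if __name__ == "__main__":
    for label, reply in (("before", REPLY_BEFORE), ("after", REPLY_AFTER)):
        print(f"{label}: pingback={pingback_exposed(reply)} "
              f"login surface={login_surface_exposed(reply)}")
    # check_live_site("https://example.com/xmlrpc.php")  # placeholder URL
```

The point of the second function is the caveat above: after disabling pingback, the reply no longer lists pingback.ping, but wp.getUsersBlogs and system.multicall are still there, so credential guessing through xmlrpc.php is still possible.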

The final feature on the basic firewall rules tab is Block Access to Debug Log File.

This is an “Intermediate” feature that prevents access to a debug log file. This file can contain sensitive information, so I recommend you eventually enable it.

When you’re done with the basic rules, click on the Additional Firewall Rules tab.

These features are all “Intermediate” or “Advanced.” I suggest you come back and activate these once you’re sure your basic settings are behaving well.

The first option is to disable the Listing of Directory Content. Some web servers list the files and folders in a directory that has no index file. This isn’t a great idea as it hands attackers a map of your site. My advice is to enable this feature:

The next option lets you disable the HTTP TRACE and TRACK methods. This will prevent what’s called an HTTP Trace attack (cross-site tracing), in which the TRACE method echoes the request, cookies included, back to the caller.

I recommend you enable it—eventually—but it’s an “Advanced” security measure, so leave it for the time being.

Next up is another “Advanced” option, but it’s an important one that helps to cut down on spam. The Proxy Comment Posting option allows you to block comments coming in from a proxy server (used by people trying to hide their true IP address). I recommend you enable this option—eventually.

The next option is Bad Query Strings. You need to be careful with this one, though. Activating it may cause conflicts with certain plugins or themes. Make sure you back up your .htaccess file before you implement it. This way, you can quickly revert if there’s an issue.

The final option on this screen is the Advanced Character String Filter . This feature can help prevent Cross-Site Scripting attacks (XSS). Once again, it’s an “advanced” feature and can break your site. Take a backup of your .htaccess file before you implement it.

When you’re done, click on the Save Additional Firewall Settings button.

You can now go over to the 6G Blacklist Firewall Rules tab.

When you decide to activate “Advanced” measures, I recommend you activate the 6G firewall protection on this screen:

Don’t bother with the 5G. That’s an older form of protection that the 6G firewall has since replaced.

The next tab in the Firewall settings is the Internet Bots tab.

This is an “Advanced” feature that aims to block malicious bots masquerading as Googlebot:

I recommend you eventually activate it. The plugin will then perform verification tests on any bot claiming to come from Google and block those that fail the tests. (Google’s published method for this is a reverse DNS lookup of the visitor’s IP address, which must resolve to a googlebot.com or google.com hostname, followed by a forward lookup of that hostname back to the same address.)

OK, now save your settings and move onto the Prevent Hotlinks tab.

If you have images on your site, each one will have its own URL. Anyone can grab the URLs of your images and embed them into their own site. It’s a problem not least because YOUR server serves the image wherever they are. So, every time the rogue site loads one of your stolen images, it uses YOUR bandwidth.

For this reason, I recommend you activate this “Basic” feature:

Save the settings, then click on the 404 Detection tab.

When a visitor tries to view a page on your site that no longer exists, they’ll likely see a 404 error. The message explains that the page they’re looking for is no longer available. It’s correct, and the way websites should function. Real visitors can innocently get to 404 pages via broken links. For example, a link that points to a page the webmaster has since moved or deleted.

The difference with attackers is that they request lots of URLs in a short space of time as they probe for files and paths that might exist on your site (old backups, admin tools, known-vulnerable plugins). They’ll rack up a series of 404 errors in a matter of minutes, or even seconds. This identifies them as scanners, and that’s what this feature aims to do: identify scanners and then block them.

This is an “Intermediate” feature, but I recommend you enable it— eventually.

To enable, check the Enable 404 IP Detection and Lockout box and leave the other settings as they are. When the plugin identifies a scanner, it sends them to the 404 Lockout Redirect URL. You can enter anything you want in that box or just leave it at the default. It’s completely up to you.

When you do eventually enable it, remember that it is enabled: if you keep getting redirected to the 404 Lockout Redirect URL while clicking around your own site, this feature is the likely cause.

If the system locks someone out with this security measure, you’ll see the details of these events in the 404 Event Logs on this screen.

Here are the logs for one of my sites:

If you find any repeat IP addresses in the list, especially if the events are within seconds of each other, you know you’ve found a bot. Any repeat IP addresses are good candidates to add to the blacklist!

To block an IP, you can mouse-over the event ID to bring up a menu:

Here you get the option for a temporary block or to blacklist the IP address.
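Two things from this chapter are worth seeing in code: picking the repeat offenders out of a 404 log, and what a Blacklist Manager wildcard entry like 31.184.238.* (Chapter 16) actually covers. The Python below is an added example, not the plugin’s code; the log lines and their format are constructed for the demonstration and are not the plugin’s own log format, and the threshold and window are assumptions.

```python
"""Find scanners in a 404 log and express blocks as blacklist entries.

Added example, not the plugin's code. Part one replays constructed 404 event
lines (the format is an assumption, not the plugin's log format) and flags
any address that hits the threshold within the window, the logic the 404
Detection tab describes. Part two converts the Blacklist Manager's wildcard
notation ("31.184.238.*") to a network and tests addresses against it.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: "<date> <time> <ip> <path>", one 404 per line.
SAMPLE_404_LOG = """\
2024-03-02 09:15:01 198.51.100.23 /wp-content/backup.zip
2024-03-02 09:15:02 198.51.100.23 /backup.sql
2024-03-02 09:15:02 198.51.100.23 /.env
2024-03-02 09:15:03 198.51.100.23 /wp-content/plugins/revslider/readme.txt
2024-03-02 09:15:04 198.51.100.23 /phpmyadmin/
2024-03-02 09:20:10 203.0.113.8 /old-post-url
2024-03-02 14:02:33 203.0.113.8 /another-moved-page
"""


def burst_ips(log_text, threshold=5, window_seconds=60):
    """Return addresses with at least `threshold` 404s inside any `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    flagged = set()
    for line in log_text.splitlines():
        date, time, ip, _path = line.split(" ", 3)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:    # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)


def wildcard_to_network(entry):
    """'31.184.238.*' -> 31.184.238.0/24, '31.184.*.*' -> 31.184.0.0/16,
    a plain address -> /32. Wildcards must be trailing octets."""
    octets = entry.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 entry: {entry!r}")
    fixed = [o for o in octets if o != "*"]
    if octets != fixed + ["*"] * (4 - len(fixed)):
        raise ValueError(f"wildcards must be trailing: {entry!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")


def is_blocked(ip, entries):
    """True if `ip` falls inside any blacklist entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in wildcard_to_network(e) for e in entries)


if __name__ == "__main__":
    scanners = burst_ips(SAMPLE_404_LOG)
    print("candidates for the blacklist:", scanners)
    entries = scanners + ["31.184.238.*"]
    for probe in ("198.51.100.23", "31.184.238.77", "31.184.239.1", "203.0.113.8"):
        print(probe, "blocked" if is_blocked(probe, entries) else "allowed")
```

The two innocent 404s from 203.0.113.8 hours apart never trip the threshold, which is the behaviour you want from the plugin too: a burst of misses is the signal, not the occasional broken link.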

The final tab on the Firewall screen is for Custom Rules.

This is for anyone who wants to add custom rules to the .htaccess file. These advanced techniques are beyond the scope of this tutorial and can easily break a site.

Chapter 18 – Brute Force Protection

The Brute Force settings will help prevent “brute force attacks” on your website.

In my experience, these settings cause website owners the biggest problems. They’ll often lock the webmaster out of their Dashboard. If you get them to work well, though, they provide a serious and powerful layer of protection.

There are a couple of really useful options. The first one is to rename the WordPress login page so that scripts and bots can’t find it.

The Rename Login Page Settings panel is where you can rename this page. It’s an “Intermediate” feature, so take care.

Read the warning box at the top, and click the link to read the message. If your web host uses server caching, this feature could easily break your site.

To activate it, check the Enable Rename Login Page Feature. Next, enter a string of characters that is hard to guess in the Login Page URL box.

Save Settings once done. You must remember your new login page URL.

I don’t activate this feature. Instead, I use the Cookie Based Brute Force Prevention method—your second option to prevent brute force attacks.

Click on the Cookie Based Brute Force Prevention tab of the Brute Force settings.

This Cookie Based Brute Force Prevention method is an “Advanced” feature. If you run into problems, I suggest you deactivate it and use the login page renaming method instead.

Before you activate the cookie-based method, scroll to the bottom of the screen and click on the Perform Cookie Test button. It will check to make sure your system is capable of using this method of protection.

Hopefully, you should receive the following confirmation:

To enable this method, check the Enable Brute Force Attacks Prevention box. Now enter a secret word into the Secret Word box. It should be difficult to guess and will become part of your new login URL.

Does your website have any posts or pages that are password protected? If it does, make sure you check the My Site Has Posts or Pages which are Password Protected box.

If your WordPress theme or plugins use Ajax, check the My Site Has a Theme or Plugins Which Use Ajax box.

Now click on the Save Feature Settings box.

At the top of the screen, you’ll see confirmation that your new login page is ready, and you’ll see the URL. It should look something like the one below:

You MUST copy and save that URL to a safe place. If you lose it, you won’t be able to log into your Dashboard.

The way the protection works is to write a cookie to your browser when you visit that URL. The URL then redirects you to your login page. If the cookie is not present, the login page refuses the attempt, even with the correct username and password. The cookie lives in the browser, so you must visit the secret URL once from every browser and device you log in from, and again after clearing cookies.

Imagine a hacker comes to your login page. Even if they know your username and password, they still can't get in if they haven't visited your secret URL first to pick up the cookie. That's pretty cool. The secret URL is now the thing to protect: don't share it, and use HTTPS so that neither it nor the cookie is exposed on the wire.
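To make the mechanism concrete, here is a small model of it as an added example. It is not the plugin's code: the cookie name, the secret word and the user table are assumptions, and the signing key stands in for whatever the real plugin stores server-side. Visiting the secret URL sets a signed cookie; the login handler checks for that cookie before it even looks at the password.

```python
"""Cookie-gated login, modelled on the mechanism described above.
Added example, not the plugin's code; names and secrets are assumed."""
import hashlib
import hmac
import secrets

SECRET_WORD = "assumed-secret-word"          # what you type into "Secret Word"
COOKIE_NAME = "aiowps_access"                # hypothetical cookie name
SERVER_KEY = secrets.token_bytes(32)         # per-site key, never sent to clients
USERS = {"alice": "correct horse battery staple"}  # constructed; plaintext only for brevity


def sign(value: str) -> str:
    """HMAC the value with the server key so a cookie cannot be forged
    by someone who merely guesses the cookie name."""
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()


def visit(path, cookies):
    """GET /<secret word>: set the access cookie and redirect to the login
    page.  Any other path is an ordinary 404, so probing reveals nothing."""
    if path.strip("/") != SECRET_WORD:
        return 404, {}
    cookies[COOKIE_NAME] = sign(SECRET_WORD)
    return 302, {"Location": "/wp-login.php"}


def login(username, password, cookies):
    """POST /wp-login.php: the cookie check comes first, so a bot that never
    saw the secret URL cannot even test a single password."""
    token = cookies.get(COOKIE_NAME, "")
    if not hmac.compare_digest(token, sign(SECRET_WORD)):
        return 403, "no access cookie"
    if USERS.get(username) != password:
        return 401, "bad credentials"
    return 200, "logged in"


if __name__ == "__main__":
    jar = {}                                         # one browser's cookie jar
    print(login("alice", USERS["alice"], jar))       # (403, 'no access cookie')
    print(visit("/" + SECRET_WORD, jar))             # (302, {...})
    print(login("alice", USERS["alice"], jar))       # (200, 'logged in')
```

The order of checks is the whole point: credentials are never evaluated for a request without the cookie, so password guessing against wp-login.php gets nothing but 403s. In a real deployment the cookie would also carry the Secure and HttpOnly flags, and the secret word would be something long and random rather than a dictionary word.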

The next tab on the Brute Force settings is the Login Captcha screen.

You’ll find three “Basic” features on this screen that you can activate if you want.

These put a captcha on the login form, custom login form, and lost password form, respectively.

Captchas can help reduce brute force attacks because each login attempt now requires a small mathematical problem to be solved. That stops simple bots that only post username and password pairs; it does not replace Login Lockdown, which limits how many attempts a source gets at all.

Check all three boxes and save the settings. The next tab is the Login Whitelist screen.

This screen lets you specify which IP addresses (or ranges of addresses) are allowed to log into your Dashboard. If you use this feature, it blocks every other IP address. It's an "Intermediate" feature, so use it with caution: if your ISP gives you a changing IP address, or you log in from a mobile network, you will be locked out the moment your address changes. It works by writing directly to your .htaccess file, so back that up before you enable it.

I don’t use this feature, and nor do I recommend you use it either unless you know what you’re doing.

The last tab in the Brute Force settings is the Honeypot . This is a clever protection method that adds an extra field to the login form and hides it with CSS. Human visitors never see it, so they leave it empty. Bots that fill in every field they find on the form fill it in too, and the plugin then knows the submission came from a bot and rejects it.

This is an “Intermediate” measure, but I do recommend you enable it—eventually.
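The honeypot idea in code, as an added example that is not the plugin's implementation. The field name, the form layout and the decision to treat a missing field as a bot are my own choices:

```python
"""Login-form honeypot.  Added example, not the plugin's code; the field
name and form layout are assumptions."""
import html

HONEYPOT_FIELD = "user_website"   # hypothetical: looks like a real field to a bot


def render_login_form(action="/wp-login.php"):
    """Render a login form with a honeypot that a browser never shows.
    It is hidden with CSS rather than type="hidden", because many bots
    skip hidden inputs but happily fill anything that looks like text."""
    return f"""<form method="post" action="{html.escape(action)}">
  <input name="log" placeholder="Username">
  <input name="pwd" type="password" placeholder="Password">
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <label>Leave blank: <input name="{HONEYPOT_FIELD}" tabindex="-1" autocomplete="off"></label>
  </div>
  <button>Log In</button>
</form>"""


def is_bot_submission(form):
    """True if the honeypot was filled in.  Design choice here (stricter
    than a plain honeypot): a submission that omits the field entirely is
    also treated as a bot, since it cannot have come from the rendered form."""
    if HONEYPOT_FIELD not in form:
        return True
    return form[HONEYPOT_FIELD].strip() != ""


def handle_login(form):
    """Honeypot check runs before any credential check, so bot traffic
    never reaches the password comparison or the lockdown counters."""
    if is_bot_submission(form):
        return 403, "honeypot triggered"
    return 200, "continue to credential check"
```

The "missing field means bot" rule is what stops a bot from simply posting log and pwd straight to wp-login.php without loading the form; the trade-off is that any legitimate client which does the same (a script or app of yours that logs in directly) would also be refused, so drop that rule if you have one.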

Chapter 19 – SPAM Prevention

Everybody hates comment spam. Fortunately, the All in One plugin includes a few features to help combat comment spam.

Click on SPAM Prevention in the WP Security sidebar menu. There are four tabs across the top.

The first one is the Comment Spam settings.

One way to cut down on spam comments is to add a Captcha to the comment form. Captchas don’t stop spammers from leaving comments, but they do make life more difficult and inconvenient for them, and that’s a good thing. The Add Captcha to Comments Form option is a “Basic” feature, so it’s safe to implement right away. For this, you’ll get 20 more points towards your security score.

Once saved, your comment form will have something like this above the Post Comment button:

This means a human will need to enter the answer for the comment to arrive in your pending list.

On the Comment Spam settings, there is also the option to Block Spambots from Posting Comments . Spambots are pieces of software that mass-submit comments to hundreds or thousands of sites in a very short space of time. Most of them post straight to the comment handler without ever loading your page, so the request doesn't carry a Referer from your own domain the way a real visitor's browser does; the plugin rejects comment posts that fail that check. It is a cheap filter rather than a strong one, since a more careful bot can set the header itself, but it cuts a lot of noise. Check the Block Spambots from Posting Comments checkbox to enable it.

Save settings before continuing.

The second tab on the SPAM Prevention settings is the Comment SPAM IP Monitoring settings.

When spam comments get into your site, you can approve them, send them to trash, or mark them as spam.

The Spam option is the one you should use. Together with this plugin, comments marked as spam can trigger an automatic block on the IP that posted them.

Here are the settings I recommend:

Whenever you mark a comment as spam in the future, the plugin will add the IP address of the sender to the blocked IP list. The reason I choose 1 for the “minimum number of spam comments” is simple. If someone sends me even one spam comment, I want them blocked.

All the IP addresses of blocked Spam comments will now appear further down this screen in the Spammer IP Address Results table.
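Both comment-spam controls above, the spambot Referer check and the spam-comment IP auto-block, modelled as an added example. This is not the plugin's code: the site host name, header handling and sample requests are constructed, and the threshold mirrors the "minimum number of spam comments" setting.

```python
"""Comment-spam controls: (1) reject comment POSTs whose Referer/Origin is
not this site, the kind of check behind 'Block Spambots from Posting
Comments'; (2) block an IP once it has sent the minimum number of comments
you marked as spam.  Added example, not the plugin's code."""
from collections import Counter
from urllib.parse import urlsplit

SITE_HOST = "example.com"   # assumed: your site's host name


def referer_host(headers):
    """Host part of the Referer (or Origin) header, '' if absent/unparseable."""
    ref = headers.get("Referer") or headers.get("Origin") or ""
    return (urlsplit(ref).hostname or "").lower()


def allow_comment_post(headers):
    """Allow only when the request claims to come from this site or one
    of its subdomains.  Caveat: the header is client-supplied, so this
    stops lazy mass-posters, not an attacker who sets Referer by hand."""
    host = referer_host(headers)
    return host == SITE_HOST or host.endswith("." + SITE_HOST)


class SpamIPBlocker:
    """Count spam markings per IP and block at the configured minimum."""

    def __init__(self, min_spam_comments=1):
        self.min_spam = min_spam_comments
        self.spam_counts = Counter()
        self.blocked = set()

    def mark_as_spam(self, ip):
        """Call when you click 'Spam' on a comment from this IP.
        Returns True once the IP is on the block list."""
        self.spam_counts[ip] += 1
        if self.spam_counts[ip] >= self.min_spam:
            self.blocked.add(ip)
        return ip in self.blocked

    def is_blocked(self, ip):
        return ip in self.blocked


if __name__ == "__main__":
    # constructed requests: a real visitor, and a bot posting directly
    print(allow_comment_post({"Referer": "https://example.com/2024/hello-world/"}))  # True
    print(allow_comment_post({"User-Agent": "Mozilla/5.0"}))                         # False
    blocker = SpamIPBlocker(min_spam_comments=1)
    print(blocker.mark_as_spam("203.0.113.5"))                                       # True
```

Note the suffix test: "example.com.evil.net" must not match, which is why the code checks for an exact host or a leading dot rather than a plain substring, the mistake a hand-written regex easily makes.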

Save your settings before moving on.

The final tabs on the Spam Prevention settings are only useful for those using BuddyPress or bbPress. If either plugin is running, the options can add a captcha to its registration form. Since I don't have either running, there's nothing to see here.

Chapter 20 – Scanner

When a hacker breaks into your site, they'll usually change one or more files on your server. A typical hack involves injecting malicious code into existing files or dropping new ones. If successful, they can then use your site for their own purposes.

Auto email notifications are a great way to catch hackers early if any files on your server change unexpectedly. In general, WordPress core files, plugin files, and theme files only change when you update them. PHP files and JavaScript files are the prime targets of most hackers.

Our plugin can monitor these files and notify you right away if something changes. You'll know whether it was you who made the changes (an update or an edit from your Dashboard). If not, it's something or someone more sinister, and the notification tells you exactly which files to look at.

The first step to monitoring files is to carry out an initial scan. The plugin can then compare files in the future based on the scan date. At the top of the options screen, click Perform Scan Now in the Manual File Change Detection Scan .

Under the manual scan is a button that allows you to see files that have changed since the last scan. There won’t be anything to see yet as we’re just setting it up.

The next panel on this screen is the real workhorse. It carries out automated checks at predefined intervals. This is an “Intermediate” feature, though. Only activate it once you know your basic protection is working fine.

When you’re ready, check the Enable Automated File Change Detection Scan box.

The default scan frequency is four weeks. The interval you choose bounds how long a change can go unnoticed: with a four-week interval it could be four weeks before you find out about a change.

Note that these scans read every monitored file, so they take up server resources, more so on large sites. Therefore, don't do anything like scan every hour, UNLESS you think a hacker is attempting to break into your site and you want to monitor the situation closely.

I tend to stick to a 2 – 4-week scan interval on my sites.

You can also set the scan up to ignore certain file types. For example, if you post a lot of images, it’s wise to ignore the image file formats you use:

You can get the scan to ignore files or directories as well. If you know where your log files are, or their names, you can exclude those. Similarly, you might want to ignore any caching folder if these are just cached copies of your web pages.

Enter the address you want to use for auto email notifications at the bottom of the screen. Click Save Changes .

The Malware Scan tab is information about malware and links to tools you can use to scan for malware on your site. There are no settings on this screen.

Chapter 21 – Maintenance

When you want to lock visitors out of your site for any length of time, you can put your site into Maintenance Mode . We touched on this earlier when we first looked at the plugin’s Dashboard.

The Maintenance screen gives you some Visitor Lockout options.

The Enable Front-End Lockout checkbox will turn maintenance mode on. Visitors will see a message to say that your site is not live right now. The content of the Enter a Message box determines the exact message they will see, and you can customize this.

The default message simply states the site is not available and to try again later. You can change this message to read whatever you like. The editor for this is a full WYSIWYG, so you can control the formatting and even include images, links, etc.

If you do change the default message, make sure you save the settings before proceeding. Also, make sure you have Enable Front-End Lockout DISABLED unless you want it enabled right now.

Chapter 22 – Miscellaneous

The final settings for this plugin are grouped in the Miscellaneous screen.

There are four tabs.

The first one is the Copy Protection tab . This uses a small piece of JavaScript to disable right-clicking on your web pages, so casual visitors can't get the right-click popup menu to inspect (and copy) your page content. It also stops people from highlighting blocks of text on your page, which makes copying your content more inconvenient.

Be clear about what this is: a deterrent against casual copying, not a security control. Anyone who disables JavaScript, uses View Source, or saves the page gets the content anyway, and it won't stop a hacker at all.

Check the Enable Copy Protection box, and save the settings.

On the Frames tab, there is an option to stop other people from putting your web pages into a frame on their website. Framing your pages lets an attacker trick visitors into thinking they're actually on your site and, with invisible overlays, into clicking things on your site they didn't intend to (clickjacking). Needless to say, this can be quite damaging to you. The feature works by sending a response header that tells browsers not to render your pages inside frames on other sites.

To prevent this, check the Enable iFrame Protection box, and save settings.
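A quick way to confirm the setting took effect is to look at the response headers your site sends (curl -I, or the browser's network tab) and check for frame protection. The following added example (not the plugin's code) evaluates a header set the way browsers do: the Content-Security-Policy frame-ancestors directive wins when present, otherwise X-Frame-Options applies, and the obsolete ALLOW-FROM value counts as no protection because current browsers ignore it. The sample header sets are constructed.

```python
"""Classify a response's frame protection.  Added example, not the
plugin's code; sample responses are constructed."""


def frame_protection(headers):
    """Return 'deny', 'self', 'allow-list' or 'none' describing who may
    frame the page.  Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors takes precedence over X-Frame-Options in browsers.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            if sources == ["'none'"]:
                return "deny"
            if sources == ["'self'"]:
                return "self"
            return "allow-list"      # specific origins listed; still protected

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "self"
    # ALLOW-FROM is not honoured by current browsers, so it is 'none' here.
    return "none"


def is_clickjacking_protected(headers):
    return frame_protection(headers) != "none"


if __name__ == "__main__":
    # constructed: what you would expect to see after enabling the feature
    print(frame_protection({"X-Frame-Options": "SAMEORIGIN"}))   # self
    print(frame_protection({"Content-Type": "text/html"}))        # none
```

If your host or CDN already sets a Content-Security-Policy with frame-ancestors, that directive is what browsers will apply, so check both headers rather than assuming the plugin's setting is the one in force.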

The Users Enumeration tab has one option. By default, a request such as yoursite.com/?author=1 redirects to that user's archive page, and the address it redirects to reveals the login username. Bots walk through author IDs this way to collect valid usernames and then feed them to brute force attacks. Disable Users Enumeration stops those requests from giving that information away.

Check the box and save the settings.

The final tab is the WP REST API, with an option to block unauthenticated requests to the REST API. Since some plugins use the REST API, I recommend you leave this feature disabled. Be aware, though, that the public REST API also lists users who have published posts (the users endpoint), so if you disabled enumeration for the reason above, check whether that endpoint is still answering on your site.

OK, that's the plugin all set up. Your site is now really well-protected.

Go back and check your Security score. Your results will depend on which features you have activated. Here’s how mine looks now:

I’ve achieved this score after activating all basic and a few “Intermediate” features. Don’t worry right now if your score’s a lot less. It’ll increase as you go in and activate more features over time.

After testing the current security settings, I still have a few other features to activate, so my score will go up.

Notice the above image on the right. When we first began to activate the plugin, that pie chart looked like the one below:

I’m feeling a lot more confident now that my site is secure.

In reality, though, no site is ever 100% safe against the most determined hackers. You probably know this already after seeing the successful hacks of high-profile internet companies. However, the measures you've taken here will keep your site safe against the great majority of attacks, which are automated and opportunistic and simply move on to an easier target. The ones who could still succeed are likely to be more interested in much bigger, higher-profile prey.

And remember, even if the worst did happen — including a server meltdown and your web host not having a backup — it’s not the end of the world. You have all the necessary files to restore your site with the backups you’ve done (and automated) as you went through this tutorial.

In the next chapter, I provide you with a security checklist. This will help you to methodically work your way through as you protect your website(s).

Remember, start with the "Basic" features first. Test them for a while before activating the "Intermediate" features recommended in this tutorial. Test again for a while, and then go in and tweak some of the "Advanced" options.

Chapter 23 – Security Checklist

This checklist includes all the main security fixes you should carry out on your WordPress website. I've included a complete list of those I enable on my sites. If there are any in this list you don't want to implement, just skip them.

The sub-headings refer to the section of the WP security plugin you have to visit to carry out the steps. Some screens have tabs. If I tell you to go to a specific tab, you’ll always find it along the top of the screen.

Before you begin to set up the security on a new site, I recommend you scan your site first and do a few backups.

Initial Tests and Backups

Not Included in the Plugin

  • Disable PHP error reporting

Scanner Menu

  • On the File Change Detection tab, Perform Scan Now to check if any files are different from the default installation files. You may find that the .htaccess file has changed, but that's usually fine.
  • Check the option to Enable Automated File Change Detection Scan .

Settings Menu

  • Backup your Database
  • Backup your .htaccess file
  • Backup your wp-config.php
  • Click on the WP version Info tab across the top and check the Remove WP Generator Meta box.

Setting up Security

User Accounts Menu

  • On the WP Username tab, ensure you are not using admin as the username.
  • On the Display Name tab, ensure your login name and display name are different.

User Login Menu

  • On the Login Lockdown tab, enable Login Lockdown .
  • On the Force Logout tab, enable the Force WP User Logout .

User Registration Menu

  • On the Manual Approval tab, enable Manual approval of new registrations .
  • On the Registration Captcha tab, enable Captcha on Registration Page .

Database Security

  • On the DB Prefix tab, make sure you’re not using the default wp_ as your table prefix.
  • On the DB Backup tab, enable automated backups.

Filesystem Security

  • On the File Permissions tab, if there are any Recommended Actions , take them.
  • On the PHP File Editing tab, Disable the ability to edit PHP Files .
  • On the WP File Access tab, Prevent Access to WP Default Install Files .

Firewall

  • On the Basic Firewall Rules tab, Enable Basic Firewall Protection .
  • If you are not using XML-RPC, you can block it completely. The xmlrpc.php endpoint is a favourite brute force target because it accepts many login attempts in a single request, but some plugins and the WordPress mobile app rely on it, so I don't recommend blocking it outright unless you've confirmed nothing on your site uses it.
  • Enable the Block Access to debug.log file .
  • On the Additional Firewall Rules tab, enable Disable Index Views.
  • Enable the Disable Trace and Track .
  • Enable Forbid Proxy Comment Posting .
  • Enable Deny Bad Query Strings .
  • Enable the Enable Advanced Character String Filter .
  • On the 6G Blacklist Firewall Rules tab, check the Enable 6G Firewall Protection option.
  • On the Internet Bots tab, enable the option to Block Fake Googlebots .
  • On the Prevent Hotlinks tab, enable the option to Prevent Image Hotlinking .
  • On the 404 Detection tab, check the option to Enable 404 IP Detection and Lockout .

Brute Force

  • On the Cookie Based Brute Force Prevention , perform the cookie test to make sure your site can use this method of protection. If it can, enter a Secret Word and then Enable Brute Force Attack Prevention on this tab. If it cannot, go to the Rename Login Page tab and use that instead.

  • On the Login Captcha tab, enable any of the captchas that you want to use.

  • On the Honeypot tab, check the option to Enable Honeypot on Login Page .

SPAM Prevention

  • On the Comment Spam tab, check the option to Enable Captcha On Comment Forms .
  • Check the option to Block Spambots from posting comments .
  • On the Comment SPAM IP Monitoring tab, check the option to Enable Auto Block of SPAM Comment IPs . I recommend you enter a low number into the Minimum number of SPAM comments box. I use 1.

Miscellaneous

  • On the Copy Protection tab, check the option to Enable Copy Protection .
  • On the Frames tab, check the option to Enable iFrame Protection .
  • On the Users Enumeration tab, check the option to Disable Users Enumeration .

If you enjoyed the tutorial feel free to leave a like :smiley:


Absolutely the best guide there is. Kudos! :grinning:


Cheers man =)

Glad to have you back at our community as well.
