WordPress is a content management system (CMS) that allows us to create and maintain a website. It has a great deal of experience and has a multitude of templates and plugins that increase the level of customization. Like all CMS, they have a series of parameters related to the security of the site. These parameters are not sufficiently secure in their default state and must be modified in order to prevent any type of computer attack . Iván San Román , web developer at Flat 101, details 8 sections that the team takes care of and takes into account to have the best web pages and, above all, the most secure ones .
1. Change the default administrator user
During the WordPress installation process, you must decide on a username. This user will be granted all permissions by default, which is why you must be especially careful when choosing it. Initially, you are offered a default username that you should not use. For added security, you must choose a username that is your own and of course not a generic one (admin, Admin, root, user).
A sample name to use on your website is your company name + the last 4 digits of your VAT number (for example: FLAT101_1234).
2. Use a strong password
Most people have difficulty remembering all the passwords they need to remember on a daily basis. That's why they use passwords as simple as "123456" or "0000". These passwords are easy to remember, but they are also easy to guess.
This poses a huge risk to the security of our sites, so at Flat 101 we recommend that you configure your password with special characters, a length of between 8 and 12 characters, alphanumeric values, and upper and lower case letters used alternately. This will be very useful in creating a strong password that is difficult to hack.
An example of a strong password would be “F+l+a_T<101”.
3. Change the admin panel URL
One measure that almost no one uses is to change the address to access the administration panel . By default, WordPress has the well-known URL composed of the address of the hosting/wp-admin.
By changing this address, if someone tries to access our website - whether through bots or by trying different addresses - it will be almost impossible for them to find the correct address. This will significantly improve the security of the site .
4. Update to the latest versions of both WordPress and the plugins that have been installed
This is important because every update brings security improvements from the developer. This makes it harder for malicious software to get into the WordPress dashboard.
5. Make backup copies
If you really care about the security of your website, you should always have a backup of your database. This will not prevent you from being hacked, but you will be able to restore your website in a matter of minutes in a quick and easy way, making available to users the same information that was on the web before your servers were attacked.
The database is the fundamental part of a website and therefore it is very important to protect it, not only by making backup copies so that it can be restored if necessary, but also by changing the prefix of the tables to prevent possible saudi arabia number data attackers from obtaining the data they contain.
Database Service – Makes database access only possible from the server or instance where WordPress is installed (not open).
Database User – Allows “wp-config” to be something other than root, but rather just someone with access to the WordPress schema.
7. Ban potential hackers
To keep your WordPress-based website secure , we recommend installing a system that counts login attempts on the “wp_login.php” page.
If you detect a high number of logins from the same IP, it would be advisable to ban that address, either for a limited time (30 minutes, 50 minutes, 1 hour...) or permanently.
This will prevent a bot from guessing the username and password using an alphabet or dictionary attack. These attacks consist of trying to decipher usernames and passwords by trying numerous attempts and basing them on words from a dictionary of previously used keys or passwords that they may have obtained in previous attacks.
8. Content Security Policy (CSP)
It consists of adding an HTTP header to the web page and giving it specific values to control the resources that the user can load for that page. They serve as an additional layer of security that helps prevent and reduce certain attacks such as Cross Site Scripting (XSS) and data injection.
Cross Site Scripting is the execution of malicious scripts in the browser , s.