
RAaz Kumar .com

wordpress tutorials seo hosting etc


WordPress Security Plugins 2021 (Brute force, Login lockdown, Malware scanner etc)

Find the best WordPress security plugins in 2021 to update your WP security rules, get rid of the unwanted bot traffic and brute force attacks that slow down your website, and prevent security vulnerabilities such as source code injection, SQL injection and DDoS attacks with rate limiting rules. There are many WordPress security plugins out there, but we have to choose them wisely based on our security rules. Most hosting providers harden their server security, but in most cases our shared hosting account gets suspended for one of the following reasons.

 

All in One WP Security plugin

Basic rules:

  1. Change the username: by default it is admin (easy to crack when the attacker already knows the username).
  2. Rename the login page (by default it is wp-login.php): anyone who knows the site runs WordPress, from its footprint or source, hits this page.
  3. Change the DB prefix: by default it is wp_ (so the options table is wp_options), which makes SQL injection easier because table names are guessable.
  4. Comment captcha: enabling a captcha for submitting comments avoids some bot comments.
  5. Login lockdown: if a certain number of requests arrive within the time limit, it locks the IP address for a few minutes to stop the attack.
  6. Automated database backups:

WordPress security plugin firewall rules

Disable XML-RPC (WordPress checks for the latest plugins through XML-RPC cron functions).

Disable pings for XML-RPC: the Jetpack plugin and the WordPress Android apps need this functionality.

Disable index views: if the Apache server has not already done this, you can do it through the All in One WP Security plugin's firewall rules.

Disable Trace and Track: the HTTP TRACE attack (XST) is used for cross-site scripting (XSS) attacks. (No other functionality is affected.)

Bad Query Strings:

This setting will implement the 6G security firewall protection mechanisms on your site which include the following things:

1) Block forbidden characters commonly used in exploitative attacks.

2) Block malicious encoded URL characters such as the ".css(" string.

3) Guard against the common patterns and specific exploits in the root portion of targeted URLs.

4) Stop attackers from manipulating query strings by disallowing illicit characters.

 

Prevent hotlinking to files (images, PDFs)

How does this affect you?

If you have a good image and someone copies it into their blog posts, every time their page loads your server has to serve the image, like a CDN.

If their page gets a lot of hits, your server goes down because the requests-per-second limit of your server is reached, with high CPU and memory usage.

You can prevent this with Cloudflare, or in the Apache or Nginx server configuration.

 

#2 Wordfence: the best WordPress security plugin (Firewall & Malware Scan)

Premium and free

Active installations: 3+ million

Rating: 4.8/5 (3600 votes)

Wordfence premium features (the free version gets them delayed by 30 days)

  1. Real-time firewall rule and malware signature updates
  2. Real-time IP blacklist from reported sources
  3. Country blocking

Free features

  1. Login lockdown
  2. IP blocking
  3. 2FA (two-factor authentication)
  4. Live traffic monitor by IP address
  5. Scanner: analyzes files and permissions, and file source code, to identify malicious scripts (source code injections).

 

 

#3 Jetpack plugin for WordPress security

Jetpack is by the WordPress team. All its features are bundled as modules; every feature is built as a module. For security, let's dig into it now.

Install the plugin, go to modules, activate the security features and then configure the settings.

  • Free:
  • Personal:
  • Professional:
  • Enterprise:

  • Traffic & Insights: site stats; Google Analytics integration (premium)
  • Automation: auto post sharing, related posts
  • SEO: XML sitemap, site verification

Jetpack plugin security features for WordPress

  • Brute force attack protection
  • Downtime monitoring
  • Secure authentication
  • Easy plugin management
  • Plugin auto updates
  • Site activity (20 events)
  • Backups (not in the free version)
  • Security scanning including malware scan (not in the free version)

 

Tip: look at the backend team of the plugin and their company.

 

How source code injection works and ways to remove it

When you download a pirated theme or plugin, the crackers leave a PHP backdoor, mostly in index.php.

When a user visits the website, the backdoor places ads from different ad networks, or asks the user to download software such as Flash Player through a popup on your website. (In the case of AdSense they may change the publisher ID and ad code, but AdSense does not allow this on unverified sites.)

What the user downloads is other software instead of Flash Player.

Scan with Wordfence or other tools, or go through all files manually and remove the code.

NOTE: Don't use all features unless you know what you are doing (less resource consumption).

The plugin adds a lot of rules to your .htaccess file, which slows down wp-admin access and may slow down your website's performance.

The best feature is brute force prevention through a custom login URL with a secret keyword: it stores a cookie with the secret word on your PC, and anyone else trying to access the login page is redirected wherever you want.

Google Authenticator plugin

Add 2-step verification to the WordPress login: you can use the Google Authenticator plugin. For that you have to install the Google Authenticator app on your mobile.

You can also log in with your WordPress.com username and password if you have installed the Jetpack plugin.

How to prevent WordPress brute force attacks: login lockdown?

Login lockdown by IP address banning does not really work against brute force attacks, because attackers use lots of IP addresses.
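A simulation of why that is, added here as an example (not code from the page or from any plugin); the event tuples, the thresholds and the helper names per_ip_lockdown and per_account_failures are constructed for illustration:

```python
# Login-lockdown simulation: added example, not code from the page or from any plugin.
# Events are constructed failed-login attempts (timestamp_seconds, source_ip, username).
from collections import defaultdict, deque

MAX_FAIL, WINDOW, LOCK = 5, 300, 900  # failures per IP, window seconds, lock seconds

def per_ip_lockdown(events, max_fail=MAX_FAIL, window=WINDOW, lock=LOCK):
    """Plugin-style rule: MAX_FAIL failures from one IP inside WINDOW locks that IP.
    Returns (locked_ips, rejected); rejected = attempts refused while an IP was locked."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    locked_until = {}            # ip -> time the lock expires
    locked_ips, rejected = set(), 0
    for ts, ip, _user in sorted(events):
        if locked_until.get(ip, 0) > ts:
            rejected += 1
            continue
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - window:   # forget failures that fell out of the window
            q.popleft()
        if len(q) >= max_fail:
            locked_until[ip] = ts + lock
            locked_ips.add(ip)
            q.clear()
    return locked_ips, rejected

def per_account_failures(events, window=WINDOW):
    """Largest number of failures any single username received inside one window:
    counting per account is what still catches a brute force spread over many IPs."""
    by_user = defaultdict(list)
    for ts, _ip, user in events:
        by_user[user].append(ts)
    worst = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while stamps[start] <= ts - window:
                start += 1
            best = max(best, end - start + 1)
        worst[user] = best
    return worst

# Constructed scenarios: one noisy IP hammering "admin" (caught by the IP rule), and a
# distributed attack where 20 IPs send 4 attempts each, all under MAX_FAIL, on "admin".
NOISY = [(t, "198.51.100.9", "admin") for t in range(12)]
DISTRIBUTED = [(100 + 3 * (n * 4 + k), f"203.0.113.{n}", "admin")
               for n in range(20) for k in range(4)]
```

The distributed scenario never locks a single IP, yet per_account_failures shows 80 failures against one account inside five minutes, which is the signal an account-level or global rate limit would act on.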

 

Don't expose wp-login.php.

Protect the wp-admin directory with a .htaccess password.

 

Always check the error log in the WordPress directory.

Block brute force attacks through xmlrpc.php

You can try renaming xmlrpc.php, but that produces errors in the access logs. Instead, protect it with .htaccess:

<FilesMatch "^xmlrpc\.php$">
# Apache 2.2 syntax (needs mod_access_compat on 2.4); on Apache 2.4 use "Require all denied"
Order Deny,Allow
Deny from all
</FilesMatch>

 

Block XML-RPC and anonymous referers

Block POST requests that carry no referer with .htaccess (Apache):

<IfModule mod_rewrite.c>
RewriteEngine On
# only POST requests to the login and comment endpoints...
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /(wp-comments-post|wp-login)\.php
# ...whose Referer does not contain your domain (replace chagewithyour.com) OR whose User-Agent is empty
RewriteCond %{HTTP_REFERER} !.*chagewithyour.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]
</IfModule>
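The rule above can be checked offline against log lines before it goes live; this is an added example (not code from the page), with SITE = "example.com" standing in for the chagewithyour.com placeholder, blocks_request and flagged_ips as constructed helper names, and constructed sample log lines:

```python
import re

# Offline check of the .htaccess rule above: added example, not code from the page.
# SITE is an assumed domain standing in for the "chagewithyour.com" placeholder.
SITE = "example.com"

def blocks_request(method, uri, referer, user_agent, site=SITE):
    """True when the RewriteRule would fire. The two header RewriteConds are joined
    with [OR], so a missing/foreign Referer OR an empty User-Agent is enough to block."""
    if method != "POST":
        return False
    if not re.search(r"/(wp-comments-post|wp-login)\.php", uri):
        return False
    referer_ok = site in referer                   # mirrors !.*chagewithyour.com.*
    return (not referer_ok) or user_agent == ""    # mirrors ^$ on HTTP_USER_AGENT

# Apache combined log format; Apache writes "-" when the Referer header is absent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "([^"]*)" "([^"]*)"')

def flagged_ips(log_text):
    """Client IPs whose logged requests the rule would have redirected (log review)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        ip, method, uri, referer, ua = m.groups()
        if blocks_request(method, uri, "" if referer == "-" else referer, ua):
            hits.append(ip)
    return hits

# Constructed sample log lines (not a real log): a bot with no Referer, a browser login,
# a plain GET of the login page, and a comment POST with an empty User-Agent.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2021:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "python-requests/2.25"
198.51.100.3 - - [01/Mar/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [01/Mar/2021:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2021:10:00:12 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://example.com/hello-world/" ""
"""
```

Both Referer and User-Agent are set by the client, so the rule only stops bots that do not bother to send them; treat it as noise reduction in front of login lockdown and 2FA, not as authentication.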

 

Blocking these POST requests helps avoid injection of malicious scripts.

The mod_evasive20 Apache module also blocks requests to xmlrpc.php.

 

IP-based login: securing WordPress without any security plugins

Allow login only from your workstation if your ISP provides a static IP. If your IP is dynamic, you can allow your ISP's hostname instead (look up the hostname for your IP with an online "host to IP" tool), or allow the IP subnet. To find your own IP, just search for "what is my IP".

Add this to the .htaccess file:

<FilesMatch "^wp-login\.php$">
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" and "Require ip 8.8.8.8"
Order Deny,Allow
Deny from all
Allow from 8.8.8.8
</FilesMatch>

Subnet IP addresses start with the same digits and differ only in the last few.

Allow from a dynamic IP (by ISP hostname):

<FilesMatch "^wp-login\.php$">
# hostname matching needs a reverse DNS lookup per request; on Apache 2.4 use "Require host .isp.example.com"
Order Deny,Allow
Deny from all
Allow from .isp.example.com
</FilesMatch>

Limit access to the wp-admin folder

Add the same rules to a .htaccess file in the wp-admin folder.

 

.htaccess password protecting wp-login.php without any WordPress security plugins

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

<Files wp-login.php>
# give the absolute path of the password file; Apache does not expand ~
AuthUserFile /absolute/path/to/.htpasswd
AuthName "Private access"
AuthType Basic
Require user green
</Files>

 

The authorization file can be located anywhere on the server, but you have to give its exact path.

Create a new file called .htpasswd and paste the generated password entry there.

You have to generate the .htpasswd entry with one of the many available tools, such as cPanel or SSH.

Use Cloudflare and select security level medium or high based on your requirements.

 

Securing the Apache server

mod_evasive module

ModSecurity

Firewall: iptables or UFW (Debian 8), SELinux

 

Note: conflicts between security rules may cause server slowdown.

HaCkEd By RxR HaCkEr

HaCkeD By SA3D HaCk3D

 

WordPress security vulnerabilities

  1. wp-login.php
  2. xmlrpc.php
  3. wp-cron.php
  4. Bot spam comments found through WordPress footprints ("post a comment", "wordpress", "login to post") (WordPress comment management)
  5. PHP backdoors in pirated themes (some pirated themes include backdoors); in one case I saw they replaced the ad code with their own to earn money.

 

Attacks

SQL injection, source code injection, brute force attacks on wp-login.php.

Best practices:

Rate limiting, blocking, human verification methods.

 

 

 


© 2023 - All Rights Reserved Disclaimer & Privacy Policy