WordPress is the most popular CMS in the world. This makes it the target of the largest number of hacker attacks.
Many WordPress sites are insecure because of an outdated CMS/plugins/themes or server-side software: PHP/SQL.
If you add a few security rules you can minimize this risk, but remember – you can only feel secure if you have no website 🙂
At the beginning:
- do not use a login that is the same as the domain name
- use strong passwords for WordPress, hosting and the database
- use a separate database for every website, with a user name different from the database name
- use separate domain and hosting providers
- do not use auto installers like Installatron – this is pure evil 🙂
- use a strong table prefix
While in use:
- for saving passwords use an external secure password manager like LastPass, not the one built into the browser
- always use themes and plugins from secure sources
- update your core, theme, and plugins regularly – I recommend using Perfect Dashboard with visual tests after each update
- make backups – same here, in Perfect Dashboard you can schedule automatic backups with a malware test and a scan for custom changes in core files, and store them on external secure servers
Advanced methods:
- change the default salts (see "What, Why, and Hows of WordPress Security Keys")
- hide some files (.htaccess):
<FilesMatch "wp-config.*\.php|\.htaccess|readme\.html">
Order allow,deny
Deny from all
</FilesMatch>
- hide the version (functions.php or a plugin):
remove_action('wp_head', 'wp_generator');
- secure the login page (.htaccess; the .htpasswd file must exist at the given path):
<Files wp-login.php>
AuthType Basic
AuthGroupFile /dev/null
AuthName "What are you looking for?"
AuthUserFile /path/.htpasswd
require valid-user
</Files>
- remove XML-RPC (functions.php or a plugin):
add_filter('xmlrpc_enabled', '__return_false');
… and many many more…
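As an added example (not code from the original answer), the script below checks a wp-config.php against the items listed above under "At the beginning" (database user different from database name, strong password, non-default table prefix) and the "change default salts" advice, and can generate a random table prefix and salt block to replace weak values. The sample configuration text, the finding messages and the thresholds (16-character password, 6-character prefix, 32-character salts) are assumptions of this example, not values from the answer.

```python
"""Audit a wp-config.php for the weak settings discussed above (added example)."""
import re
import secrets
import string

# Placeholder that WordPress ships in wp-config-sample.php for every key/salt
DEFAULT_SALT_PLACEHOLDER = "put your unique phrase here"
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Matches define('NAME', 'value'); with single or double quotes
_DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)""")
_PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"](?P<prefix>[^'"]*)['"]""")

# Constructed sample of a weak configuration (all values are made up)
WEAK_CONFIG = """<?php
define('DB_NAME', 'mysite');
define('DB_USER', 'mysite');
define('DB_PASSWORD', 'mysite123');
define('AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
"""


def parse_wp_config(text):
    """Return (defines, table_prefix) parsed from wp-config.php text."""
    defines = {m.group("name"): m.group("value") for m in _DEFINE_RE.finditer(text)}
    m = _PREFIX_RE.search(text)
    return defines, (m.group("prefix") if m else None)


def audit_wp_config(text, domain=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    defines, prefix = parse_wp_config(text)
    findings = []
    db_name = defines.get("DB_NAME", "")
    db_user = defines.get("DB_USER", "")
    db_pass = defines.get("DB_PASSWORD", "")
    if db_user and db_user == db_name:
        findings.append("DB_USER equals DB_NAME")
    if domain and db_user and domain.split(".")[0].lower() == db_user.lower():
        findings.append("DB_USER equals the domain name")
    if len(db_pass) < 16:
        findings.append("DB_PASSWORD shorter than 16 characters")
    if prefix is None or prefix == "wp_":
        findings.append("table prefix is the default wp_")
    elif len(prefix) < 6:
        findings.append("table prefix shorter than 6 characters")
    for key in SALT_KEYS:
        value = defines.get(key, "")
        if value == DEFAULT_SALT_PLACEHOLDER or len(value) < 32:
            findings.append(f"{key} is the sample placeholder, missing or too short")
    return findings


def generate_table_prefix(length=8):
    """Random prefix: a letter, then letters/digits, ending in '_' (MySQL-safe)."""
    alphabet = string.ascii_lowercase + string.digits
    body = secrets.choice(string.ascii_lowercase)
    body += "".join(secrets.choice(alphabet) for _ in range(length - 1))
    return body + "_"


def generate_salts(length=64):
    """Return define() lines with random keys/salts (no quotes or backslashes)."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.~"
    return "\n".join(
        "define('%s', '%s');" % (key, "".join(secrets.choice(alphabet) for _ in range(length)))
        for key in SALT_KEYS)


def build_hardened_config(db_name, db_user, db_password):
    """Assemble a wp-config fragment that passes audit_wp_config()."""
    return "\n".join([
        "<?php",
        f"define('DB_NAME', '{db_name}');",
        f"define('DB_USER', '{db_user}');",
        f"define('DB_PASSWORD', '{db_password}');",
        generate_salts(),
        f"$table_prefix = '{generate_table_prefix()}';",
    ])


if __name__ == "__main__":
    for finding in audit_wp_config(WEAK_CONFIG, domain="mysite.example"):
        print("WEAK:", finding)
    print(build_hardened_config("site_db", "site_usr", secrets.token_urlsafe(24)))
```

Run it against your own wp-config.php (read the file and pass its text to audit_wp_config) before going live; the salt generator is only a local stand-in for the official WordPress secret-key service and the values it prints must be pasted into the config by hand.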
https://www.quora.com/Is-it-easy-to-hack-WordPress-websites