Secure WordPress Website Effectively Using Best Methods

Comprehensive WordPress website security

WordPress is an open-source platform written in PHP and the most widely used content management system in the world, with nearly 30% of websites running on it. That popularity makes it a permanent target: attackers steal content, plant spam backlinks, insert rogue Adsense ads, add hidden redirects, flood Google's index with Japanese-language spam pages (the so-called Japanese keyword hack), and so on.

Against skilled attackers there is no 100% guarantee; whether they persist depends on how attractive or valuable your site is to them. Every feature you add brings some attack surface, large or small, so in this article I walk through the security measures you can apply to your website to make it hard for anyone, from novice to experienced attackers, to take control of it.

What is the main cause of a website being infected with malware?

In my experience cleaning malicious code out of many websites, and from the problems I ran into myself when I first built WordPress sites, infections almost always trace back to one of the following causes:

  • Pirated (nulled) themes and plugins: this is the main reason websites in Vietnam get infected. The site owner downloads a commercial theme or plugin from an untrusted source that "shares" it for free online, and nobody knows what was added to the package before it was shared; nulled themes and plugins are a common vehicle for backdoors and injected spam code. If you are serious about a business website (it is your shop on the internet, with all your effort invested in it), do not run software from unknown sources; install themes and plugins only from the official WordPress.org repository or directly from the vendor.
  • Another website on the same hosting account is infected: if you host several websites under one shared hosting account, they usually run as the same system user inside the same home directory, so a compromise of one site lets the attacker write to the files of every other site. Isolating sites in separate accounts (separate users) stops this spread.
  • Security vulnerabilities in WordPress core, themes or plugins: this is an external flaw in the code you are running. Core, themes and plugins regularly ship patches alongside new features, and when a serious vulnerability is disclosed the maintainers typically release a fix quickly. You only need to press Update in the admin interface, but do it promptly: once a vulnerability is public, scanners start probing for the unpatched version almost immediately.
  • Vulnerabilities in the hosting, VPS or server you use: another external cause you can rarely do anything about. Depending on severity, a provider-side flaw can affect your site or even get it defaced. Choose a reputable hosting or VPS provider; some I can recommend are Vietnix, Pavietnam, Tinohost, Azdigi, and others.

Consequences of poor website security

A website without security measures is at very high risk of infection. Every day, automated tools controlled by attackers continuously scan the Internet for websites with known vulnerabilities. These scanners do not pick targets by hand: if your site is reachable and poorly secured, it will be found and exploited.

There are a few consequences you will suffer when using a website with poor security:

  • Getting hacked: losing the site, spam backlinks, Japanese-language spam pages in the search index, rogue Adsense ads, redirects to adult sites, deleted data, lost admin access.
  • SEO impact: Google notifies you by email through Google Search Console (which you must have registered beforehand) and shows a warning in visitors' browsers whenever they open one of your links. Beyond the ranking loss, customers gradually stop trusting a site that Google keeps flagging as dangerous.
  • Reputation of your website and business: visitors who cannot reach the site, or who have a bad experience when they do, drift away, and the site slowly dies unless you remove the malicious code quickly. Put yourself in the customer's position: would you buy from a site flagged as dangerous, and would Google want a site serving malware at the top of its results?

Effective WordPress website security methods to prevent hacking

Use a username and password that are hard to guess

Password-cracking tools are widely shared online and simple enough that a beginner can run one against a WordPress login. They work from prepared dictionaries, so a password such as 123, anhyeuem or 123456 is found in seconds. A password becomes much harder to guess when it mixes special characters such as !@#$, upper- and lower-case letters, and is longer than 8 characters; combine all of these and a dictionary attack will not find it.

Against a strong password (more than 8 characters, mixed case, special characters) the same tools are estimated to need tens of thousands of years, and every extra character multiplies that further. Length is the cheapest way to add strength: a long random passphrase beats a short "complex" password. Also never reuse the WordPress password on other sites; credential stuffing with passwords leaked from other breaches is far more common than real brute force, and no amount of password complexity helps if the same password is already in a leak.

Update WordPress version, Update Theme, Plugin to the latest version

Always update to the latest version: updates ship the patches for known vulnerabilities. If your site runs an old WordPress, theme or plugin version with a serious known flaw and you have not updated, it will very likely be hacked as soon as a scanner identifies that version. So update everything mentioned above as soon as possible. Updates are tested by the maintainers, so do not be afraid of errors or conflicts; if you want to be cautious, wait a few days after a release and then update, ideally after taking a fresh backup. That is still early enough.

Use 2-factor authentication

1. Two-factor authentication for hosting: open cPanel and find the Two-Factor Authentication (2FA) section.

Two-factor authentication in cPanel

Choose Set up Two-Factor Authentication:

Set up Two-Factor Authentication

Next, open Google Play (CH Play) on your phone and install the app called Google Authenticator:

Google Authenticator on Google Play

Open the app, tap the plus sign and choose Scan a QR code. Scan the QR code shown in cPanel, enter the six-digit code the app displays into the box below the QR code, and click the Configure Two-Factor Authentication button to confirm.

Fill in the authentication code

From now on, logging in to hosting/cPanel requires a code from Google Authenticator in addition to your password. The code is a time-based one-time password derived from the secret in the QR code and the current time; it changes every 30 seconds, so even an attacker who knows your password cannot log in without the phone that holds the secret.

2. Two-factor authentication for WordPress: use both together for the best protection. For WordPress, install the Wordfence plugin (the author uses the Premium version, but the Login Security two-factor feature is also included in the free plugin); it lets you enable two-factor authentication for each admin login.

After installing Wordfence, go to Wordfence / Login Security. Open Google Authenticator on your phone and scan the QR code:

Enter the code, then click Activate

The app shows a 6-digit code; enter it in the box on the right and press ACTIVATE, exactly as for cPanel. From then on, after entering your password you must also supply the current 6-digit code from Google Authenticator before you reach the dashboard. As with cPanel, a stolen password alone is no longer enough to get into the admin area. Download and store the recovery codes Wordfence shows when you activate; without them, losing the phone locks you out of your own site.
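The 30-second code that both cPanel and Wordfence ask for is computed the same way on the phone and on the server, and the following is an added example (not code from the article, cPanel or Wordfence) of that computation, TOTP as specified in RFC 6238. The base32 secret is a constructed test value, not a real account secret:

```php
<?php
// Added example, not from the article: how the 6-digit second factor is derived.
// The phone and the server share only the base32 secret from the QR code; each
// one derives the same code from the current 30-second time step, which is why
// a stolen password alone cannot reproduce it.

function base32_decode_rfc4648(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop the trailing partial byte
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// HOTP (RFC 4226) over a 64-bit big-endian counter; TOTP is HOTP with the
// counter set to floor(unix_time / 30).
function totp_code(string $b32secret, int $unixTime, int $step = 30, int $digits = 6): string {
    $counter = intdiv($unixTime, $step);
    $msg  = pack('J', $counter);                               // 8-byte big-endian
    $hmac = hash_hmac('sha1', $msg, base32_decode_rfc4648($b32secret), true);
    $offset = ord($hmac[19]) & 0x0F;                           // dynamic truncation
    $binary = ((ord($hmac[$offset]) & 0x7F) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Server-side verification: accept the current step and one step on either
// side to tolerate clock drift, and compare in constant time so the check
// itself does not leak timing information.
function totp_verify(string $b32secret, string $submitted, int $unixTime): bool {
    foreach ([-1, 0, 1] as $drift) {
        if (hash_equals(totp_code($b32secret, $unixTime + 30 * $drift), $submitted)) {
            return true;
        }
    }
    return false;
}

// Demonstration with a constructed secret (a widely used test vector).
$secret = 'JBSWY3DPEHPK3PXP';
$now    = time();
$code   = totp_code($secret, $now);
echo "code for this 30-second window: {$code}\n";
echo 'verified 20 seconds later: ' . (totp_verify($secret, $code, $now + 20) ? 'yes' : 'no') . "\n";
```

The example makes two practical points visible: the secret never leaves the phone after enrolment (only the derived code does), and the server must tolerate a little clock drift, which is why a code typed just as the window changes is still accepted.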

Delete/Remove unused Themes and Plugins

Delete every theme and plugin you do not use. This saves hosting space, but more importantly it removes code that can still be exploited: a deactivated plugin is no longer updated, yet its files stay on disk, and some flaws in standalone plugin files remain reachable by a scanner even when the plugin is inactive. Old packages are also a convenient hiding place for injected malware. Keep only what you actually use, activated and updated; deactivate and delete the rest right away.

Moderate comments, and do not click comments with strange links

Some people deliberately post spam backlinks or try to exploit vulnerabilities in your site through the comment form. Fortunately, WordPress can hold every comment for moderation before it appears under the article. Approve only comments that look like real readers, and send comments with links of unknown origin to the trash or simply leave them unapproved.

You can also use the free Akismet Spam Protection plugin from the WordPress repository; it filters spam comments very effectively on sites that receive a lot of them. You can download and install it from the plugin directory.

Use the latest version of PHP

Besides keeping themes, plugins and WordPress current, use a supported PHP version. To change it, open cPanel / Select PHP Version:

Select PHP version

Here you change the PHP version for your hosting account. Choose at least PHP 7.4, and preferably 8.0 or newer: older branches no longer receive security fixes, so any vulnerability found in them stays unpatched, and 7.4 itself stopped receiving fixes at the end of 2022, so 8.x is the right target today. Check that your theme and plugins support the new version (test on a staging copy if you can) before switching, since old code may break on PHP 8.

Choose the latest PHP version

Use SSL/HTTPS security certificates

A website with an SSL/TLS certificate installed gets the browser's secure indicator (the padlock); without one the browser shows a red "Not Secure" warning. HTTPS encrypts the traffic between the visitor's browser and your server, so personal data, bank account and card details cannot be read by anyone on the path.

* Without SSL:

SSL certificate error

* With SSL:

SSL enabled

For a WordPress site the most important page is the login page: without HTTPS, your username and password travel across the internet in clear text, and anyone on the path (on a shared Wi-Fi network, for instance) can read them. Hosts now all offer free certificate installation (Let's Encrypt, for example), so just open a support ticket and they will install one quickly. Afterwards set both the WordPress Address and Site Address to https:// and redirect all http:// requests to https://, so that no page, the login page included, is still served unencrypted.

Hide the configuration file: wp-config.php

wp-config.php holds the database credentials, the security keys and the rest of the core configuration; whoever can read it can usually take over the site, so exposing it is an invitation to be hacked. Normally the web server executes the file rather than serving its source, but a misconfigured PHP handler, a stray backup copy (wp-config.php.bak, wp-config.php~) or a file-disclosure bug in a plugin can expose it. Moving the real file outside the web root (public_html) means that even in those cases there is nothing sensitive to download.

To hide wp-config.php, go to cPanel and create an empty folder at the same level as public_html:

Create a folder beside public_html

Then go into the public_html folder and download the wp-config.php file:

Download the wp-config file

Upload this wp-config.php file into the newly created folder:

Upload the wp-config file to the new folder

Now edit the wp-config.php file that is still in the public_html folder:

Edit the config file in public_html

Delete the entire content of the wp-config.php file in public_html and replace it with a short PHP stub that only loads the real file from the new folder. Remember to replace the word "xindunghackem" with the name of the folder you just created (the one at the same level as public_html). The stub begins with the opening <?php tag and contains nothing sensitive itself; all the secrets now live in the file outside the web root.
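As an added example (not the article's own snippet), here is what that stub looks like. The folder name private-config is an assumption standing in for whatever sibling folder of public_html you created; the key detail is that ABSPATH is defined before the real file is included, so WordPress keeps resolving its paths against the web root and not against the private folder:

```php
<?php
// public_html/wp-config.php: added example of the stub that stays in the web
// root. It holds no secrets; it only tells WordPress where the real file is.
// "private-config" is an assumed folder name: use the folder you created
// next to public_html.

// WordPress derives every path from ABSPATH. Define it here, pointing at the
// web root, BEFORE including the moved file, so that the guarded definition
// inside the real wp-config.php does not resolve to the private folder.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}

// dirname(__DIR__) is the parent of public_html (the cPanel home directory);
// the real configuration lives in a sibling folder Apache never serves.
$private_config = dirname( __DIR__ ) . '/private-config/wp-config.php';

if ( ! is_readable( $private_config ) ) {
    // Fail closed with a generic message instead of a PHP fatal error, whose
    // output may disclose server paths when display_errors is on.
    http_response_code( 500 );
    exit( 'Site configuration is unavailable.' );
}

require_once $private_config;
```

WordPress also looks one directory above the web root by itself: wp-load.php checks dirname(ABSPATH)/wp-config.php when no wp-settings.php exists there. If your host lets you put the file directly in the home directory, no stub is needed at all; the sibling-folder layout used in this article is what makes the stub necessary.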

Change database prefix (Database Prefix)

The default table prefix is wp_, so attackers know every table name in advance (wp_users, wp_options, and so on); changing it removes that free information. Keep in mind that it only blunts untargeted SQL-injection payloads, since an attacker who can already run arbitrary queries can simply look the prefix up. To change it, install the iThemes Security Pro plugin (since renamed Solid Security) and use its built-in tool.

Install iThemes Security Pro on the site, then navigate to Security / Settings / Tools / Change Database Table Prefix:

Choose Change Database Table Prefix

Click Run. The tool renames every table in your database from the default wp_ prefix to a new, randomly generated one and updates wp-config.php to match. Take a full backup first: a rename that fails halfway leaves the site unable to find its tables.

Database prefix changed successfully

You can verify the result in cPanel / phpMyAdmin: select the database you are using, and every table now carries the new prefix instead of wp_:

The prefix has been changed

Change the Security Key content

The security keys (and salts) are random secrets stored in the wp-config.php file in the public_html root of the WordPress site. When you open wp-config.php you will find a block of eight define() lines for them (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching _SALT values).

WordPress uses these keys to sign login cookies and nonces. They are not regenerated per session; they are fixed secrets, so make sure they are genuinely random and never the installer's placeholder text. Changing them invalidates every existing login cookie, which is exactly what you want after a compromise: if you suspect the site is under attack, rotate the keys (even several times in a week) to force every session, including the attacker's, to log in again. To generate a fresh set, use the WordPress.org secret-key generator at https://api.wordpress.org/secret-key/1.1/salt/, copy its output over the old lines, and click Save to apply the change.

Disable editing and installing themes & plugins from the dashboard

This measure acts as a hard stop for an attacker: with the built-in file editor and installer disabled, someone who obtains an admin login cannot use the dashboard to edit theme or plugin files or upload a malicious plugin, which is the usual next step after a stolen password. It does not undo the compromise, but it stops the intruder from going deeper and limits the damage considerably.

To forbid installing or editing themes and plugins, add two define() lines to wp-config.php (in the public_html root): DISALLOW_FILE_EDIT, which removes the theme and plugin file editors, and DISALLOW_FILE_MODS, which additionally blocks installing and updating plugins, themes and core from the dashboard.

If you later need to install a new plugin or theme, or to edit a file, change true to false in those lines (or comment them out) to switch the restriction off temporarily, then turn it back on. Note that with DISALLOW_FILE_MODS set, the dashboard Update button mentioned earlier is disabled as well, so you must either toggle the constant for each update or apply updates another way (for example with WP-CLI).
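Putting the last three sections together, here is an added example (not the article's code) of the real wp-config.php as it would sit in the private folder next to public_html: the key block, the two dashboard-lockdown constants, and the ABSPATH guard that makes the moved file cooperate with the stub in the web root. Database values and the folder name are placeholders:

```php
<?php
// private-config/wp-config.php: added example of the moved configuration file.
// Not the article's own code; database values are placeholders.

define( 'DB_NAME',     'example_db' );
define( 'DB_USER',     'example_user' );
define( 'DB_PASSWORD', 'replace-with-a-long-random-password' );
define( 'DB_HOST',     'localhost' );
define( 'DB_CHARSET',  'utf8mb4' );
define( 'DB_COLLATE',  '' );

// Security keys and salts. Never leave the installer's placeholder text here;
// paste a fresh set from https://api.wordpress.org/secret-key/1.1/salt/ .
// Changing any of them invalidates every existing login cookie, which is the
// intended effect after a suspected compromise.
define( 'AUTH_KEY',         'paste-a-unique-random-value-here' );
define( 'SECURE_AUTH_KEY',  'paste-a-unique-random-value-here' );
define( 'LOGGED_IN_KEY',    'paste-a-unique-random-value-here' );
define( 'NONCE_KEY',        'paste-a-unique-random-value-here' );
define( 'AUTH_SALT',        'paste-a-unique-random-value-here' );
define( 'SECURE_AUTH_SALT', 'paste-a-unique-random-value-here' );
define( 'LOGGED_IN_SALT',   'paste-a-unique-random-value-here' );
define( 'NONCE_SALT',       'paste-a-unique-random-value-here' );

// Table prefix: whatever the prefix-change tool from the section above set.
$table_prefix = 'wp_';

// Dashboard lockdown.
// DISALLOW_FILE_EDIT removes the Theme File Editor and Plugin File Editor, so
// a hijacked admin account cannot write PHP through the browser.
define( 'DISALLOW_FILE_EDIT', true );
// DISALLOW_FILE_MODS goes further: no plugin/theme uploads AND no dashboard
// updates. Set it to false for the few minutes you need to install or update
// something, then turn it back on.
define( 'DISALLOW_FILE_MODS', true );

// Never enable debug output on a live site; PHP errors disclose file paths.
define( 'WP_DEBUG', false );

// ABSPATH was already defined by the stub in public_html, so this guard is a
// no-op there; it keeps the file usable if it is ever placed in the web root.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}

require_once ABSPATH . 'wp-settings.php';
```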

Set file permissions (CHMOD) on the important configuration files

By default, files in your cPanel hosting have mode 644 and directories 755. Files that hold the configuration of the whole website deserve stricter permissions than the rest, so we tighten access to them. The two important configuration files are wp-config.php and .htaccess.

* For wp-config.php:

Right-click wp-config.php and choose Change Permissions:

Choose Change Permissions

Tick the boxes as shown so that only the owning user can read the file; wp-config.php then has mode 400. This works on cPanel because PHP runs as your own account user (suEXEC or PHP-FPM), so WordPress can still read the file while other accounts on the server cannot. If the site shows a blank page or a database error after the change, PHP on that host runs as a different user; set the mode back to 440 and ask the host rather than returning to 644. Also note that 400 makes the file read-only even for WordPress, so tools that rewrite wp-config.php (such as the prefix-change tool above) need it temporarily set to 600.

Permissions for wp-config.php

* For .htaccess:

The .htaccess file may be hidden by default. To show it, click the Settings button at the top right of the File Manager:

Click the Settings button

In the window that opens, tick Show Hidden Files (dotfiles) and click Save:

Show the .htaccess file

Right-click .htaccess and click Change Permissions:

Change the .htaccess permissions

Tick the boxes as in the image below so that the mode becomes 444 (read-only for everyone), then click Change Permissions to save. Keep in mind that WordPress rewrites .htaccess when you change permalinks, and many caching and security plugins write to it too; with 444 those writes fail silently, so set it back temporarily when you need that and re-apply 444 afterwards:

Choose permissions for .htaccess

Block direct access to wp-config.php

This article keeps coming back to wp-config.php because it is the single most sensitive file in a WordPress site. Here is how to refuse every HTTP request for it, so that even if the PHP handler ever fails and Apache would serve the file as plain text, the browser receives a 403 instead of your database password.

Right-click .htaccess and choose Edit:

Edit .htaccess

Paste the access-denial rule for wp-config.php into .htaccess:

That is all. Be clear about what this does and does not do: the rule stops the web server from serving wp-config.php over HTTP, so nobody can download it from a browser. It does not stop PHP code on the server (a theme, a plugin, or an attacker who already runs code there) from reading or modifying the file, because that happens on the filesystem, not through Apache; for that you rely on the file permissions above. Apply it once the site is stable and in production; while the site is still being built you can switch it off by deleting the rule.

Use a malware scanning plugin

Wordfence Premium: the most popular security plugin for WordPress. It has many useful features: you can see who is visiting your site in real time with details, it tells bots apart from humans, and it blocks potential threats with a firewall and a strong malware scanner. When a file is infected, Wordfence names it and points at the exact code containing the malicious payload, so you can open it and remove it. I use this plugin all the time and it is my number one recommendation for securing a WordPress site.

iThemes Security Pro: a well-known plugin in the WordPress community with advanced measures such as brute-force protection, two-factor login, changing the admin URL, malware scanning and more; everything you need to secure a site is in the Pro version. iThemes Security Pro uses the Sucuri API to scan from an external server, which keeps the scan independent of the (possibly compromised) site and gives fairly accurate results.

Sucuri: an equally solid option, built by experienced security specialists. Sucuri's firewall and scanning are very strong; it detects vulnerabilities and their experts will clean the site, "free" in the sense that the cleanup is included once you have paid for the service. Sucuri is not cheap: expert malware removal comes with a plan costing roughly $500 per site per year.

If your site is infected, use the scanners built into these three plugins to locate the malicious code as early as possible; in my experience they have worked very well. You can combine all three for scanning (especially Wordfence and Sucuri, whose scanners are the strongest), but for day-to-day protection run only one, because overlapping firewalls and scanners slow the site down. If it were me, Wordfence Premium would always be the first choice. You can buy a genuine, low-priced Wordfence Premium licence key here.

Turn off XML-RPC if you do not use it

In any WordPress site you will find a file named xmlrpc.php in the public_html root. The XML-RPC interface has existed for a long time, but since WordPress 3.5 it is always enabled in core and can no longer be switched off from the settings page.

XML-RPC is a protocol for talking to a WordPress site by exchanging XML documents over HTTP. It exposes the WordPress API as well as legacy APIs such as the Blogger API, Movable Type API, MetaWeblog API and the Pingback API.

Normally you use XML-RPC when you publish from an external application such as Windows Live Writer, the WordPress mobile apps or Jetpack, or from services that connect to the site to post, such as IFTTT.

Because XML-RPC is enabled on every WordPress site, it is a favourite target. Its system.multicall method lets an attacker test hundreds of passwords in a single HTTP request, bypassing per-request login limits, and the pingback.ping method can be abused to make your server send requests to a victim, turning it into part of a DDoS. Simply flooding xmlrpc.php with requests is also an easy way to exhaust the server (an HTTP flood, a form of DDoS attack).

To disable XML-RPC, paste the access-denial rule for xmlrpc.php into .htaccess:
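As an added example (not the article's own snippet), here are the Apache 2.4 rules for this section and for the "Block direct access to wp-config.php" section above. Both use the same form: a <Files> container that refuses every HTTP request for the named file. They go into the .htaccess in public_html; the IP address in the commented allowlist is a documentation placeholder:

```apache
# Added example: refuse HTTP requests for the two files (Apache 2.4 syntax).
# This stops downloads of wp-config.php and disables the XML-RPC endpoint;
# it has no effect on how PHP code on the server reads these files.

<Files "wp-config.php">
    Require all denied
</Files>

<Files "xmlrpc.php">
    Require all denied
</Files>

# If an app you rely on still needs XML-RPC (Jetpack, the mobile apps), allow
# only its published addresses instead of blocking everyone. 192.0.2.10 is a
# placeholder from a documentation range.
# <Files "xmlrpc.php">
#     Require ip 192.0.2.10
# </Files>

# Apache 2.2 equivalent (only for hosts that still run 2.2):
# <Files "xmlrpc.php">
#     Order allow,deny
#     Deny from all
# </Files>
```

After saving, a request such as curl -I https://your-site/xmlrpc.php should return 403, and the same check against wp-config.php should also return 403 rather than 200 or a PHP error. The WordPress-side alternative, the xmlrpc_enabled filter, only disables the authenticated methods and leaves pingbacks reachable, which is why the web-server rule is preferable. On an nginx host .htaccess is ignored and the equivalent deny has to go in the nginx site configuration.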

Turn off directory browsing

By default, when a directory has no index file, the web server lists its contents to anyone who opens it, for example by visiting the URL of an uploads or plugin folder:

Everything in the directory is shown, and attackers use such listings to identify installed plugins and their versions, find forgotten backup archives, or pick files to probe for known vulnerabilities:

Directory listing exposed

To protect these folders from being browsed freely, insert the directory-listing directive into the .htaccess file:
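An added example of that directive (not the article's snippet), for the .htaccess in public_html; the URL in the comment is a placeholder:

```apache
# Added example: disable automatic directory listings for public_html and
# everything below it. Files in those directories are still served normally;
# only the auto-generated index page disappears. A request for a bare
# directory such as https://example.com/wp-content/uploads/2024/ now returns
# 403 Forbidden instead of a file list (example.com is a placeholder).
Options -Indexes

# This directive needs the host to permit "AllowOverride Options" for your
# account (cPanel hosts normally do). If the site returns 500 after saving,
# remove the line and rely on the fallback below.

# Fallback that works everywhere: an empty index.php in each folder. WordPress
# itself ships such "Silence is golden" files in wp-content, wp-content/plugins
# and wp-content/themes, so only uploads and custom folders need one.
```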

Block a suspicious IP

Using Wordfence regularly, I often see strange IPs whose behaviour is neither that of a benign bot (Google) nor that of a visitor: they send odd requests that look like probes for vulnerabilities. You can block such an address for the whole hosting account at the web-server level. Note that if you block it with a plugin, the IP may still receive cached pages, because the page cache answers before WordPress (and therefore the plugin) runs. Blocking at the server level means the IP sees nothing except the 403 Forbidden error message: "Access to this resource on the server is denied!"

Block suspicious IPs

To block suspicious IPs, add deny rules to the .htaccess file. Two forms are useful:

* Example 1: list one address per line, for individual IPs.

* Example 2: replace the last number of the address with 0/24, which blocks the whole /24 range (256 addresses) that the IP belongs to, so the attacker cannot get around the block simply by rebooting their modem and receiving a neighbouring address from the same pool.

Be aware that a /24 belongs to the ISP rather than to the attacker's own network, so other customers of that provider are blocked too; use it sparingly. Either way, a determined attacker can still reach the site by resetting their connection until they receive an address outside the range, or by using a VPN or proxy, so treat IP blocking as cleanup rather than as a real control.
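An added example of both forms (not the article's snippet) using the Apache 2.4 authorization directives; the addresses are placeholders from documentation ranges and should be replaced with the IPs Wordfence showed you:

```apache
# Added example: block individual addresses and a whole /24 in .htaccess.
# Apache 2.4 requires the negative rules to sit inside <RequireAll> together
# with a positive rule, otherwise nobody at all is allowed in.
<RequireAll>
    Require all granted
    # Form 1: one address per line
    Require not ip 192.0.2.15
    Require not ip 198.51.100.7
    # Form 2: an entire /24 (256 addresses) in CIDR notation
    Require not ip 203.0.113.0/24
</RequireAll>

# Apache 2.2 equivalent (old hosts only):
# Order allow,deny
# Allow from all
# Deny from 192.0.2.15
# Deny from 203.0.113.0/24
```

One caveat for sites behind Cloudflare (covered later in this article): the web server then sees Cloudflare's edge addresses as the client, so these rules only work if the host restores the real visitor IP (mod_remoteip or the equivalent); otherwise create the block in Cloudflare's firewall instead.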

Add Security Headers

HTTP security headers are a basic part of website security. They tell the browser how to handle your pages and defend against attacks websites commonly face: MIME-type sniffing, clickjacking, code injection and XSS. Below I walk through the most important headers; they are configured on the web server rather than in WordPress, and that is where you should set them.

Once the headers are added, the red warnings on the Security Headers check page turn green. You can check which security headers your site currently sends with an online Security Headers checker, or locally with curl -I against your home page.

* No security headers yet:

No security headers yet

* Full set of security headers:

Full set of security headers added

To add the headers, open .htaccess and append the Header directives described below (they require Apache's mod_headers, which cPanel hosts normally enable):

Header always set X-Frame-Options SAMEORIGIN: supported by all browsers; it stops other sites from embedding your pages in a frame, which is how clickjacking works. Use set rather than append: WordPress already sends this header on admin pages, and append would produce a doubled value.

Header set X-Content-Type-Options nosniff: stops the browser from guessing ("sniffing") a content type different from the one declared, which closes MIME-confusion attacks such as an uploaded file being interpreted as script.

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload": HSTS tells browsers to talk to the site only over HTTPS for the next year (31536000 seconds) and never over plain HTTP. Add it only after HTTPS works on the main domain and on every subdomain, because includeSubDomains covers all of them, and preload asks for the domain to be hard-coded into browsers, which is not quickly reversible.

Header set Content-Security-Policy "script-src 'none';": this particular value disables all JavaScript in the visitor's browser, which will break the WordPress dashboard and most themes. CSP is the strongest header in this list, but it needs a policy tailored to the scripts your site actually loads; start in report-only mode (Content-Security-Policy-Report-Only) and tighten it from there.

Header always set Referrer-Policy "same-origin": instructs browsers to send the Referer header only for requests to your own origin, so outbound links do not reveal which page of your site the visitor came from.

Header set X-XSS-Protection "1; mode=block": enabled the legacy XSS auditor in older browsers. Current Chrome, Edge and Firefox ignore this header (the auditor was removed), so it is harmless but no longer protective; a Content-Security-Policy is the real XSS defence.


Header always set Permissions-Policy "geolocation=(); midi=();notifications=();push=();sync-xhr=();accelerometer=(); gyroscope=(); magnetometer=(); payment=(); camera=(); microphone=();usb=(); xr=();speaker=(self);vibrate=();fullscreen=(self);": controls which browser features (geolocation, camera, microphone, payment, USB and so on) your pages and the iframes they embed may use; an empty () disables the feature entirely, (self) allows it only for your own origin. Note that Permissions-Policy separates features with commas, not semicolons (the semicolon form belongs to the older Feature-Policy header), and that some names in this list (notifications, push, vibrate, speaker, xr) come from that older draft and are ignored by current browsers, which is harmless.

* Combined, the directives above form a single block that you paste into .htaccess and save.

Apply these headers only when you need strict security, because some plugins, themes and site features will be affected (the CSP line above in particular). Enable them one at a time, check the dashboard, the theme, forms and any embedded content (maps, videos) after each change, and decide which to keep and which to switch off.
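As an added example (not the article's own combined snippet), here is a header block for .htaccess that keeps the headers discussed above but with values that do not break a normal WordPress site: set instead of append, comma-separated Permissions-Policy syntax, and a CSP that is deliberately report-only with a permissive starting policy so you can tighten it once the browser console shows no violations. It requires mod_headers:

```apache
# Added example: security headers for the .htaccess in public_html.
<IfModule mod_headers.c>
    # Clickjacking: only our own origin may frame our pages. "set" (not
    # "append") avoids a doubled value on admin pages, where WordPress already
    # sends this header.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Never sniff a MIME type different from the one we declare.
    Header always set X-Content-Type-Options "nosniff"

    # HSTS for one year. Drop "includeSubDomains" and "preload" until every
    # host under the domain serves valid HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Referrer: full URL to our own origin, nothing to third parties.
    Header always set Referrer-Policy "same-origin"

    # Legacy header; ignored by current browsers but harmless.
    Header always set X-XSS-Protection "1; mode=block"

    # Only the features a typical site needs; everything else is off.
    # Entries are comma-separated; browsers ignore unknown feature names.
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), accelerometer=(), gyroscope=(), magnetometer=(), midi=(), fullscreen=(self)"

    # Content Security Policy in report-only mode: violations are logged to the
    # browser console, nothing is blocked yet. 'unsafe-inline' is required by
    # WordPress core; keep 'unsafe-eval' only if the console reports a need for
    # it. frame-ancestors repeats X-Frame-Options for CSP-aware browsers.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; frame-ancestors 'self'; object-src 'none'; base-uri 'self'"
</IfModule>
```

Once the site runs for a while with no CSP reports in the browser console, rename Content-Security-Policy-Report-Only to Content-Security-Policy to start enforcing it. Third-party scripts (analytics, ads, embedded players) each need their host added to script-src or frame-src before enforcement, otherwise the browser blocks them.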

Change the default login URL /wp-admin (wp-login.php)

To log in as Admin you normally go to https://your-site/wp-admin or https://your-site/wp-login.php. This is the default path for every new WordPress site. You can change it to a random or custom name that only you know. This does not fix any vulnerability, but it takes your site out of the mass of automated login attempts aimed at the default URL: attackers generally go after poorly secured sites and tend to skip those whose admin shows some security skill. Treat it as a deterrent, not as a substitute for strong passwords and two-factor authentication.

* Hide the login URL with WPS Hide Login

Change the login URL with the WPS Hide Login plugin

To change the login URL, use a security plugin called WPS Hide Login, available free from the WordPress plugin repository. Install it on the site and open its settings to start the configuration.

After installing the plugin, open Settings / General (the plugin adds its fields at the bottom of that page). Scroll to the last line and change the login URL to the one you want:

Change the login URL

* Hide the login URL with iThemes Security Pro:

Go to Security / Settings / Advanced and select the HIDE BACKEND tab:

Hide the login URL with iThemes Security Pro

Fill in the fields as follows:

  • Login Slug: the new login path you want
  • Register Slug: the new path for the registration page
  • Redirection: where to send anyone who visits the old default login URL

After filling in the information, click Save to apply the changes. Write the new URL down somewhere safe: if you forget it, the only way back in is to deactivate the plugin through FTP or the cPanel File Manager.

Back up the entire Website and store it in a safe place

Backing up is simpler than ever thanks to plugins; you no longer need to back up and restore by hand. A backup lets you restore the full source code and database to an earlier, known-good state, which is also the fastest way to recover from a hack. Back up regularly (weekly, or monthly at least, and always before updates) and store the copies off-site in the cloud (Google Drive, OneDrive) to be safe. Do not keep the only copy on your computer's hard drive or on a USB stick: drives get lost or dropped, and the computer itself can be infected or suffer a Windows failure. Keep several generations rather than just the latest one, so that you can go back to a copy made before an infection started.

Back up the whole site with All-in-One WP Migration

The backup plugin I recommend is All-in-One WP Migration with the Unlimited Extension. It is fast and powerful: with one click, all of your data is packed into a single file, and restoring is just as simple using that file. Test a restore at least once (on a staging site if you can) so that you know the backup actually works before the day you need it.

Disable PHP execution in certain directories

This applies to any website that uses images, which today is every website. Whenever you or someone else uploads an image with an article, there is a chance the file is not really an image: a PHP web shell can be given a .php name or hidden behind a double extension such as photo.php.jpg, and if the web server will execute PHP from the uploads directory, a single upload turns into remote code execution. WordPress blocks .php uploads through the media library, but upload bugs in plugins routinely bypass that check. So we tell the server never to execute PHP under wp-content/uploads, whatever the file is called.

To do this, open cPanel / public_html / wp-content / uploads and click + File to add a new file:

Click add new file

Enter .htaccess as the name of the new file and click Create New File:

Add .htaccess file

Then insert the PHP-blocking rule into this new .htaccess file:

The rule stops the web server from executing PHP scripts anywhere under uploads, whatever the uploaded file is named. It is a web-server control (Apache and LiteSpeed honour .htaccess); on an nginx host the file is ignored and the equivalent deny has to be written into the nginx site configuration.
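An added example of that uploads .htaccess (not the article's snippet), with two complementary layers so that the protection does not depend on a single module being present. It goes beyond a bare .php match to cover double extensions and the other extensions Apache may map to PHP:

```apache
# wp-content/uploads/.htaccess
# Added example: no PHP may execute below this directory.

# 1. Refuse to serve any file whose name carries a PHP-like extension,
#    including double extensions such as shell.php.jpg. The trailing (\.|$)
#    matches ".php" followed by either another dot or the end of the name,
#    which is how Apache's multi-extension handling would otherwise treat
#    shell.php.jpg as PHP.
<FilesMatch "\.(php|php[0-9]|phtml|phar|inc)(\.|$)">
    Require all denied
</FilesMatch>

# 2. If the host runs PHP as an Apache module (mod_php), also switch the engine
#    off for this tree, so even a file that slips past rule 1 is served as
#    text rather than executed. The <IfModule> guards matter: under PHP-FPM
#    these flags are unknown and would otherwise cause a 500 error.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

To confirm it works, create a harmless file such as test.php containing <?php echo 1; in the uploads folder through the File Manager and request it in the browser: the server must answer 403 Forbidden, not "1". Delete the test file afterwards.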

Change user ID 1 using iThemes Security

Run this tool in the iThemes Security Pro plugin to change the ID of the user whose ID is 1. The first account created during installation, normally the administrator, always gets ID 1, so some automated attacks and exploit payloads simply assume that user 1 is the admin; giving that account a different ID breaks those assumptions. An attacker who can query the database or enumerate users through the site can still find the administrator, so this is a minor hardening step rather than a strong control.

To do this, install iThemes Security Pro on the site, go to Security / Tools / Change User ID 1 and click Run to let the tool do the work:

Change the default user ID 1

Limit login attempts using Plugins

Limiting login attempts blocks tools that guess passwords automatically (a classic brute-force attack) and adds another layer after two-factor authentication, so the login is doubly protected. It is easy to do with security plugins that already have this feature built in; you only need to tune the numbers to your own needs.

* Login limits with Wordfence Premium:

Go to Wordfence / All Options / Brute Force Protection and fill in the numbers for each setting:

Limit login attempts
  • Lock out after how many login failures: the number of failed logins before the IP is locked out
  • Lock out after how many forgotten password attempts: the number of password-reset requests before lockout
  • Count failures over what time period: the window in which failures are counted; failures older than this are forgotten
  • Amount of time a user is locked out: how long the lockout lasts
  • Immediately lock out invalid usernames: lock out at once when a username that does not exist is tried (scanners typically try admin, test, editor and the domain name); be careful, a typo in your own username triggers it too

* Limit login attempts with Ithemes Security Pro:

Go to Security / Settings, select the Lockouts tab, then click the settings icon in the Local Brute Force section:

Select the Local Brute Force settings

Tick or fill in the lines for the functions you want to use:

Limit login attempts with iThemes Security Pro
  • Automatically ban "admin" user: immediately lock out anyone who tries to log in with the username admin (do not enable this while your own account is still called admin; rename it first)
  • Max Login Attempts Per Host: maximum failed attempts from one IP address (host here means the client's address, not your server)
  • Max Login Attempts Per User: maximum failed attempts against one username, whatever IP they come from
  • Minutes to Remember Bad Login (check period): how long a failed attempt stays counted

Secure the login and registration pages with reCAPTCHA v3

First, go to the Google reCAPTCHA page and register a new site: Google reCAPTCHA v3.

Click v3 Admin Console:

Click v3 Admin Console

Fill in all the fields:

Fill in the reCAPTCHA information
  • Label: a name for the key you are creating
  • reCAPTCHA type: choose reCAPTCHA v3 (score based), which is what the Wordfence integration expects
  • Domains: your domain name
  • Accept the reCAPTCHA Terms of Service: agree to Google's terms

Then click the Submit button to register:

Click the Submit button

Click the Copy Site Key and Copy Secret Key buttons:

Copy the Site Key and Secret Key

Back on your website, go to Wordfence / Login Security and paste the keys you just copied into the corresponding fields of the plugin:

Fill in the keys you just copied

Click Save to store the settings. reCAPTCHA v3 is now configured; the next time you log in you will see the Google reCAPTCHA badge. reCAPTCHA v3 scores each visitor silently, with no puzzle to solve, and Wordfence blocks or challenges low-scoring login and registration attempts, which stops the spam bots and automated password-guessing tools that hit your login page. Keep the Secret Key secret: it is what lets your server verify scores with Google, and anyone holding it can forge them.

Install Cloudflare to increase WordPress Website security

Cloudflare, Inc. is an American company that provides a content delivery network, Internet security services and DNS services. It sits between your visitors and your hosting provider, operating as a reverse proxy for your website.

You can register a free Cloudflare account to manage your domain, point it at your hosting, absorb DDoS traffic, add a firewall and custom security rules, and block content-scraping bots, all applied at the edge without logging into WordPress. To set up Cloudflare, read this article.

Here are some options you can set to increase security with Cloudflare:

* Enable the Cloudflare proxy:

Enable the Cloudflare proxy

* Enable Bot Fight Mode:

Enable Bot Fight Mode in Cloudflare

* Set firewall rules for visitors:

Set up firewall rules in Cloudflare

* Enable SSL encryption between Cloudflare and your server:

Enable Full SSL in Cloudflare

Once you know your way around it, Cloudflare is extremely powerful for expressing rules that match your needs, and it is particularly good at blocking content-scraping bots (crawlers). Three details make the setup actually protective. First, choose Full (strict) rather than Full for the SSL mode: Full encrypts the Cloudflare-to-origin leg but does not validate the origin certificate, so it still allows a man-in-the-middle between Cloudflare and your server, while Full (strict) requires a valid certificate on the origin (a free Let's Encrypt or Cloudflare Origin CA certificate is enough). Second, proxy every DNS record for the site; a single unproxied record (ftp, mail, a staging subdomain) leaks the origin IP, and an attacker who knows it simply bypasses Cloudflare, so ideally the origin should also accept web traffic only from Cloudflare's published IP ranges. Third, behind the proxy your server sees Cloudflare's addresses as the visitor, so IP blocks in .htaccess only work if the host restores the real client IP; otherwise do the blocking in Cloudflare's firewall.


This article has walked through the best security methods for a WordPress website, step by step. Applying them makes your site considerably harder to compromise. I hope it is useful to you; see you in the next articles.
