How do you handle WordPress security on your sites?


Hey everyone! How do you handle security for your WordPress sites? I’m curious to know which tools, plugins, or best practices you rely on to keep your site safe.

Looking forward to hearing what’s worked best for you!

11 Comments
  1. Plugins I used:
    1. Cloudflare Turnstile
    2. All in one security
    3. WPS Hide login
    4. Wordfence

  2. I use Cloudways for my server and they have some built-in security features that work great.
    Used to be with HostGator and got hacked multiple times – since switching to Cloudways no issues – granted they are more expensive.

  3. Cloudflare WAF & Rate Limit Rules, WordFence, ModSecurity on Ubuntu Server. ModSecurity will block a lot of stuff and can be customized, but WordFence also does a lot of it if you don’t know ModSecurity.

    For Cloudflare, make a rule that blocks blank user agents, and also max out rules for rate limiting URLs that contain these words: /wp-login, /xmlrpc, password, and login. This is the best solution because it never reaches your server, saving lots of resources, but you also need to only allow Cloudflare proxy IPs to access your server, and not allow direct access through server IP.

  4. I am security. Security apps are pointless unless you or your clients are lazy. Keep things up to date and clean and you’ll never have issues. If a site has multiple admins I always recommend MFA or 2FA. Have fun.

  5. Security is a layered approach. I don’t like to promote, but I have a security guide that consists of code snippets you put in your .htaccess if you are using either Apache or LiteSpeed. I can send you the link to it. It has over 50 or so snippets and it locks it down where the NSA would not be able to get in.

  6. Cloudflare. Virusdie. Ninja Firewall (depending on the set up).

    I know it’s not necessarily the done thing, but I always develop a dev site on my server – no surprises that way with migration. Ninja Firewall is the first plugin I always install.

  7. The best would be to not use WordPress, seriously. There are so many widespread plugins which have some serious security issues or data leaks. These plugins usually remain unpatched. It’s easier to attack the supply chain (the plugins) rather than a webhosting itself.

    Wordfence seems pretty good to me if you really want to go with WordPress.

  8. Along with running a number of security items (Wordfence 2fa etc) and others from the server level, I put this into my .htaccess of all the domains

    # DENY ACCESS TO WPADMIN LOGIN PAGE
    # Apache 2.2 access-control syntax; Apache 2.4 needs mod_access_compat for these directives
    <FilesMatch "^(wp-login\.php)">
    Order Allow,Deny
    Allow from xxx.xx.xxx.xxx
    </FilesMatch>
    # /END DENY ACCESS TO WPADMIN LOGIN PAGE

    replace Allow from xxx.xx.xxx.xxx with your IP

    Oh and I do a full file system+DB backup server 2 times/day offloaded to another server.
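
An added example (not written by anyone in the thread) that audits an origin access log for requests the Cloudflare rules described in comment 3 should have stopped: blank user agents, peers outside the proxy ranges, and bursts against the login-related URLs. It assumes combined log format with the connecting peer address in the first field; `PROXY_NETS`, `audit` and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder range (RFC 5737 documentation space); replace it with
# the proxy ranges your CDN publishes.
PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]
SENSITIVE = ("/wp-login", "/xmlrpc", "password", "login")  # words listed in comment 3
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def audit(lines, proxy_nets=PROXY_NETS, max_per_minute=3):
    """Return sorted (reason, peer_ip, detail) findings for combined-format log lines."""
    findings, bursts = set(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, path, ua = m["ip"], m["path"].lower(), m["ua"].strip()
        try:
            peer = ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is a hostname, cannot be range-checked
        if not any(peer in net for net in proxy_nets):
            findings.add(("direct-origin-hit", ip, path))  # bypassed the proxy
        if ua in ("", "-"):
            findings.add(("blank-user-agent", ip, path))
        if any(word in path for word in SENSITIVE):
            bursts[(ip, m["ts"][:17])] += 1  # bucket per peer and minute
    for (ip, minute), count in bursts.items():
        if count > max_per_minute:
            findings.add(("login-burst", ip, f"{count} hits in {minute}"))
    return sorted(findings)

# Constructed log lines, not taken from a real server.
SAMPLE = [
    '198.51.100.7 - - [10/Oct/2024:13:55:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2024:13:55:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 90 "-" "-"',
] + [
    f'198.51.100.7 - - [10/Oct/2024:13:56:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"'
    for s in range(4)
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

If the web server is configured to log the visitor address restored from a proxy header instead of the peer address, the range check has to run on a log field that still records the peer.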

 
