How to protect WordPress from hacker attacks

Hacker attacks have become increasingly frequent in recent years, especially against sites and blogs built with a CMS (WordPress, Joomla, etc.). Avoiding a well-built hacker attack is almost impossible, but there are several measures that can ward off most hacker attacks.

ALWAYS UPDATE WORDPRESS

In my opinion, this is the most important thing that every self-respecting WordPress user must always do. Updates do not only make aesthetic and functional changes; they almost always fix bugs of all kinds. This way, hackers will not be able to exploit the holes opened by bugs in previous versions of WordPress.

USE RESISTANT PASSWORDS

The password is a fundamental element, therefore it must be as complex as possible. Following WordPress tips, here's what a password should look like:

- length of at least 8 alphanumeric characters, i.e. both letters and numbers, perhaps even mixing uppercase and lowercase
- it must not contain the associated username, nor the person's own name or surname
- avoid using meaningful words, such as birthday88; rather use something like c8eanmopl8no
- use special characters like # @ ! ?
- use software to generate secure passwords, for example IOBit
- do not use dates, numbers-only passwords, or real names as passwords

TOTAL BACKUP OF THE SITE / BLOG

If you have a working backup you are always safe! And remember backups should always be tested.

It is highly recommended to make a total backup (FTP + database), in order to avoid hacker attacks aimed at eliminating parts of the site and / or database.

DO NOT USE THE ADMIN USER NAME

The username Admin is the standard user assigned to every WordPress installation, so the hacker easily knows the username. My advice is to always change your username when installing WordPress.

LIMIT THE NUMBER OF LOGIN ATTEMPTS ON WORDPRESS

There are various WAFs available for WordPress; here I would recommend two: Sucuri and Wordfence, even at the expense of server performance!

Wordfence limits how many times a user can retry logging in to the blog / site. After a set number of unsuccessful attempts within a certain number of minutes, the user's IP address will be blocked for as long as you want, up to 24 hours. Thanks to this plugin you can avoid brute-force attacks.

INCREASE THE SECURITY OF THE WP-CONFIG.PHP FILE

The wp-config.php file contains all the passwords for accessing the database. Just add these lines to the .htaccess file and anyone requesting the file through the web server will be denied access:

# protect wp-config.php
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

CHANGE THE TABLE PREFIX IN THE DATABASE

WordPress tables always have the prefix wp_, so the hacker knows this too. Change the table prefix to a name of your choice (not too long). The prefix can be changed during the installation of WordPress or with the wp security scan plugin, which lets you make this change from the database section in just one click.

EDIT FOLDER AND FILE PERMISSIONS

File permissions must be set to 644 and folder permissions to 755. You will thus avoid finding yourself with modified or deleted files.
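To check an existing installation against these values, the following script is an added example and not part of the original article. It assumes 644 and 755 are treated as upper bounds (so a stricter mode such as 600 is left alone); the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

FILE_MAX = 0o644  # the article's value for files
DIR_MAX = 0o755   # the article's value for folders

def audit_permissions(root):
    """List entries under root that grant bits beyond FILE_MAX / DIR_MAX."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):  # symlinked dirs are not followed
        candidates = [(dirpath, DIR_MAX)]
        candidates += [(os.path.join(dirpath, name), FILE_MAX) for name in filenames]
        for path, allowed in candidates:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # chmod would act on the link target, so skip links
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~allowed:  # any permission bit outside the allowed mask
                findings.append({"path": path, "mode": mode, "allowed": allowed,
                                 "world_writable": bool(mode & stat.S_IWOTH)})
    return findings

def fix_permissions(findings):
    """Clear only the excess bits; stricter modes such as 600 stay untouched."""
    for item in findings:
        os.chmod(item["path"], item["mode"] & item["allowed"])
    return len(findings)

if __name__ == "__main__":
    # Constructed sample tree standing in for a WordPress install.
    with tempfile.TemporaryDirectory() as root:
        content_dir = os.path.join(root, "wp-content")
        os.mkdir(content_dir)
        os.chmod(content_dir, 0o777)
        for name, mode in (("index.php", 0o644), ("wp-config.php", 0o666)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        for item in audit_permissions(root):
            flag = " WORLD-WRITABLE" if item["world_writable"] else ""
            print(f'{item["path"]}: {item["mode"]:o} exceeds {item["allowed"]:o}{flag}')
        print("fixed:", fix_permissions(audit_permissions(root)))
```

Run the audit first and review the list before calling fix_permissions, since some hosts need specific folders writable by the web server user.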

PERIODIC CHECK OF THE WORDPRESS BLOG / SITE

Periodically check whether your blog or site has been hit by a hacker attack. Connect to this address, enter the URL of your site / blog and click Scan Website. After launching the scan, go to Website Blacklist Report to check whether all the entries (which correspond to the various types of viruses and malware) are green; otherwise it means that that type of threat is present on the site, and the infected files will also be indicated.



Article by Andrea Lupi - https://www.guida-wordpress.com/
