Settings
- Under "Settings", create backups of .htaccess and wp-config.php (store the copies where they cannot be fetched over the web: wp-config.php holds the database credentials and the salts)
- WP Version Info: hide it (whitelabeling). Removes the WordPress version metadata from the page source, because bots search for it to pick their targets. This removes one fingerprint only; keeping core, themes and plugins updated is what actually closes the holes
- Import/Export: allows exporting and importing the plugin settings
User accounts
- Username: important -> get rid of "admin" (create a new administrator with a different name, attribute the content to it, then delete "admin"); it is the first username every brute-force script tries
- Display name: should differ from the username, otherwise the login name is published next to every post
- Password: strength can be tested here
Login Lockdown
- Enable Login Lockdown Feature
- Max Login Attempts: enable (5 is a sensible value)
- "Instantly lockout invalid usernames": better not to activate, because a single typo in your own username locks you out
IP whitelisting
- Enter your own IP address here, for example, so that you do not lock yourself out (only useful from a fixed IP address)
- To find your own IP address -> tab "Logged In Users"
Tab "Failed Login Records"
- Collection of the failed logins (username, IP, time)
Force Logout
- Counts the time during which nothing is done on the page
- Sets after how much idle time a user is automatically logged out (recommended: 120 min)
Account Activity Logs
- Shows the login activity (who logged in, from which IP, when)
Registration
- "Enable manual approval of new registrations": stops accounts from being activated automatically (do not activate on a shop or forum site where users must register on their own)
- Registration: enable captcha
- Registration: honeypot. Creates a hidden field that a human does not see but a bot fills in; a submission with that field filled is rejected
Database
- DB prefix: better to change the prefix right at installation; changing it afterwards through the plugin is somewhat risky, so take a database backup first
- Automatic backup: twice a month
Access Permissions (on a file basis)
- What is meant are the file permissions: Read | Write | Execute, set separately for the owner, the group and the public (everyone else)
- Each octal digit adds up read (4), write (2) and execute (1):

Mode | Owner permission | Group permission | Public permission
755  | rwx (4+2+1)      | r-x (4+1)        | r-x (4+1)
644  | rw- (4+2)        | r-- (4)          | r-- (4)

- 755 is the target for directories
- For files, and for security reasons in particular for .htaccess and wp-config.php, 644 should be set: only the owner writes, everyone else only reads
- Avoid a public write bit (xx6 / xx7): any other process on the host could then alter the file
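The following script is an added example (not part of the original notes and not the plugin's own check) that audits a WordPress tree against the 755/644 baseline described above, flags anything world-writable, and can apply the baseline. The document-root path it defaults to is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit a WordPress tree
# against the 755 (directories) / 644 (files) baseline described above,
# flag anything world-writable, and optionally apply the baseline.
# The default path is an assumption; point it at your own document root.

# Print one line per deviation. 640/600 on a file is stricter than 644 and
# is accepted (sensible for wp-config.php when the web server can still read it).
audit_wp_perms() {
  root="$1"
  # Directories must be 755: owner rwx, group and public r-x
  find "$root" -type d ! -perm 755 -print | sed 's/^/DIR  not 755: /'
  # Regular files must be 644 (or stricter): only the owner may write
  find "$root" -type f ! -perm 644 ! -perm 640 ! -perm 600 -print \
    | sed 's/^/FILE not 644: /'
  # The "others" write bit (octal 002) is a finding on its own
  find "$root" -perm -002 -print | sed 's/^/WORLD-WRITABLE: /'
}

# Number of findings; 0 means the tree matches the baseline.
count_perm_findings() {
  audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Apply the baseline: 755 on directories, 644 on files.
fix_wp_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
}

# Stand-alone usage (assumed path): ./perms.sh --run /var/www/html
if [ "${1:-}" = "--run" ]; then
  audit_wp_perms "${2:-/var/www/html}"
fi
```

Run the audit first and read the list before applying the fix: on hosts where PHP runs as a different user than the file owner, 600 on wp-config.php would break the site, which is why the audit accepts 640/600 but the fix only sets 644.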
Disable editing of PHP files
- PHP File Editing: disables the theme and plugin editor in the dashboard (an attacker who obtains an admin session could otherwise drop PHP code straight from the browser)
WP File Access
- Blocks access to the default WordPress install files (readme.html, license.txt, wp-config-sample.php), which only serve to reveal the installed version
Blacklist Manager
- If suspicious login attempts show up under "User Login -> Account Activity Logs" or "Failed Login Records" (e.g. many attempts from the same IP), enter that IP under "Enter IP Addresses" to lock it out
- Check first that the address is not a shared proxy or your own office gateway, otherwise legitimate users are locked out with it
Firewall
- Enable Basic Firewall: protects .htaccess and wp-config.php from being read over the web
- WordPress XMLRPC & Pingback Protection: blocks external access to xmlrpc.php, the usual channel for pingback abuse and for brute-forcing many passwords per request (if something stops working, e.g. a mobile app or Jetpack, disable it again)
- Block Access to Debug Log File: debug.log is where WordPress writes PHP errors when WP_DEBUG_LOG is on; it leaks file paths and error details, so it must not be readable from outside
- Additional Rules: Disable Index View suppresses directory listing
Trace and Track
- Blocks the HTTP TRACE/TRACK methods; note whether it affects tools that interact with the site (e.g. Google Analytics)
- Proxy Comment Posting: if a comment is posted from behind a proxy, the comment is rejected: activate
- Bad Query Strings: requests whose query strings look like spam or injection attempts are blocked
6G Blacklist Firewall Rules
- Enable 6G Firewall Protection: uses the 6G blacklist from "perishablepress.com", an up-to-date set of rules against known bad request patterns (request URIs, query strings, user agents); a request that matches one of them is blocked
Internet Bots
- Block Fake Googlebot: blocks bots that claim to be Googlebot in their user agent but do not come from Google's network: activate
Hotlinks
- Prevent Hotlinking: hotlinking is when another domain embeds your self-hosted images directly, consuming your bandwidth: enable
404 Detection
- Logs the IPs of visitors who request many non-existent pages (typical of scanners probing for files); such IPs can then be locked out: activate
Custom Rules
- Rules written here are inserted into ".htaccess" dynamically by the plugin, so if the .htaccess is regenerated or replaced, the rules are written back and still apply
- A syntax error in a custom rule takes the whole site down with a 500 error, so test on a copy first
Brute Force
- Brute force: thousands of login attempts with random "username & password" combinations; apart from the risk of a successful guess, the load at some point paralyses the server
- Rename Login Page: wp-login.php is renamed, e.g. from wp-login to "start"
Cookie Based Brute Force Protection
- Cannot be activated while "Rename Login Page" is active (pick one of the two)
Login Captcha
- For the login form
- For the lost password form
Login whitelist
- Enter the IPs that must keep access to the login page here; make sure your own (fixed) address is among them
Honey Pot
- Again a hidden form field that only bots fill in, this time on the login form: activate
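The "same IP, many attempts" pattern from the Blacklist Manager and Brute Force sections above can be pulled out of the web server's access log directly. The script below is an added example, not code from the original notes or from the plugin: it counts POSTs to wp-login.php and xmlrpc.php per client IP over a constructed sample log and emits an Apache 2.4 deny block of the kind one would paste into Custom Rules. The log lines, the threshold of 5 and the log path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original notes or the plugin: detect the
# "same IP, many login attempts" pattern in an Apache combined-format log
# and emit an Apache 2.4 deny block. The log lines are constructed for the
# example; the threshold and the log path are assumptions.

# Write a constructed sample log to the file given as $1.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:43 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:45 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Oct/2023:14:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.33 - - [10/Oct/2023:14:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.33 - - [10/Oct/2023:14:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.33 - - [10/Oct/2023:14:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.33 - - [10/Oct/2023:14:01:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:14:10:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:10:09 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:10:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Print, sorted, the client IPs that POSTed to wp-login.php or xmlrpc.php
# at least $2 times (default 5) in log file $1. The query string is stripped
# before matching, so /wp-login.php?redirect_to=... counts as well.
brute_force_ips() {
  awk -v t="${2:-5}" '
    $6 == "\"POST" {
      split($7, u, "?")
      if (u[1] == "/wp-login.php" || u[1] == "/xmlrpc.php") n[$1]++
    }
    END { for (ip in n) if (n[ip] >= t) print ip }
  ' "$1" | sort
}

# Emit an Apache 2.4 block that keeps the site open but refuses the given IPs.
htaccess_deny_block() {
  printf '<RequireAll>\n  Require all granted\n'
  for ip in "$@"; do
    printf '  Require not ip %s\n' "$ip"
  done
  printf '</RequireAll>\n'
}

# Stand-alone usage on an assumed log path:
#   ./bf.sh --run /var/log/apache2/access.log
if [ "${1:-}" = "--run" ]; then
  htaccess_deny_block $(brute_force_ips "${2:-/var/log/apache2/access.log}" 5)
fi
```

The two-attempt client stays below the threshold and is not listed, which is the point of thresholding rather than blocking on the first failed login: a user who mistypes a password twice must not end up in the blacklist.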
Spam
- Captcha for comments: activate
- Block Spambots From Posting Comments: spam bots try to POST to the comment handler directly without ever loading the page; this setting rejects requests that do not originate from the comment form itself
Comment SPAM IP Monitoring
- Auto Block SPAM Comment IPs: if spam comments have already come in from an IP (and were marked as spam), that IP can be blocked; Akismet does not have to be installed for this
Scanner: takes a snapshot of all files (file change detection)
- If the site is hacked (files modified, added or removed), you receive an e-mail
- Important -> Files to ignore: jpg | png | bmp, otherwise you get a notification on every image upload
- Important -> Directories to ignore: add the cache directory when a caching plugin is active, otherwise the constantly changing cache files trigger alerts
- The first scan only records the baseline; a site that is already compromised at that point gets a "clean" baseline
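To make the ignore settings above concrete, here is an added example of a minimal file-change scanner of the same shape (not the plugin's scanner and not from the original notes): it hashes every file under the site root except image extensions and one ignored directory, stores that as the baseline, and reports what was added, changed or removed since. The ignored directory wp-content/cache, the extension list and the paths in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: a minimal file-change
# scanner of the kind the Scanner section describes. Image extensions and
# one directory (assumed: wp-content/cache) are skipped so that uploads
# and a caching plugin do not raise alerts. Paths with spaces are not handled.

# Pick a SHA-256 tool: sha256sum (GNU coreutils) or shasum (BSD/macOS).
if command -v sha256sum >/dev/null 2>&1; then HASH=sha256sum; else HASH="shasum -a 256"; fi

# Print "hash  ./relative/path" for every file that is not ignored.
# $1 = site root, $2 = directory relative to root to skip (default wp-content/cache)
scan_baseline() {
  skip="${2:-wp-content/cache}"
  ( cd "$1" && find . -type f \
      ! -path "./$skip/*" \
      ! -iname '*.jpg' ! -iname '*.jpeg' ! -iname '*.png' ! -iname '*.bmp' \
      -exec $HASH {} + ) | sort -k2
}

# Compare a saved baseline file ($1) with the current state of root $2 (skip $3).
# Prints ADDED / CHANGED / REMOVED lines, sorted; no output means no change.
scan_diff() {
  current=$(mktemp)
  scan_baseline "$2" "$3" > "$current"
  awk '
    FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: the baseline
    {
      if (!($2 in base))        print "ADDED   " $2
      else if (base[$2] != $1)  print "CHANGED " $2
      seen[$2] = 1
    }
    END { for (p in base) if (!(p in seen)) print "REMOVED " p }
  ' "$1" "$current" | sort
  rm -f "$current"
}

# Stand-alone usage (assumed paths):
#   ./scan.sh baseline /var/www/html > /var/backups/wp-baseline.txt
#   ./scan.sh diff /var/backups/wp-baseline.txt /var/www/html
case "${1:-}" in
  baseline) scan_baseline "$2" "$3" ;;
  diff)     scan_diff "$2" "$3" "$4" ;;
esac
```

Keep the baseline file outside the web root and out of the tree being scanned; otherwise an attacker who can write files can also rewrite the baseline, and the scanner would report the tampered state as clean.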