6 Steps To Clean And Harden Your Wordpress Website Security With The Free Sucur - Webmasters - Nairaland
6 Steps To Clean And Harden Your Wordpress Website Security With The Free Sucur by todhost(m): 4:51am On Nov 26, 2017
Credit: https://www.todhost.com/blog/website-security/240-6-steps-to-clean-and-harden-your-wordpress-website-security-with-the-free-sucuri-plugin


If your WordPress website has been hacked, or you need to strengthen your security to prevent a hack, then this tutorial will be a good guide. There are several ways to harden your WordPress website security, and it is not possible to discuss them all in one short post such as this one.

Sometimes, implementing a combination of strategies can be a good option. In this post, we will look at steps that will help clean and strengthen the security of your website using the Sucuri security plugin.

This plugin will be useful to identify, remove, and harden your site even after a hack.

Sucuri has devoted years to helping WordPress administrators identify and fix hacked websites. We have put together this guide to help website owners walk through the process of identifying and cleaning a WordPress hack. This is not meant to be an all-encompassing guide, but if followed it should help address 70% of known infections common to WordPress websites. A lot of the guidance is built on the use of the free Sucuri WordPress security plugin.

1.1 Install the Sucuri Plugin

You will begin by installing the free Sucuri plugin. If your WordPress site has been hacked, the free security plugin can help you identify which areas need to be cleaned.
Sucuri actively maintains a free WordPress security plugin with features to enhance security and identify indicators of compromise. This tool will help you perform most of the steps in this guide.

How to install the free Sucuri security plugin:

Log into WordPress as an admin and go to Plugins

Type Sucuri Scanner into the field.

Click Install Now next to Sucuri Security - Auditing, Malware Scanner and Security Hardening.

Activate the plugin.

1.2 Scan Your Site

You can use the Sucuri plugin to scan your site to find malicious payloads and malware locations. Finish all three steps instantly with these affordable, industry-leading WordPress security plans.

Clean Your Site

To scan WordPress for hacks using the Sucuri plugin:

Log into WordPress as an admin and go to Sucuri Security > Malware Scan.

Click Scan Website.

If the site is infected, you will see a warning.

If the remote scanner isn't able to find a payload, continue with other tests in the section. You can also manually review the iFrames / Links / Scripts tab of the Malware Scan to look for unfamiliar or suspicious elements.

If you have multiple websites on the same server we recommend scanning them all (you can also use SiteCheck to do this). Cross-site contamination is one of the leading causes of reinfections. We advise every website owner to isolate their hosting and web accounts.

The Malware Scan feature is a remote scanner that browses the site to identify potential security issues. Some issues do not show up in a browser, instead, they manifest on the server (i.e., backdoors, phishing, and server-based scripts). The most comprehensive approach to scanning includes remote and server-side scanners.

1.3 Check Core File Integrity

Most core WordPress files should never be modified. The Sucuri plugin checks for integrity issues in the wp-admin, wp-includes, and root folders.

How to check core file integrity using the Sucuri plugin:

Log into WordPress as an admin and go to Sucuri Security > Dashboard.

Review the Core Integrity section for the current status.

Any modified, added, or removed files could be part of the hack.

If nothing has been modified, your core files are clean.

Note: You may want to use an FTP client to quickly check for malware in directories like wp-content. We recommend using FTPS/SFTP/SSH rather than unencrypted FTP.

1.4 Check Recently Modified Files

You can identify hacked files by seeing if they were recently modified using the audit logs from the Sucuri plugin.

How to check recently modified files using the Sucuri plugin:

Log into WordPress as an admin and go to Sucuri Security > Dashboard.

Review the Audit Logs section for recent changes.

Unfamiliar modifications in the last 7-30 days may be suspicious.
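The core-integrity check of section 1.3 and the recently-modified-files check of section 1.4 can also be run from a shell on the server itself, which is useful when the plugin cannot be trusted because the site is already compromised. The script below is an added example, not code from the original post or from the Sucuri plugin. It assumes you have a known-clean copy of the same WordPress version unpacked next to the live tree (for example a fresh download), and that sha256sum, find and awk are the GNU versions found on most Linux hosts. The demo functions build constructed sample trees in temporary directories; the touch -t call in them only simulates an old file for the demonstration.

```shell
#!/bin/sh
# Added example: offline versions of the "core integrity" and "recently modified"
# checks. Assumes a clean copy of the same WordPress version and GNU coreutils.

# Print "relative-path<TAB>sha256" for every regular file under $1, sorted by path.
make_manifest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "${f#./}" "$(sha256sum "$f" | cut -d' ' -f1)"
    done)
}

# Compare a live tree ($2) against a clean tree ($1). Prints one line per difference:
# ADDED, MODIFIED or REMOVED followed by the path. Content hashes decide, not
# timestamps, so a file whose mtime was reset by an attacker is still reported.
compare_trees() {
    base_manifest=$(mktemp); live_manifest=$(mktemp)
    make_manifest "$1" > "$base_manifest"
    make_manifest "$2" > "$live_manifest"
    awk -F'\t' '
        FILENAME == ARGV[1] { base[$1] = $2; next }   # first file: clean manifest
        !($1 in base)       { print "ADDED " $1; next } # only in the live tree
        base[$1] != $2      { print "MODIFIED " $1 }    # same path, different content
                            { delete base[$1] }         # seen; whatever is left is gone
        END { for (p in base) print "REMOVED " p }
    ' "$base_manifest" "$live_manifest" | LC_ALL=C sort
    rm -f "$base_manifest" "$live_manifest"
}

# List files under $1 whose mtime is within the last $2 days (the audit-log style
# check from section 1.4). Cheap, but timestamps can be forged; prefer compare_trees.
recently_modified() {
    (cd "$1" && find . -type f -mtime -"$2" | sed 's|^\./||' | LC_ALL=C sort)
}

# Constructed demo: a clean copy and a live copy that differ in three files.
demo_compare() {
    clean=$(mktemp -d); live=$(mktemp -d)
    mkdir -p "$clean/wp-includes" "$live/wp-includes" "$live/wp-content"
    printf '<?php // original\n' > "$clean/index.php"
    printf '<?php // original\n' > "$live/index.php"
    printf '<?php // core\n' > "$clean/wp-includes/version.php"
    printf '<?php // core\n' > "$live/wp-includes/version.php"
    printf '<?php // helper\n' > "$clean/wp-includes/functions.php"
    printf '<?php // helper\n// extra line that is not in the clean copy\n' > "$live/wp-includes/functions.php"
    printf '<?php // file not present in the clean copy\n' > "$live/wp-content/dropped.php"
    printf '<?php\n' > "$clean/wp-settings.php"   # present only in the clean copy
    compare_trees "$clean" "$live"
    rm -rf "$clean" "$live"
}

# Constructed demo: one old file (timestamp pushed back to 2020) and one fresh file.
demo_recent() {
    live=$(mktemp -d)
    printf 'old\n' > "$live/old.php"; touch -t 202001010000 "$live/old.php"
    printf 'new\n' > "$live/new.php"
    recently_modified "$live" 30
    rm -rf "$live"
}

# Real use: compare_trees /path/to/clean-wordpress /var/www/html
# (then inspect each ADDED/MODIFIED path by hand before deleting or restoring it)
```

Run compare_trees against the whole document root, not only wp-admin and wp-includes: the plugin's core check deliberately skips wp-content, but that is where a comparison against your own last known-good backup pays off most.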

1.5 Confirm User Logins

You can review the list of recent user logins to check if passwords have been stolen or new malicious users have been created.

How to check recent logins using the Sucuri plugin:

Log into WordPress as an admin and go to Sucuri Security > Last Logins.

Confirm the list of users and the time they logged on.

Unexpected login dates/times could indicate a user account has been hacked.

General Guide to a Strong WordPress Website Security

Here are 4 basic steps we have recommended as necessary to secure your WordPress website:

1. Use HTTPS Domains

A secure sockets layer (SSL) can make sure that the information traveling from your site goes directly to the person accessing it. These secured websites are often identified by the HTTPS in front of the domain name. This denotes the site is secured through encryption and is next to impossible to intercept. With SSL, you build customer confidence.

Encrypting the information sent to your visitors eliminates the risk of compromised data transfers. This keeps information safe from snooping while reducing the risks of stealing login credentials. In this environment, by using an SSL on your site, you are helping yourself as well as those who visit your website.

NOTE: Using the HTTPS solution for domains doesn't mean that you are hack-proofing your website. In fact, these focus more on encrypting data transfers from your pages to the visitor. However, it does prevent others from spying on that data transmission and accessing the visitor's login credentials. This information could be used to gain access to the site in order to find other exploits. It's like putting a curtain around an ATM machine. This would give privacy as well as stop someone from looking over a person's shoulder to see the PIN code.

2. Index Pages In All Folders

Folders that do not have an index.html page will display contents such as other folders and file systems. This will show the average visitor what exactly is in your website's structure. If you're trying to hide an admin folder or other piece of information, these areas can give hackers a way to identify access points.

This is an easy hole to plug for the most part. A blank index.html will prevent browsers from stumbling across a folder without a page. You will want to check all of your folders to make sure there is an index available. If there isn't one, you can create this using text editor software such as Notepad. Save a blank document as index.html and upload it to the folder in question.
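Checking every folder by hand is tedious on a WordPress install with hundreds of directories, so here is the same procedure as a shell function. This is an added example, not code from the original post. It treats a directory that already holds an index.php (WordPress ships "Silence is golden" placeholders in many of its folders) as covered, so only directories with neither index.html nor index.php get a blank index.html. The demo function builds a constructed sample tree in a temporary directory.

```shell
#!/bin/sh
# Added example: create an empty index.html in every directory under $1 that has
# neither index.html nor index.php, printing each directory that was fixed.
# Assumes a POSIX shell with find; run it from the web root of the site.
add_missing_indexes() {
    (cd "$1" && find . -type d | LC_ALL=C sort | while IFS= read -r d; do
        if [ ! -e "$d/index.html" ] && [ ! -e "$d/index.php" ]; then
            : > "$d/index.html"          # zero-byte file, the "blank document" from the post
            printf '%s\n' "${d#./}"
        fi
    done)
}

# Constructed demo: the root and wp-content/plugins already have index.php, the
# upload folders have nothing, so only those three are reported and fixed.
demo_indexes() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2017" "$root/wp-content/plugins"
    printf '<?php\n' > "$root/index.php"
    printf '<?php // Silence is golden.\n' > "$root/wp-content/plugins/index.php"
    add_missing_indexes "$root"
    # A second pass must find nothing; the function is idempotent.
    leftover=$(add_missing_indexes "$root")
    [ -z "$leftover" ] || printf 'ERROR: second pass still found %s\n' "$leftover"
    rm -rf "$root"
}

# Real use: add_missing_indexes /var/www/html
```

Note what this does and does not buy you: a blank index page stops the directory listing, but anyone who already knows a file's name can still request it directly. If the host runs Apache, the directive Options -Indexes in a .htaccess file at the web root turns listings off for the whole tree in one place; that is a complement to the post's method, not part of it.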

Most attacks are performed on those who are easy targets. Unless you operate a high-risk or very public website, most hackers will quickly give up on something that shows any kind of a resistance. Although this measure won't absolutely stop those who are determined to access your site, it does act as a deterrent. It's a bit like posting a sign in your lawn that says your home is being monitored. Most criminals will move on because the risk is too great for an unknown reward.

3. Routine Tests for Vulnerabilities

The more popular your website becomes, the greater the threat could be for security. By using a cyber-security organization or even security plugins to test your site's functionality, you can address exploits quickly. Usually, these companies and plugins have extensive tools and capabilities that are used to test the limits of your website. When considering the alternatives, having security measures such as these can be enlightening for finding its weak points.

Penetration Attempts

An extremely useful procedure is that of penetration analytics. Essentially, you'll hire a cyber security company or use high-end software with the sole purpose of hacking your own site. Since you're in control during this procedure, there is less of a threat when discovering the holes in security. The resulting reports will show you the weak spots in your site and how to seal them up.

Validate All Code

Preventing cross-site scripting can save your visitors a great deal of trouble. This is done when someone visits a page that has been injected with a JavaScript payload. This payload can contribute to a variety of problems such as impersonating a user through the use of cookies or play into remotely activating things such as webcams and microphones. Having security software routinely check your website can eliminate the threat of XSS attacks such as these. By making sure the coding is constantly legit, you can improve online privacy protection for your visitors.

4. Deny Access Through .htaccess

This has been one of the strongest approaches to website security. The .htaccess file can be used to help eliminate access to your login page from any IP address other than your own. Although there are ways to circumvent this measure, it's still a very useful stopgap to prevent those looking for an easy target. This kind of a method is ideal for websites that use WordPress or other content management systems. You can edit the .htaccess file with Notepad or use your online editing system such as that provided by cPanel. In the .htaccess file located in your admin folder, enter the following:

Order deny,allow
Deny from all
Allow from X.X.X.X

In place of the X, use the connection IP address that is assigned to you by your Internet service provider. In the event you have others working on the site with you, simply add another Allow from line under the first with their IP addresses as well.

The downside to this method is that you must keep it updated should your IP address change. Not everyone pays for a static IP address, and many ISPs will change the number you use once every eight days or so. One way to get around this problem is to only input the first two series of the IP address. For example, 123.456. This will allow you to continue accessing those pages from that specific ISP. You can use this method to protect your folders/directories by adding the code above in all folders. Remember that you have to create the .htaccess file before adding the above restriction through the .htaccess file.
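Two practical points about the .htaccess rules above are worth carrying into a script. First, Order/Deny/Allow is Apache 2.2 syntax; Apache 2.4 only honours it when the compatibility module mod_access_compat is loaded, and otherwise expects Require ip. Second, a typo in the address locks everyone out, including you, so the address should be checked before it is written. The function below is an added example, not code from the original post. It validates each address as a full or partial dotted IPv4 address (each octet 0 to 255; a partial address such as 203.0 is the post's "first two series" trick, which Apache matches as a prefix) and writes both syntaxes inside <IfModule> blocks so the same file works on either Apache generation. The addresses in the usage line are documentation ranges chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): generate the .htaccess allow-list
# described above, checking each address first and emitting both the Apache 2.2
# syntax used in the post and the Apache 2.4 "Require ip" equivalent.

# Accept a full or partial dotted IPv4 address: 1 to 4 octets, each 0-255.
valid_ipv4_prefix() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, bad characters, stray dots
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                  # split on dots into positional parameters
    IFS=$old_ifs
    [ "$#" -le 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# write_admin_htaccess FILE ADDR... : refuse invalid addresses, then write the rules.
# The <IfModule> pair makes the file work on Apache 2.4 (mod_authz_core) and on
# older servers that still use Order/Deny/Allow.
write_admin_htaccess() {
    out=$1; shift
    [ "$#" -ge 1 ] || { echo "write_admin_htaccess: at least one address required" >&2; return 1; }
    for addr in "$@"; do
        valid_ipv4_prefix "$addr" || { echo "write_admin_htaccess: invalid address '$addr'" >&2; return 1; }
    done
    {
        echo "# Only the listed addresses may reach this directory"
        echo "<IfModule mod_authz_core.c>"
        for addr in "$@"; do echo "    Require ip $addr"; done
        echo "</IfModule>"
        echo "<IfModule !mod_authz_core.c>"
        echo "    Order deny,allow"
        echo "    Deny from all"
        for addr in "$@"; do echo "    Allow from $addr"; done
        echo "</IfModule>"
    } > "$out"
}

# Usage (example paths and addresses):
#   write_admin_htaccess /var/www/html/wp-admin/.htaccess 203.0.113.7 198.51.100.0
```

Keep the allow-list as short as the post recommends: every partial address widens the range to that ISP's whole block, so check the first octets are really yours (each must be 255 or less, which the validator enforces) and test the new file from a second browser session before closing the one you used to write it.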

Re: 6 Steps To Clean And Harden Your Wordpress Website Security With The Free Sucur by Dmayor7(m): 5:31pm On Nov 26, 2017
This article is superb. You just made a very elaborate explanation here.

I love it.

Also, I have written a cool article about The Basic WordPress Security Tips that anyone can do right now whether you are a WordPress pro or newbie.

Check it out.

Kudos.
Re: 6 Steps To Clean And Harden Your Wordpress Website Security With The Free Sucur by gaced: 5:52pm On Nov 26, 2021
Website security is incredibly important, especially for businesses or websites hosting personal information such as social media and career portfolios. There are many ways to test your website's security, whether it be on your own or through a third party.

1. Test Your Website Yourself

Probably the most affordable option is to test the security yourself. However, for those who aren’t particularly computer savvy, this may end up being more confusing and time-consuming than is worth it. If you’re confident in your abilities, here’s what you can do on your own:

User Login Testing
Read more from source
