WordPress Attacks Prevention and Content Protection

ATTACKS PREVENTION

It is strongly recommended to install a comprehensive security plugin in your WordPress. There are many plugins out there, but one of the most popular is iThemes Security, which can be downloaded here: https://wordpress.org/plugins/better-wp-security/

iThemes Security is one of the most user-friendly security plugins on the market. It does more than most others at the application layer (jQuery, hiding the backend, etc.) and is best paired with a network protection service such as CloudFlare rather than with other plugins that try to do the same thing.

Alternatively, you can use Wordfence as the comprehensive security plugin for your WordPress.

**Note:** It is crucial to use only one comprehensive security plugin in your WordPress. Using two or more will most likely cause conflicts between them.

These comprehensive tools charge a periodic fee unless you are using the basic version. If you are looking for free ways to harden your WordPress security, these are some precautions to take alongside the free basic version of a comprehensive security plugin:

Two-Factor Authentication

This approach adds another layer of authentication: in addition to your username and password, you verify through e-mail, SMS or another secondary authentication method, for free.

Step 1:

Download and install this plugin: https://wordpress.org/plugins/two-factor-auth

Choose between Email and Third-party apps

For this plugin, you can choose either email or third-party apps.

Step 2:

Go to the settings page of the plugin:

Plugin Settings

From here, you can set the user roles, e-mail settings and a lot more for the two-factor authentication method.

Password Protection for wp-login.php [extracted from codex.wordpress.org/Brute_Force_Attacks]

Password protecting your wp-login.php file (and the wp-admin folder) adds an extra layer at the server level. Because password protecting wp-admin can break any plugin that uses AJAX on the front end, it is usually sufficient to protect only wp-login.php.

To do this, you will need to create a .htpasswd file. Many hosts have tools to do this for you, but if you have to do it manually, you can use an htpasswd generator. Much like your .htaccess file (a file whose name consists only of an extension), .htpasswd has no prefix.

You can either put this file outside of your public web folder (i.e. not in /public_html/ or /domain.com/, depending on your host), or you can put it in the same folder, but you’ll want to do some extra security work in your .htaccess file if you do.

Speaking of which, once you have uploaded the .htpasswd file, you need to tell .htaccess where it is. Assuming you have put .htpasswd in your user's home directory and your htpasswd username is mysecretuser, put this in your .htaccess:

# Stop Apache from serving .ht* files
<Files ~ "^\.ht">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    Order allow,deny
    Deny from all
</Files>

# Protect wp-login
<Files wp-login.php>
    # Apache does not expand "~": give the absolute path of your .htpasswd file
    # (/home/youruser/.htpasswd is a placeholder; adjust it to your server)
    AuthUserFile /home/youruser/.htpasswd
    AuthName "Private access"
    AuthType Basic
    require user mysecretuser
</Files>

The actual location of AuthUserFile depends on your server, and the 'require user' line changes based on the username you pick.

If you are using Nginx, you can password protect your wp-login.php file using the HttpAuthBasicModule. This block should be inside your server block.

# If a regex location such as "location ~ \.php$" also matches wp-login.php,
# it takes precedence over this prefix match; in that case use
# "location = /wp-login.php" and put your PHP (fastcgi) directives inside it too.
location /wp-login.php {
    auth_basic "Administrator Login";
    # the user:hash file; an absolute path avoids any doubt about
    # which directory a relative path is resolved against
    auth_basic_user_file .htpasswd;
}

The file name path is relative to the directory of the nginx configuration file nginx.conf. The file should be in the following format:

user:pass
user2:pass2
user3:pass3

Passwords must be hashed with the crypt(3) function. You can use an online htpasswd generator to hash your password, or generate the entry locally with the htpasswd tool that ships with Apache.
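As an added example (not from this article or the Codex page it quotes), here is a small Python checker for the user:hash file that both server blocks above read. It validates the line format and names the hash scheme of each entry, so plaintext or unsalted entries are caught before the file goes live. The sample file and the scheme names are constructed for this example; the prefixes are the ones Apache's htpasswd writes and nginx accepts.

```python
import re

# Constructed sample .htpasswd contents (placeholders in the right syntactic
# shape, not real credentials); the last three entries are deliberately weak.
SAMPLE_HTPASSWD = """\
mysecretuser:$apr1$SaltSalt$ZAyFhbJAyWfUbcdEFGHIJ/
admin2:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
legacy:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
olduser:ab01FAX.bQRSU
badentry:plaintextpassword
"""

def scheme_of(hash_field: str) -> str:
    """Name the htpasswd hash scheme by its prefix; 'plaintext' if none matches."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"        # Apache's salted, iterated MD5 (htpasswd -m)
    if re.match(r"^\$2[aby]\$\d\d\$", hash_field):
        return "bcrypt"          # htpasswd -B; nginx needs a crypt(3) that supports it
    if hash_field.startswith("{SHA}"):
        return "sha1-unsalted"   # htpasswd -s; no salt, avoid for new entries
    if re.match(r"^\$[56]\$", hash_field):
        return "sha-crypt"       # $5$/$6$ produced by glibc crypt(3)
    if re.match(r"^[./0-9A-Za-z]{13}$", hash_field):
        # traditional crypt(3): 2-char salt + 11 chars, 8-character password limit
        # (a 13-character plaintext made of these characters is indistinguishable)
        return "des-crypt"
    return "plaintext"

def audit_htpasswd(text: str) -> list:
    """Return (user, scheme, acceptable) per entry; raise on a malformed line."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected user:hash")
        user, hash_field = line.split(":", 1)
        scheme = scheme_of(hash_field)
        results.append((user, scheme, scheme in ("apr1-md5", "bcrypt", "sha-crypt")))
    return results

if __name__ == "__main__":
    for user, scheme, ok in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{user:14} {scheme:14} {'ok' if ok else 'WEAK'}")
```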

CONTENT PROTECTION

Besides the security measures above, it is also very important to protect the content of your web pages. These are some precautions to take to protect your content:

Hotlinking Prevention

Hotlinking prevention stops other sites from embedding images, stylesheets (CSS), JavaScript files and other resources directly from your website. For instance, another site links to your image to save its own bandwidth; this hogs your bandwidth instead (bandwidth stealing) every time their pages load. This is how to do it:

Step 1:

Access your .htaccess file, which will be within your "public_html" folder (if not found, the file could be in one of the subfolders of "public_html", such as "blog").

Step 2:

Edit the .htaccess file by adding these lines to it:

# Prevent Hotlinking
RewriteEngine On
# let requests without a Referer through (direct visits, browsers that strip it)
RewriteCond %{HTTP_REFERER} !^$
# let requests from your own site through, over http or https, with or without www
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwordpressdomain\.com/ [NC]
# any other site asking for these file types gets 403 Forbidden
RewriteRule \.(gif|jpg|png|css|js)$ - [F]

*Replace yourwordpressdomain.com with your own WordPress domain.
*If you want to restrict more file types, keep adding them to the list in the RewriteRule, e.g.

RewriteRule \.(gif|jpg|png|css|js|bmp|mp3)$ - [F]

Step 3:

Save and exit the text editor.

What you just did restricts the listed file types on your WordPress site from being linked from other sites. The check relies on the Referer header, so it stops embedding by other pages, not a visitor who requests the file directly.
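Added example, not part of the original article: a Python emulation of the three hotlink rules above, run over constructed sample requests, to show exactly which requests the rule set blocks and which it lets through (empty Referer, own domain over http or https, mixed case, unlisted file types). The domain is the article's placeholder.

```python
import re

# Placeholder domain, as in the article's .htaccess snippet.
SITE = "yourwordpressdomain.com"

# RewriteCond %{HTTP_REFERER} !^$                                 -> Referer must be non-empty
# RewriteCond %{HTTP_REFERER} !^https?://(www\.)?SITE/ [NC]       -> and not from our own site
# RewriteRule \.(gif|jpg|png|css|js)$ - [F]                       -> for these extensions only
OWN_SITE = re.compile(r"^https?://(www\.)?" + re.escape(SITE) + r"/", re.IGNORECASE)
PROTECTED = re.compile(r"\.(gif|jpg|png|css|js)$")

def hotlink_status(path: str, referer: str) -> int:
    """Status the rule set produces for one request: 403 if blocked, 200 otherwise.
    Every RewriteCond must hold for the RewriteRule to fire, so any failing
    condition means the request is served normally."""
    if referer == "":                 # first condition fails: no Referer at all
        return 200
    if OWN_SITE.search(referer):      # second condition fails: our own pages
        return 200
    if not PROTECTED.search(path):    # rule pattern does not match this file type
        return 200
    return 403                        # [F]: Forbidden

# Constructed sample requests: (path, Referer header, expected status).
SAMPLES = [
    ("/wp-content/uploads/logo.png", "https://yourwordpressdomain.com/about/", 200),
    ("/wp-content/uploads/logo.png", "http://WWW.YourWordPressDomain.com/", 200),  # [NC]
    ("/wp-content/uploads/logo.png", "", 200),                 # direct visit, no Referer
    ("/wp-content/uploads/logo.png", "https://other.example/page.html", 403),
    ("/wp-content/themes/x/style.css", "https://other.example/", 403),
    ("/wp-content/uploads/clip.mp4", "https://other.example/", 200),  # extension not listed
    ("/wp-content/uploads/logo.png", "https://yourwordpressdomain.com.evil.example/", 403),
]

def run_samples() -> list:
    """Evaluate every sample; each tuple ends with whether the rule set matched expectation."""
    return [(path, ref, hotlink_status(path, ref) == want) for path, ref, want in SAMPLES]

if __name__ == "__main__":
    for path, ref, ok in run_samples():
        print(f"{'ok ' if ok else 'BAD'} {hotlink_status(path, ref)} {path} referer={ref!r}")
```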

Video and Images and DMCA Protection

You most probably want to prevent visitors from downloading your images and videos from your website. This is how you do it:

For video:

You can download the plugin: https://wordpress.org/plugins/secure-html5-video-player/

This plugin secures your HTML5 videos from being downloaded by visitors without revealing the link to the video, whether it is your own video or a YouTube/Vimeo video.

The plugin's settings are split into Security, Playback, Skin and Compatibility tabs (screenshots omitted).

To insert a video into your post, go to the plugin's "Help" section for the code to add a video (screenshot omitted).

For images and texts (DMCA protection):

If you have an image on your site designed by your graphic designer, you do not want it copied everywhere, and you do not want your text copied and pasted to other sites, which can also hurt your search engine ranking.

You can download and install the WP Content Copy Protection & No Right Click plugin here: https://wordpress.org/plugins/wp-content-copy-protector/

This prevents visitors from right-clicking on your content, specifically images, to download them, and from copying your text. It is a client-side measure: the content still reaches the browser, so it deters casual copying rather than preventing it.