MANDATORY security measures for WordPress

It is no secret that WordPress websites suffer from repeated attacks, which increasingly cause downtime of your sites and problems on the servers. This is mainly due to the too-predictable design of a single, well-known login URL: wp-login.php. We see this happening regularly on several websites on the server, and worldwide as well. There is preventive action we already take on the server side (XML-RPC); note that you are already protected by the server for XML-RPC and need do nothing:

https://support.yoorshop.hosting/knowledgebase/1207/Protection-WordPress-xmlrpcphp.html

We have put in place by default a limit on access to wp-login.php of only 2 requests per minute (this discourages repeated attempts). If your wp-login.php is not accessible and shows error 429 at intervals of 1-2 minutes, together with our dedicated message, this means that many login attempts are ongoing against your wp-login.php.
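As an added example (not part of this knowledge base, nor code from the hosting provider), the following Python script applies the same 2-requests-per-minute rule to constructed access-log lines in the combined format that cPanel's raw access logs use, so you can see which IPs were hitting wp-login.php hard enough to trigger the 429 responses described above. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one IP hammering wp-login.php, one normal admin, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
203.0.113.5 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
203.0.113.5 - - [10/Mar/2024:12:00:20 +0000] "POST /wp-login.php HTTP/1.1" 429 512
203.0.113.5 - - [10/Mar/2024:12:00:31 +0000] "POST /wp-login.php HTTP/1.1" 429 512
198.51.100.7 - - [10/Mar/2024:12:00:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2345
198.51.100.7 - - [10/Mar/2024:12:03:15 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0
192.0.2.9 - - [10/Mar/2024:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 10234
"""


def find_login_abusers(lines, limit=2, window=60, path="/wp-login.php"):
    """Flag IPs that request `path` more than `limit` times within any
    `window`-second span (the host's 2-per-minute rule). Returns
    {ip: {"burst": largest burst seen, "already_429": 429 responses seen}}."""
    recent = defaultdict(deque)   # ip -> timestamps of hits to `path` still inside the window
    blocked = defaultdict(int)    # ip -> number of 429 responses already served
    burst = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("path").split("?")[0] != path:
            continue  # not a hit on the login page (query string is ignored)
        ip = m.group("ip")
        if m.group("status") == "429":
            blocked[ip] += 1
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # slide the window forward
            q.popleft()
        if len(q) > limit:
            burst[ip] = max(burst.get(ip, 0), len(q))
    return {ip: {"burst": n, "already_429": blocked[ip]} for ip, n in burst.items()}


if __name__ == "__main__":
    for ip, info in find_login_abusers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['burst']} hits/min on wp-login.php, {info['already_429']} already got 429")
```

Run it against a real raw access log from cPanel to see whether the 429 responses you notice line up with a single IP retrying the login page.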

After this, you must immediately install the following plugin (point 1):


For ALL accounts, you must install this first plugin, or activate the equivalent function in a security plugin.

1. Protection of wp-login.php (MANDATORY)
The best way to counter this is to rename the URL of your administration login page using a plugin such as:
https://wordpress.org/plugins/wps-hide-login + a basic firewall (see the IDS firewall tab, with country blocking if desired)

From your WordPress admin, go to Plugins and "Add New", type: wps hide login, install it, activate it and go to its settings; at the bottom of the page, enter the new desired login page and save!

Others, if you prefer: https://wordpress.org/plugins/search/hide+login/


Very important: make sure your domain without www redirects correctly to www, otherwise the protection will only work by half!

MANDATORY: we check accounts regularly, especially those with WordPress; if we find that you have not renamed your admin URL, we will suspend your account as a first step. If you refuse to apply the measure: termination of the account.

NB: anti-brute-force plugins are useless, because robots will come back later or change their IP!!!


2. Firewall (optional)
These plugins mostly duplicate what we already protect you against server-wide.
They require proper assessment and configuration; be careful, as this can mess up your database.

We recommend this one, which is the best we know, as it protects against injections and some other attacks; you will have to set up/activate some settings:
https://wordpress.org/plugins/ninjafirewall
Once installed, check these important settings:
Firewall protection: enabled
Enable FileGuard: enabled
Updates: yes, daily

Less good:
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
https://fr.wordpress.org/plugins/wordfence/
 

3. Anti-DDoS plugin (optional, only if under attack; this plugin is the only one that fights DDoS. Whether you need it depends on your stats: see AWStats in your cPanel and study hits and visitors)
For anti-DDoS protection of any page, we found a plugin that is quite good to install and that limits access by IP:
https://wordpress.org/plugins/wpantiddos/
You can leave all default settings as a first step; for settings like 'Maximal Hits count for GET requests (per 1 seconds)', if this causes illegitimate alert messages for your users, you can increase it gradually.
Put the few lines of code in wp-config.php as they suggest, to get efficient protection of the WordPress core.
You will see who has been blocked in the Errors section of cPanel.
Finally, if any attack persists and causes unavailability of your website, you can change these plugin settings:
Maximal Hits count for GET = 2
Minimal Seconds timeout = ANY
(Read the documentation if needed: wp-content/plugins/wpantiddos/Documentation)
Conversely, if this causes issues with some functions in your admin or with legitimate traffic, relax the settings...

NB:
We already protect you against basic XSS/SQL injection and bots! Don't over-secure; this can cause trouble for your website!