- Aug 3, 2011
♛ This post is the 7th extension of my Money Making Guide... surely not the last! You should read these first to be able to understand what this is about ♛
- ♛ MOVIESITE GUIDE ♛ How To Build And Earn Money With Movie/Trailer Site And Publicly Available Videos
- [GUIDE] Extension #1 To My Money Making Guide: ♛How To Stay Anonymous - VPN List And More Details!♛
- [GUIDE] Extension #2 To My Money Making Guide: ♛Free Organic Traffic From Free Blogs & WEB 2.0s!♛
- [GUIDE] Extension #3 To My Money Making Guide: ♛Use Social Media for Traffic - Churn & Burn Method!♛
- [GUIDE] Extension #4 To My Money Making Guide: ♛Keep Posts Fresh, Add New Embeds & Video Networks!♛
- [GUIDE] Extension #5 To My Money Making Guide: ♛Rank before competitors, stay one step ahead!♛ [SEO]
- [GUIDE] Extension #6 To My Money Making Guide: ♛Expired Domains for Traffic and Ranking!♛ [SEO]
If your website is growing you will definitely be a "hot target" for competitors and they will try all the time to DDOS you, bruteforce your login and even hack your website completely and take your database which took you months of work to build. We do not want that to happen.
What is this about?
This thread will teach you basic WordPress security to protect your website from hackers and competitors in a beginner-friendly way, using WordPress plugins and other simple methods.
I will be covering
- DDOS Protection with Cloudflare
- Securing your Wordpress using plugins
- Basic brute force protection
- Files that should be disabled and are by default enabled on wordpress
- Captcha on login and other pages
Before we start, you should always use a separate email, username and password for your wordpress login, because websites get hacked all the time and you do not want to be exposed if you use the same password everywhere as this can lead to serious trouble for you.
DDOS Protection with Cloudflare
Setting up your website to go through cloudflare is easy.
You will need a free cloudflare account and you will need to add your website there using a free plan using the add site button in the corner.
When your website is under a DDoS attack, Cloudflare provides a lot of analytics, so if you notice something suspicious and a lot of unusual requests, click on your website.
Look for Quick Actions and then Under Attack Mode. Then for Security Level select I'm under attack!
What this will do is give captchas and check browser integrity for each visitor, however this will not solve the problem if the DDOS attack is strong.
Another good thing to do on Cloudflare when you are under attack is to see which IPs and countries most of the requests come from. Usually these will be hacked dedicated servers or VPS servers, so do not put the blame on the actual IP or the datacenter. You can then block either by IP address or by country and leave the block in place until the DDoS attack is over.
This can be done easily by clicking on your domain then going to the Firewall tab. Click Firewall Rules and then Create a Firewall Rule. The interface is friendly and you will see the options you have to block the attacker.
Securing your website using plugins
I am not a fan of wordpress plugins at all as many times in the past, plugins for security have actually made my websites vulnerable.
Anyway, a few plugins that are worth mentioning and installing are:
- Disable REST API Plugin
When your website is DDoSed, people usually send requests through the REST API, which is enabled by default on WordPress.
You can disable it using the plugin
Install it, then go to your Wordpress dashboard - Settings - Disable Rest API
Tick Rest API Root and click save.
- Disable XML-RPC Plugin
Disabling the XML-RPC will help you protect from attacks. This feature is by default enabled by wordpress so the website can have external communication. You will not notice any difference when you disable this.
If you do not want to install this, you can open your .htaccess file and add this snippet at the end of the file:

    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>

- WPS Hide Login
A lot of times people will try to hack your website using brute force or just send dumb requests to your login page, which by default is /wp-login.php. This plugin changes it to something custom that only you know. This plugin is a must. After installing, you will be able to change your login page to something like /badassloginpage/ or anything custom you would like. This will give you DDoS and brute force protection, and it adds an extra precaution in case your password was reused and exposed on the dark web at some point in the past.
- Loginizer
The name speaks for itself: Loginizer is a nice plugin to have, and it will lock out brute force attackers even if they accessed your login page, by blocking their IPs after a few failed attempts.
- hCaptcha for Wordpress
This is a new plugin and probably the best captcha to have on your login page. It is not related to big G and you can get a free account even if you are on a VPN; they don't even ask for email registration.
Once installed you just need to register and put your site key and secret key from hCaptcha to the plugin and choose the pages where you want hCaptcha to be shown. You should add it on login page, registration page, forget password page, contact form and anything similar that can be used to exhaust your traffic. Set security settings to highest on the hCaptcha website.
More plugins and other software worth checking
2. Sucuri (paid)
3. Managed wordpress solutions such as WPXHosting (not affiliated with them), they are based in Bulgaria and would only work for you if you are using a DMCA friendly method to bank (movie reviews, trailers, documentaries).
Keeping your WordPress Empire Safe is a vital task that needs to be done and not put off to a later point. Stay tuned for more.