My original method for securing WordPress

For this method you need Apache and the Wordfence plugin.

  1. Stop using the traditional login, use an alternative way to login such as scanning the screen with your cellphone.
  2. Change the permissions of wp-login.php to 000 ; this will avoid any people to be able to crack your login since the login function will not be accessible.
  3. Install the Wordfence plugin and restrict access to the following url pattern:
    /wp-login*
    Everybody that tries to visit any link in the website that begins with /wp-login would be instantaneously blocked, rather, them will see a blank page.
  4. In order to block the clients who try to access to the /wp-login* url pattern, we need to add the following to the .htaccess file:

Redirect “/wp-login.php” “/wp-login”

  1. You can add an additional security layer in the case that a hacker achieves to bypass these restrictions.
    If you enable WordFence to block any single mistake in the login form -including login tries with nonexistent usernames- then you shall achieve a better security.

 

  1. Install Inactive User Logout. This plugin logs out the user after the minutes specified and also you can avoid concurrent logins. This is helpful since a cookie can be steal by hacker an used to impersonate you.

 

  1. Honeypot
    There is a blackhole plugin , but I concluded you can achieve the same using Wordfence. Create a random folder in your root installation, and add it to the file robots.txt, and add that folder in the Wordfence blacklist

You have to be certain that you are correctly logged when trying to access to the dashboard because failing to do so will block yourself from the site. Alternative you can add your own ip to the Wordfence with-list only if you are using VPN or static IP.

Please don’t try to test the restrictions aforementioned in this site since your ip would be blocked a long time.

These bottons respect your privacy