If you rely only on basic security such as a unique password, WordPress is a website platform (CMS) that's notoriously vulnerable to attacks such as brute-force. No matter how often you back up and clean suspicious files in your cPanel hosting (File Manager root), your website will still be hacked, which is annoying and frustrating for a blogger or webmaster.
But don't worry: when it comes to WordPress security, AlfinTech Computer is one of the best experts, and you can follow my tutorial. I guarantee you'll be able to sleep soundly for the rest of your life, as hackers will no longer be interested in breaking into your site.
Steps to Secure Your WordPress Website for Free
We will use the free features of some secret plugins that I use myself, so that the layered security remains optimal even in free-version mode.
Please note that the steps must be carried out in sequence, following the instructions below.
1. Clean Your WordPress Core Files
This first step applies if you are not sure that your WordPress core is clean, or if there are suspicious files infected by malware in the cPanel root (File Manager) of your hosting service.
If you have already reinstalled WordPress, you can skip this step and proceed to number 2 below. If not, here is how to back up and reinstall manually.
a. Back Up Database
You need to save your content database (SQL) on your computer, because you might need it someday.
Log in to your cPanel → phpMyAdmin, then select your database and use Quick Export. Save the SQL file to your computer.
b. Reinstall WordPress Core:
♦ In cPanel, go to File Manager, then select your WordPress directory.
♦ First, download the latest WordPress core version to your computer.
♦ In File Manager, delete all files except wp-content and wp-config.php. The wp-content folder contains important files that should not be deleted (images/media, plugins, themes, etc.), while wp-config.php contains the configuration that connects the WordPress core system to your SQL database.
♦ Other files that should not be deleted are usually .htaccess, ads.txt, and BingSiteAuth.xml.
♦ After deleting all WordPress files except those mentioned above, upload the latest version of the WordPress.zip file you downloaded earlier. Then extract it.
♦ After the restore process is complete, try logging in to your wp-admin. Your website should be accessible, because the wp-config.php file was not deleted and the CMS is still connected to your SQL database.
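The keep/delete split from step b as a dry run, in Python (an added example, not part of the original tutorial). It also lists PHP files under wp-content/uploads, a check that goes beyond the steps above: wp-content is kept, so anything planted there survives the reinstall. The sample directory tree and the function names are constructed for illustration.

```python
import os
import tempfile

# Top-level entries the steps above say to keep (names taken from the tutorial).
KEEP = {"wp-content", "wp-config.php", ".htaccess", "ads.txt", "BingSiteAuth.xml"}


def plan_core_reinstall(wp_root):
    """Dry run: split top-level entries into (keep, delete) without touching disk."""
    keep, delete = [], []
    for name in sorted(os.listdir(wp_root)):
        (keep if name in KEEP else delete).append(name)
    return keep, delete


def php_in_uploads(wp_root):
    """List PHP files under wp-content/uploads (normally media only) for manual review."""
    uploads = os.path.join(wp_root, "wp-content", "uploads")
    hits = []
    for dirpath, _dirs, files in os.walk(uploads):
        for fname in files:
            if fname.lower().endswith((".php", ".phtml", ".php5")):
                hits.append(os.path.relpath(os.path.join(dirpath, fname), wp_root))
    return sorted(hits)


def build_sample_site(root):
    """Constructed sample tree standing in for a real WordPress directory."""
    for d in ("wp-admin", "wp-includes", "wp-content/uploads/2024/05", "wp-content/themes"):
        os.makedirs(os.path.join(root, d))
    for f in ("index.php", "wp-login.php", "wp-config.php", ".htaccess", "ads.txt",
              "wp-content/uploads/2024/05/photo.jpg",
              "wp-content/uploads/2024/05/cache.php"):  # constructed suspicious file
        open(os.path.join(root, f), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        keep, delete = plan_core_reinstall(site)
        print("keep:  ", keep)
        print("delete:", delete)
        print("review:", php_in_uploads(site))
```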
Okay, let’s move on to the next step, which is installing the plugins needed for security.
2. Disable XML-RPC
You need to disable the xmlrpc.php file so that hackers cannot access your website's FTP. Please read the tutorial and download Disable XML-RPC-API.
3. WPS Hide Login
Use the WPS Hide Login plugin to solve the issue below:
By default, the WordPress login page is yourdomainname.com/wp-admin OR yourdomainname.com/wp-login.php. This is very dangerous; you should disable it and replace it with a secret URL known only to you, to protect against unauthorized login attempts.
3. WP 2FA – Two-factor authentication for WordPress
WP 2FA – Two-factor authentication for WordPress is the most important security layer plugin and must be present in all website systems. For the settings on the WordPress platform, I recommend sending the OTP to Gmail (Google email), because Google has very good security and is much harder to hack than your own domain email.
4. Loginizer
The Loginizer plugin is powerful for killing brute-force attacks. With this plugin, you can set the maximum number of failed login attempts, the Lockout Time, etc. Any intruder will then have their IP address blocked, preventing them from logging in again, similar to the security measures on banking sites.
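To see from the web server's access log which IP addresses would trip a lockout policy like the one described above, here is an added example in Python (not Loginizer's code and not from the original tutorial). The threshold, window and lockout values, the log lines, and the assumption that the login URL is still /wp-login.php are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical policy values for illustration (not Loginizer's defaults).
MAX_RETRIES = 3
WINDOW = timedelta(minutes=5)     # assumed: failures must fall within this span
LOCKOUT = timedelta(minutes=15)   # the "Lockout Time"

# Constructed access-log lines; IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.7 - - [12/May/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.9 - - [12/May/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.7 - - [12/May/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.7 - - [12/May/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.9 - - [12/May/2024:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3}) ')


def find_lockouts(log_text):
    """Return {ip: [locked_at, locked_until, attempts_while_locked]}."""
    # Assumption: a 200 reply to POST /wp-login.php is a failed login;
    # a successful login is answered with a 302 redirect.
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, status = m.group(1), m.group(3)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked and ts < locked[ip][1]:
            locked[ip][2] += 1            # still trying while blocked
            continue
        if status != "200":
            recent[ip].clear()            # a successful login resets the count
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # forget failures older than the window
            q.popleft()
        if len(q) >= MAX_RETRIES:
            locked[ip] = [ts, ts + LOCKOUT, 0]
            q.clear()
    return locked
```

Calling find_lockouts(SAMPLE_LOG) reports 203.0.113.7 as locked from 10:00:05 with one further attempt during the lockout; if the login URL was renamed in the previous step, adjust the path in LINE.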
5. LoginPress | wp-login Custom Login Page Customizer
The LoginPress plugin provides several security features similar to the previous plugin. Because we are using the free version, we only make the necessary settings: customizing the appearance (layout) of your WordPress login page and removing unnecessary options such as the "Forgot Password" link, because that is sufficient at the admin user level.
In the plugin's Customizer menu, you can be creative in modifying the layout, such as adding a logo or background (image or YouTube video), changing the color of text and buttons, deleting unwanted elements, etc.
Conclusion
After you apply what I've learned, a WordPress website is a secure and highly practical CMS platform, with all security holes closed.
NOTE: If you’re still having trouble, you can contact me via email at alfintechcomputer@gmail.com. I can help you with affordable services.

AUTHOR BIO
In my daily job, I am a software engineer, programmer and computer technician. My passion is assembling PC hardware, studying operating systems and all things related to computer technology. I also love to make short films for YouTube as a producer.