
The first attacks to my website

#1
I installed WordFence, and I'm so glad I did! I also followed some advice on how to secure my website. It's really time well spent!

I still have almost no visits to the website, but suddenly, 2 days ago, I got hundreds of visits. Most of them were to my login page. Wordfence blocked many IPs. Interestingly enough, most of them are from Russia and Ukraine. I don't get the interest these countries might have in my courses in Spanish. LOL.

I'm pretty confident my web is secure (I followed every advised action I found around). But, just in case, should I take any additional step? Or just do nothing?
#2
When I installed WordPress, it asked me if I wanted to install Loginizer Security. The free version is good enough for stopping brute force attacks. It advises you to set file permissions to 0444 for wp-config.php and .htaccess. So if you haven't already done so, make sure you set those permissions, with or without this plugin. Just go to your cPanel file manager or use FTP software on your PC.

Cloudflare is another one; you can get free SSL, so you can either drop Let's Encrypt and use Cloudflare or you can make them work side by side (many tutorials on Google). Cloudflare is built to be anti-brute force attacks.

One cool feature of Cloudflare I found out about recently while reading the view source on one of my websites is that they encrypt your emails. Say you have email: me@mysite.com in your code; Cloudflare will somehow encrypt that so it looks normal when you visit the website, but the code is different. It looks like:
Code:
email: <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="8beaeff9e2eae5edfee7ffe4e5eceae7e7eef9e2eef8cbece6eae2e7a5e8e4e6">[email protected]</a>

Was checking out Wordfence and I may give it a try; seems like a good plugin. I like their 2FA feature.
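The `data-cfemail` attribute shown in post #2 is reversible obfuscation aimed at address harvesters rather than encryption: the first byte of the hex string is the key and every following byte is the address XORed with it. The sketch below is an added example, not part of any post in this thread; the function names, the key `0x5a` and the sample HTML are constructed for illustration, using the post's placeholder address.

```python
import re

# Matches the attribute Cloudflare writes into the protected <a> element.
CFEMAIL_ATTR = re.compile(r'data-cfemail="([0-9a-fA-F]+)"')


def cf_encode(address: str, key: int) -> str:
    """Build a data-cfemail value: one key byte, then each byte XOR key."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must fit in one byte")
    raw = address.encode("utf-8")
    return bytes([key] + [b ^ key for b in raw]).hex()


def cf_decode(blob: str) -> str:
    """Reverse the obfuscation using only the blob itself (no secret needed)."""
    data = bytes.fromhex(blob)  # raises ValueError on odd length
    if len(data) < 2:
        raise ValueError("blob needs a key byte and at least one data byte")
    key, body = data[0], data[1:]
    return bytes(b ^ key for b in body).decode("utf-8")


def extract_addresses(html: str) -> list[str]:
    """Return every address recoverable from data-cfemail attributes."""
    found = []
    for blob in CFEMAIL_ATTR.findall(html):
        try:
            found.append(cf_decode(blob))
        except ValueError:  # malformed hex or undecodable bytes: skip
            continue
    return found


# Constructed sample: the post's placeholder address, arbitrary key 0x5a.
SAMPLE_BLOB = cf_encode("me@mysite.com", 0x5A)
SAMPLE_HTML = (
    '<a href="/cdn-cgi/l/email-protection" class="__cf_email__" '
    f'data-cfemail="{SAMPLE_BLOB}">[email protected]</a>'
    '<a data-cfemail="zz">not hex</a>'      # ignored by the regex
    '<a data-cfemail="5a3">odd length</a>'  # skipped by cf_decode
)

if __name__ == "__main__":
    print(SAMPLE_BLOB)
    print(extract_addresses(SAMPLE_HTML))
```

Because the key travels with the data, anyone who reads the page source can recover the address, so the feature reduces automated scraping but does not keep an address confidential.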
#3
I am not an expert, but one tip for you.
Go to the securityheaders site and do a test.
To help you, get the HTTP Headers plugin to fix it easily.
#4
For your security,
you should add an extra security layer to your website by hosting your DNS with an anti-DDoS service provider like Cloudflare.
It also has an option called "I'm Under Attack".
This service checks your website completely first to identify that you are not an attacker bot and after that grants you access to your website.
#5
Get some cheap and easy-to-use .htaccess rules.
Add country IP-based blocking rules, blocking every country whose users you don't care about. Yes, you know the ones I'm talking about.

Make most of your website static, hosting it on a CDN; those can handle DDoS,

using JavaScript and security-token access to the backend to retrieve data. Avoid PHP generating HTML pages. It is 1990 programming.

But if you can't, look for load balancing in whichever way you can use it; blocking IPs is easy. There are many free data sources with 'honeypot' services that can help you with that.

But really, .htaccess blocking of whole countries is the easiest way to handle it. You can place a 302 HTML page on github-pages and redirect everyone there so the error pages are not rendered on your server either.


https://github.com/eladkarako/blocked-pa...e/gh-pages
  



