Evolve Help Center

Published on: 02/09/2023 | Updated on: 05/08/2024 | Reading Time: 8 minutes

Additional Website Security Recommendations

Astra Dashboard Login URL

The main portal is located at https://my.getastra.com/login
If your website uses WordPress, log in to your WordPress Admin area, locate the Astra Security link and click on it. You will be presented with a list of links to the Astra Portal without needing to enter another username and password.
If your website uses OpenCart, log in to your OpenCart Admin area, locate the Astra Security link and click on it. You will be presented with a list of links to the Astra Portal without needing to enter another username and password.

Wordpress Security Recommendations

Astra is our premier partner for WordPress website security. While we strongly recommend the licensed version of Astra, which includes a firewall, login protection and malware scanning and cleanup, there is a FREE solution. This free plugin covers a wide variety of security steps every WordPress website should have, keeping you safer than you are now.

If you already have an Astra license or plan to purchase an Astra License, we still recommend using the free plugin alongside the licensed version.

If you decide in the future to upgrade to the licensed version, remember, our prices are LOWER than Astra directly.

This plugin includes the following hardening features:

Hardening Audit

  • WordPress Version Check: checks whether your website is running the latest WordPress version.
  • Checking Outdated Plugins: checks whether your website is running up-to-date plugins.
  • Checking PHP Version: WP Hardening also checks whether your website is running on a secure, supported version of PHP.
  • Checking File & Folder Permissions: checks whether your files and folders use secure permissions.
  • Database Password Strength: checks the strength of the password used for your database. A weak password makes the database an easy target for brute-force attacks.
  • Checking Firewall Protection: checks whether your website is protected by a firewall. A firewall provides a strong monitoring and filtering layer in front of your website. Check out the features of the Astra firewall.

Admin & API Security

  • Stop User Enumeration: hackers and bad bots can easily find usernames in WordPress by visiting URLs like yourwebsite.com/?author=1. Knowing valid usernames significantly helps them with larger attacks such as brute force and SQL injection.
  • Change Login URL: prevent admin password brute-forcing by changing the URL of the wp-admin login area. The URL can only be changed while this fixer is disabled.
  • Disable XMLRPC: XML-RPC is often targeted by bots for brute-force and DDoS attacks (via pingback), putting considerable stress on your server. However, some services rely on XML-RPC, so be sure you definitely do not need it before disabling it. If you are using the Astra firewall, you are protected against XML-RPC attacks automatically.
  • Disable WP API JSON: since version 4.4, WordPress includes a JSON REST API which greatly benefits developers. However, it is often targeted for brute-force attacks, just like XML-RPC. If you are not using it, it is best to disable it.
  • Disable File Editor: if a hacker gains access to your WordPress admin area, an enabled file editor makes it easy for them to add malicious code to your theme or plugins. If you are not using it, it is best to keep the file editor disabled.
  • Disable WordPress Application Passwords: WordPress application passwords carry the full permissions of the user that generated them, making it possible for an attacker to take control of a website by tricking the site administrator into granting permission to their malicious application.

Disable Information Disclosure & Remove Meta information

  • Hide WordPress version number: disclosing your WordPress version makes a hacker's job simple, as they can look for exploits targeting that exact version. It is best to keep this hidden; enabling the toggle does that.
  • Remove WordPress Meta Generator Tag: the WordPress meta generator tag contains your WordPress version number, which is best kept hidden.
  • Remove WPML (WordPress Multilingual Plugin) Meta Generator Tag: this tag discloses the WordPress version number, which is best kept hidden.
  • Remove Slider Revolution Meta Generator Tag: Slider Revolution stays on the radar of hackers because of its popularity. An overnight exploit for the version you are using could leave your website vulnerable too. Make it harder for hackers to exploit such vulnerabilities by disabling version number disclosure here.
  • Remove WPBakery Page Builder Meta Generator Tag: common page builders are regularly found to have vulnerabilities that put your website's security at risk. With this toggle enabled, the page builder's version is hidden, making it harder for hackers to tell whether you are running a vulnerable version.
  • Remove Version from Stylesheet: many CSS files have the WordPress version number appended to their source URL for cache-busting purposes. Knowing the version number allows hackers to target known vulnerabilities.
  • Remove Version from Script: many JS files have the WordPress version number appended to their source URL for cache-busting purposes. Knowing the version number allows hackers to target known vulnerabilities.

Basic Server Hardening

  • Hide Directory Listing of WP includes: a browsable wp-includes directory gives away a lot of information about your WordPress installation. Disable the listing by simply toggling the option, to make reconnaissance harder for attackers.

Security Headers

  • Clickjacking Protection: protects your WordPress website from clickjacking with the X-Frame-Options response header. Clickjacking is an attack that tricks a user into clicking a webpage element that is invisible or disguised as another element.
  • XSS Protection: adds the HTTP X-XSS-Protection response header so that browsers such as Chrome, Safari and Microsoft Edge stop pages from loading when they detect reflected cross-site scripting (XSS) attacks.
  • Content Sniffing protection: adds the X-Content-Type-Options response header to protect against MIME sniffing vulnerabilities. These can occur when a website lets users upload content but a user disguises one file type as another; this can give them the opportunity to perform cross-site scripting and compromise the website.
  • HTTP only & Secure flag: enables the HttpOnly and Secure flags to make cookies more secure. HttpOnly tells the browser that the cookie is for the server only and must not be exposed to client-side scripts, which adds a layer of protection against XSS attacks; Secure ensures the cookie is only sent over HTTPS.

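To see what the Security Headers toggles and the meta-information toggles above actually change on the wire, here is an added audit script (not part of this article or of the Astra plugin) that inspects a captured HTTP response and reports missing headers, missing cookie flags and leaked version numbers; the sample headers and HTML below are constructed for the example, not taken from a real site.

```python
import re

# Constructed response from an un-hardened WordPress site (sample data, not real).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Set-Cookie": ["wordpress_logged_in_abc=1; path=/",
                   "PHPSESSID=xyz; path=/; HttpOnly; Secure"],
}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head></html>"""
# The same site after the Security Headers toggles are enabled (constructed).
HARDENED_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": ["wordpress_logged_in_abc=1; path=/; HttpOnly; Secure"],
}

def audit_headers(headers):
    """Report missing clickjacking / MIME-sniffing headers and cookie flags."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "x-frame-options" not in h:
        findings.append("missing X-Frame-Options (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff (MIME sniffing)")
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    return findings

def audit_body(html):
    """Report version numbers leaked through generator tags and ?ver= asset URLs."""
    findings = []
    for content in re.findall(r'<meta[^>]+name="generator"[^>]+content="([^"]*)"', html, re.I):
        findings.append(f"generator tag: {content}")
    for src, ver in re.findall(r'(?:href|src)="([^"?]+)\?ver=([^"&]+)"', html, re.I):
        findings.append(f"version {ver} on {src.rsplit('/', 1)[-1]}")
    return findings

if __name__ == "__main__":
    for line in audit_headers(SAMPLE_HEADERS) + audit_body(SAMPLE_BODY):
        print(line)
    print("hardened:", audit_headers(HARDENED_HEADERS))
```

X-XSS-Protection is deliberately not checked: current Chrome, Edge and Firefox ignore that header, so X-Frame-Options, nosniff and the cookie flags are the checks that still matter. Run audit_headers() and audit_body() against a real response captured with your browser's developer tools.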
  • Make sure the WordPress core software, ALL themes (enabled and disabled) and ALL plugins (enabled and disabled) are kept up to date at all times

  • [Important] Change the login passwords - all admin user accounts, FTP users, database passwords, cPanel/hosting account passwords

  • Use a PHP version that is actively supported. View Actively Supported PHP Versions

  • Remove all outdated / unused files (this includes .zip, .sql and .tar files). These provide perfect hiding places for hackers to inject malware

  • Check in the WordPress Admin area whether any new or unknown admin users have been added

  • [Important] Secure the Opencart Admin area with HTTP auth - Guide

  • [Important] If you have other WordPress/OpenCart/Magento installs on the same server, please follow all the above recommendations for the sites & secure them with Astra. It is important to keep all the sites secured on a shared hosting server.

  • If you or your developer have uploaded a phpinfo.php file for testing or debugging, make sure it is removed from the server immediately afterwards

Recommended File permissions
Ensure that the recommended file permissions are being used: 755 for folders & 644 for files - Guide.

Contact your Web Developer if you need assistance. These are services provided by a developer and NOT included in Web Hosting Support


Opencart Security Recommendations

  • Update your OpenCart core software, theme(s) and modules to the latest version

  • Use a PHP version that is actively supported. View Actively Supported PHP Versions

  • Remove all backup and outdated / unused files (this includes .zip, .sql and .tar files). These provide perfect hiding places for hackers to inject malware

  • [Important] Secure the Opencart Admin area with HTTP auth - Guide

  • Check that the install folder is deleted

  • [Important] If you have other WordPress/OpenCart/Magento installs on the same server, please follow all the above recommendations for the sites & secure them with Astra. It is important to keep all the sites secured on a shared hosting server

  • If you or your developer have uploaded a phpinfo.php file for testing or debugging, make sure it is removed from the server immediately afterwards

Recommended File permissions
Ensure that the recommended file permissions are being used: 755 for folders & 644 for files - Guide

The following files need to be set to 644 or 444 to prevent anyone else from writing to them:

  • config.php
  • index.php
  • admin/config.php
  • admin/index.php
  • system/startup.php
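The permissions rule given for both WordPress and OpenCart above (755 for folders, 644 for files, and 644 or 444 for the five OpenCart files just listed) can be checked before you call a developer. This added script is not from the article or from OpenCart; it builds a constructed OpenCart-like tree in a temporary directory with two deliberate mistakes, so it runs without touching a real site.

```python
import os
import stat
import tempfile

# Files the guide requires to be 644 or 444 (OpenCart layout).
LOCKED_FILES = {"config.php", "index.php", "admin/config.php",
                "admin/index.php", "system/startup.php"}

def audit_permissions(root):
    """Return {relative path: 'actual -> allowed'} for every entry off the rule."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if os.path.isdir(full):
                allowed = {0o755}          # folders
            elif rel in LOCKED_FILES:
                allowed = {0o644, 0o444}   # must not be writable by anyone else
            else:
                allowed = {0o644}          # ordinary files
            if mode not in allowed:
                want = "/".join(f"{m:o}" for m in sorted(allowed))
                findings[rel] = f"{mode:o} -> {want}"
    return findings

def build_sample_tree():
    """Constructed OpenCart-like tree with two deliberate mistakes (sample only)."""
    root = tempfile.mkdtemp()
    for d in ("admin", "system", "image"):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)
    files = {"config.php": 0o444, "index.php": 0o644,
             "admin/config.php": 0o666,   # mistake: world-writable config
             "admin/index.php": 0o644, "system/startup.php": 0o644,
             "image/logo.png": 0o644}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "image"), 0o777)  # mistake: world-writable folder
    return root

if __name__ == "__main__":
    for path, problem in audit_permissions(build_sample_tree()).items():
        print(f"{path}: {problem}")
```

Run audit_permissions() against a real document root (it only reads); the bulk fix for the 755/644 rule is `find . -type d -exec chmod 755 {} +` followed by `find . -type f -exec chmod 644 {} +`.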

Contact your Web Developer if you need assistance. These are services provided by a developer and NOT included in Web Hosting Support


Security Recommendations for any other Website

  • Keep ALL Code up to date

  • Use a PHP version that is actively supported. View Actively Supported PHP Versions

  • [Important] If you have other WordPress/OpenCart/Magento installs on the same server, please follow all the above recommendations for the sites & secure them with Astra. It is important to keep all the sites secured on a shared hosting server.

  • If you or your developer have uploaded a phpinfo.php file for testing or debugging, make sure it is removed from the server immediately afterwards

Recommended File permissions
Ensure that the recommended file permissions are being used: 755 for folders & 644 for files - Guide

Contact your Web Developer if you need assistance. These are services provided by a developer and NOT included in Web Hosting Support