WordPress dunyodagi saytlarning 40%'ini ishlatadi β shuning uchun hujum manbai #1. To'g'ri sozlanmasa β bir necha kun ichida buziladi. 10 qadamli himoya:
1. Yangilab turish
Core, plugin, tema β har doim oxirgi versiya. 70% buzilishlar eski plugin'lar tufayli. Auto-update yoqing.
2. Kuchli admin parol
16+ belgi, password manager (1Password, Bitwarden). "admin" username β boshqasiga o'zgartiring (admin user yaratib, eski admin'ni o'chiring).
3. 2FA majburiy
Wordfence yoki Google Authenticator plugin. SMS'dan ko'ra app safer.
4. Login URL o'zgartirish
/wp-login.php β /sirli-kalit. WPS Hide Login plugin. Brute force botlar default URL'ni hujum qiladi.
5. Login attempt cheklov
5 ta noto'g'ri kirish = 1 soat IP blok. Limit Login Attempts Reloaded plugin. Wordfence ham buni qiladi.
6. Ishonchli plugin'lar
Faqat 4+ yulduzli, 100K+ active install, 6 oy oldin yangilangan. Nulled tema/plugin β albatta yo'q (malware).
7. Fayl ruxsatlari
chmod 644 fayllarga, 755 papkalarga. wp-config.php β 600. SSH/FTP'dan o'zgartirish.
8. wp-config.php himoyasi
.htaccess: order allow,deny; deny from all; β yoki wp-content'dan tashqariga ko'chirish.
9. Backup avtomatik
UpdraftPlus, BackWPup. Kunlik DB + haftalik full. Google Drive yoki S3'ga avtomatik. Tikash uchun synxron tekshirish.
10. Security plugin
Wordfence (eng mashhur, bepul/$99), Sucuri ($199/yil), iThemes Security. Real-time monitoring, firewall, malware scan.
SSL majburiy
Let's Encrypt bepul. Settings β General β HTTPS. .htaccess: 301 redirect http β https.
DB prefix o'zgartirish
wp_ β xy_. SQL injection paytlarida random prefix qiyinlashtiradi. Install paytida yoki keyin Better Search Replace bilan.
XML-RPC o'chirish
Brute force va DDoS vektori. .htaccess'ga: