
Hello Admin, I have logged into your SecurityFaTHeR website. I will not harm your system, I will just inform you. You should make your system stronger, and if you follow these recommendations your system can be safe.

Informative: Many hackers make brute force attacks on ready-made content management systems. On systems running WordPress they usually start brute force attacks via the xmlrpc service. So how can you be protected from these attacking hackers?

1- First, do not use easy passwords, for example: admin, admin123, admin@123. Yes, it may seem like a difficult password to you, but as a hacker I can tell you these passwords may be in the top 100 of a password list. So hard passwords should be used, and the website name should not be used directly in passwords; the important thing is a more complex password. Of course you can make a hard password: first look at the password lists hackers use. You can easily find these password lists on the internet, and you can find them on GitHub. After analyzing the passwords there, you can make difficult passwords. With special symbols and a different language you can strengthen your password.
2- You can disable xmlrpc for WordPress. Hackers usually brute force through xmlrpc; you can put a firewall in front of xmlrpc to prevent this (you can research xmlrpc on the internet), or delete "xmlrpc.php" from the WordPress files on whichever server hosts your site.
3- If the attacker has found your password, you can lower the wp-login.php or wp-admin.php authorization from xmlrpc and make it impossible for a normal person to log in, or you can use the incognito plugin in WordPress to log in privately, so that wp-login.php and wp-admin.php look like a normal page. No matter how many times he tries to log in he will never find the real login page, and the WordPress admin panel will say no; even if he guesses that there is a hidden login he won't find it if you chose a difficult name.
4- The WordPress admin panel is wp-login.php or wp-admin.php. You can have the developer not redirect a normal user to your WordPress admin panel and redirect him to the home page instead; otherwise, if there is no firewall on the WordPress admin panel, he will just type wp-admin.php or wp-login.php, and if the normal user knows the username and password he will log in to the WordPress admin panel.
5- Let's say the attacker found your password, reached your WordPress admin panel and is logging in. What you can do is install a firewall from the WordPress plugins; if it is a good firewall it will prevent brute force attacks, and you can choose one by researching on the internet. Do not use the Imunify360 firewall: it is bypassed when we add a space at the end of the password, so we bypass Imunify360's firewall.
6- Let's say the attacker found your password and accessed the WordPress admin panel. What you need to do is restrict the permissions of the editor part under Appearance, I mean restrict the ability to write code and remove the modification features, so lock the file update feature so that it does not appear there; then the attacker will not be able to put a shell on the server.
7- Restrict the installation of add-ons. By restrict, I mean secure FTP and set a password, and limit permissions. Also make the FTP username and password strong, not a simple password.
8- Set a password attempt limit on wp-login.php or wp-admin.php, because attackers brute force attack. If there is no limit they can try as much as they want; there are plugins in WordPress for setting a limit.
9- Appearance and plugins: if the attacker cannot get in and put malicious code on the server through these, this method will not work.
10- Theme installation, some people do this: they install the twentytwenty theme, change the 403.php inside it and upload it to WordPress. Limit this upload location for zip files and the attacker will not be able to put malicious code on the server this way; this method will not work.
11- Use the latest WordPress version.
12- Install the most up-to-date plugins in WordPress and check on the internet for any vulnerabilities. Yes, I tried to explain WordPress security to you as much as I could. I didn't have any bad intentions when entering your WordPress system, I just wanted to inform you. I can't say anything if something has been entered and done before; I just added an informative .html so you can read it.
13- Sometimes there are usernames there. The attacker can find the username from that JSON data by running the wpscan tool with the enumerate -u parameter; if you can detect these APIs with wpscan you can delete them, or you can investigate on the internet how they are removed.
14- You can learn the parameters of the wpscan tool, scan your WordPress site and learn information about your WordPress site.

Note: No changes have been made to the site or the server; only this informative .html file has been added. I can't say anything if something has been entered and done before; I just added an informative .html file so you can read it.
15- Your security may increase if you try to follow these steps.
16- I do not accept any responsibility for these steps; I tried to explain WordPress security as much as I could. If you read the topics I wrote you can research them on the internet and apply them; whether to apply them or not is up to you. I just gave information about WordPress security.

See you Admin. SecurityFaTHeR informed.
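The following is an added example written for this page; it is not part of the message above and not code from any plugin the author names. It shows how the WordPress-level steps in the message (disable xmlrpc, limit login attempts per IP, hide usernames from the REST JSON endpoint that wpscan's user enumeration reads, and lock the theme/plugin editor) can be done with WordPress core hooks alone, without an extra plugin. The file path wp-content/mu-plugins/harden-login.php, the hl_ function names, the transient key prefix, and the 5 attempts / 15 minutes thresholds are this example's own choices and are assumptions, not anything the message specifies.

```php
<?php
/**
 * Plugin Name: Harden login (added example for this page)
 *
 * Assumed location: wp-content/mu-plugins/harden-login.php. Must-use plugins
 * load before normal plugins and cannot be deactivated from the admin panel,
 * so an attacker who gets an admin password cannot simply switch this off.
 *
 * Covers: XML-RPC brute force, wp-login.php brute force, and username
 * enumeration via /wp-json/wp/v2/users. The file-editing lock is a
 * wp-config.php constant and is shown in the comment at the bottom.
 */

// XML-RPC: every method that needs a login now fails with
// "XML-RPC services are disabled on this site". This is what stops the
// wp.getUsersBlogs / system.multicall password guessing the message refers to.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the endpoint (X-Pingback header and the RSD <link> tag).
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// User enumeration: drop the users routes from the REST API so usernames
// cannot be listed anonymously from /wp-json/wp/v2/users.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// Login attempt limit per client IP. Thresholds are this example's choice.
const HL_MAX_FAILS   = 5;
const HL_WINDOW_SECS = 15 * MINUTE_IN_SECONDS;

function hl_client_ip() {
    // Trust only REMOTE_ADDR. X-Forwarded-For can be forged by the client
    // unless a trusted proxy in front of you rewrites it; adjust if so.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function hl_fail_key() {
    // Transient name for this IP's failure counter (prefix is an assumption).
    return 'hl_fails_' . md5( hl_client_ip() );
}

// Count each failed login. This fires for wp-login.php and XML-RPC alike,
// and the counter expires HL_WINDOW_SECS after the last failure.
add_action( 'wp_login_failed', function () {
    $key   = hl_fail_key();
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, HL_WINDOW_SECS );
} );

// Refuse the login once the IP is over the limit. Priority 30 runs after
// core's username/password check at 20, so even a correct password from a
// locked-out IP is rejected until the window expires.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( hl_fail_key() ) >= HL_MAX_FAILS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed logins from your address. Try again later.'
        );
    }
    return $user;
}, 30, 3 );

// Clear the counter after a successful login.
add_action( 'wp_login', function () {
    delete_transient( hl_fail_key() );
} );

/*
 * Editor / installer lock: put these two lines in wp-config.php (not here).
 * The first hides the theme and plugin file editor under Appearance/Plugins;
 * the second also blocks installing, uploading or updating themes and
 * plugins from the admin panel, so a stolen admin password cannot be turned
 * into a PHP shell through a modified theme zip.
 *
 *   define( 'DISALLOW_FILE_EDIT', true );
 *   define( 'DISALLOW_FILE_MODS', true );
 */
```

Two caveats a practitioner should know before deploying this. Because a locked-out attempt itself returns a WP_Error, wp_signon fires wp_login_failed again and the window keeps extending while the attacker keeps trying, which is the intended effect, but it also means a shared NAT address can lock out legitimate users; pair it with an allow-list or move the limit to the web server if that matters. DISALLOW_FILE_MODS also removes the admin-panel update buttons, so keeping WordPress and plugins current (steps 11 and 12 above) then has to be done with WP-CLI or by your host, not skipped. Removing the /wp/v2/users routes also hides the author picker in the block editor for logged-in users; if you need that, replace the unset with a check on is_user_logged_in() inside the same filter instead of deleting the route.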