en-gb.wordpress.org/plugins/antispam-bee/

Say goodbye to comment spam on your WordPress blog or website. Antispam Bee blocks spam comments and trackbacks effectively, without captchas and without sending personal information to third-party services. It is free of charge, ad-free and 100% GDPR compliant.

---

---

search.google.com/search-console

Check the site for issues with Search Console

---

Google Safe Browsing

transparencyreport.google.com/safe-browsing/search

---

developers.google.com/web/fundamentals/security/hacked/request_review

---

patchstack.com

Identify plugin vulnerabilities in your WordPress sites

---

---

Complete Wordpress Malware Solution

Are you facing the problem with malware? Is your website blocked from Google and shows malware warning? We will solve your problem. Wpmalwares provide complete malware removal from your WordPress website at affordable price.

---

wpsec.com

IS YOUR WORDPRESS WEBSITE PROTECTED AGAINST ATTACKERS?

Scan your WordPress website below to get free & instant access to your online security scan results.

---

virustotal.com

Analyze suspicious files and URLs to detect types of malware, automatically share them with the security community

---

sitecheck.sucuri.net

Enter a URL (ex. sucuri.net) and the Sucuri SiteCheck scanner will check the website for known malware, viruses, blacklisting status, website errors, and out-of-date software, and malicious code.

---

scanmyserver.com/my_account/ (Free)

What does ScanMyServer do?
We'll test your website or blog to see if it is vulnerable to being hacked. Each page will be tested for security weaknesses. We'll then provide you with a report that you can use to correct any problems.

---

ssllabs.com/ssltest/

This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet. Please note that the information you submit here is used only to provide you the service. We don't use the domain names or the test results, and we never will.

---

acunetix.com/vulnerability-scanner/free-website-vulnerability-scanner-online

---

app.upguard.com/webscan

---

observatory.mozilla.org

---

tinfoilsecurity.com/

Real time security reports pushed directly into your developer's workflow.

---

hackercombat.com/website-malware-scanner/

---

webinspector.com/product-price.php

---

isitwp.com/wordpress-website-security-scanner/

---

wprecon.com/

---

app.upguard.com/webscan

---

safeweb.norton.com/

---

hackertarget.com/wordpress-security-scan/

securityscan.getastra.com/

codex.wordpress.org/Data_Validation

---

---

owasp.org/Category:Attack

---

Web Application Firewall (WAF)

---

Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF)

---

SQL Injection

Number one on the hit list is the SQL injection attack. In this case, someone enters an SQL fragment (the classic example is a drop database statement, although there are many possibilities that don’t include deletions which could be just as destructive) as a value in your URL or web form.

---

XSS (Cross Site Scripting)

---

Subdomain takeovers

---

developer.mozilla.org/en-US/docs/Web/Security

---

---

---

wordfence.com/learn/

---

How to remove Malware from WordPress sites

---

WordPress Security: The Ultimate 32-Step Checklist

---

How to clean my files from malicious code?

siteground.com

---

How To Change Wordpress Login URL Without Plugin-Complete Video

Video Tuts by ThemesGrove - Apr 27, 2019

---

The xmlrpc.php File and Site Security

---

sucuri.net/guides/how-to-remove-google-blocklist-warning/

---

Protect Against WordPress Brute Force Amplification Attack

---

---

WPBEGINNER» BLOG» TUTORIALS» HOW TO DISABLE DIRECTORY BROWSING IN WORDPRESS How to Disable Directory Browsing in WordPress

---

shipsoft.net/category/wordpress/wordpress-advance-security/

---

10 Best WordPress Security Plugins to Protect your Website

by LearnWoo

---

WordPress security & malware remove - 2

Video Tuts by RRF Online FREE - Jul 22, 2018

---

---

Keep your WordPress site and plugins up-to-date

It is really important to keep your core WordPress files and all of your plugins updated to their latest versions. Most of the new WordPress and plugin versions contain security patches. Even if those vulnerabilities cannot be easily exploited most of the times, it is important to have them fixed. Remove Any Inactive or Unused Plugins. Make Sure All Themes Are Kept Updated

---

Don't use the "admin" username

Most of the attackers will assume that your admin username is "admin". You can easily block a lot of brute-force and other attacks simply by using a different admin username. If you're installing a new WordPress site, you will be asked for the admin username during the WordPress installation process. If you already have a WordPress site, you can follow the instructions in this tutorial on how to change your WordPress username.

---

Use strong passwords

There are thousands of people that use phrases like "password" or "123456" for their admin login details. Needless to say, such passwords can be easily guessed and they are on the top of the list of any dictionary attack. A good tip is to use an entire sentence that makes sense to you and you can remember easily. Such passwords are much, much better than single phrase ones.

passwordsgenerator.net

---

---

Don’t Reuse Passwords

You should NEVER reuse passwords.

I hear you, it’s convenient to have one (hopefully strong) password across the board. You won’t have to remember so many passwords but this is very wrong on many levels.

Once again, hackers know this is a bit of a human weakness. It means that when one of your accounts is compromised they have probable access to ALL of the rest of your accounts.

There are plenty of password managers out there that will allow you to create different passwords and store them securely. These are highly recommended.

---

 Protect Your Password(s) By Avoiding Plain-Text Password Transmission

It’s a known fact (and a sad reality) that there is all kinds of snooping on internet traffic. Sensitive data such as credit cards and passwords should never be sent in unencrypted form.

There will be plenty of eyes (and analyzers) on your data. Do make sure you protect your passwords by employing the following preventive techniques

1. Don’t send passwords over email, chat, social networks or other unencrypted forms of transmission
2. Implement HTTPS on your WordPress site, particularly on your backend, to avoid passwords being sent in plain-text..
3. Avoid using plain FTP when accessing your site. Use SSH or FTPS. The FTP protocol was written in the internet dark ages, and it’s not safe to use. Passwords and files are transmitted in plain text and not encrypted at all. FTPS or (Secure FTP), on the other hand, actually encrypts data transmission over FTP. You’ll need to setup an FTPS account on your hosting server before being able to do this.
4. Of course, passwords should not be shared between users or stored in plain-text anywhere no matter how convenient this may be. The practice of sharing logins and passwords flies in the face of security and accountability.

---

Ensure your computer is free of viruses and malware

If your computer is infected with virus or a malware software, a potential attacker can gain access to your login details and make a valid login to your site, bypassing all the measures you've taken before. This is why it is very important do have an up-to-date antivirus program and keep the overall security of all computers you use to access your WordPress site on a high level.

---

Protect your WordPress Admin Area

It is important to restrict the access to your WordPress admin area only to people that actually need access to it. If your site does not support registration or front-end content creation, your visitors should not be able to access your /wp-admin/ folder or the wp-login.php file. The best you can do is to get your home IP address (you can use a site like whatismyip.com for that) and add these lines to the .htaccess file in your WordPress admin folder replacing xx.xxx.xxx.xxx with your IP address:

 <Files wp-login.php>
order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx
 </Files>
 

In case you want to allow access to multiple computers (like your office, home PC, laptop, etc.), simply add another Allow from xx.xxx.xxx.xxx statement on a new line.

If you want to be able to access your admin area from any IP address (for example, if you often rely on free Wi-Fi networks) restricting your admin area to a single IP address or to few IPs can be inconvenient. In such cases we recommend that you limit the number of incorrect login attempt to your site. This way you will protect your WordPress site from brute-force attacks and people trying to guess your password. For such purposes, you can use a the plugin called WP Limit login attempts.

---

Use a Good Web Host

A good web host is your first line of defense against attacks on your site. So don’t automatically opt for cheap shared hosting.

Go with a reputable host that supports the latest versions of basic web technologies, such as PHP and MySQL. Be sure to check your host supports PHP 7 – it is the official recommended PHP version for WordPress.

---

Only Use Quality Themes and Plugins

According to WPScan, 52% of website vulnerabilities are caused by plugins while 11% are caused by themes. Combine, that’s more than 60% of WordPress security

The easiest way to ensure your plugins and themes can stand up to attacks is to only download them from reputable sources. This includes WordPress.org and premium providers. Downloading from dodgy developers who hide malicious code in their themes and plugins could compromise your site.

Also, ensure any plugins and themes you use are also well-supported and regularly updated. If a plugin or theme hasn’t been updated in a long time, chances are it contains security holes that are unpatched or even bad code that could leave you vulnerable to hacks.

---

Protecting wp-config.php and .htaccess Files

Your site’s wp-config.php file, which is usually located in the root folder of your website, contains critical information about your WordPress installation, including the name, host, username and password for your database. Meanwhile, .htaccess is a hidden file that sets directory level server configuration, enables pretty permalinks, and allows for redirects.

Preventing access to these critical files is easy. Simply add the following to your .htaccess file to protect wp-config.php:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Alternatively, you could simply move your wp-config.php file on directory higher as WordPress will automatically look for it there.

To stop unwanted access to .htaccess, all you need to do is change the file name in the code:

<Files .htaccess>
order allow,deny
deny from all
</Files>

---

Install Themes, Plugins and Scripts ONLY From Their Official Source

---

Make Sure Your Site is Running the Latest Version of PHP

---

Only Update Your Site From Trusted Networks

Sometimes we tend to take the convenience of finding free Internet Wifi as a godsend.

But paranoid security freaks (like me) tend to shudder at the thought of updating a website from an untrusted network such as the free Wifi connection at your local cafe.

An open Wifi connection is extremely easy to snoop on. You may be getting much more than the “freebie” you thought you were getting if you access your WordPress administration site from a network that is untrusted.

Only update your site from trusted networks, such as those at your home and at your office.

---

Add Security Keys

WordPress security keys and salts encrypt information stored in browser cookies, protecting passwords and other sensitive information. There are four security keys in total: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY.

These authentication keys are basically a set of random variables and make it harder to crack your passwords. A non-encrypted password like “wordpress” doesn’t take much effort for attackers to break. But a long and random password like “L2(Bpw 6#:S.}tjSKYnrR~.Dys5c>+>2l2YMMSVWno4`!%wz^GOBf};uj*>-tkye” is much more difficult to crack.

Adding security keys and salts is a manual process and easy to do. Here’s how to do it:

1. Get a new set of security keys and salts. You can randomly generate them here.
2. Next, update your wp-config.php file. Open your file and scroll down until you find the section below and replace the old values with your new keys and salts:

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY', 'add unique variables here');
define('SECURE_AUTH_KEY', 'add unique variables here');
define('LOGGED_IN_KEY', 'add unique variables here');
define('NONCE_KEY', 'add unique variables here');
define('AUTH_SALT', 'add unique variables here');
define('SECURE_AUTH_SALT', 'add unique variables here');
define('LOGGED_IN_SALT', 'add unique variables here');
define('NONCE_SALT', 'add unique variables here');

/**#@-*/

3. Save your wp-config.php file. You’ll be automatically logged out of your WordPress site and will need to log in again.

---

Disable File Editing

WordPress features an internal code editor for plugin and theme files. While this is useful for admins who want to make quick changes to files, it also means hackers and high-level users can also make file changes. You can find this feature by going to Appearance > Editor in your WordPress admin.

You can disable file editing in your wp-config.php file. Just open your file and add this line of code:

define('DISALLOW_FILE_EDIT', true);

You’ll still be able to edit your plugins and themes via FTP or cPanel, just not in the WordPress admin.

---

Prevent PHP Files from Being Executed/Disable PHP Execution

A common folder for hackers to upload malware in WordPress is wp-content/uploads, but also wp-includes/. To prevent files from being executed in these folders, create a new text file in a text editor and paste in this code:

<Files *.php>
deny from all
</Files>

Next, save this file as .htaccess and upload it to both your /wp-content/uploads and wp-includes/ folders via FTP or cPanel.

Disable PHP Error Reporting

When you are developing a website, error reporting is a life-saver. It shows you exactly where an error is coming from so you can quickly fix it.

But, on a live site, error reporting gives crucial clues to hacker to make their life much easier than it has to be.

For example, check out the below error report:

PHP error reporting can give away important information about your WordPress installation.

The error above is giving away the username of the account. That’s a crucial piece of information for somebody who is looking to attack your hosting account.

This is only one piece of information – error reporting can typically give really good clues if you know what weaknesses you are looking for.

You can disable PHP error reporting using the following change in your php.ini file:

error_reporting = 4339
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /home/example.com/logs/php_error.log
log_errors_max_len = 1024
ignore_repeated_errors = On
ignore_repeated_source = Off
html_errors = Off

Disable XML-RPC Selectively

XML-RPC, or XML Remote Procedure Call, is an API that helps connect web and mobile apps with your WordPress site. It was enabled by default in WordPress 3.5 but has since been found to significantly amplify brute force attacks.

For example, if a hacker wanted to try 500 different passwords on your site, usually they would have to make 500 separate login attempts. But with XML-RPC, the hacker could use the system.multicall function to try a large number of username and passwords combinations in a single HTTP request.

While it would be easy to simply disable this feature altogether for your site, it would mean losing functionality for plugins like Jetpack. Instead, it’s best to selective in the way you implement and disable XML-RPC using specially designed plugins.

XML-RPC files are installed by default on every WordPress website. These files allow your website to utilize third-party apps or plugins such as Google Analytics for WordPress. Third-party apps are a common method for hackers to use when infiltrating a website. You may remove this function from your WordPress website with the following code implemented onto your .htaccess file:

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

It depends on configuration but your WordPress theme may be considered a third-party app or plugin. As such we recommend confirming with your developer, theme vendor and saving a backup .htaccess file to restore as needed.

Remote File Inclusion

Hang on while I try to explain this: remote file inclusion is when remote files get included in your application. Pretty deep, eh? But why is this a problem? Because the remote file is untrusted. It could have been maliciously modified to contain code you don’t want running in your application.

Suppose you have a situation where your site at www.myplace.com includes the library www.goodpeople.com/script.php. One night, www.goodpeople.com is compromised and the contents of the file is replaced with evil code that will trash your application. Then someone visits your site, you pull in the updated code, and Bam! So how do you stop it?

Limit Login Attempts

We’ve already discussed brute-forcing of passwords and the fact that using bots is cheap and a good investment for hackers. For this reason, you should put in place mechanisms to block any attempts at brute-forcing your password.

The Limit Login WordPress plugin does exactly this. If it detects a number of incorrect login attempts it denies that user the possibility of trying again for some time. This, of course, makes the brute-forcing attempts much more difficult to succeed and significantly improves your WordPress security.

---

Enable Two-Factor Authentication

One way of quickly and very easily securing your WordPress logins is by enabling Two Factor Authentication, also known as 2FA.

2FA creates a mechanism whereby to log in to your WordPress backend, besides your regular password, you will also need a time-based security token that is unique to each user. This token also expires after a period of time usually 60 seconds.

The security token is typically generated by an app such as the Google Authenticator.

Because there is a security token unique to each single user that expires, even if somebody knows your login credentials, they will still not be able to log in. This is because they will not have the current security token. This drastically increases the strength of your login and also helps mitigate brute force attacks on your login details.

There are a number of plugins that can help you setup WordPress Two Factor Authentication.

Ensure File Permissions Are Correct

This is a bit of technical thing.

PHP and WordPress in general use a set of permissions associated with files and folders. Without going into too much detail, there are different types of permissions

• Publicly writable files and directories
• Files writable by the web server only
• Read-only files

In general, your web server typically needs to be able to write files for WordPress to work correctly, whilst the public internet NEVER needs to have write access to your files.

Some newbie or lazy developers, might suggest that you change permissions to be more lax. For example, they might suggest making certain files or folders publicly writeable (777). This will create a serious security threat because it means that anyone can write anything to that folder. You can rest assured that you’ll find plenty of nasties in your WordPress site if you do that. They will also probably find ways and means of jumping out of the folder to wreak havoc on the rest of your site.

As a general rule of thumb, files should have a 644 permission and folders should have 755 permissions. The wp-config.php file should have 400 or 440 permission.

If anybody tells you otherwise, be very wary. My suggestion is stop dealing with anybody who suggests otherwise.

How can you check for the correct file permissions? Defender, mentioned above, is a WordPress security plugin that will check and fix file permissions for you as necessary.

---

Change the Default Table Prefix

This is another remnant of old versions of WordPress. Previously, the name of WordPress tables in the database used to start with the prefix wp_

Although this is no longer default behavior, some people still tend to revert to this (unsafe) practice, whilst older versions of course still have to live with this.

Although this is, strictly speaking, WordPress security through obscurity, renaming the tables from wp_ to a different prefix may still block some attempted SQL injection attacks.

The procedure to rename existing wp_ tables should be done only by your trusted WordPress developer.

---

Install a Firewall

There are two main types of firewalls, or uses for firewalls. In network security, firewalls are used to segregate different types of networks. Either keeping things from getting in, or things from getting out.

Again, if we use an analogy, a firewall can be described as a bouncer – you’re only allowed into a VIP party if you are on the guest list. Just like the bouncer at a party who typically stops people from getting in, software firewalls can be used to keep hackers from getting near your website(‘s party).

In the case of securing WordPress, we’re going to use a Web Application Firewall (WAF) to keep hackers from sticking their dirty little hands (or bots) into places where they don’t belong.

There are a number of WAF firewalls but one of the most reliable, free and open-source firewalls usually available with WordPress hosting services is the ModSecurity firewall.

You may want to ask your hosting service to see whether this is available on your hosting service, and enable it if it is. Once it is enabled, your hosting provider or your trusted WordPress developer can typically suggest or implement rules around ModSecurity.

WP-ADMIN DIRECTORY PROTECTION

This is the heart of your site. This is another vulnerable place that hackers are itchy to access. In order to protect it from breaching, it's strongly recommended to protect your wp-admin directory with a password. In such a way, a website administrator will be asked to submit 2 passwords when he needs to access your site's backend. One of them is the password to the login page, whereas the second one is responsible for the admin panel of your site.

---

SET USER ROLES WISELY

If you run a multi-author blog, then you will need to specify what kind of content different users will be able to access and manage once they enter the admin panel of your site. You can use free WordPress plugins for this purpose. Several of the most useful suggestions are listed below. These will help you to specify user roles on your site and restrict access to the vulnerable data.

As the administrator of your site, you need to rename the admin username in a way that is not so easy for the hackers to guess when they try to access the admin panel of your site

---

KEEP YOUR CURRENT WORDPRESS VERSION NUMBER IN SECRET

Do not help hackers to attack you! If they know the exact version of the software that powers your site, they will be able to tailor-build the perfect attack for your web project. In order to prevent this from happening, hide your WordPress version using the free WordPress security plugins that we reviewed below. Just in case your site got hacked, use Sucuri. The link to it is also on the list below!

---

Protect Admin Login by IP Address

You may be surprised to find out that the default login page for every WordPress website is https://www.yourdomain.com/wp-admin/. This allows those who are looking to breach your website to easily attempt to login. However, by adding an internet protocol (IP) address exclusion only users from a specific area will be able to view your login page. Here is the code you should add to your .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist User1 IP address
allow from 12.345.67.890
# whitelist User2 IP address
allow from 09.87.65.432
</LIMIT>

In the above code make sure to update the “allow from 12.345.67.890” with your own IP address. If you have multiple users accessing this page or are accessing it yourself from multiple locations then be sure to update the second user as well “allow from 09.87.65.432”. You can find your own IP address by searching Google “what is my ip address?”.

Disable Directory Traversal

Disabling directory browsing adds another layer of security to your WordPress website. It will help prevent others from viewing your directory, archive or image files in a list which may be used to find a weak spot on your domain security. While obscuring directory listings may not be the end all to avoiding security breaches, it definitely helps deters those who may want to breach your website by making it more difficult. You may implement the following code on your .htaccess file to prevent directories from being viewed:

Options -Indexes
IndexIgnore *.zip *jpg *.gif

It is recommended by most WordPress security experts to add these lines of code to your .htaccess file. Implementing this solution will make you a more difficult target to breach, hopefully deterring any attacker and increasing their chances to move on to an easier domain.

Ban An Abuser IP Address

This would be the equivalent of ejecting a bad customer from your store. They may be running a script to slow down your website, sending an abnormal amount of requests or harassing others on the forums or blog comments. Regardless, it is time for them to leave and no longer enter your store. This is done quite easily using the following line of code:

order allow,deny
deny from 12.345.67.89
deny from 71.181.64.80
allow from all

This code will block incoming traffic from the internet protocol (IP) addresses 12.345.67.89 and 71.181.64.80 respectively. They will be shown a 403: Forbidden error page which you may customize using the code found in our Custom Error Pages section. In addition, it will still allow all other users to navigate the website as normal with the “allow from all” line of code found at the bottom.

Secure WordPress Plugin Files

WordPress is one of the most popular content management systems due to their integration with third-party plugins. While these third-party plugins enable you to completely customize your website, they do leave you vulnerable to security breaches. While not common, a few WordPress plugins allow access to unauthorized users posing a major security threat. The following code will prevent others from having access to plugin files:

<files ~ ".(js|css)$"="&”.(js|css)$&">
order allow,deny
allow from all
</files>

We strongly encourage you to keep your plugin up to date and report any potential security issue to the developer.

Prevent Code Injections

Code injections are attacks on your domain which have a wide variety of purposes. The script may be used to discover login information, breach your database, display pop-up messages to incoming traffic and more. They specifically target elements within your HTML, CSS, Javascript or SQL database. The following htaccess rewrite rules prevents unauthorized code injection from running on your website:

    Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

In this trick you do not need to edit any of the above code to fit your website. You can simply copy and paste this into your .htaccess file to prevent code injections.

Block Brute Force Attacks

With WordPress being such a common content management system (CMS) or website platform, it has naturally become a target for hackers to crack. The most common effort is running a script which attempts logins over and over. This causes your server to overload and the hacker may find out your password. You may add the following lines of code to prevent these brute force attacks:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?example\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]

In the above example you will need to update the third line from example\.com to your domain (without www). In the above scenario a hacker is attempting logins without ever visiting your website. This script prevents anyone from direct access and requires that the user submitted the login form on your website.

If you would prefer only known IP addresses to be able to attempt to login you may add the following code:

RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]

You must update line four with your actual IP address. You may find your IP address by searching on Google “What is my IP address?”. In addition, you may add multiple IP addresses simply by adding another line below.

Prevent Unauthorized wp-admin and wp-login.php Attempts

You may add another layer of security by preventing unauthorized access to admin login. If you are not an authorized user you will be given an error page such as 401 Unauthorized or 403 Forbidden. You will need access to your hosting files and add the following code to your .htaccess file under wp-admin directory:

ErrorDocument 401 "Unauthorized"
ErrorDocument 403 "Forbidden"

# Allow admin-ajax.php access
<files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</files>

In addition, you will need to add the following code to your .htaccess file under the public_html directory:

ErrorDocument 401 "Unauthorized"
ErrorDocument 403 "Forbidden"
<filesmatch "wp-login.php">
AuthType Basic
AuthName "WordPress Admin"
AuthUserFile "/home/USERNAME/.htpasswds/public_html/wp-admin/passwd"
require valid-user
</filesmatch>

The above code this adds another layer of security to prevent hackers from breaching your website.

BACK UP YOUR SITE REGULARLY

You may run the most secure website with the 2-step authorization and tons of security plugins for a range of purposes. However, you never know what kind of risk your web resource may face tomorrow or what issues the web host may undergo. Whatever happens, you need to feel certain that all data and site settings are protected. This is when the regular site backups will come into play. Even if your site crashes or gets attacked by scammers, you can always restore it with the help of a backup.

---

search.google.com/search-console

You have to request a review with search console after cleaning the site

---

How to Remove Google Blocklist Warnings

sucuri.net/guides/how-to-remove-google-blocklist-warning/

---

---

---

divpusher.com/blog/wordpress-customizer-sanitization-examples/

---

developer.wordpress.org/themes/theme-security/data-sanitization-escaping/

---

---

---