There are various steps that can be taken with .htaccess as well. You can even protect the .htaccess file itself.

From many videos I've watched, hardening the server is the first thing one must do. Then add necessary security on WordPress.

Great video. But from what I hear from other WP security experts: there is more to securing a website than just using a security plugin. In short, they suggest security should be done in layers starting from the server layer down to the application layer. But yea, I get it. For beginners using a strong password and a security plugin should work 90% of the time.

Who in their right mind uses 3 letters for a password? BOB. LOL!. I've got a password breaker and it takes over 24 hours to scan properly, and it still couldn't get my password.

ty for the video and Would be great to see the v2 of this video. with extra ways and more details.

I might of missed it, but might be a good video follow up about how to use that wpscan CLI to test your own or client site setups

So what to do if you cannot guess the username and password please?

Great content, Jamie. You are always bringing your A-game.

First rule ! normally wordpress website don't have admin as the username or user id and also wpscan doesn't work when your add enumerator disabled. .

Welp...a little nerve wracking, but very informative, good to know info. TY, Jamie and Ryan.

This is a well put together and informative video. Thank you. I'm glad you popped up in my suggestions. I have liked and subscribed.

Thanks Jamie. Just a few remarks: I gonna watch the clip again. From what I've seen the strategy is to find a password. There other methods as well, such as : (1) installing the hacker's own file for index.php/index.html in one of the landing directories. That could be countered by installing a dummy index.php and index.html in each directory (dummies wherever the files are NOT IN USE) and then making all of these files (including the functioning files) write-protected (read-only). (2) The site owner should change the username with admin rights to another name, to make it more difficult for the hacker to log in. I had been thinking about using a child theme with a name not obvious related to the parent theme. Would that be sufficient to hide the parent theme name, from hackers? Security is important for e-commerce websites or any website that displays payment information. I see people use QR-codes with payment information and that makes me think, how possible is it for the hacker to overwrite that with his own information? To check a QR-code takes quite some effort since you cannot just eye-ball them?

Plugins are the most comromised I would say. Because of old plugins they can overwrite your SQL database. Basically the do this to deal shaddy ads to your visitors.

Yikes - great video and public service announcement!

It would be great if you could make a video on how to protect wordpress with .htaaces without plugin, with all the necessary codes. There is also code for the wp.config file. In addition, you can create a mu plugin or a custom plugin with codes such as smtp, google analytics, CPT and the like, in short, to reduce everything to code and have everything in one place without additional plugins. I would be happy to watch that video. Thank you.

Amazing video 🙌 congrats!

Why do “hackers” I’m not sure this person really is. 0:01 only hack easy passwords? It’s like someone showing you how to play snooker and putting all the balls over the pockets

Another great video.

He uses last pass?!

You brute forced the password online but what about the majority of websites that gives you a “404” when brute forcing?

Hi Jamie. I'm concerned about your nice kitty getting too fat. Should I avoid liking? :)

bro hack in mac

Nice try 'guessing' the user to hack