Since a lot of WordPress sites have been hacked in the last few months, I wrote up some tips, and collected others from other blogs, on how to secure your WordPress installation against getting hacked.
Keep your WordPress and the plugins up to date
You must keep WordPress and your plug-ins up to date, because in most cases that is what stops attackers from using known vulnerabilities to hack your site.
- Always check the WordPress Development Blog for the latest security issues.
Use a strong password
Check your password with this strength meter.
Use a different prefix
Use a prefix other than the default for your WordPress database tables; it mitigates zero-day SQL injection attacks that assume the standard table names.
Disable directory browsing
Always back up your files before modifying or editing them!
With directory browsing enabled, attackers can see what you have on your site (plugins, etc.), so just write this to your .htaccess file:
Options All -Indexes
Prevent Search Engines from indexing your sub-folders
Also write this to your robots.txt file to stop bots from indexing the contents of your sub-folders (note that robots.txt is only honoured by well-behaved crawlers):
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-*
Protect your wp-config.php file
wp-config.php contains all your database login information, so it must be well protected. This code prevents anyone from reading it over the web; write it to your .htaccess file:
# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
Or you can simply move it: WordPress is able to look for wp-config.php in your root directory, which makes the file harder to find or access.
So you can change the location of your wp-config.php file from
To
Limit login attempts
Sometimes an attacker may think they know your password, or may write a script to guess it. In that case you need to limit login attempts. You can easily do so with a plugin called Login Lockdown, which locks a user out if they enter the wrong password more than the specified number of times. They stay locked out for a configurable period, and you control the settings from your wp-admin panel.
Limit the access to the admin panel
If you have a static IP address this will be helpful: with this code you will be the only one who can access the admin area. Write it to the .htaccess file in your wp-admin folder:
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
Replace xxx.xxx.xxx.xxx with your IP address.
Use secret keys
The security keys AUTH_KEY, SECURE_AUTH_KEY and LOGGED_IN_KEY were added to ensure better encryption of the information stored in the user's cookies. A secret key is a hashing salt that makes your site harder to hack and access harder to crack by adding random elements to the password. In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like "password" or "test" is simple and easily broken; a random, unpredictable one such as "88a7da62429ba6ad3cb3c76a09641fc" takes years to come up with. To add security keys, open your wp-config.php.
Visit the WordPress secret-key generator to get random security keys.
Find these lines in wp-config.php:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
and insert the keys you got from the generator, e.g.:
define('AUTH_KEY', 'GJ--Vxy|sNmv8J4XS-o]={]O90_kK%ns,hsZ*hMpq+)y?aZc$,[s`I{Qh-?P22kd');
define('SECURE_AUTH_KEY', '&#+Rlm?xb?1]#w-v|W||H[!_ev@KMrP');
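The table-prefix, directory-browsing, wp-config.php-protection and secret-key tips above are easy to miss on a migrated or half-hardened site, so here is a small audit script that checks all four at once. It is an added example, not code from the original post or from WordPress: it assumes you pass in the text of wp-config.php and of the .htaccess file, treats keys shorter than 32 characters as too short (an assumed threshold), and the sample configs and key values are constructed for the demo.

```python
import re

PLACEHOLDER = "put your unique phrase here"
KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
MIN_KEY_LEN = 32  # assumed threshold; the WordPress key generator emits 64-char keys

def audit_wp_config(text):
    """Return findings for the secret keys and the table prefix in a wp-config.php body."""
    findings = []
    for key in KEYS:
        m = re.search(rf"define\(\s*'{key}'\s*,\s*'([^']*)'\s*\)", text)
        if m is None:
            findings.append(f"{key} is not defined")
        elif m.group(1) == PLACEHOLDER or len(m.group(1)) < MIN_KEY_LEN:
            findings.append(f"{key} is still the placeholder or too short")
    # The default wp_ prefix lets an injection payload name the tables outright.
    m = re.search(r"\$table_prefix\s*=\s*'([^']*)'", text)
    if m is None or m.group(1) == "wp_":
        findings.append("table prefix is the default wp_")
    return findings

def audit_htaccess(text):
    """Return findings for directory listing and the wp-config.php deny block."""
    findings = []
    if not re.search(r"^\s*Options\b.*-Indexes", text, re.M | re.I):
        findings.append("directory browsing is not disabled (no Options -Indexes)")
    if not re.search(r"<files\s+wp-config\.php>.*?deny\s+from\s+all.*?</files>", text, re.S | re.I):
        findings.append("wp-config.php is not protected by a <files> deny block")
    return findings

# Constructed sample of a fresh install: placeholder keys, wp_ prefix, and no .htaccess at all.
WEAK_CONFIG = "<?php\n" + "".join(f"define('{k}', '{PLACEHOLDER}');\n" for k in KEYS) + "$table_prefix = 'wp_';\n"
# Constructed sample after applying the advice above; the key values are made up for the demo.
HARDENED_CONFIG = """<?php
define('AUTH_KEY',        'GJ--Vxy|sNmv8J4XS-o]={]O90_kK%ns,hsZ*hMpq+)y?aZc$,[s`I{Qh-?P22kd');
define('SECURE_AUTH_KEY', 'kQ7!vN2#pL9$wR4%tY6^uI8&oP1*aS3(dF5)gH0=');
define('LOGGED_IN_KEY',   'zX9@cV3~bN6+mM1-lK4_jH7{gF0}dS2<aP5>qW8|');
define('NONCE_KEY',       'eR1;tY4:uI7/oP0?pA3,sD6.fG9[hJ2]kL5!zX8~');
$table_prefix = 'blog7_';
"""
HARDENED_HTACCESS = """Options All -Indexes
<files wp-config.php>
order allow,deny
deny from all
</files>
"""

if __name__ == "__main__":
    print("weak:", audit_wp_config(WEAK_CONFIG) + audit_htaccess(""))
    print("hardened:", audit_wp_config(HARDENED_CONFIG) + audit_htaccess(HARDENED_HTACCESS))
```

An empty list means every check passed; run it against the real files with `open(path).read()` in place of the constructed samples.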
Protect your blog from malicious URL requests
Install the plugin in your WordPress installation and it will work like a charm.
Remove or disable unused plugins
You have probably tried a lot of them to check their functionality, but never disabled or removed them. Remove all unused plugins: attackers can find a way to exploit them even if you are not using them.
Backup
Always keep a backup of your blog's files and database; back up the blog contents to your own system regularly. Taking manual backups is tedious, so try WP DB Manager or any other plugin that does the job.
Happy Safe Blogging 😛
Tags: featured, plugins, security
Great post! Backup, backup and backup…
Excellent article! Some measures that I use, and some new practices for me to put in place! Have you evaluated the services from CloudFlare? I consider it a key part of securing WordPress sites that I put up.
Excellent!!!
nice this help for helpful