Results 1 to 10 of 13
Hybrid View
-
8th Oct 2011, 03:11 PM #1OPJust Another Coder
Guide to Secure WordPress
WordPress is open source, meaning anyone, including a hacker with malicious intent, can sand the source code to find holes in its security. That’s why I’m going to show what are good to take precautions to protect you, your WordPress and most importantly, your users.
Every version comes with improvements, but until we get a completely secure WordPress version we have to find ways to improve the security ourselves. I just wanted a list of items you can do that can make your blog a little harder to crack. Some security is better than no security, in my opinion. If a bot or a hacker spends too much time trying to get it, hopefully move on to something different and easier to find.
There shouldn’t be any reason for you to leave your WordPress wide open for hackers to creep in and steal your information and/or destroy your data
Follow the following steps to secure your WordPress installation and your website.
- Regular Backups
Regardless of the level of security of your WordPress site, it is a good habit to always backup your site.There are many ways to do this.
You can take advantage of cron jobs, if you’re hosting company provides it, by using this command:
Code:DBNAME=DB_NAME DBPASS=DB_PASSWORD DBUSER=DB_USER EMAIL="you@your_email.com" mysqldump --opt -u $DBUSER -p$DBPASS $DBNAME > backup.sql gzip backup.sql DATE=`date +%Y%m%d` ; mv backup.sql.gz $DBNAME-backup-$DATE.sql.gz echo 'BLOG BACKUP:Your Backup is attached' | mutt -a $DBNAME-backup-$DATE.sql.gz $EMAIL -s "MySQL Backup" rm $DBNAME-backup-$DATE.sql.gz
Plugins on WordPress
- Use Strong Password
Make sure you use a strong password that is difficult for others to guess. Use a combination of digits, special characters and upper/lower case to form your password. Yes, I know, you’re sick and tired of this tip. But having a good password is a must.
Random PassWord Generator might help you out with this.
- Hide WordPress Version
Let me guess you don’t have time to update your WordPress version or 5 minutes to spare. Would you give a chance for a hacker to creep in ? No ? Then do the following to hide the current version of your WordPress blog.
Remove the following from your header.php (if exists). Delete it and press Update File.
Code:<meta name=”generator” content=”WordPress <?php bloginfo(’version’); ?>” />
Code:<?php remove_action('wp_head', 'wp_generator'); ?>
Create a new account with a username you like, give it full rights, then log in with that new account, and change the privileges of the admin user subscriber. That’s better than deleting the admin account. The admin account is essentially only needed to manage themes, plugins and other aspects of the site that does not need to be changed at on a daily basis – an editor account would be sufficient.
Why? Because the hacker or bot or whatever will first check the username admin, and if it does not exist, say wordpress will make mistakes, but if it does exist, he will believe is the real administrator account, and he will try to break the code for. Even if he manages to do, he is registered as a subscriber, he can not hurt. So we are actually misleading them in the wrong direction.
- Always UPDATE WordPress & Plugins
This is very important. Once a new update is for WordPress Plugin or Theme, or back up your database and click the update button without hesitation. Besides a few cool features that may have been added to WordPress in the new version there’s a good chance that some major security hole is fixed.
Nearly 60 million sites use WordPress, when Automatic pumps out an update, the sooner you update your site, the better because when they make a new update they also post the vulnerabilities that they fixed.
3rd party application makers always keep updating their applications by fixing the security holes. Make sure you update them also from time to time.
- Limit Login Attempts
When you are the admin of the site do you require more than 5 tries to login into the admin dashboard ? Well a hacker who is trying to get into it will probably require more than 5 attempts to get in there. Installing plugins will improve the security is what I feel by adding another layer for the security. Login LockDown is one of the best plugins to limit the login attempts. There are few options you can select like amount of unsuccessful login attempts in a certain period of time, and the “ban” time. This plugin is useful when it comes to defend yourself against a brute force attack – most of the attackers to give a site if they IP banned for 5 minutes, while running their brute strength program.
- .htaccess For Security
.htaccess plays an important role and is also a key file for securing your blog in an efficient way. Build a hard wall around the wp-admin folder to allow only “you” to enter it and see the contents of using the following code in .htaccess
Code:AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "WordPress Admin Access Control" AuthType Basic <LIMIT GET> order deny,allow deny from all # Whitelist Your IP address allow from xx.xx.xx.xxx # Whitelist Your Office's IP address allow from xx.xx.xx.xxx # Whitelist Your IP address While Your Traveling (Delete When You Come Back Home) allow from xx.xx.xx.xxx </LIMIT>
- Configuring the wp-config file
Keys
Whenever you are installing wordpress for the first time make sure when you add the database details you should add the keys also to it. You can generate the keys from http://api.wordpress.org/secret-key/1.1/
This is the most common thing people forget to do.
define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);
The default prefix for tables in the database is “wp_” and it is advisable to change it into something else. You can use the WP Security Scan plugin to that and more on improving the safety to do so.
- Hide your Plugins
In the recent versions of WordPress this is already being implemented but just to let you I am writing about this. A hacker may easily find out if there are any security related plugins installed on your blog by going to /wp-content/plugins.
Adding blank index.html in the plugins folder is like a security sign, it does not matter if you actually security, but as long as the hacker does not know he will be less inclined to try something.
- Folder permissions
Unfortunately, this is a difficult issue and varies from server to server. In general, do you really want to limit who has access to your files on your server. For shared hosting, they are already configured for you. For others, you should probably limit entries to 755 or 644. You can start looking like some recommendations for right permissions on WordPress.
List of Recommended Plugins
Note that many plugins will run at the expense of the performance of your WordPress blog. Part of the plug-ins run only on demand, while others are present and run all the time, so your mileage may vary. Also, some of these plugins are not working properly.
Now with a safe and secure WordPress installation, you are ready to freely post your content without having to be afraid if you’re vulnerable to be hacked.
There may be many posts about this subject but my post focuses on a complete overview of the best ways to secure your WordPress blog. I might have missed something, if yes do let me know. I am not a pro, I just shared what i know.
Source : Feed The Flow
Tip from Proto Worker
fdls Reviewed by fdls on . Guide to Secure WordPress WordPress is open source, meaning anyone, including a hacker with malicious intent, can sand the source code to find holes in its security. That’s why I’m going to show what are good to take precautions to protect you, your WordPress and most importantly, your users. Every version comes with improvements, but until we get a completely secure WordPress version we have to find ways to improve the security ourselves. I just wanted a list of items you can do that can make your blog a little Rating: 5
-
8th Oct 2011, 04:11 PM #2MemberWebsite's:
porntonight.infoThanks for the Info Dear
-
9th Oct 2011, 03:44 AM #3Member
Very nice information
Good Bye Mates..
-
9th Oct 2011, 03:54 AM #4Member
Also move wp-config.php to somewhere below the www/public_html directory. You need not do any additional modifications for that, just move it and its works fine.
EDIT: I also suggest a pl;ugin named '404 Notifier'. It not only helps you in finding dead requests but also garbage requests, which can be a good start point for hackers.
-
9th Oct 2011, 03:57 AM #5Member
bookmarked
-
9th Oct 2011, 12:04 PM #6OPJust Another Coder
-
9th Oct 2011, 06:35 PM #7Member
Thanks for this! Bookmarked!
-
9th Oct 2011, 06:47 PM #8Member
@fdls
I think you should suggest 'Limit Login Attempts' plugin instead of login lockdown. There are two problems with login lockdown:
1. It leaves a signature in your login page about the plugin and its name. If a known exploit of LL exists, a hacker will easily gain access to your site.
2. 'Limit login attempts' is constantly updated to fix bugs, unlike Login Lockdown.
-
14th Oct 2011, 03:22 PM #9Member
Thanks for this! Bookmarked!
-
7th Nov 2011, 11:24 PM #10Probation
Thanks very helpfull, I was looking to make automatic backups
Sponsored Links
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Similar Threads
-
[Guide] Warez Starter Guide For *n00bs* :D
By CyberAff in forum Tutorials and GuidesReplies: 19Last Post: 14th Nov 2012, 03:01 PM -
How to Secure SSH in WHM
By Bharat in forum Technical and Security TutorialsReplies: 0Last Post: 28th Dec 2011, 02:10 PM -
[FULL GUIDE]*~\♦How To Secure Your Computer♦/~* [DETAILED]★★
By aman8819 in forum Tutorials and GuidesReplies: 0Last Post: 26th Jan 2011, 01:32 PM -
Top 15 Wordpress Plugins to Make Your Blog Secure
By SLiMRiDER in forum Useful SitesReplies: 3Last Post: 2nd Jun 2010, 05:05 PM -
need step-by-step guide to wordpress
By Daniel in forum Webmaster DiscussionReplies: 0Last Post: 9th Jan 2010, 06:30 PM
themaManager - edit and manage...
Version 4.04 released. Open older version (or...