How to Make Your WordPress Blog or Website Secure from Hackers

    It sounds terrible to hear or see that your site or blog has been hacked, especially after you have given 100% effort to it: installing WordPress, uploading a theme and writing good content and pages.

    Tips to make your site or blog secure from hackers

    Check Your Local Network/Machine: Always keep your PC clean and up to date. Especially on a Windows machine you need to run a full malware and anti-virus scan regularly.

    Make sure your PC's software firewall is turned on and that Windows' file-sharing feature is off.

    To check your firewall settings, go to Control Panel and choose Windows Firewall; if you are using Windows XP or Vista you may need to click Security Center first.

    In Windows XP, select the Exceptions tab, then look in the Programs and Services list to make sure "File and Printer Sharing" is unchecked.

    In Vista, click Change settings, then select the Exceptions tab and follow the instructions for XP.

    Also Secure Your Wireless & Network Connection: For a secure blog you need to make sure your Wi-Fi connection is secure from hackers.

    To make your wireless connection more secure, please see my last post: http://www.indiabook.com/bbs/showthr...390#post343390

    Blacklist all IP Addresses Excluding Your Own: Blacklisting IP addresses is another way to secure your blog and a good solution to prevent everyone else from logging in to your admin area.

    For this, go to the wp-admin folder of your WordPress installation, open the .htaccess file and add the code given below anywhere in it:
    [sourcecode]
    # deny everyone by default, then allow only the listed addresses
    order deny,allow
    deny from all
    # whitelist home IP address
    allow from YOURIPNUMBER
    # whitelist work IP address
    allow from YOURIPNUMBER
    # whitelist holiday IP address
    allow from YOURIPNUMBER
    [/sourcecode]
    When someone else tries to access your admin page, he or she will get the message:
    Forbidden. You don't have permission to access /wp-admin on this server.

    Check Your Webmaster Tools: Webmaster Tools is a great resource for your site or blog's security. It will notify you when Google detects malware or any other security issue on your site.

    You can check these notifications in the "Security Issues" section of your profile.

    Disable Pings: In a WordPress blog the pingback option is enabled by default. You should disable this option, because hackers can use it in DDoS attacks against other sites.
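    As an added example that is not part of the original post, this is one way to switch pingbacks off in code rather than only in the Settings screen. It uses WordPress's own xmlrpc_methods, wp_headers and pre_option_ filters; put it in functions.php or a site-specific plugin.

```php
<?php
// Added example (not from the original post): turn off WordPress pingbacks
// so the site can no longer be used as a pingback reflector.

// 1. Remove the pingback methods from the XML-RPC API, so pingback.ping
//    requests are answered with "method not found" instead of being executed.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the pingback endpoint in the HTTP response headers
//    (WordPress adds X-Pingback on single posts that have pings open).
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Make "closed" the default ping status for new posts, overriding the
//    stored option (equivalent to unticking it under Settings > Discussion).
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );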

    Shared Hosting Provider: When your blog gets hacked, first check your shared hosting provider.

    Use a Trusted Web Server: Make sure you are using a secure, stable version of your web server and other software. When you use a shared hosting provider, your website or blog can potentially be compromised. Ask your hosting provider what security precautions they take.

    Never access your server from an unsecured network.

    Use Secure Usernames/Passwords:
    Never use the default username admin; change it to something else. Use a strong password that other people can't guess easily. Use an online password generator tool to generate a secure password, or create one yourself from a combination of upper-case and lower-case letters, numbers and symbols.

    What Should You Avoid When Choosing a Password?
    • Never use your own name, username, company name or the name of your website.
    • The password should not be too short.
    • Never use a dictionary word, otherwise people can guess it easily.
    • Never use a numeric-only or alphabetic-only password.


    It is also good to enable two-step authentication as an additional security measure.

    Update Your WordPress: Like other software, WordPress regularly releases new versions to address new security issues, so always use the latest version of WordPress to keep your blog and site secure from hackers.

    Always install WordPress from the official site. Never use any site other than http://WordPress.org

    Use Secure Themes & Plugins: Always stay away from free WordPress themes and plugins, otherwise they may land you in danger. Before you use any theme or plugin, search Google for "[insert plugin name] security" to make sure there are no security alarms about that plugin or theme.

    Always take themes only from authenticated websites like ThemeForest, Elegant Themes etc.

    Update Themes & Plugins: Always keep in mind that updating plugins and themes is required to keep your blog secure. High-quality, reliable plugins will almost always have an update some time after a WordPress core release. If you see any updates in your dashboard, take a backup of your blog or site and run the update.

    Delete unused themes and plugins from your WordPress installation.

    When Your Plugin Needs Write Access: When you install a plugin that needs write access, read the code of that plugin carefully to make sure it is legitimate or comes from a trusted site.

    Hide Your WordPress Version: Leaving your WordPress version visible on your blog or site may be a security leak when you are not using the latest version of WordPress, so remove the WordPress version from your header and RSS feed.

    If you are using the latest version of WordPress, there is no need to worry.

    The correct way to remove the WordPress version number from your header and RSS feed is given below:

    Add this code to your functions.php file:

    [sourcecode]
    // Return an empty string instead of the generator tag that WordPress
    // prints in the page head and in the RSS feed.
    function wpbeginner_remove_version() {
        return '';
    }
    add_filter('the_generator', 'wpbeginner_remove_version');
    [/sourcecode]

    Take Backups of Your Website or Blog: Always back up your site or blog daily. You can do this through your host or with a WordPress plugin like VaultPress, BackupBuddy, BackWPup, BlogVault, etc.

    Secure Your WordPress wp-config.php File: wp-config.php is the single most important file in your whole WordPress installation.

    WordPress is made up of two things:
    • WordPress Database
    • WordPress Files

    The wp-config.php file links your WordPress database and files together.

    Safety: Always take a backup of WordPress, no matter how much time it takes.

    The lines of code in the wp-config-sample.php file are in a specific order, so never try to rearrange this order, otherwise it will create errors.

    wp-config-sample.php is the file which you use to create wp-config.php.

    Default Location of the wp-config.php File: By default you will find this file in the /public_html folder.

    The normal location of wp-config.php is public_html/wp-config.php

    For a subdirectory installation the location of wp-config.php is: public_html/subdirectory/wp-config.php

    Secure the Location of the wp-config.php File: To complete your security, move your wp-config.php file up one level and out of the /public_html folder.
    This will make the file secure from hackers.

    When you are using subdomains, moving your wp-config.php file up one level will not take it out of the /public_html folder.

    In that case you can use an "include" statement in the wp-config.php file.
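    As an added example that is not part of the original post, this is what that "include" version of wp-config.php can look like for a subdomain install. It assumes the real, unchanged wp-config.php has been moved to a private folder outside /public_html; the path below is a placeholder for that folder.

```php
<?php
// Added example (not from the original post). This file stays at
// public_html/subdomain/wp-config.php, where WordPress looks for it, but
// contains no secrets: it loads the real wp-config.php from outside the web root.
// ASSUMED placeholder path; use the account's own home directory on your host.
$real_config = '/home/ACCOUNTNAME/private/wp-config.php';

// The real file ends with `define( 'ABSPATH', __DIR__ . '/' )` guarded by
// `if ( ! defined( 'ABSPATH' ) )`. Define ABSPATH here first so it points at
// this WordPress directory and not at the private folder, otherwise the
// final `require_once ABSPATH . 'wp-settings.php'` in the real file fails.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}

if ( ! is_readable( $real_config ) ) {
    // Fail closed, without echoing the private path to visitors.
    http_response_code( 500 );
    exit( 'Site configuration unavailable.' );
}

require_once $real_config; // the real file still loads wp-settings.php itself
```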

    Change File Permissions: WordPress allows files to be writable by the web server. Allowing write access is really dangerous for your website or blog, so the best way to secure your files from hackers is to lock down your file permissions and change the permissions that allow write access to files and folders.

    To secure your wp-config.php file, change the access permission of this file to 000 so that no one can access your file.

    Never forget to protect your wp-config.php file using your .htaccess file.

    /
    This denotes the WordPress root directory: all files should be writable only by the owner, except .htaccess if you want WordPress to automatically generate rewrite rules for you.

    /wp-admin/
    The WordPress administration area: all files should be writable only by the owner.

    /wp-includes/
    The bulk of the WordPress application logic: all files should be writable only by the owner.

    /wp-content/
    User-supplied content: intended to be writable by owner and the web server process.

    Automatic Updates: When you use automatic updates in WordPress, make sure all operations are done as the owner.

    Secure Your Database: When you run multiple blogs on the same server, it is good to consider keeping them in separate databases, each managed by a different user.

    If you administer MySQL yourself, make sure you understand its configuration and disable unneeded features like accepting remote TCP connections.

    Put Restrictions on Database User Privileges in WordPress: As you know, normal WordPress operations include writing blog posts, uploading media files, commenting, creating new users, running WordPress plugins and so on.

    For all these operations you only need data read and data write privileges on the MySQL database: SELECT, INSERT, UPDATE and DELETE.

    Because there is no need for any other administrative privileges, you can revoke the DROP, ALTER and GRANT permissions. By doing this you keep your blog away from hackers.

    In some cases, when you update plugins or themes or apply major WordPress updates, database structural changes such as adding new tables or changing the schema may be required. In that case you can temporarily grant the database user the required privileges before installing the plugin or updating the software.

    Limit Login Attempts:
    Limiting login attempts will block an internet address from making further attempts after a specific number of failures. This is possible both through the normal login form and via auth cookies.
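    As an added example that is not part of the original post, here is a minimal version of the login-form half of this idea, written against WordPress's wp_login_failed, authenticate and wp_login hooks and its transients API. The ib_ prefix, the limit of 5 attempts and the 15-minute block are assumptions, and the auth-cookie path is not covered.

```php
<?php
// Added example (not from the original post): a small login rate limit for
// WordPress. Assumed policy: after 5 failed attempts from one client address,
// refuse logins from that address for 15 minutes. The ib_ prefix is assumed.

define( 'IB_MAX_ATTEMPTS', 5 );
define( 'IB_LOCKOUT_SECS', 15 * MINUTE_IN_SECONDS );

// Transient key holding the failure counter for the current client address.
// Behind a reverse proxy REMOTE_ADDR is the proxy, not the visitor; adjust there.
function ib_login_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'ib_login_fail_' . md5( $ip );
}

// Count every failed login. The transient expires after the lockout window,
// so an address that stops trying is forgotten automatically; an address that
// keeps trying while locked out refreshes its own block.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ib_login_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, IB_LOCKOUT_SECS );
} );

// Priority 99 runs after WordPress's own username/password (20) and email (30)
// checks, so a locked-out address is refused even when the credentials are right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // nothing submitted yet (plain GET of wp-login.php)
    }
    if ( (int) get_transient( ib_login_key() ) >= IB_MAX_ATTEMPTS ) {
        return new WP_Error(
            'ib_too_many_attempts',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}, 99, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( ib_login_key() );
}, 10, 2 );
```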

    Install WordPress File Monitor Plus: Install this plugin to monitor your WordPress installation for added, deleted or changed files. When any change is detected it will send you an email at a specified address.
    Last edited by Guest; 07-26-2014, 05:05 PM.