Make WordPress site Robust and Secure Manually
A post about how to harden the security of your WordPress site or blog against attackers.
Appclick Web & Securities
Introduction: WordPress is a widely used framework; there are approximately 76.5 million WordPress blogs on the web. Most of their owners focus mainly on design, developing a good concept, search engine optimization, conversion and many other important topics. However, they often overlook one important issue: SECURITY. In this article I will discuss how to make a WordPress site robust and secure with the essential actions you need to take after installing WordPress.
Those who, like me, care about the security of their content and concepts want full control over that security. You can get this with WordPress security plugins, or you can perform the same WordPress security measures by hand, as described below.
Create new administrator user and delete default “admin” user
After installing WordPress, you should immediately create a new administrator user. Then log in as the new user and delete the default user "admin". This protects you from the most common attack: attempts to log in to the backend with the default administrator username.
Make your password as strong as you can
A password should not be easy to guess: with a little social engineering, attackers easily break it if it is built from real words, your birth place, birth date, phone number and so on. A password should therefore contain at least one number, one special character and one capital letter to make it strong. With WordPress security plugins such as Better WP Security or Sucuri, you can also enforce secure passwords for user groups as required.
Secure the uploads directory against file listing
Create a blank file named index.php and save it in the uploads directory. Then nobody can display the contents of the folder in the browser or see the list of files and folders the uploads directory contains.
Update secret key in the wp-config.php
Since WordPress version 2.6, secret keys have been used to better protect the information stored in users' cookies. A secret key makes your site harder to hack and its passwords harder to crack by adding random elements to them. You can find more information about the secret keys in the comments of the wp-config.php file.
Use different prefix for the WordPress database
To impede attacks on the WordPress MySQL database, it makes sense to use a table prefix other than the default wp_.
Password-protect wp-admin using .htaccess
The administrator's login doesn't actually have to be easily accessible. So it's recommended that you password-protect it with a .htaccess and a .htpasswd file in the wp-admin folder. First, you need to create a .htpasswd file in which the credentials are stored in hashed form; you can generate the entry with a .htpasswd generator. This is what the .htpasswd file looks like (username and hash separated by a colon, with no spaces):
desiredusername:$apr1$EsEZBC8a$2mY1lsyM1WjdoctUMmWU30
And this is what the entry in the .htaccess file should look like:
# protect /wp-admin
AuthName "Admin-Area"
AuthType Basic
AuthUserFile /path/to/.htpasswd
Require valid-user
Block bad queries in the URL
The following snippet protects your WordPress site against malicious URL requests. Save it as a PHP file under wp-content/plugins, in a folder named appclick-secure-url with the file name appclick-secure-url.php, and activate it in the backend.
<?php
/*
Plugin Name: Secure URL Plugin by Appclick
Plugin URI: http://appclick.in/
Description: Protect your WordPress contents against malicious URL requests
Author URI: http://appclick.in/
Author: Appclick Web & Securities
Version: 1.0
*/

// Reject any request whose URI contains common injection markers.
// strpos() is compared with false explicitly, because a match at
// offset 0 would otherwise be treated as "not found".
$request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
if (strpos($request_uri, 'eval(') !== false ||
    strpos($request_uri, 'CONCAT') !== false ||
    strpos($request_uri, 'UNION+SELECT') !== false ||
    strpos($request_uri, 'base64') !== false)
{
    @header('HTTP/1.1 400 Bad Request');
    @header('Status: 400 Bad Request');
    @header('Connection: Close');
    exit;
}
Hide your WordPress version number
It's easier for attackers to find and exploit vulnerabilities in a site if they know the installed WordPress version, because for older versions there are many sites listing exploits for the known vulnerabilities. Using the following snippet in the functions.php file keeps this information hidden.
// Return an empty string instead of the <meta name="generator"> tag
// that reveals the WordPress version.
function hide_version_wp() {
    return '';
}
add_filter( 'the_generator', 'hide_version_wp' );
Make Login error messages less meaningful
Pasting the snippet below into the functions.php file prevents a specific error message such as "password incorrect" from being displayed after an unsuccessful login attempt. Otherwise the attacker learns whether they are making progress (for example, that the username exists).
// Replace every login error with one generic message.
function login_precaution() {
    return 'ERROR: Entered credentials are incorrect.';
}
add_filter( 'login_errors', 'login_precaution' );
Disable Backend Editing
Adding the following line to the wp-config.php file prevents themes and plugins from being edited in the backend, so an attacker who has broken into your backend cannot do major harm by modifying their code.
define( 'DISALLOW_FILE_EDIT', true );
Rename the wp-content folder
This security measure should be performed before you install anything or create any content (the WP Better Security plugin can do it easily for you). Rename the main content folder of the WordPress installation (wp-content) so that attackers won't know where to look for the most vulnerable components. You can do it manually by following the instructions at http://www.hongkiat.com/blog/renaming-wordpress-wp-content-folder/ or by using the WP Better Security plugin to rename the folder.
Restrict wp-config.php and .htaccess rights
The rights of wp-config.php (which should be in the blog installation folder) should be set to 400. The .htaccess file should be set to 644 or, better, 444 (444 only works when WordPress does not need to write to the file, for example for automatic updates).
General Directory and File Rights
Although some think that, for example, the wp-content folder should have a value of 777, that's not necessary. It's best to set file permissions to 644 and directory permissions to 755.
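The file-system steps above (a blank index.php in the uploads directory, 644/755 as the general rights, 400 for wp-config.php and 444 or 644 for .htaccess) as one POSIX shell script. This is an added example, not code from the original post or from Appclick; the function names harden_wp_fs and check_wp_fs are my own, and it assumes it runs as the file owner, who is also the user the PHP process runs as (otherwise 400 on wp-config.php locks the web server out of its own configuration).

```shell
#!/bin/sh
# harden_wp_fs: apply the rights described in this post to a WordPress tree
# and drop a blank index.php into wp-content/uploads to block listings.
# Assumption: run as the file owner, and that owner is also the PHP user.
harden_wp_fs() {
    wp_root="$1"
    htaccess_mode="${2:-444}"   # pass 644 if WordPress must rewrite .htaccess
    [ -d "$wp_root" ] || { echo "not a directory: $wp_root" >&2; return 1; }

    find "$wp_root" -type d -exec chmod 755 {} +   # directories
    find "$wp_root" -type f -exec chmod 644 {} +   # files (777 is never needed)

    uploads="$wp_root/wp-content/uploads"
    if [ -d "$uploads" ] && [ ! -e "$uploads/index.php" ]; then
        : > "$uploads/index.php"        # blank file: nothing to list, nothing to run
        chmod 644 "$uploads/index.php"
    fi

    # wp-config.php holds the DB credentials and secret keys: owner read-only.
    [ -f "$wp_root/wp-config.php" ] && chmod 400 "$wp_root/wp-config.php"
    [ -f "$wp_root/.htaccess" ] && chmod "$htaccess_mode" "$wp_root/.htaccess"
    return 0
}

# check_wp_fs: audit helper; exit status 0 only when every right matches.
check_wp_fs() {
    wp_root="$1"
    htaccess_mode="${2:-444}"
    bad=0
    [ -z "$(find "$wp_root" -type d ! -perm 755)" ] || bad=1
    [ -z "$(find "$wp_root" -type f ! -name wp-config.php ! -name .htaccess ! -perm 644)" ] || bad=1
    if [ -f "$wp_root/wp-config.php" ]; then
        [ -n "$(find "$wp_root/wp-config.php" -perm 400)" ] || bad=1
    fi
    if [ -f "$wp_root/.htaccess" ]; then
        [ -n "$(find "$wp_root/.htaccess" -perm "$htaccess_mode")" ] || bad=1
    fi
    if [ -d "$wp_root/wp-content/uploads" ] && [ ! -e "$wp_root/wp-content/uploads/index.php" ]; then
        bad=1
    fi
    return "$bad"
}
```

Run check_wp_fs against the installation first to see what deviates, then harden_wp_fs, then check_wp_fs again; pass 644 as the second argument to both if WordPress has to rewrite .htaccess.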
Keep WordPress themes and plugins updated
All these security measures are useless if you are running an ancient system with outdated plugins or themes. So make sure to keep everything up to date; there is no excuse, because WordPress makes updating easy.
Note: No system is 100% secure! But you should take the necessary measures, from the ground up, to protect against the most common attacks and against script kiddies. Bots are an even worse enemy of a WordPress installation, because they act more randomly, are automated, and know how to take advantage of system vulnerabilities.