06-28-2012, 12:15 PM #1 Web Hosting Guru (Tulsa, OK)
Securing Your WordPress Site [first posted 2012]
We have been having some issues come up recently with clients not fully understanding or knowing exactly how to secure their WordPress site from being hacked. Here's a quick tutorial on how to do exactly that. Credits go to David from Hostwinds for writing this!
Step 1
Create a backup of your site.
If you have cPanel you can do this with the backup manager.
If not I would recommend "backup buddy", a WordPress plugin you can find with a google search.
Step 2
Update WordPress Version
This is critical because WordPress issues updates that close security vulnerabilities; it's things like this that could keep your site healthy!
Step 3
Change Your Login/Password
The default WP username is "admin" and hackers know this. So you should change it to something more personal, e.g. "RocketRanger416" or "James86". The best thing to do is to add that new user and make it an admin, then delete the original login of "admin".
I would suggest really strong passwords (these should include UPPER and lowercase letters, numbers, and symbols) like "Rocket!2@" or "jessieNOMAD12#4".
Most hackers try to brute-force your passwords so if it is really strong you should be fine in that regard.
Step 4
Change your Wordpress Keys!
Many people overlook this step but it is an important one as these keys work as salts for cookies and ensure better encryption of data.
Use the WordPress Key Generator to generate the mentioned keys. Now edit your wp-config.php file and find the lines that look like:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
Save and you're good to go.
Step 5
Install WP Security Scan
This plugin is great and makes securing your site simple. It scans for security vulnerabilities and informs you of any malicious code.
If the plugin shows your text as green you should be good. However, if they are not green you will have to fix the problem to make them green.
Step 6
Change Table Prefix
-- Warning! Make a backup of your database before continuing. --
The default prefix for a WP site is "wp_". This makes it so SQL injection hacks are easy for the hacker because it is easy to guess.
A good prefix would be "march26_" or "magnol1a_" this is a highly recommended change and you can do this with the WP Security Scan Plug-in.
WP Security Scan has a tab called "Database". Once you open that tab you have the option to rename your entire prefix to something secure.
Step 7
Prevent WordPress hacks by blocking search engine spiders from indexing the admin area. Spiders crawl all over your site structure unless they are told not to, and we don't want that.
The easiest way to prevent spiders from indexing the admin area is to create a robots.txt file in your public_html folder with the following lines of code.
#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
Step 8
Prevent .htaccess Hacks
.htaccess (hypertext access) is the default name of a directory-level configuration file that provides decentralized management of configuration inside your web tree.
.htaccess files are often used for security restrictions on a particular directory.
So let's secure your .htaccess!
First we want to protect the .htaccess file itself, so add the following (do this for all .htaccess files you have in root and/or create):
# STRONG HTACCESS PROTECTION
# the <Files> container is required: on their own these three directives
# would deny access to every file in the directory
<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>
Now let's secure your wp-config.php by adding:
# protect wp-config.php
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>
# disable directory browsing
Options All -Indexes
# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Order deny,allow
Deny from all
Allow from all
# deny access to wp admin
# (put this in wp-admin/.htaccess and replace xx.xx.xx.xx with your own IP address)
order deny,allow
allow from xx.xx.xx.xx
deny from all
Step 9
Last but not least!
You can install Wordpress Firewall 2 - this actually prevents most hacking attempts. Use with care, however, because you can lock yourself out of your site!
Hope this helps anyone having WordPress security issues, or people who DON'T want to have them.
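As an added example (not code from the original post or from Hostwinds), here is a small Python script that checks a wp-config.php for the items in Steps 4 and 6: whether the keys still carry the sample placeholder, are short or reused, whether the table prefix is the default "wp_", and whether DB_PASSWORD is empty. It can also rotate the keys with fresh random values, which is what the Key Generator does for you. The sample config, the 32-character minimum and the four extra *_SALT constants (taken from the stock wp-config-sample.php) are my assumptions and constructions. Two caveats the post does not spell out: rotating the keys logs every user out, and changing the prefix in wp-config.php alone breaks the site because the tables must be renamed as well, which is why the script only reports it.

```python
"""Audit wp-config.php for placeholder/weak keys and a default table prefix.

Added example; not code from the original post. SAMPLE_CONFIG is constructed.
"""
import re
import secrets
import string

# The post lists the first four; the *_SALT constants come from the stock
# wp-config-sample.php (assumption: the install uses the standard set).
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"
MIN_KEY_LEN = 32   # assumption: anything shorter is reported as weak
KEY_LEN = 64       # length of the keys this script generates
# No quotes or backslash, so a value drops into a PHP single-quoted string as is.
KEY_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~`+=,.;:/?|"

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\);""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def parse_config(text):
    """Return ({CONSTANT: value}, table_prefix or None) from wp-config.php source."""
    defines = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(text)}
    m = PREFIX_RE.search(text)
    return defines, (m.group(1) if m else None)


def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    defines, prefix = parse_config(text)
    findings = []
    seen = {}  # value -> first constant that used it, to catch copy-pasted keys
    for name in KEY_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name}: missing")
            continue
        if value == PLACEHOLDER:
            findings.append(f"{name}: still the sample placeholder")
        elif len(value) < MIN_KEY_LEN:
            findings.append(f"{name}: only {len(value)} chars")
        elif value in seen:
            findings.append(f"{name}: same value as {seen[value]}")
        seen.setdefault(value, name)
    if prefix == "wp_":
        findings.append("table_prefix: default 'wp_'")   # rename the tables too
    if not defines.get("DB_PASSWORD"):
        findings.append("DB_PASSWORD: empty")
    return findings


def generate_key(length=KEY_LEN):
    """Cryptographically random key drawn from KEY_ALPHABET (secrets, not random)."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def rotate_keys(text):
    """Rewrite every key/salt define() with a fresh value.

    New keys invalidate every existing login cookie, i.e. everyone is logged out.
    """
    def repl(m):
        name = m.group(1)
        if name in KEY_NAMES:
            return f"define('{name}', '{generate_key()}');"
        return m.group(0)
    return DEFINE_RE.sub(repl, text)


# Constructed sample: a config left at the shipped defaults plus one weak salt.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', '');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'short');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("BEFORE:", finding)
    for finding in audit_config(rotate_keys(SAMPLE_CONFIG)):
        print("AFTER: ", finding)
```

Run it against a real file with `audit_config(open("wp-config.php").read())`; write the output of `rotate_keys` back only after taking the backup from Step 1.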
06-28-2012, 12:21 PM #2 Web Hosting Evangelist
Great advice! Lots of truly useful tips here. Is WP Security Scan a 3rd-party scan external from the host? If not, that is the only additional thing I would recommend. Thanks for posting this for the community.
06-28-2012, 12:25 PM #3 Web Hosting Guru (Tulsa, OK)
Thank you very much! Yes, WP Security scan is a third-party WordPress plugin located here. Always glad to help.
06-28-2012, 12:42 PM #4 Web Hosting Master (Pacific Palisades, CA)
Has anyone tried password-protecting the wp-admin folder? I am wondering if that would create any problems.
06-28-2012, 02:19 PM #5 Junior Guru Wannabe
Nice post. Some good info there. Hopefully people jump in and share their own tips.
I will never understand why some hosting companies think that updating to the absolute latest version of the wp core is the only thing that matters and is so important. Many wp version updates have absolutely nothing to do with security-related patches or vulnerability fixes. Meanwhile most wp installs have huge gaping holes that you could drive a bus through regardless of having or not having the latest core updates.
The plugins and themes are most often the weakest link beyond brute force or stolen pw's, not hacked wp core files. The path to the core is started by first exploiting the plugins/themes.
The best thing you can do to secure your wp is to delete all the old themes and plugins that you are not using. Then update the ones that you are using. If there are no recent updates, or your plugin hasn't been supported for many moons, then de-activate and delete it. I'm always amazed at the ignorance shown by "admins" who have the latest version of wp, yet fail to deal with their themes and plugins.
Speaking of plugins, I highly recommend getting a few security plugins such as 'limit login attempts', 'wordpress file monitor' and 'bulletproof security' or similar that create hardcore htaccess, brute force protection, and file monitoring. Obscurity is a weak and easily foiled "protection" against hackers. The 'limit login attempts' shuts down brute force attacks without the need for any obscurity measures. The bps plugin automagically generates bombproof htaccess files that foil most nasties. The file monitoring is just common sense. If a file is changed, deleted, or added, then the admin should be notified.
Also, check and change your permissions. Beyond using the htaccess, you should be using the strictest possible permissions so important files cannot be viewed, changed, or executed.
Delete old themes. This is an extremely common problem. People try out many themes, then choose one and activate it. Then they leave the others and ignore them. There are many popular exploits that take advantage of un-activated themes. Even the themes that come pre-packaged with wordpress are often easily hacked.
Sure, update the core when there is a security related patch, but don't blindly ignore the real threats.
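Post #5's file-monitoring advice, as an added example that is not part of the original post or of any plugin it names: a baseline-and-compare integrity check in Python. It hashes every file under the WordPress root with SHA-256, stores the result as JSON, and reports files added, changed, or deleted since the baseline was taken. Skipping wp-content/cache is an assumption (cache churn would drown the report); wp-content/uploads is deliberately not skipped, because a PHP file appearing there is exactly the kind of change the poster wants to be notified about. simulate_tamper() builds a throwaway fake WordPress tree in a temp directory to show the output; none of those files or paths are real.

```python
"""File-integrity baseline for a WordPress tree: hash, store, compare.

Added example, not the original post's code. simulate_tamper() uses a constructed tree.
"""
import hashlib
import json
import os
import tempfile

# Directories whose contents change legitimately all the time (assumption).
SKIP_DIRS = {"wp-content/cache"}


def hash_file(path):
    """SHA-256 of the file at path, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative_path: sha256} for every file under root, minus SKIP_DIRS."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        if rel_dir in SKIP_DIRS:
            dirnames[:] = []          # do not descend into a skipped directory
            continue
        for name in filenames:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            baseline[rel] = hash_file(os.path.join(dirpath, name))
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; keep this file outside the web root."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two baselines into sorted lists of added, changed and deleted paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
        "deleted": sorted(old - new),
    }


def simulate_tamper():
    """Constructed demo: a fake WP tree, a baseline, then three kinds of change."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(data)

        write("index.php", "<?php require 'wp-blog-header.php';")
        write("wp-config.php", "<?php define('DB_NAME', 'wp');")
        write("wp-content/themes/twentyeleven/functions.php", "<?php // theme functions")
        write("wp-content/plugins/hello.php", "<?php // hello dolly")
        write("wp-content/cache/page.html", "<html>cached</html>")
        baseline = build_baseline(root)

        # Changes after the baseline: an edited theme file, a PHP file dropped
        # into uploads, a deleted plugin, and cache churn that should be ignored.
        write("wp-content/themes/twentyeleven/functions.php", "<?php // theme functions\n// extra line")
        write("wp-content/uploads/2012/06/image.php", "<?php // should not be here")
        os.remove(os.path.join(root, "wp-content", "plugins", "hello.php"))
        write("wp-content/cache/other.html", "<html>more cache</html>")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(simulate_tamper(), indent=1))
```

In practice run `save_baseline(build_baseline("/home/user/public_html"), "/home/user/wp-baseline.json")` right after a clean install or update, and have a cron job compare the current tree against that file and mail you the diff whenever any list is non-empty.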
06-29-2012, 03:13 PM #6 Temporarily Suspended (Canada)
Thank you for this advice. Actually WordPress is secure; however, there are many add-ons that are not secured.
07-02-2012, 09:59 AM #7 Web Hosting Evangelist
WorkerBees,
You bring up a really great point about removing inactive themes and plugins. Many people forget that even in an inactive state they can still provide entrance for malicious activity.
In addition, this removal of inactive themes should be performed server wide.
07-05-2012, 11:37 AM #8 Newbie
Thank you man, it was so helpful.
08-03-2012, 02:52 AM #9 New Member
Very informative post. I have implemented only some of the points. Very helpful to a beginner like me. Thanks for sharing.
08-26-2012, 11:35 AM #10 New Member
Thanks for sharing these tips. You might also want to try the Better WP Security plugin.
09-15-2012, 02:13 PM #11 Junior Guru
Thanks for sharing the good tips
We have also been getting many notices that WordPress sites are getting hacked if you are using an older version, thus it is also necessary to make sure all plugins and the WordPress version are the latest and up to date.
09-18-2012, 12:12 PM #12 Web Hosting Guru
Great tutorial here. Covered all areas!
Although each of the steps is equally important, steps 6, 7 and 8 are my top 3.
09-18-2012, 12:15 PM #13 Disabled (Nasik, MH, India)
Hello,
Thanks for sharing the useful knowledge. It's really helpful for us.
09-23-2012, 12:17 PM #14 Newbie (Cambodia)
Thanks for sharing. That's very useful information.
10-17-2012, 11:57 AM #15 Newbie
This was great! I had some of the things done, but a lot of the htaccess stuff I had not done. Thanks.
10-18-2012, 01:27 AM #16 Web Hosting Guru (Sri Lanka)
Thanks for the tutorial, it's really helpful.
10-18-2012, 07:53 PM #17 Web Hosting Guru (United States)
First of all, since I am on WordPress.com and use self-hosted WP as well, I would say thanks for the tutorial. Yet one of the most important parts can be "Using a CDN" to speed up your site rendering + to optimize your site code for better Alexa ranking.
10-25-2012, 04:16 AM #18 New Member
Thanks a lot for this nice article, really helpful.
11-05-2012, 04:49 PM #19 Web Hosting Master (Toronto, Canada)
On a lower level, things like mod_security, php suhosin, and csf all help prevent attacks as well. In fact they will often help with unpatched exploits. These things however would be the responsibility of your web hosting provider.
11-06-2012, 04:13 AM #20 New Member
Hey guys
That is great thanks for sharing wonderful tips..
11-06-2012, 11:33 AM #21 Junior Guru Wannabe (San Antonio, Texas)
Thanks HostWinds and David. You anticipated a thread I was going to post. I'd also like to see -- from a host's point of view -- a similar review on essential and minimal plugins for WP caching and backup.
11-08-2012, 04:54 AM #22 Web Hosting Guru
Thanks a lot for the useful information. I will try to apply it on my blogs. For now, I just change the password regularly without any other security technique.
11-19-2012, 11:12 AM #23 Newbie (Houston, Texas)
I found that installing a 404 plugin also led me to hints of a lot of malicious activity by visitors attempting to access plugins that didn't exist. I ban them on a case by case basis now.
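Post #23's observation, as an added example (not the poster's plugin or code): rather than a 404 plugin, you can read the server's access log directly. The script below parses Apache combined-format lines, keeps the 404s whose path is under /wp-content/plugins/<name>/ or /wp-content/themes/<name>/ (paths a normal visitor never requests by hand), lists the IPs that probed at least three distinct missing plugins or themes, and emits ready-to-paste Apache 2.2 "Deny from" lines for the .htaccess in Step 8. The log lines are constructed (RFC 5737 test addresses, made-up plugin names), the combined log format and the threshold of three are assumptions.

```python
"""Find IPs probing for WordPress plugins/themes that are not installed.

Added example, not code from the original post. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

# Apache "combined" log format (assumption: the host logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A 404 under one of these means someone is checking whether a particular
# plugin or theme exists, which is how plugin/theme exploits are targeted.
PROBE_PATH_RE = re.compile(r"^/wp-content/(?:plugins|themes)/[^/]+/")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probers(lines, threshold=3):
    """Map IP -> sorted distinct 404'd plugin/theme paths, keeping only IPs
    that touched at least `threshold` such paths (threshold is an assumption)."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "404":
            continue
        path = rec["path"].split("?", 1)[0]      # same path with a query string counts once
        if PROBE_PATH_RE.match(path):
            hits[rec["ip"]].add(path)
    return {ip: sorted(paths) for ip, paths in hits.items() if len(paths) >= threshold}


def deny_rules(probers):
    """Apache 2.2 'Deny from' lines, one per offending IP, for an .htaccess
    that already has 'Order allow,deny' / 'Allow from all'."""
    return [f"Deny from {ip}" for ip in sorted(probers)]


# Constructed sample log lines (not real traffic); plugin names are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Nov/2012:10:01:02 -0600] "GET /wp-content/plugins/example-gallery/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Nov/2012:10:01:03 -0600] "GET /wp-content/plugins/example-forms/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Nov/2012:10:01:03 -0600] "GET /wp-content/plugins/example-forms/readme.txt?v=2 HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Nov/2012:10:01:04 -0600] "GET /wp-content/themes/example-theme/style.css HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Nov/2012:10:05:00 -0600] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [19/Nov/2012:10:05:01 -0600] "GET /wp-content/plugins/example-slider/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [19/Nov/2012:10:07:10 -0600] "GET /about/ HTTP/1.1" 200 8120 "http://example.com/" "Mozilla/5.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    probers = find_probers(SAMPLE_LOG)
    for ip, paths in probers.items():
        print(ip, "probed", len(paths), "missing plugins/themes")
    print("\n".join(deny_rules(probers)))
```

Point it at the real log with `find_probers(open("/home/user/access-logs/example.com").readlines())`; the single /favicon.ico 404 and the lone plugin hit from 203.0.113.9 stay below the threshold, so only the address that enumerated three different plugins/themes is reported.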
11-19-2012, 01:53 PM #24 Web Hosting Master
Thank you! I did everything you wrote.
11-21-2012, 03:05 AM #25 Temporarily Suspended
This tutorial is really helpful for us. Thanks