  1. #1
    Join Date: Nov 2010 | Location: Tulsa, OK | Posts: 208

    Securing Your WordPress Site

    We have been having some issues come up recently with clients not fully understanding or knowing exactly how to secure their WordPress site from being hacked. Here's a quick tutorial on how to do exactly that. Credits go to David from Hostwinds for writing this!

    Step 1

    Create a backup of your site.

    If you have cPanel you can do this with the backup manager.
    If not I would recommend "backup buddy", a WordPress plugin you can find with a google search.


    Step 2

    Update WordPress Version

    This is critical because WordPress issues updates that close security vulnerabilities; it's things like this that could keep your site healthy!


    Step 3

    Change Your Login/Password

    The default WP username is "admin" and hackers know this. So you should change it to something more personal, e.g. "RocketRanger416" or "James86". The best thing to do is to add that new user and make it an admin, then delete the original login of "admin".

    I would suggest really strong passwords (these should include UPPER and lowercase letters, numbers, and symbols) like "Rocket!2@" or "jessieNOMAD12#4".

    Most hackers try to brute-force your passwords so if it is really strong you should be fine in that regard.


    Step 4

    Change your Wordpress Keys!

    Many people overlook this step but it is an important one as these keys work as salts for cookies and ensure better encryption of data.

    Use the WordPress Key Generator to generate the mentioned keys. Now edit your wp-config.php file and find the lines that look like:

    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');

    and replace them with the ones from the Key Generator.

    Save and you're good to go.

    Step 5

    Install WP Security Scan

    This plugin is great and makes securing your site simple. It scans for security vulnerabilities and informs you of any malicious code.

    If the plugin shows your text as green you should be good. However, if they are not green you will have to fix the problem to make them green.

    Step 6

    Change Table Prefix

    -- Warning! Make a backup of your database before continuing. --

    The default prefix for a WP site is "wp_". This makes it so SQL injection hacks are easy for the hacker because it is easy to guess.

    A good prefix would be "march26_" or "magnol1a_" this is a highly recommended change and you can do this with the WP Security Scan Plug-in.

    WP Security Scan has a tab called "Database". Once you open that tab you have the option to rename your entire prefix to something secure.

    Step 7

    Prevent WordPress hacks by blocking search engine spiders from indexing the admin area. Spiders crawl all over your site structure unless they are told not to, and we don't want that.

    The easiest way to prevent spiders from indexing the admin area is to create a robots.txt file in your public_html folder with the following lines of code.

    #
    User-agent: *
    Disallow: /cgi-bin
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins/
    Disallow: /wp-content/cache/
    Disallow: /wp-content/themes/
    Disallow: */trackback/
    Disallow: */feed/
    Disallow: /*/feed/rss/$
    Disallow: /category/*

    Step 8

    Prevent .htaccess Hacks

    .htaccess (hypertext access) is the default name of a directory-level configuration file that provides decentralized management of configuration while inside your web tree.

    .htaccess files are often used for security restrictions on a particular directory.

    So let's secure your .htaccess!

    First we want to protect the .htaccess file itself, so add the following (do this for all .htaccess files you have in root and/or create):

    # STRONG HTACCESS PROTECTION
    # (the <Files> container is required; the forum stripped it from the post)
    <Files .htaccess>
    order allow,deny
    deny from all
    satisfy all
    </Files>

    Public_html .htaccess below

    Now let's secure your wp-config.php by adding:

    # protect wp-config.php
    # (the <Files> container is required; the forum stripped it from the post)
    <Files wp-config.php>
    Order deny,allow
    Deny from all
    </Files>

    Now let's prevent the hacker from browsing your directory tree by adding:

    # disable directory browsing
    Options All -Indexes

    Let's prevent some script injections now:

    # protect from sql injection
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]

    Go to your /wp-content folder. Let's limit access to the wp-content directory by creating a .htaccess in the wp-content folder and adding:

    Order deny,allow
    Deny from all
    # re-allow only static assets (the <FilesMatch> container was stripped by the
    # forum; the extension list is an assumption, extend it to what your theme serves)
    <FilesMatch "\.(css|js|gif|jpe?g|png|xml)$">
    Allow from all
    </FilesMatch>

    Go to your /wp-admin/ folder. Now if you have a static IP I would recommend creating a .htaccess in your wp-admin folder with the following (replace x's with your STATIC IP)

    # deny access to wp admin
    order deny,allow
    allow from xx.xx.xx.xx
    deny from all
    Replace the X's with your IP.

    Step 9

    Last but not least!

    You can install Wordpress Firewall 2 - this actually prevents most hacking attempts. Use with care, however, because you can lock yourself out of your site!

    Hope this helps anyone having WordPress security issues, or people who DON'T want to have them.
    Hostwinds Unlimited Web Hosting
    Cpanel/WHM | Not Oversold | Low Server Loads | Reseller / Business Plans Available
    VPS Hosting | OpenVZ | SolusVM | Popular Distributions | Windows VPS's
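    The checks from Steps 4, 6 and 8 above, as an added audit script that is not code from the original post or from Hostwinds. It assumes a standard WordPress layout with wp-config.php and .htaccess in the site root, and it constructs its own sample files so it runs offline:

```shell
#!/bin/sh
# Added example, not from the thread or from Hostwinds: a small audit script
# for the settings the tutorial above tells you to change. It checks
# wp-config.php for the placeholder salts and the default "wp_" table prefix,
# checks .htaccess for directory listing and a wp-config.php deny block, and
# checks whether wp-config.php is world-readable. The site directory and the
# sample files below are constructed so the script runs offline.

# check_salts FILE -> "WEAK" if any of the four keys still holds the
# placeholder shipped in wp-config-sample.php, otherwise "OK".
check_salts() {
    if grep -Eq 'define\([[:space:]]*.(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY).[[:space:]]*,[[:space:]]*.put your unique phrase here.' "$1"; then
        echo WEAK
    else
        echo OK
    fi
}

# table_prefix FILE -> the value of $table_prefix (empty if not set).
table_prefix() {
    sed -n "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

# check_prefix FILE -> "DEFAULT" when the prefix is the guessable wp_, else "OK".
check_prefix() {
    if [ "$(table_prefix "$1")" = "wp_" ]; then echo DEFAULT; else echo OK; fi
}

# check_htaccess FILE -> space-separated names of the missing hardening items
# (empty when directory listing is off and wp-config.php has a <Files> block).
check_htaccess() {
    missing=""
    grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1" || missing="$missing no-indexes"
    grep -Eiq '^[[:space:]]*<Files[[:space:]]+"?wp-config\.php"?>' "$1" || missing="$missing wp-config-block"
    echo "${missing# }"
}

# check_perms FILE -> "WORLD-READABLE" if the "other" read bit is set, else "OK".
check_perms() {
    if [ -n "$(find "$1" -perm -004 -print)" ]; then echo WORLD-READABLE; else echo OK; fi
}

# make_sample_site DIR: writes a constructed, deliberately weak wp-config.php
# and .htaccess so the checks have something to run against.
make_sample_site() {
    mkdir -p "$1"
    cat > "$1/wp-config.php" <<'EOF'
<?php
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'put your unique phrase here');
define('NONCE_KEY',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
    chmod 644 "$1/wp-config.php"
    printf '# default .htaccess with no hardening\nRewriteEngine On\n' > "$1/.htaccess"
}

# audit DIR: run every check against DIR and print one line per item.
audit() {
    echo "salts:            $(check_salts "$1/wp-config.php")"
    echo "table prefix:     $(check_prefix "$1/wp-config.php")"
    echo "htaccess missing: $(check_htaccess "$1/.htaccess")"
    echo "wp-config perms:  $(check_perms "$1/wp-config.php")"
}

# Demo against a constructed site; point audit at a real docroot
# (for example ~/public_html) to check your own install.
SITE=$(mktemp -d)
make_sample_site "$SITE"
audit "$SITE"
```

    Each check is a separate function so a host can drop the ones that do not apply (for example the permissions check on a server where PHP runs as the site owner) and keep the rest in a cron job that mails the output.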

  2. #2
    Join Date: Mar 2012 | Posts: 507
    Great advice! Lots of truly useful tips here. Is WP Security Scan a 3rd-party scan external from the host? If not, that is the only additional thing I would recommend. Thanks for posting this for the community.
    Gabe
    Go Daddy® Hosting Ambassador
    GoDaddy.com

  3. #3
    Join Date: Nov 2010 | Location: Tulsa, OK | Posts: 208
    Quote Originally Posted by Gabe_GoDaddy:
        Great advice! Lots of truly useful tips here. Is WP Security Scan a 3rd-party scan external from the host? If not, that is the only additional thing I would recommend. Thanks for posting this for the community.
    Thank you very much! Yes, WP Security scan is a third-party WordPress plugin located here. Always glad to help.
    Hostwinds Unlimited Web Hosting
    Cpanel/WHM | Not Oversold | Low Server Loads | Reseller / Business Plans Available
    VPS Hosting | OpenVZ | SolusVM | Popular Distributions | Windows VPS's

  4. #4
    Join Date: Mar 2009 | Location: Santa Monica, CA | Posts: 3,372
    Has anyone tried password-protecting the wp-admin folder? I am wondering if that would create any problems.

  5. #5
    Join Date: Sep 2011 | Posts: 60
    Nice post. Some good info there. Hopefully people jump in and share their own tips.

    I will never understand why some hosting companies think that updating to the absolute latest version of the wp core is the only thing that matters and is so important. Many wp version updates have absolutely nothing to do with security related patches or vulnerability fixes. Meanwhile most wp installs have huge gaping holes that you could drive a bus through regardless of having or not having the latest core updates.

    The plugins and themes are most often the weakest link beyond brute force or stolen pw's, not hacked wp core files. The path to the core is started by first exploiting the plugins/themes.

    The best thing you can do to secure your wp is to delete all the old themes and plugins that you are not using. Then update the ones that you are using. If there are no recent updates, or your plugin hasn't been supported for many moons, then de-activate and delete it. I'm always amazed at the ignorance shown by "admins" who have the latest version of wp, yet fail to deal with their themes and plugins.

    Speaking of plugins, I highly recommend getting a few security plugins such as 'limit login attempts', 'wordpress file monitor' and 'bulletproof security' or similar that create hardcore htaccess, brute force protection, and file monitoring. Obscurity is a weak and easily foiled "protection" against hackers. The 'limit login attempts' shuts down brute force attacks without the need for any obscurity measures. The bps plugin automagically generates bombproof htaccess files that foil most nasties. The file monitoring is just common sense. If a file is changed, deleted, or added, then the admin should be notified.

    Also Check and change your permissions. Beyond using the htaccess, you should be using the strictest possible permissions so important files cannot be viewed, changed, or executed.

    Delete old themes. This is an extremely common problem. People try out many themes, then choose one and activate it. Then they leave the others and ignore them. There are many popular exploits that take advantage of un-activated themes. Even the themes that come pre-packaged with wordpress are often easily hacked.

    Sure, update the core when there is a security related patch, but don't blindly ignore the real threats.
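    The file monitoring WorkerBees describes (notify the admin when a file is changed, deleted or added), as an added example that is not the poster's code and not any of the plugins named above. It assumes only POSIX find, cksum and awk, and constructs its own sample site tree so it runs offline:

```shell
#!/bin/sh
# Added example, not the poster's code and not any of the plugins named above:
# a minimal file-integrity monitor of the kind the post describes. It records
# a baseline of every file under a directory (POSIX cksum, so nothing needs to
# be installed) and reports files added, deleted or changed since the baseline.
# The directories and files used below are constructed so it runs offline.

# baseline DIR -> one line "crc size ./relative/path" per regular file,
# sorted by path.
baseline() {
    ( cd "$1" && find . -type f -exec cksum {} + ) | sort -k3
}

# compare OLD NEW -> "ADDED path" / "CHANGED path" / "DELETED path" lines,
# sorted, for two baseline files produced by baseline().
compare() {
    awk '
        FILENAME == ARGV[1] { old[$3] = $1 " " $2; next }   # load the old baseline
        {
            if (!($3 in old))               print "ADDED " $3
            else if (old[$3] != $1 " " $2)  print "CHANGED " $3
            seen[$3] = 1
        }
        END { for (p in old) if (!(p in seen)) print "DELETED " p }
    ' "$1" "$2" | sort
}

# monitor DIR BASELINE -> takes a fresh snapshot, prints the differences and
# returns 1 when anything changed (so a cron job can mail the output).
monitor() {
    fresh=$(mktemp)
    baseline "$1" > "$fresh"
    report=$(compare "$2" "$fresh")
    rm -f "$fresh"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demo on a constructed site tree: take a baseline, then add, edit and delete
# files the way a compromise or an unwanted plugin update would.
SITE=$(mktemp -d); BASE=$(mktemp)
mkdir -p "$SITE/wp-content/plugins/hello"
printf '<?php // plugin\n' > "$SITE/wp-content/plugins/hello/hello.php"
printf '<?php // config\n' > "$SITE/wp-config.php"
baseline "$SITE" > "$BASE"

printf '<?php // config, edited\n' > "$SITE/wp-config.php"
mkdir -p "$SITE/wp-content/uploads"
printf '<?php // unexpected new file\n' > "$SITE/wp-content/uploads/unexpected.php"
rm "$SITE/wp-content/plugins/hello/hello.php"
monitor "$SITE" "$BASE" || echo "changes detected, notify the admin"
```

    Store the baseline outside the web root (otherwise an attacker who can write to the site can rewrite it too), run monitor from cron, and regenerate the baseline only after an update you performed yourself.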

  6. #6
    Join Date: Jun 2012 | Location: Canada | Posts: 12
    Thank you for this advice. Actually, WordPress is secure; however, there are many add-ons that are not secured.

  7. #7
    Join Date: Mar 2012 | Posts: 507
    WorkerBees,

    You bring up a really great point about removing inactive themes and plugins. Many people forget that even in an inactive state they can still provide entrance for malicious activity.

    In addition, this removal of inactive themes should be performed server wide.
    Gabe
    Go Daddy® Hosting Ambassador
    GoDaddy.com

  8. #8
    thank you man it was so helpful

  9. #9
    Very informative post. I have implemented only some of the points. Very helpful to a beginner like me. Thanks for sharing.

  10. #10
    Thanks for sharing these tips. You might also wanna try the Better WP Security plugin.

  11. #11
    Join Date: Oct 2007 | Location: Jaipur, Rajasthan, India | Posts: 184
    Thanks for sharing the good tips
    We have also been getting many notices that WordPress sites are getting hacked if you are using an older version, thus it is also necessary to make sure all plugins and the WordPress version are the latest and up to date.
    B4UIndia Web Technologies - Web Hosting India Service Provider.
    Domain Name | Web Hosting | Reseller Hosting | VPS Hosting Specialist from India
    99.9% Network Uptime, 24/7 Technical Support
    Follow Us on Twitter @b4uindia More Info Visit: B4UIndia.com

  12. #12
    Great tutorial here. Covered all areas!

    Although each of the steps is equally important, steps 6, 7 and 8 are my top 3.

  13. #13
    Join Date: Nov 2011 | Location: Nasik, MH, INDIA | Posts: 850
    Hello,

    Thanks for sharing the useful knowledge. It's really helpful for us.

  14. #14
    Join Date: Sep 2012 | Location: Cambodia | Posts: 9
    Thanks for sharing. That's very useful information.

  15. #15
    This was great! I had some of the things done, but a lot of the htaccess stuff I had not done. Thanks.
