Web Hosting Talk : Web Hosting Tutorials
Securing Your WordPress Site

  #1  
Old 06-28-2012, 12:15 PM
HostWinds HostWinds is offline
Corporate Member
 
Join Date: Nov 2010
Location: Tulsa, OK
Posts: 189

Securing Your WordPress Site


We have been having some issues come up recently with clients not fully understanding or knowing exactly how to secure their WordPress site from being hacked. Here's a quick tutorial on how to do exactly that. Credits go to David from Hostwinds for writing this!

Step 1

Create a backup of your site.

If you have cPanel you can do this with the backup manager.
If not, I would recommend "BackupBuddy", a WordPress plugin you can find with a Google search.


Step 2

Update WordPress Version

This is critical because WordPress issues updates that close security vulnerabilities; it's things like this that could keep your site healthy!


Step 3

Change Your Login/Password

The default WP username is "admin" and hackers know this, so you should change it to something more personal, e.g. "RocketRanger416" or "James86". The best thing to do is to add that new user, make it an admin, then delete the original "admin" login.

I would suggest really strong passwords (these should include UPPER and lowercase letters, numbers, and symbols), like "Rocket!2@" or "jessieNOMAD12#4".

Most hackers try to brute-force your passwords so if it is really strong you should be fine in that regard.


Step 4

Change your WordPress Keys!

Many people overlook this step but it is an important one as these keys work as salts for cookies and ensure better encryption of data.

Use the WordPress Key Generator to generate the keys mentioned. Now edit your wp-config.php file and find the lines that look like:


Quote:
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'put your unique phrase here');
define('NONCE_KEY',       'put your unique phrase here');

and replace them with the ones from the Key Generator. (Use plain straight quotes in the file; the curly quotes the forum rendered would break PHP.)

Save and you're good to go.

Step 5

Install WP Security Scan

This plugin is great and makes securing your site simple. It scans for security vulnerabilities and informs you of any malicious code.

If the plugin shows your text as green you should be good. However, if they are not green you will have to fix the problem to make them green.

Step 6

Change Table Prefix

-- Warning! Make a backup of your database before continuing. --

The default prefix for a WP site is "wp_". This makes SQL injection hacks easy for the hacker because it is easy to guess.

A good prefix would be "march26_" or "magnol1a_". This is a highly recommended change, and you can do it with the WP Security Scan plugin.

WP Security Scan has a tab called "Database". Once you open that tab you have the option to rename your entire prefix to something secure.

Step 7

Prevent WordPress hacks by blocking search engine spiders from indexing the admin area. Spiders crawl all over your site structure unless they are told not to, and we don't want that.

The easiest way to prevent spiders from indexing the admin area is to create a robots.txt file in your public_html folder with the following lines of code.

Quote:
#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

Step 8

Prevent .htaccess Hacks

.htaccess (hypertext access) is the default name of a directory-level configuration file that provides decentralized management of configuration from inside your web tree.

.htaccess files are often used for security restrictions on a particular directory.

So let's secure your .htaccess!

First we want to protect the .htaccess file itself, so add the following (do this for all .htaccess files you have in root or create):

Quote:
# STRONG HTACCESS PROTECTION
# the <Files> wrapper is restored here: without it these directives
# would deny access to the whole directory, not just to .htaccess
<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>

Public_html .htaccess below

Now let's secure your wp-config.php by adding:

Quote:
# protect wp-config.php
# the <Files> wrapper is restored here so only this file is denied
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

Now let's prevent the hacker from browsing your directory tree by adding:

Quote:
# disable directory browsing
Options All -Indexes

Let's prevent some script injections now:

Quote:
# protect from sql injection
# (these conditions actually match <script> tags and attempts to set
# GLOBALS or _REQUEST through the query string; a hit returns 403 via F)
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Go to your /wp-content folder. Let's limit access to the wp-content directory by creating a .htaccess in the wp-content folder and adding:

Quote:
# deny everything in wp-content, then re-allow the static file types
# themes and plugins serve; the <Files> line is restored here and the
# extension list is the usual one for this snippet, adjust it to your site
Order deny,allow
Deny from all
<Files ~ ".(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

Go to your /wp-admin/ folder. Now, if you have a static IP, I would recommend creating a .htaccess in your wp-admin folder with the following (replace the x's with your STATIC IP):

Quote:
# deny access to wp admin
# Apache 2.2 syntax; Apache 2.4 needs mod_access_compat or the
# equivalent "Require ip" directive. Note this also blocks
# wp-admin/admin-ajax.php for visitors, which some front-end plugins use.
order deny,allow
allow from xx.xx.xx.xx
deny from all

Replace the x's with your IP.

Step 9

Last but not least!

You can install WordPress Firewall 2 - this actually prevents most hacking attempts. Use it with care, however, because you can lock yourself out of your site!

Hope this helps anyone having WordPress security issues, or people who DON'T want to have them.

__________________
Hostwinds Unlimited Web Hosting
Cpanel/WHM | Not Oversold | Low Server Loads | Reseller / Business Plans Available
VPS Hosting | OpenVZ | SolusVM | Popular Distributions | Windows VPS's
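As an added example that is not part of the tutorial above or of Hostwinds' material, here is a POSIX shell script that checks a wp-config.php for the two settings Steps 4 and 6 ask you to change (stock placeholder keys and the default wp_ table prefix) and rotates the four keys locally from /dev/urandom instead of pasting them from the WordPress Key Generator. The function names and the sample wp-config lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from Hostwinds): audit a
# wp-config.php for the two items Steps 4 and 6 change, and rotate the four
# keys locally. Function names and the sample file below are constructed.

PLACEHOLDER='put your unique phrase here'

# Exit 0 if any define() still carries the stock placeholder phrase (Step 4).
has_placeholder_keys() {
    grep -q "$PLACEHOLDER" "$1"
}

# Exit 0 if $table_prefix is still the default 'wp_' (Step 6).
has_default_prefix() {
    grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$1"
}

# Copy $1 to $2, replacing every placeholder with a fresh 64-hex-char key.
# awk runs od once per matching line, so the four keys are all different;
# hex output cannot contain a quote or backslash, so the PHP string stays valid.
rotate_keys() {
    awk -v ph="$PLACEHOLDER" '
        index($0, ph) {
            cmd = "od -An -tx1 -N32 /dev/urandom | tr -d \" \\n\""
            cmd | getline key
            close(cmd)
            sub(ph, key)
        }
        { print }
    ' "$1" > "$2"
}

# Print one FAIL line per finding; exit 0 only when both checks pass.
audit() {
    rc=0
    if has_placeholder_keys "$1"; then
        echo "FAIL: AUTH/SECURE_AUTH/LOGGED_IN/NONCE keys are still placeholders (Step 4)"
        rc=1
    fi
    if has_default_prefix "$1"; then
        echo "FAIL: table prefix is the default wp_ (Step 6)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# Constructed sample with the lines the post quotes, written to a temp file
# whose path is printed so the caller can use it.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
$table_prefix = 'wp_';
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
EOF
    echo "$f"
}

# Usage: audit the sample, rotate its keys, audit the result. Findings are
# expected on the sample, so the non-zero exit is swallowed here.
sample=$(make_sample)
audit "$sample" || true
fixed=$(mktemp)
rotate_keys "$sample" "$fixed"
audit "$fixed" || true
```

The script only rewrites the key lines; the prefix check is report-only because changing it means renaming every table in the database, which is what the WP Security Scan "Database" tab does for you. Rotating the keys invalidates every existing login cookie, so do it at a quiet time.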



  #2  
Old 06-28-2012, 12:21 PM
Gabe_GoDaddy Gabe_GoDaddy is offline
Web Hosting Evangelist
 
Join Date: Mar 2012
Posts: 507
Great advice! Lots of truly useful tips here. Is WP Security Scan a 3rd-party scan external from the host? If not, that is the only additional thing I would recommend. Thanks for posting this for the community.

__________________
Gabe
Go Daddy® Hosting Ambassador
GoDaddy.com

  #3  
Old 06-28-2012, 12:25 PM
HostWinds HostWinds is offline
Corporate Member
 
Join Date: Nov 2010
Location: Tulsa, OK
Posts: 189
Quote:
Originally Posted by Gabe_GoDaddy View Post
Great advice! Lots of truly useful tips here. Is WP Security Scan a 3rd-party scan external from the host? If not, that is the only additional thing I would recommend. Thanks for posting this for the community.
Thank you very much! Yes, WP Security scan is a third-party WordPress plugin located here. Always glad to help.


  #4  
Old 06-28-2012, 12:42 PM
Collabora Collabora is offline
Disabled
 
Join Date: Mar 2009
Location: Santa Monica, CA
Posts: 3,372
Has anyone tried password-protecting the wp-admin folder? I am wondering if that would create any problems.

  #5  
Old 06-28-2012, 02:19 PM
WorkerBees WorkerBees is offline
Junior Guru Wannabe
 
Join Date: Sep 2011
Posts: 60
Nice post. Some good info there. Hopefully people jump in and share their own tips.

I will never understand why some hosting companies think that updating to the absolute latest version of the wp core is the only thing that matters and is so important. Many wp version updates have absolutely nothing to do with security related patches or vulnerability fixes. Meanwhile most wp installs have huge gaping holes that you could drive a bus through regardless of having or not having the latest core updates.

The plugins and themes are most often the weakest link beyond brute force or stolen pw's, not hacked wp core files. The path to the core is started by first exploiting the plugins/themes.

The best thing you can do to secure your wp is to delete all the old themes and plugins that you are not using. Then update the ones that you are using. If there are no recent updates, or your plugin hasn't been supported for many moons, then de-activate and delete it. I'm always amazed at the ignorance shown by "admins" who have the latest version of wp, yet fail to deal with their themes and plugins.

Speaking of plugins, I highly recommend getting a few security plugins such as 'limit login attempts', 'wordpress file monitor' and 'bulletproof security' or similar that create hardcore htaccess, brute force protection, and file monitoring. Obscurity is a weak and easily foiled "protection" against hackers. The 'limit login attempts' shuts down brute force attacks without the need for any obscurity measures. The bps plugin automagically generates bombproof htaccess files that foil most nasties. The file monitoring is just common sense. If a file is changed, deleted, or added, then the admin should be notified.

Also Check and change your permissions. Beyond using the htaccess, you should be using the strictest possible permissions so important files cannot be viewed, changed, or executed.

Delete old themes. This is an extremely common problem. People try out many themes, then choose one and activate it. Then they leave the others and ignore them. There are many popular exploits that take advantage of un-activated themes. Even the themes that come pre-packaged with wordpress are often easily hacked.

Sure, update the core when there is a security related patch, but don't blindly ignore the real threats.
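The file-monitoring and permissions points in the post above, as an added example that is not from the post or from any of the plugins it names: a POSIX shell baseline/compare script of the kind 'wordpress file monitor' provides (report added, changed and removed files against a stored baseline), plus a world-writable scan. Function names and the sample site layout are constructed; paths are read from sha256sum's second column, so this simple version assumes file names without whitespace.

```shell
#!/bin/sh
# Added example, not from this post or any plugin it names: a baseline
# file-integrity check plus a world-writable scan. Function names and the
# sample site are constructed. Assumes file names without whitespace.

# Write "sha256  ./path" for every regular file under $1 into baseline $2.
snapshot() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done) > "$2"
}

# Compare the tree $1 against baseline $2. Prints one ADDED/CHANGED/REMOVED
# line per difference; exits 0 when the tree matches the baseline, 1 otherwise.
compare() {
    cur=$(mktemp)
    snapshot "$1" "$cur"
    report=$(awk '
        NR == FNR { base[$2] = $1; next }
        !($2 in base)                       { print "ADDED " $2 }
        ($2 in base) && base[$2] != $1      { print "CHANGED " $2 }
        { seen[$2] = 1 }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$cur")
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# List regular files under $1 that any user on the server can write to;
# an empty list is what you want for a WordPress tree.
world_writable() {
    find "$1" -type f -perm -002
}

# Constructed sample site: a front controller and an unused plugin, the
# kind of leftover the post says to delete. Prints the directory path.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins/old" "$d/wp-content/uploads"
    echo '<?php // front controller' > "$d/index.php"
    echo '<?php // unused plugin'    > "$d/wp-content/plugins/old/old.php"
    echo "$d"
}

# Usage: take a baseline of the sample site, then confirm nothing changed.
site=$(make_sample_site)
baseline=$(mktemp)
snapshot "$site" "$baseline"
compare "$site" "$baseline" && echo "no changes since baseline"
world_writable "$site"
```

Keep the baseline file outside the web root and regenerate it only after you update a plugin or theme yourself; anything else that shows up as ADDED or CHANGED, especially a .php file under wp-content/uploads, is worth looking at.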

  #6  
Old 06-29-2012, 03:13 PM
cheapestoffshore cheapestoffshore is offline
Temporarily Suspended
 
Join Date: Jun 2012
Location: Canada
Posts: 12
Thank you for this advice. Actually WordPress is secured; however, there are many add-ons that are not secured.

  #7  
Old 07-02-2012, 09:59 AM
Gabe_GoDaddy Gabe_GoDaddy is offline
Web Hosting Evangelist
 
Join Date: Mar 2012
Posts: 507
WorkerBees,

You bring up a really great point about removing inactive themes and plugins. Many people forget that even in an inactive state they can still provide entrance for malicious activity.

In addition, this removal of inactive themes should be performed server wide.


  #8  
Old 07-05-2012, 11:37 AM
Zienxp Zienxp is offline
Newbie
 
Join Date: Jul 2012
Posts: 12
Thank you, man, it was so helpful.

  #9  
Old 08-03-2012, 02:52 AM
IndiaWilds IndiaWilds is offline
New Member
 
Join Date: Aug 2012
Posts: 0
Very informative post. I have implemented only some of the points. Very helpful to a beginner like me. Thanks for sharing.

  #10  
Old 08-26-2012, 11:35 AM
Yorf Yorf is offline
New Member
 
Join Date: Aug 2012
Posts: 0
Thanks for sharing these tips. You might also want to try the Better WP Security plugin.

  #11  
Old 09-15-2012, 02:13 PM
b4uindia b4uindia is offline
Junior Guru
 
Join Date: Oct 2007
Location: Jaipur, Rajasthan, India.
Posts: 184
Thanks for sharing the good tips.
We have also been getting many notices that WordPress sites are getting hacked if you are using an older version, so it is also necessary to make sure all plugins and the WordPress version are the latest and up to date.

__________________
B4UIndia Web Technologies - Web Hosting India Service Provider.
Domain Name | Web Hosting | Reseller Hosting | VPS Hosting Specialist from India
99.9% Network Uptime, 24/7 Technical Support
Follow Us on Twitter @b4uindia More Info Visit: B4UIndia.com

  #12  
Old 09-18-2012, 12:12 PM
DavidBee DavidBee is offline
Web Hosting Guru
 
Join Date: Sep 2012
Posts: 260
Great tutorial here. Covered all areas!

Although each of the steps is equally important, steps 6, 7 and 8 are my top 3.

  #13  
Old 09-18-2012, 12:15 PM
dareORdie dareORdie is offline
Disabled
 
Join Date: Nov 2011
Location: Nasik, MH,INDIA
Posts: 850
Hello,

Thanks for sharing the useful knowledge. It's really helpful for us.

  #14  
Old 09-23-2012, 12:17 PM
abitech abitech is offline
Newbie
 
Join Date: Sep 2012
Location: Cambodia
Posts: 9
Thanks for sharing. That's very useful information.

  #15  
Old 10-17-2012, 11:57 AM
TaikunInc TaikunInc is offline
Newbie
 
Join Date: Aug 2012
Posts: 7
This was great! I had some of the things done, but a lot of the htaccess stuff I had not done. Thanks.

Tags
.htaccess, hacked, plugins, security, wordpress

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Postbit Selector

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Forum Jump
Login:
Log in with your username and password
Username:
Password:



Forgot Password?
Advertisement:
Web Hosting News:
WHT Membership
WHT Membership



 

X

Welcome to WebHostingTalk.com

Create your username to jump into the discussion!

WebHostingTalk.com is the largest, most influentual web hosting community on the Internet. Join us by filling in the form below.


(4 digit year)

Already a member?