How to Secure WordPress Against Hackers

How to secure WordPress against hackers is a really good question, and here I would like to give a lengthy but largely effective answer.

In the world of information technology, we often hear the word "hacker" and the threats that come with it.

What is a hacker?

A hacker is a computer expert and guru who can damage your information and use your access
without your permission, for their own satisfaction and sometimes to destroy the prestige of
your business. If you have ever faced such a situation and now want to make your website/blog
more secure, this article can help you learn how to do it.

If you manage your website/blog yourself and you are comfortable installing themes and
plugins, please read the section below.

Security Measures:

Upgrading:

Upgrade your WordPress installation to the latest version as soon as it is available at
WordPress.org. This will enhance your protection by 80%, because every version of WordPress
comes with new security features and patches.
Use a username other than "admin". WordPress is an open source application, and everyone knows
that "admin" is its default username. That makes it much easier for hackers to crack your
password, because their remaining work is reduced by 50% when they already know your username.
Avoid using the default table prefix "wp_" as well.
Changing your username is not a difficult task. Just follow these small steps:
1- Go to phpMyAdmin
2- Find the users table
3- Open it, paste the following SQL command and run it.

update wpwins_users set user_login='helloadmin' where user_login='admin';

That's it: your username is changed to the one you chose.

In this example command the table prefix is "wpwins" and the WordPress username becomes
"helloadmin". Both values are examples and can be changed as you wish.

CHOOSING A PASSWORD:

Choose a password that is unique and hard to guess. Changing your username does not guarantee
that you are 100% safe from hackers or that nobody can break through your security.
Choose a password with upper case letters, lower case letters, special characters and numbers.

CORRECTING FILE PERMISSIONS:

Hackers can easily break your security if you don't set correct permissions on your files and
folders. Always use 0755 for every folder and 0644 for your files. If you want to edit a file
in the WordPress Theme Editor, the permission will be 0666.
Don't set permissions to 0777, as that gives hackers access.
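
The permission rules above can be checked with a read-only audit. The following shell functions are an added example, not part of the original article; the function names and the path you pass in are assumptions, and the script only reports deviations without changing any modes:

```shell
# Added example, not from the original article: read-only audit of a WordPress
# tree against the modes named above. Function names are assumptions.
# Usage: wp_perm_audit /path/to/wordpress

# Directories whose mode is not exactly 0755.
wp_bad_dirs() { find "$1" -type d ! -perm 755 -print; }

# Regular files whose mode is not exactly 0644 (this includes 0666 files).
wp_bad_files() { find "$1" -type f ! -perm 644 -print; }

# Files or directories writable by every user on the host (0777, 0666, ...).
wp_world_writable() { find "$1" \( -type d -o -type f \) -perm -002 -print; }

# Print one line per finding, prefixed with the check that raised it.
# Returns 1 if anything deviates, 0 if the tree is clean.
wp_perm_audit() {
    audit_rc=0
    for audit_check in wp_bad_dirs wp_bad_files wp_world_writable; do
        audit_out=$("$audit_check" "$1")
        if [ -n "$audit_out" ]; then
            audit_rc=1
            printf '%s\n' "$audit_out" | sed "s|^|$audit_check: |"
        fi
    done
    return "$audit_rc"
}
```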

Editing the WordPress Keys:

WordPress has some security keys which are normally the same in all updates and releases.
Hardly anyone changes these keys, and some of us are unaware of them, so they go unchanged.
You should change these keys in the file wp-config.php to keep your database information
secure.
Use the following link to generate new security keys. Every time you open this URL, you get
new keys:

https://api.wordpress.org/secret-key/1.1/

Edit your wp-config.php and change your security keys as listed below:

define('AUTH_KEY', 'your unique value goes here');
define('SECURE_AUTH_KEY', 'your unique value goes here');
define('LOGGED_IN_KEY', 'your unique value goes here');
define('NONCE_KEY', 'your unique value goes here');
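
To confirm that the four keys above were actually changed, the following shell check can be run against wp-config.php. It is an added example, not WordPress's own code: the function names, the 32-character minimum and the duplicate check are assumptions of this example, and it only reads the file.

```shell
# Added example, not from the original article. Reads wp-config.php only.
# Usage: wp_check_keys /path/to/wp-config.php
WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY"

# Print the value from define('NAME', 'value'); for key $2 in file $1
# (empty output if the key is not defined).
wp_key_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*'\(.*\)'[[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# Print "KEY STATUS" for each key; return 1 if any key is not OK.
#   MISSING      no define() found
#   PLACEHOLDER  still the sample text (the article's or WordPress's sample config)
#   SHORT        under 32 characters (threshold is an assumption of this example)
#   DUPLICATE    same value as an earlier key
wp_check_keys() {
    keys_rc=0
    keys_seen=""
    for keys_k in $WP_KEYS; do
        keys_v=$(wp_key_value "$1" "$keys_k")
        case $keys_v in
            "") keys_st=MISSING ;;
            *"unique value goes here"*|*"unique phrase here"*) keys_st=PLACEHOLDER ;;
            *)  if [ "${#keys_v}" -lt 32 ]; then keys_st=SHORT
                elif printf '%s\n' "$keys_seen" | grep -Fqx -- "$keys_v"; then keys_st=DUPLICATE
                else keys_st=OK
                fi ;;
        esac
        keys_seen="$keys_seen
$keys_v"
        [ "$keys_st" = OK ] || keys_rc=1
        printf '%s %s\n' "$keys_k" "$keys_st"
    done
    return "$keys_rc"
}
```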

Secure Directory Listing:

WordPress is an open source application, so anyone, including hackers on your hosting, can
know the structure of your files/folders. They can gain access to your directories/files
because browsers normally show the directory structure of your script. To solve this issue,
put a blank index.php file in each directory where an index file is not placed by default.

Keep an Updated Backup:

All the above steps can bring you peace of mind, but keep in mind that security can always be
broken. The best suggestion for you is to take periodic backups of your database and files and
never to trust your security measures completely. No one can claim to have a 100% secure
WordPress/blog website.
Keep a regular backup of your blog. If anything goes wrong because of a successful hack, you
will be able to recover the actual image of your website/blog.

Plugin Installation:

If you are new to WordPress, don't worry too much about this. We are always there to help you
out. You may ask us, or anyone else who is familiar with managing WordPress, to implement all
the steps mentioned above and make your site even more secure. Perform every step carefully
and with caution. Install the plugins listed below immediately for better WordPress security
and safety.

1- WordPress Security Virus Scanning:

Install this plugin to find out whether all the security measures for your website/blog have
been implemented correctly. It gives you detailed information about which measures are
implemented and which are working correctly.

2- Hidden URL:

Install this plugin to hide your login URL. You can choose any login URL you like, e.g.
(www.domain-name.com/abc); (www.domain-name.com/wp-admin) will then simply direct visitors to
the website's main/homepage.

3- Block Failed Login Attempts:

This plugin helps you block unwanted/fake login attempts on the WordPress login page. It
blocks the IPs behind the failed login attempts made by any hacker.


======================================================================
This is the extended version of the previous post (the one above). It is highly recommended
that you read all the precautions mentioned in our previous post before you continue reading
this post.

1- Search Engine Spiders:

Search engine spiders crawl all over your website and content unless you tell them not to.
We cannot allow spiders to crawl our index page, as there is sensitive information related
to our website in this section. robots.txt is the file which can help you prevent the
crawlers (web bots) from collecting information about your website. This file must be placed
in the root directory. When you create the robots.txt file, make sure to put the following
code in it:

#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*


2- Protection of the .htaccess File:

The .htaccess file in WordPress is responsible for configuration wherever it is placed in a
directory. It is also used for security restrictions, so this file is often a hacker's first
choice for breaching your security. Put the following code into your .htaccess file to make
it stronger and more effective.

# STRONGEST HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

Add this code on a new line to disable directory listing:

# disable directory browsing
Options All -Indexes

3- IP Security:

This code restricts access to the wp-admin directory of your website by IP address. Put
this code in your .htaccess file:

# deny access to wp-admin
order deny,allow
# x.x.x.x is your IP
allow from x.x.x.x
deny from all

4- Script Security:

You can protect your WordPress blog/website against script injection and unwanted
modification of GLOBALS and/or _REQUEST, a threat that is highly dangerous for your
blog/website. Just put the following lines in the .htaccess file in the root directory:

# Protection against SQL Injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

5- Changing Your wp-config.php File Location:

You can change your wp-config.php file location to make your website/blog more secure and
virus proof. This file is normally hosted in the root directory. You can edit this file by
accessing Apache, but we advise you to move this file out of the parent or web directory.
Your site will stop working as soon as you change the file's location. Use the code below to
make it work again:

Default code:

if ( file_exists( ABSPATH . 'wp-config.php' ) ) {

    /** The config file resides in ABSPATH */
    require_once( ABSPATH . 'wp-config.php' );

} elseif ( file_exists( dirname(ABSPATH) . '/wp-config.php' ) && ! file_exists( dirname(ABSPATH) . '/wp-settings.php' ) ) {

    /** The config file resides one level above ABSPATH but is not part of another install */
    require_once( dirname(ABSPATH) . '/wp-config.php' );

}

Code after you change the file location:

if ( file_exists( ABSPATH . '../wp-config.php' ) ) {

    /** The config file resides one level above ABSPATH */
    require_once( ABSPATH . '../wp-config.php' );

} elseif ( file_exists( dirname(ABSPATH) . '/../wp-config.php' ) && ! file_exists( dirname(ABSPATH) . '/wp-settings.php' ) ) {

    /** The config file resides two levels above ABSPATH but is not part of another install */
    require_once( dirname(ABSPATH) . '/../wp-config.php' );

}

These simple steps move your wp-config.php file one directory higher.
With this change in place, your script keeps functioning properly.

I hope this article helps you understand the threats of website/blog hacking and how to
prevent hackers from breaking through your security.

 
