Save your blog from Hackers
Dear clients/Reseller
"prevent word press hacking " is 5 million search in google. Now a days open source CMS programes are most popular in the world of internet. In open source CMS word press is most popular but its security is so week, and many wordpress sites are being hacked on daily basis.
There are many ways to secure the wordpress
Detail is as below
1- Backup
2- Wordpress version
3- Cchange your login and password
4- Wordpress keys in wp-config.php
5-Wordpress security scan
6- Table prefix
7- Blocking search engin spider from indexing the admin area
8- .htaccess hack
9- Protect your htaccess
10- Directory browsing
11- Secure wp-config
12- Protect wordpress admin files
13- wp-content directory
14- script injection
15- Wordpress fire wall
now we discuss step by step
Backup
Backup is the most important method. so on daily basis or weekly basis you can take backup of your word press site. Now you must take backup before you make any changes that I am suggesting.
version wordpress
Second crucial step after backing up your blog is to update it to the latest wordpress version. Because word press devolpment team is also updating security of wordpress
change your login and password
All hackers know about the word "admin" which is used in Control panel.
So please do not use word "admin" and for password please use capital words, small words, special characters and numbers to make complex password.
wordpress keys in wp-config.php
In word press it is the most important file.
Use the WordPress Key Generator to generate these keys. Now open up your wp-config.php, find the lines that look like below and simply replace with the generated ones:
define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);
Save and you are done!
wordpress security scan
Install wp security scan
This plugin is the real deal. It’s simple and automates stuff. It will scan your wordpress blog for vulnerabilities and inform you if it finds any malicious codes etc. If the texts are in green in the admin panel then you should be good.
Table prifix
It is another important securty point. All know including hackers wP prifix is wp_ so it should change and make another
Currently you can use plugin wp security scan for this. it is easy for all new babies
Blocking search engin spider from indexing the admin area
All seach engin bot crawal over your blog and index all files unless they are told not to do so. we do not want to index the main admin area files amd information.For that you create robot.txt file in your root directory
Here is code place in file
#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
.htaccess hack
.htaccess (hypertext access) is the default name of directory-level configuration files that allow for decentralized management of configuration when placed inside the web tree. .htaccess files are often used to specify the security restrictions for the particular directory. This is not an exact tip that falls under the list but you should know about .htaccess because you can do a lot with it to prevent wordpress hack. I am not going to get in depth for this term but I found out some sweet .htaccess hacks which can tighten your wordpress security. See them below
Protect the .htaccess
.htaccess to protect your blog from hackers, you cannot simply leave the .htaccess open itself to attacks. The hack below prevents external access to any file with .hta . Simply place the code in your domain’s root .htaccess file.
# STRONG HTACCESS PROTECTION
order allow,deny
deny from all
satisfy all
Directory browsing
Do not allow the hackers and other people to browse your entire directory
so please add 2 line in .htaccess
# disable directory browsing
Options All -Indexes
Secure config.php
Wp-config.php is important because it contains all the sensitive data and configuration of your blog and therefore we must secure it through .htaccess. Simply adding the code below to the .htaccess file in the root directory can do the trick
# protect wp-config.php
Order deny,allow
Deny from all
wp-content directory
Wp-content contains everything. This is a very important folder and you should secure it. You don’t want users to browse and get access to unwanted/other data. Users should be only able to view and access certain file types like images (jpg, gif, png), Javascript, css and XML.
Place the code below in the .htaccess file within the wp-content folder (not the root).
Order deny,allow
Deny from all
Allow from all
Protect wordpress admin files
Wp-admin should be accessed only by you and your fellow bloggers (if any). You may use .htaccess to restrict access and allow only specific IP addresses to this directory.
If you have static IP address and you always blog from your computer, then this can be a good option for you. However, if you run a multiple user blog then either you can opt out from this or you can allow access from a range of IPs. You can refer to Apache’s documentation on mod_access for complete instruction on how to set this up.
Copy and paste the code below to the .htaccess in wp-admin folder (not root folder)
# deny access to wp admin
order deny,allow
allow from xx.xx.xx.xx # This is your static IP
deny from all
The above code will prevent browser access to any file in these directories other than “xx.xx.xx.xx” which should be your static IP address.
There is another way you could restrict access to the directory and that is by using a password in the .htaccess. I am planning to write a detailed .htacess hack where I will include all of these.
Script injection
I found this code on wprecipes and it works like a charm. Now you can protect your WordPress blog from script injection, and unwanted modification of _REQUEST and/or GLOBALS.
Simple copy and paste the code below to your .htaccess in the root
# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
WordPress Firewall 2
Last but not the least; you can install WordPress Firewall 2 which actually protects your blog from malicious hackers. It blocks the attempts of the hacker and notifies you when abused. Only the negative point of this plug-in is, it sometimes even blocks our action. This can really get annoying and I do not really recommend this plug-in unless you have SUPER Hackers and bots screwing up your blog. Stick with the .htaccess hacks since they do the job pretty well and your blog should be just fine.
File permission
Move wp-config.php up one level
The wp-config.php file contains all of your WordPress configuration information and settings. It’s game over if hackers gain access to this file—they would be able to inject malware into your blog pages, or *gulp* delete all of your blog content.
A little-known feature of WordPress is that you can move the wp-config.php file one level above the WordPress root. On most Linux servers, wp-config.php would be located in:
~/home/user/public_html/wp-config.php
Simply FTP into your server, and then move wp-config.php above the public_html directory so that it is located in:
~/home/user/wp-config.php
