The easiest, most effective ways to secure a WordPress site

WordPress site security: how to keep hackers out

1. Put the following in your theme's functions.php to hide the WordPress version from the generator meta tag:
function remove_wp_version() {
    return ''; // returns an empty string, which is exactly the point
}
add_filter('the_generator', 'remove_wp_version');

This is obscurity only: the version is still exposed by readme.html and by the ?ver= query strings on enqueued scripts and styles, so keeping WordPress, themes and plugins up to date matters far more than hiding the number.

2. Activate the plugin Better WP Security and configure it.

3. Set file and directory permissions
For directories: 755
For files: 644
wp-config.php holds the database credentials, so make it tighter: 600 if the web server runs as the file owner, or 640 if it runs as a different user in the same group.
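The permission rules above as a script, added here as an example and not part of the original post. It assumes a POSIX shell and find, that the argument is the WordPress root (for example /var/www/html), and that the web server runs as the file owner, so 600 on wp-config.php does not lock it out (use 640 with the server's group otherwise). Besides applying the policy it lists every path that deviates from it, so the same script doubles as a periodic audit.

```shell
#!/bin/sh
# Added example: apply the recommended WordPress permissions (755 directories,
# 644 files, 600 wp-config.php) and report anything that deviates from them.
# Assumptions: POSIX sh/find, the argument is the WordPress root, and the web
# server runs as the owner of the files (otherwise use 640 on wp-config.php).

# Apply 755 to directories and 644 to files, then tighten wp-config.php,
# which holds the database credentials, so only the owner can read it.
harden_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Print every path whose mode deviates from the policy, one per line.
# Directories with extra bits such as setgid (2755) are reported as well,
# which is deliberate: anything unexpected deserves a look.
wp_perm_violations() {
    root="$1"
    {
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -name wp-config.php ! -perm 644
        find "$root" -type f -name wp-config.php ! -perm 600
    } | sort
}

# Exit status 0 if the tree matches the policy, 1 otherwise.
wp_perms_ok() {
    [ -z "$(wp_perm_violations "$1")" ]
}

# Usage: sh wp-perms.sh /var/www/html
if [ $# -gt 0 ]; then
    harden_wp_perms "$1"
    wp_perm_violations "$1"
fi
```

Run wp_perm_violations on its own from cron to catch a plugin installer or a careless SFTP upload that has loosened things again; an empty report means the tree still matches the policy.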

4. Protect wp-config.php in .htaccess
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Items 4, 6 and 7 use the Apache 2.2 Order/Allow/Deny syntax. On Apache 2.4 it only works while mod_access_compat is loaded; the native form is Require all denied (and Require all granted where the snippets allow).

5. No directory browsing. Add this to .htaccess
# directory browsing
Options -Indexes

Use -Indexes alone rather than All -Indexes: Apache rejects a mix of absolute (All) and relative (-Indexes) options, and Options All would in any case switch on ExecCGI and Includes, which you do not want enabled from an .htaccess file.

6. Prevent direct access to files in wp-content (put this in wp-content/.htaccess)
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

This denies everything under wp-content except the listed static types, so direct requests for PHP files in plugins, themes and uploads are refused. Add any other file types you serve (pdf, svg, woff and so on) to the list or those downloads will break, and test any plugin that expects its own PHP files to be requested directly.

7. Protect .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

8. Secure wp-includes
Put this block in the root .htaccess outside the # BEGIN WordPress / # END WordPress markers: WordPress rewrites everything between those markers and would drop your rules.
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

The [S=3] rule skips the three wp-includes rules for any request outside wp-includes/. Caveat: on a multisite install the rule for wp-includes/[^/]+\.php also blocks wp-includes/ms-files.php, which serves uploaded files, so leave that rule out there.

9. Help prevent hotlinking (other sites embedding your images)
RewriteEngine On
# Replace mysite\.com with your own domain
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Never rewrite the placeholder image itself, or the rule matches it too
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
# Replace /images/nohotlink.jpg with the path of your "don't hotlink" image
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]

Make sure to replace "mysite" with your own domain and "/images/nohotlink.jpg" with the path of your image. The empty-referer condition lets direct requests and browsers that strip the Referer header through. This saves bandwidth but is not a security control: the Referer header is trivially spoofed.

10. Filter obvious script-injection attempts in the query string
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ - [F,L]

These patterns only inspect the query string, so they catch nothing sent in a POST body, a cookie or a header, and slightly different encodings slip past them. Treat this as a speed bump, not a substitute for keeping WordPress, themes and plugins patched.
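A way to confirm from the outside that the .htaccess rules from items 4, 5, 7, 8 and 10 are really enforced, added here as an example and not part of the original post. Apache silently ignores .htaccess when AllowOverride is None (or lacks FileInfo and Options), so a rule that was pasted in may do nothing; this script requests each protected resource and expects 403 Forbidden. It assumes curl is installed, that the argument is the site's base URL, and that wp-content/uploads/ has no index file, so a 403 there shows directory listings are off. The probe list and the audit_wp_site name are this example's own.

```shell
#!/bin/sh
# Added example: probe a WordPress site for resources the .htaccess rules in
# items 4, 5, 7, 8 and 10 are supposed to refuse.  Assumptions: curl is
# installed, $1 is the site's base URL, wp-content/uploads/ has no index file.

# Return only the HTTP status code for a URL.  curl prints 000 when it cannot
# connect, which is reported like any other non-403 answer.  Kept as a
# separate function so an offline test can replace it with a stand-in.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Paths that must never be served, one per line.  The last one is a harmless
# query string that the item 10 rule is meant to reject.
PROTECTED_PATHS='
/wp-config.php
/.htaccess
/wp-includes/version.php
/wp-admin/includes/admin.php
/wp-content/uploads/
/?GLOBALS=1
'

# Print one line per probe and return the number of probes that were NOT
# refused with 403, so 0 means every protection checked is in place.
audit_wp_site() {
    base="${1%/}"
    failures=0
    for path in $PROTECTED_PATHS; do
        code=$(http_status "$base$path")
        if [ "$code" = "403" ]; then
            printf 'ok      %s %s\n' "$code" "$path"
        else
            printf 'EXPOSED %s %s\n' "$code" "$path"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage: sh wp-audit.sh https://www.example.com
if [ $# -gt 0 ]; then
    audit_wp_site "$1"
fi
```

A 200 on /wp-config.php is the one to fix first: it usually means .htaccess is not being read at all, so every other rule on this page is inert too. A 404 on /wp-content/uploads/ just means the directory does not exist yet; everything else that is not a 403 deserves a look.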

11. Things to avoid when choosing a password:

Any permutation of your own real name, username, company name, or the name of your website.
A word from a dictionary, in any language.
A short password.
A numeric-only or alphabetic-only password (mix letters, digits and symbols).

12. Do not keep an administrator called "admin", and do not leave your main administrator at user ID 1. Create a new administrator with an unpredictable username, log in as that user, and delete the old account while attributing its posts to the new one. Automated attacks try "admin" first, and user ID 1 is easy to enumerate (a request for /?author=1 redirects to the author archive, which reveals the login name).

13. Change the table prefix: many published WordPress-specific SQL-injection attacks assume the table prefix is the default, wp_.
Changing $table_prefix in wp-config.php (on an existing site you must also rename the tables and the prefixed keys in the options and usermeta tables, such as wp_user_roles and wp_capabilities) blocks those canned attacks. This is defence in depth only: an attacker who can run arbitrary SQL can read the real table names from information_schema.

14. Remove unused themes and inactive plugins from the wp-content folder. Their files stay reachable over the web even when they are deactivated, so a vulnerable inactive plugin is still exploitable.

15. FTP: use SFTP rather than plain FTP whenever your web host provides it.
If you are unsure whether your host provides SFTP, just ask them.
SFTP runs over SSH and works like FTP from the client's point of view, except that your password and everything you transfer are encrypted between your computer and the server.
This means your password is never sent in the clear, where anyone on the network path could capture it.

16. Scan your site regularly with an external scanner, for example:
http://sitecheck.sucuri.net/scanner/
