18 Feb 12

How To Secure Your WordPress – A Complete Guide


CATEGORY: Knowledge Base

— Why do hackers attack a website or blog?

Hackers attack your blog for many reasons, but the main one is that they want to hijack your Google ranking in order to promote (and increase) their own. As you can imagine, there are many different types of hacks. One of the most popular is the Pharma hack, where the hackers insert spam content into your site related to different types of medications. Other hacks are more obvious because they use adult content and software sales.

— How do I know if my blog or website has been hacked?

Although it’s usually obvious when a blog or website is hacked, there are times when you may suspect you’ve been hacked but just aren’t sure. Here are a few of the warning signs you’ve been hacked:

  • Your Google Page Rank starts to drop for no apparent reason.
  • Your blog loads more and more slowly (and you haven’t added a ton of plugins).
  • You notice strange links on your website.
  • Your Google webmaster tools show strange keywords to describe your site.
  • You perform a Google search for your site, the results show titles and descriptions that do NOT describe your site, yet still have your URLs.
  • Your website or blog traffic starts decreasing for no logical reason.

If you aren’t sure your site has been hacked (or just want to be sure), do a Google search for a spammy keyword together with your site, like this: keyword:yoursite.com. Try several different spam keywords to make sure your site is clean.

— Keep Your WordPress and WordPress Plugins Updated to the Latest Version

The latest version of WordPress always contains bug fixes for known security vulnerabilities, so it is important to keep your installation updated at all times.

— Hide Your WordPress Version

A large number of WordPress themes include the WordPress version in a meta tag. Hackers can easily read this information and plan an attack targeting the security vulnerabilities of that specific version.
To remove the WordPress version info, log in to your WordPress dashboard. Go to Design->Theme Editor. On the right, click on the Header file. On the left, in the code, look for a line that looks like this and delete it:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

— Change the WordPress Admin Username

Most hackers know that ‘admin’ is the username, so they only have to guess the password. Make it twice as hard by changing the admin username to something other than ‘admin’.

— Remove the Footer Credit

Most WordPress templates come with a link back to WordPress in the footer saying “Powered by WordPress”. If you don’t want to get hacked, this absolutely has to go. It is used as a marker by hackers who query search engines to compile lists of WordPress sites. This is known as dorking, implying that people who leave such footprints on their sites are dorks. Removing it will probably stop you from getting hacked, as your site will probably not be found once the marker is gone. If you would like to give credit to WordPress for making a free publishing platform in some other way, you could link to them on your about page. To remove the footer credit, open up

wp-content/(name of the theme you are using)/footer.php

and delete the link to WordPress.

— Remove the Meta Generator Tag

Most WordPress templates also come with an HTML tag in the head like this:

<meta name="generator" content="WordPress 3.2.1" />

This has to go too, as it gives away which version of WordPress you are using. All a hacker has to do is look up a hack for your version of WordPress, and if you are vulnerable (some vulnerabilities require certain server settings or environments) they will take you down. To remove the meta generator, open up

wp-content/{name of the theme you are using}/header.php

and delete the meta generator tag.

— Remove the Generator Tag in the RSS Feed

WordPress also gives away which version you are using in the RSS feed with a generator tag like this:

<generator>http://wordpress.org/?v=3.2.1</generator>

Again, this gives away the version you are using, so it is particularly dangerous. RSS feeds are another way in which hackers compile lists of sites they might be able to attack.
To remove the RSS generator, open up wp-includes/general-template.php and search for the function called the_generator (around line 1858). It will look like this:

function the_generator( $type ) {
    echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
}

and place a hash (#) in front of the word echo on its own line (a # comments out the rest of that line in PHP, so the closing brace must stay on a separate line), so it looks like this:

function the_generator( $type ) {
    #echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
}
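The three removal steps above (the header meta tag, the theme's hard-coded tag and the RSS generator) all edit theme or core files, and the edit to wp-includes/general-template.php is silently undone by the next WordPress update. The following must-use plugin, an added example that is not part of the original post, achieves the same result through the hooks WordPress already exposes: the wp_generator action that prints the head tag, and the the_generator filter that is visible inside the core function quoted above. The mu-plugins directory and the use of output buffering as a fallback for themes that hard-code the tag are assumptions for this example. Note that the version still leaks through readme.html and the ?ver= query strings on enqueued scripts, so this is cosmetic compared with keeping WordPress updated.

```php
<?php
/**
 * Plugin Name: Hide WordPress Generator
 * Description: Added example (not from the original post). Removes the
 * WordPress version from the <head> meta tag and from RSS/Atom feeds
 * without editing core files, so the change survives updates.
 *
 * Drop this file into wp-content/mu-plugins/ (assumption: that directory
 * exists and is writable; create it if it does not).
 */

// Do not run outside WordPress (e.g. if the file is requested directly).
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. The <meta name="generator"> tag is printed by the wp_generator
//    callback hooked on wp_head; unhooking it removes the tag for every
//    theme that calls wp_head(), without touching header.php.
remove_action( 'wp_head', 'wp_generator' );

// 2. Feeds (RSS2, Atom, RDF, comment feeds) print the version through
//    the_generator(), whose output passes through the 'the_generator'
//    filter shown in the core function above. Returning an empty string
//    removes the <generator> element while leaving core untouched.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Safety net for themes that hard-code the meta tag in header.php:
//    strip it from the final HTML of front-end pages. Assumption: output
//    buffering is acceptable for this site (it is skipped for admin pages
//    and feeds, which are handled by steps 1 and 2).
add_action( 'template_redirect', function () {
    if ( is_admin() || is_feed() ) {
        return;
    }
    ob_start( function ( $html ) {
        return preg_replace(
            '#<meta\s+name=["\']generator["\'][^>]*>\s*#i',
            '',
            $html
        );
    } );
} );
```

After activating, verify the change from the outside rather than trusting the dashboard: fetch the front page and the /feed/ URL and confirm neither contains the string "generator" followed by a version number.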

— Avoid Using Free Themes (malicious code)

You can run into serious trouble by installing plugins and using themes without checking them for malicious code. If you don’t know PHP, I’d recommend only installing plugins and themes that are listed in the official WordPress directories.

— Encrypt Your Login

Whenever you log in to your website, your password is sent unencrypted. If you are on a public network, a hacker can easily ‘sniff’ out your login credentials with a network sniffer. The best way is to encrypt your login with the Chap Secure Login plugin. This plugin adds a random hash to your password and authenticates your login with the CHAP protocol.

— Use a Strong Password

Make sure you use a strong password that is difficult for others to guess. Use a combination of digits, special characters and upper/lower case letters to form your password. You can also use the password strength checker in WordPress 2.5 and above to check the strength of your password.

— Protect the wp-admin Folder

Your wp-admin folder contains all the important information and is the last place you want to give others access to. Use AskApache Password Protect to password-protect the directory and grant access only to authorized personnel.

— Hide Your Plugin Folder

If you go to http://yourwebsite.com/wp-content/plugins, you can see a list of the plugins you are using on your blog. You can easily hide this page by uploading an empty index.html to the plugins directory:

  • Open your text editor and save a blank document as index.html.
  • Using an FTP program, upload index.html to the /wp-content/plugins folder.

— Do Regular Security Scans

Install the wp-security-scan plugin and perform a regular scan of your blog’s settings for any security loopholes. This plugin can also help you change your database prefix from wp_ to a custom prefix.
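The login-encryption and database-prefix advice above both have a plugin-free counterpart in wp-config.php. The fragment below is an added example, not from the original post: it shows the weak default beside the corrected setting for each. It assumes the site is already served over HTTPS with a valid certificate (otherwise forcing SSL on the admin will lock you out), and the prefix value is a constructed sample.

```php
<?php
// wp-config.php fragment (added example, not from the original post).
// Assumption: the site is reachable over HTTPS with a valid certificate.

// Weak (default): the login form and dashboard can be used over plain HTTP,
// so the password crosses the network in clear text, which is exactly what
// a sniffer on a public network captures.
// define( 'FORCE_SSL_ADMIN', false );

// Corrected: WordPress redirects wp-login.php and /wp-admin/ to HTTPS, so the
// login credentials are always sent over an encrypted connection.
define( 'FORCE_SSL_ADMIN', true );

// Weak (default): every install uses the same table names, so automated
// tooling can assume "wp_users", "wp_options" and so on.
// $table_prefix = 'wp_';

// Corrected: a site-specific prefix (constructed sample value). Set this on
// a NEW install only; on an existing site the tables, the wp_user_roles
// option and the usermeta capability keys must all be renamed to match,
// which is what the scan plugin above automates. The benefit is marginal,
// but it is harmless when done consistently.
$table_prefix = 'k7q3_';
```

Check the result by requesting http://yoursite.com/wp-login.php over plain HTTP: it should answer with a redirect to the https:// address rather than serving the form.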

— Define User Privileges

If there is more than one author on your blog, you can install the role-manager plugin to define the capabilities of each user group. This gives you, the blog owner, the ability to control what users can and cannot do on the blog.
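WordPress's own role API does what the role-manager plugin does, and putting the definition in code means it is reviewable and reproducible. The must-use plugin below is an added example, not from the original post or the plugin's own code: it creates a least-privilege role for guest writers who may draft but not publish or upload, and removes file uploads from the built-in Author role. The role name, its display name and the chosen capability set are assumptions for this example; adjust them to what your site actually needs.

```php
<?php
/**
 * Plugin Name: Least-Privilege Writer Roles
 * Description: Added example (not from the original post). Defines a
 * restricted role for guest writers and trims the built-in Author role
 * using WordPress's role API instead of a role-manager plugin.
 *
 * Place in wp-content/mu-plugins/ (assumption). Roles are persisted in the
 * database, so the add_role() call is guarded and only takes effect once.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

add_action( 'init', function () {
    // A guest writer may create and edit their own drafts but cannot
    // publish, upload files or delete posts; an Editor reviews and
    // publishes. (Role name and capability set are assumptions.)
    if ( null === get_role( 'guest_writer' ) ) {
        add_role( 'guest_writer', 'Guest Writer', array(
            'read'          => true,
            'edit_posts'    => true,   // own drafts only
            'delete_posts'  => false,
            'publish_posts' => false,
            'upload_files'  => false,
        ) );
    }

    // The built-in Author role can upload files by default. Uploads are a
    // common way for unwanted content to land on a site, so take the
    // capability away unless the site genuinely needs it (assumption).
    $author = get_role( 'author' );
    if ( $author && $author->has_cap( 'upload_files' ) ) {
        $author->remove_cap( 'upload_files' );
    }
} );
```

To confirm the change, log in as a test user with the new role: the Media menu and the Publish button should be absent, while Posts > Add New still works and saves drafts.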

— Back Up Everything

No matter how secure your site is, you still want to prepare for the worst.
Make sure you back up EVERYTHING, including your posts, comments, files, images, logos, template, links and HTML code. That way, even if your blog does get wiped out, you’ll have everything you need to put it back together quickly.

The best plugin to do that: Backup Buddy.

If you want a free plugin, install the wp-database-backup plugin and schedule it to back up your database daily, but I must warn you that this plugin only backs up the database.

— Analyze Server Logs

The best security tool, regardless of which plugin or software you install, is you. To be confident that you are fully protected, you have to take a proactive approach to your website’s security. Three times a day I check my server logs and web analytics for any unusual behavior.

— WebCare360

