Have you ever asked yourself about your WordPress website’s security, and how to keep your WordPress websites away from the bad guys for good? Lots of bloggers and website administrators fail to recognize the importance of securing their site.
A few months ago, my website was hacked with a trojan; they made a backdoor, then changed the .htaccess file to change almost all information about my website in Google search results to spam information.
After all this, I went to the WordPress plugins website and had a look at some security plugins. If they were working fine, they could make my blog more secure from these types of attacks.
In this article, I’m going to show you some tweaks and plugins you can use to close the holes that may appear during or after WordPress installation.
Ask Google about malware on your website
Google takes it very seriously if your site is spreading malware content (I’ve had this problem) and will post an advisory for such sites in the search engine results. Visitors will see the message “This site may harm your computer” when trying to access your website/blog, and by that time the damage is done. The effect cascades into your search engine rankings, resulting in lost traffic and money. So, the first thing to do is ask Google to check your website, the way anti-virus software would.
Here it is:
http://www.google.com/safebrowsing/diagnostic?site=https://www.narga.net/
Install your WordPress manually, don’t use any auto-installation scripts
Almost every web hosting control panel offers installation scripts that let you install WordPress more easily than the normal way. DON’T USE THEM. When installing WordPress manually you get the chance to create your own database with a custom prefix for the various tables, and to set your own WordPress information, such as the username, a strong password, settings…
Get WordPress, themes and plugins up-to-date
For starters, make sure you are always running the latest version of WordPress, themes and plugins. Since version 2.7, WordPress has featured automatic updates. Use this functionality to ease the process of keeping up to date. You can also use the WordPress Dashboard to keep informed about updates. Read the entry in the Dashboard or the WordPress Developer Blog to determine what steps you must take to update and remain secure. Don’t use any themes, plugins or add-ons unless you know they’re safe. If you install something unsafe, it can contain a lot of holes that let someone else get access to your website and do as they want.
Theme Authenticity Checker (TAC) is a useful plugin that searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code.
Delete any plugins or themes you don’t use
Using too many plugins and themes increases your security risk, especially when they haven’t been updated for a long time. There’s no reason to keep them on your server, and there is the off-chance that they contain malicious code even while they’re deactivated.
Backup your database regularly
You should back up your database regularly and keep the backup safe; it’s very important for turning back time. A regular backup of your database could one day be THE BEST & FASTEST WAY to restore your WordPress website should something go wrong, such as a web server crash or your MySQL database being dropped by hackers.
BackWPup is a plugin that allows you to back up your database in several formats, run backup tasks automatically with a cron job, and upload the result to popular file hosting services like Dropbox, Amazon S3, Google Drive… and it’s FREE.
Securing your WordPress Dashboard
There are several ways to secure your WordPress Dashboard: add a second layer of protection around your blog’s admin area, the login screen, and your files; limit failed login attempts to the WordPress Dashboard; force SSL when logging in to the Dashboard; hide all information about your WordPress…
Limit failed login attempts to WordPress Dashboard
By default WordPress allows unlimited login attempts, either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-forced with relative ease. With the limit-failed-login-attempts method, WordPress blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible. I found 3 plugins in the WordPress Plugins Repository that will do this task: Limit Login Attempts, Login Lockdown, User Locker. Install these 3 plugins (yes, all of them) and they’ll work in concert to offer a triple layer of brick walls for any would-be hacker. If you’re wondering why you need to install all 3 when they essentially all do the same job, the simple answer is that they each work in different ways to offer the same protection, and the security benefit is exponentially greater with multiple redundancies.
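To show what such a plugin does under the hood, here is a minimal lockout implemented with WordPress’s own hooks and transients. This is an added example, not code from the article or from any of the three plugins named above; the narga_ names, the constants and the 5-attempt / 15-minute / 30-minute values are assumptions you can tune.

```php
<?php
// Lock an IP address out after repeated failed logins (added example; drop into
// the active theme's functions.php or a small mu-plugin). Constant names and
// values below are assumptions, not anything from the plugins above.
define('NARGA_LOGIN_MAX_FAILURES', 5);
define('NARGA_LOGIN_WINDOW',  15 * MINUTE_IN_SECONDS);  // counting window
define('NARGA_LOGIN_LOCKOUT', 30 * MINUTE_IN_SECONDS);  // lockout duration

function narga_login_client_key() {
    // Key the counter on REMOTE_ADDR only: trusting X-Forwarded-For would let a
    // client reset its own counter simply by forging the header.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'narga_fail_' . md5($ip);
}

// Count each failed attempt inside the sliding window; lock when the limit is hit.
add_action('wp_login_failed', function ($username) {
    $key   = narga_login_client_key();
    $count = (int) get_transient($key) + 1;
    if ($count >= NARGA_LOGIN_MAX_FAILURES) {
        set_transient($key . '_lock', 1, NARGA_LOGIN_LOCKOUT);
        delete_transient($key);
    } else {
        set_transient($key, $count, NARGA_LOGIN_WINDOW);
    }
});

// Refuse authentication while the address is locked. Priority 30 runs after
// WordPress's own username/password check (priority 20), so a correct password
// cannot override the lock by returning a WP_User later in the chain.
add_filter('authenticate', function ($user, $username, $password) {
    if (get_transient(narga_login_client_key() . '_lock')) {
        // Generic message: never reveal whether the username exists.
        return new WP_Error('too_many_attempts',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the failure counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(narga_login_client_key());
}, 10, 2);
```

Transients live in the options table (or the object cache), so the lock survives across PHP requests but is per-site, which is enough for a single blog.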
Hide your WordPress information
Once your WordPress is installed, search engine spiders will crawl your website and expose your WordPress file structure. Knowing the structure of your website makes it easier for hackers to get access to the system. To prevent search engine spiders from indexing these parts of your website, place a robots.txt file in the root directory and insert the code given below:
#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
Another way to a similar end is to add the following line to the .htaccess file in the root directory; it turns off directory listings:
Options All -Indexes
Remove WordPress Version and error message
WordPress vulnerabilities can be exploited by looking up its version number, or simply by reading the login error message when something goes wrong. By default, both are shown. To remove these error messages and the WordPress version number from HEAD, add the following code to your functions.php file:
add_filter('login_errors', '__return_null'); // Remove all login error messages (create_function() no longer exists in PHP 8, so use WordPress's built-in __return_null callback)
remove_action('wp_head', 'wp_generator'); // Remove the WordPress version information from HEAD
Protect your WordPress against hacking injections
The following code blocks script injections and any attempts to modify the PHP GLOBALS and _REQUEST variables through the query string. Paste it in your .htaccess file.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
I’ve found that 5G Blacklist is an overall solution for reducing the number of malicious URL requests that hit your website and for protecting against evil exploits, bad requests, and other nefarious garbage.
Optimizing your wp-config file
Moving your wp-config file
You can move the wp-config.php file to the directory above your WordPress install. If the file is not found in the WordPress directory, WordPress automatically checks the directory one level above it.
Change the WordPress table prefix
Please understand that by default WordPress adds wp_ as the prefix to all WordPress tables. If you do not change this prefix, half the job is already done for hackers.
Define Your Secret Keys
When you look in your wp-config file you will find a section that says this:
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
/**#@-*/
Simply visit https://api.wordpress.org/secret-key/1.1 and copy the 4 generated keys into your wp-config.php file. A secret key is a hashing salt that is used together with your password to make it even stronger. It’s that simple.
Limit access level to wp-config
If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:
# Scope the rule to wp-config.php only; on their own, the two Deny lines would block every request to the site
<Files wp-config.php>
Order Deny,Allow
Deny from All
</Files>
Secure WordPress will help you do most of the tasks above. It hides unnecessary information from normal users, such as themes, plugins, core updates, error information… Try it; it’s very useful for beginners.
WordPress Security Scan and Solutions
There are many plugins that attempt both to audit your WordPress security vulnerabilities and to suggest corrective actions, covering passwords, file permissions, database security, version hiding, WordPress admin protection/security and more.
So you should install one of these all-in-one WordPress security solutions. Configuration is easy, and the out-of-the-box settings work great, but read everything on the download page and follow the instructions:
- Better WP Security: This WordPress security plugin has a lot of awesome features. It ensures that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.
- BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts. A secure and comprehensive plugin, with many built-in security features and checks that work great out of the box.
- Wordfence Security is a free enterprise-class security plugin that includes a firewall and anti-virus scanning for WordPress websites. Wordfence is now Multi-Site compatible.
- Ultimate Security Checker identifies security problems with your WordPress installation. It scans your blog for hundreds of known threats, then gives you a security “grade” based on how well you have protected yourself. You can fix the problems yourself.
You can install one of the plugins above to make WordPress more hack-proof. I recommend the first and third plugins.
Conclusion
While no website can ever be made 100% secure, if you follow this simple guide and implement the tips mentioned, you will see how a bit of extra time spent after installation easily adds a few extra layers of security.