The easiest, most effective way to secure WordPress Sites


Site security: How to avoid hackers

1. Place the code below in your theme's functions.php to hide the WordPress version.

function remove_wp_version() {
    return ''; // returns an empty string instead of the version, exactly the point
}
add_filter('the_generator', 'remove_wp_version');

2. Activate the plugin Better WP Security and configure it.

http://wordpress.org/extend/plugins/better-wp-security/

3. Change folder and file permissions
For directories: 755
For files: 644
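
As an added example (not part of the original post), a small POSIX shell script that applies the 755/644 scheme from step 3 to a whole install and then audits it for anything that deviates. The demo tree it builds is constructed so the script runs stand-alone; for a real site you would call fix_wp_perms and audit_wp_perms on the WordPress root path instead.

```shell
#!/bin/sh
# Added example: enforce and audit the step-3 scheme (directories 755, files 644).

# Apply 755 to every directory and 644 to every file under the given root.
fix_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Print every path that deviates from the scheme; return 1 if any were found.
audit_wp_perms() {
    root="$1"
    bad=$( { find "$root" -type d ! -perm 755; find "$root" -type f ! -perm 644; } )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed demo tree with two deliberately wrong modes, so the audit has
# something to report before the fix is applied.
make_demo_tree() {
    root="$1"
    mkdir -p "$root/wp-content/uploads" "$root/wp-includes"
    : > "$root/wp-config.php"
    : > "$root/wp-content/uploads/photo.jpg"
    chmod 777 "$root/wp-content/uploads"   # world-writable directory
    chmod 666 "$root/wp-config.php"        # world-writable file
}

DEMO_ROOT=$(mktemp -d)
make_demo_tree "$DEMO_ROOT"
echo "Before fix, paths deviating from 755/644:"
audit_wp_perms "$DEMO_ROOT" || true
fix_wp_perms "$DEMO_ROOT"
audit_wp_perms "$DEMO_ROOT" && echo "After fix: every path is 755/644"
```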

4. Protect the config file via .htaccess
<Files wp-config.php>
order allow,deny
deny from all
</Files>

5. No directory browsing. Add the code below to .htaccess
# directory browsing
Options All -Indexes

6. Prevent access to wp-content (place this .htaccess inside the wp-content directory)
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

7. Protect .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

8. Securing wp-includes
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# Place the rules above before the "# BEGIN WordPress" block in .htaccess

9. Help prevent "content scrapers" (image hotlinking)
RewriteEngine On
# Replace ?mysite\.com/ with your blog url
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Replace /images/nohotlink.jpg with your "don't hotlink" image url
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]

Make sure to replace "mysite" with your website's URL and "/images/nohotlink.jpg" with the path of your image.

10. Protect your WordPress blog from script injections

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

11. Things to avoid when choosing a password:

Any permutation of your own real name, username, company name, or name of your website.
A word from a dictionary, in any language.
A short password.
Any numeric-only or alphabetic-only password (a mixture of both is best).

12. Change the "admin" username, and the admin user's ID of 1, to something else.

13. Change the table_prefix: many published WordPress-specific SQL-injection attacks assume that the table_prefix is the default, wp_.
Changing it can block at least some SQL injection attacks.

14. Remove unused themes and inactive plugins from the wp-content folder.

15. FTP: when connecting to your server you should use SFTP encryption if your web host provides it.
If you are unsure whether your web host provides SFTP, just ask them.
Using SFTP is the same as FTP, except your password and other data are encrypted as they are transmitted between your computer and your website.
This means your password is never sent in the clear and cannot be intercepted by an attacker.

16. Scan your site frequently.
http://sitecheck.sucuri.net/scanner/

By dddoll28 Posted in home