The past year and a half has taught us that WordPress security is not to be taken lightly. Between 15% and 20% of the world’s high-traffic sites run on WordPress, and because it is open source, with its code available to everyone, it is tempting prey for attackers: a single flaw, once found, can be tried against a huge number of sites with automated tools.

Most of the attacks come from Russia, Germany, Poland and India, and include, but are not limited to:

– SQL injection

– clickjacking

– Covert

– Blackhole Exploit Kit attacks

– brute-force password and login attempts

The truth is that if a skilled attacker targets your site specifically, no checklist will keep them out. What follows are precautionary measures you can take to quickly bring your risk down to an acceptable level. If your WordPress site is well protected, chances are the attacker will move on to an easier victim.

Starting with the most obvious:

1. Forget about using “admin” as your username.

Many of the attacks target the default WordPress username with brute-force password-cracking bots, so the first step is to get rid of the “admin” (or “administrator”) account name. WordPress does not let you rename a user from the admin panel: the username field on the profile page is read-only. You have two options. The cleaner one is to create a new administrator account under a different name, log in as that user, and delete the old “admin” account, choosing to attribute its posts to the new user when WordPress asks. The quicker one is to change the row directly in the database:

– Go to the MySQL tool (phpMyAdmin)

– Find your database

– Open wp_users (the prefix may differ from wp_ if it was changed at install time) and search for “admin”

– In the user_login column, change it to something else.

– Change user_nicename as well, and any display_name that still reads “admin”: the author archive link /?author=1 redirects to /author/<user_nicename>/, so an attacker can read the login name from there even after user_login has changed.
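The same change from the shell, as an added example that is not part of the original article: it builds and applies the UPDATE the phpMyAdmin steps describe, changes user_nicename in the same statement, and then checks the author-archive redirect. Assumptions (mine, not the article's): the table prefix is wp_ unless WP_PREFIX says otherwise, the mysql client reads its credentials from ~/.my.cnf, and DB_NAME and SITE_URL are set in the environment. New login names are restricted to lowercase letters, digits, “_”, “.” and “-” so that the same string is valid as both user_login and user_nicename and cannot smuggle quotes into the SQL.

```shell
# Added example (not from the original article): rename the "admin" account
# from the shell, the same row change as the phpMyAdmin steps plus the
# user_nicename fix. Assumptions: table prefix "wp_" (override with
# WP_PREFIX), mysql credentials in ~/.my.cnf, DB_NAME and SITE_URL set.

# Accept only lowercase letters, digits, "_", "." and "-": safe to splice
# into SQL, and identical whether stored as user_login or user_nicename.
wp_valid_login() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9_.-]{1,60}$'
}

# Emit the UPDATE. user_nicename is changed as well because /?author=1
# redirects to /author/<user_nicename>/ and would otherwise still say "admin".
wp_rename_admin_sql() {
    old="$1" new="$2" prefix="${WP_PREFIX:-wp_}"
    wp_valid_login "$old" && wp_valid_login "$new" || {
        echo "refusing to build SQL from an invalid login name" >&2
        return 1
    }
    printf "UPDATE %susers SET user_login='%s', user_nicename='%s' WHERE user_login='%s';\n" \
        "$prefix" "$new" "$new" "$old"
}

# Show the Location header WordPress answers with for the first author; after
# the rename it must no longer contain the old login name. (hypothetical SITE_URL)
wp_author_leak_check() {
    curl -sI "${SITE_URL}/?author=1" | grep -i '^location:'
}

# Apply the change, then prove it with the redirect check.
wp_rename_admin() {
    wp_rename_admin_sql "$1" "$2" | mysql "$DB_NAME" && wp_author_leak_check
}
```

Usage: `wp_rename_admin admin ops-owner`. After the rename, also look at display_name in wp_users and the nickname entry in wp_usermeta; both are shown publicly and keep their old value until you change them.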

This naturally leads to the following…

2. Choose a strong password

Choose a long password that mixes upper- and lower-case letters, digits and symbols such as “!@#$%^&*()”; length matters more than any particular symbol, so a long random string kept in a password manager is ideal. Go to Users -> Your Profile and change it via the “New Password” field at the bottom. This makes the account much harder to crack. Do the same for your FTP and cPanel/hosting account passwords, and never reuse the WordPress password there. Plain FTP sends the password in clear text, so prefer SFTP where your host offers it.

3. Back up your database frequently

You’ve heard this before. Make regular backups or you will eventually regret it: if you get hacked, you can lose all your work. Back up the files as well as the database (wp-content holds your uploads, themes and plugins), keep the copies somewhere other than the web server, and restore one occasionally to make sure they actually work. Also remember to make a backup every time you make changes. You can do it with a plugin or manually.
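A manual backup routine, added here as an example and not taken from the article or any plugin it names: it reads the database settings out of wp-config.php so the credentials are not copied into a second file, dumps the database through a temporary 0600 options file rather than the command line (where other users on the host could read the password from the process list), archives wp-content plus the config, and prunes archives older than a set number of days. Assumptions: mysqldump, tar and gzip are installed, DB_HOST in wp-config.php is a plain hostname, and the destination directory is outside the web root (and copied off the machine afterwards).

```shell
# Added example (not from the original article): database + file backup for a
# WordPress site with retention. Assumptions: mysqldump/tar/gzip present,
# DB_HOST is a plain hostname, the destination is not served by the web server.

# Pull one define() value out of wp-config.php, e.g. wp_config_get cfg DB_NAME.
# Anchored at line start so commented-out defines are ignored.
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database to $2 (a .gz path). Credentials go through a 0600 options
# file, never the command line, so they do not show up in "ps" output.
wp_backup_db() {
    cfg="$1" out="$2"
    creds=$(mktemp) && chmod 600 "$creds"
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
        "$(wp_config_get "$cfg" DB_USER)" "$(wp_config_get "$cfg" DB_PASSWORD)" \
        "$(wp_config_get "$cfg" DB_HOST)" > "$creds"
    raw="${out%.gz}" status=0
    mysqldump --defaults-extra-file="$creds" --single-transaction --quick \
        "$(wp_config_get "$cfg" DB_NAME)" > "$raw" || status=$?
    rm -f "$creds"
    if [ "$status" -eq 0 ]; then gzip -f "$raw"; else rm -f "$raw"; fi
    return "$status"
}

# Archive wp-content (uploads, themes, plugins) and the config file itself,
# wherever it lives (WordPress root or one level up).
wp_backup_files() {
    root="$1" out="$2"
    cfg=wp-config.php; [ -f "$root/$cfg" ] || cfg=../wp-config.php
    tar -czf "$out" -C "$root" wp-content "$cfg"
}

# Delete archives in $1 older than $2 days so the disk does not silently fill.
wp_backup_prune() {
    find "$1" -type f \( -name '*.gz' -o -name '*.tgz' \) -mtime +"$2" -exec rm -f {} +
}

# One run: timestamped db + files archives into $2, then keep 30 days.
wp_backup_run() {
    root="$1" dest="$2" stamp=$(date +%Y%m%d-%H%M%S)
    cfg="$root/wp-config.php"; [ -f "$cfg" ] || cfg="$root/../wp-config.php"
    mkdir -p "$dest" && chmod 700 "$dest"
    wp_backup_db "$cfg" "$dest/db-$stamp.sql.gz" &&
    wp_backup_files "$root" "$dest/files-$stamp.tar.gz" &&
    wp_backup_prune "$dest" 30
}
```

Run it from cron, for example `wp_backup_run /var/www/example.com/public_html /var/backups/wordpress`, and remember that the archive contains wp-config.php with the database password and secret keys, so the backup directory needs the same care as the site itself.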

4. Always update your WordPress

There is absolutely no reason to stay on an older version when a new one is available. WordPress updates contain bug fixes and patches for vulnerabilities discovered by the large WordPress community. The same goes for themes and plugins. It is easy and effective, and it is the single best way to keep malicious activity off your site, since most compromises come through a known hole in an outdated application, theme, plugin or PHP script. Treat every outdated component as a potential security hole, and delete themes and plugins you are not using rather than leaving them installed. The attacker is, most of the time, an automated scanner that probes for known-vulnerable versions and moves on if it finds none.

5. Protect your WP-CONFIG.PHP file.

wp-config.php holds your database credentials and secret keys. Move it one directory up from the WordPress root: WordPress looks for it there if it is not in the root directory. Outside the web root, a server misconfiguration that serves PHP files as plain text cannot expose it, and nobody can read it without SSH or FTP access to the server. Two caveats: this only helps if the parent directory is itself outside the document root (if WordPress lives in a subdirectory of your site, one level up is still served), and it is no substitute for restrictive file permissions, so keep the file readable only by the user PHP runs as and deny direct web requests for it in .htaccess as well.
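The move with both caveats handled, as an added example and not the article's own procedure: the function refuses to move the file when the parent directory is still inside the document root (and hardens it in place instead), tightens the permissions, and appends an Apache rule that denies direct requests for wp-config.php so that a copy left or restored in the root is not served either. Assumptions: Apache with .htaccess enabled (both the 2.2 and 2.4 directive syntax are emitted), and PHP running as the file's owner; if it runs as a different user in the same group, use 0440 instead of 0400.

```shell
# Added example (not from the original article): move wp-config.php out of the
# web root only when that actually takes it out of the served tree, otherwise
# lock it down where it is. Assumptions: Apache with .htaccess, PHP runs as
# the file owner (use 0440 + the web server's group otherwise).

# Is the directory above the WordPress root still inside the document root?
# With WordPress in /var/www/site/blog and /var/www/site as the docroot,
# "one level up" is still reachable over HTTP and the move buys nothing.
wp_parent_is_served() {
    parent=$(cd "$1/.." && pwd -P) docroot=$(cd "$2" && pwd -P)
    case "$parent/" in "$docroot"/*) return 0 ;; esac
    return 1
}

# Apache rule that refuses direct requests for the file wherever it ends up.
wp_config_htaccess_rule() {
    cat <<'EOF'
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
EOF
}

# $1 = WordPress root, $2 = the web server's document root.
# Prints the final path of wp-config.php.
wp_protect_config() {
    root="$1" docroot="$2"
    [ -f "$root/wp-config.php" ] || { echo "no wp-config.php in $root" >&2; return 1; }
    if wp_parent_is_served "$root" "$docroot"; then
        echo "parent of $root is inside $docroot; leaving wp-config.php in place" >&2
        target="$root/wp-config.php"
    else
        mv "$root/wp-config.php" "$root/../wp-config.php"
        target="$root/../wp-config.php"
    fi
    chmod 0400 "$target"
    wp_config_htaccess_rule >> "$root/.htaccess"
    echo "$target"
}
```

Usage: `wp_protect_config /var/www/example.com/public_html /var/www/example.com/public_html`. Afterwards request /wp-config.php in a browser: a 403 (or a 404 once the file is gone) is what you want; the raw PHP source is not.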

There are a number of important plugins you should consider installing:

6. Login Lockout

This is a very useful plugin that protects you against brute-force password-cracking attacks. It records the IP address of every failed login attempt, and you can configure it to block further login attempts from an IP address, or a range of addresses, once a set number of failures is reached.
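The same counting done outside WordPress, as an added example that is not the plugin's code: it runs over the web server's access log, which still works when the PHP side is already compromised and covers every site on the host at once. The heuristic it relies on is that a POST to /wp-login.php answered with 200 is a failed login (WordPress redraws the form with an error), while a successful login is answered with a 302 redirect. Assumptions: Apache or nginx “combined” log format, so the fields line up as in the sample below; the IP addresses and log lines are constructed for the example. The generated rule only blocks the login page, so a false positive cannot take a reader offline.

```shell
# Added example (not from the original article): the lockout plugin's logic
# applied to an access log. Failed login = POST /wp-login.php with status 200;
# success = 302. Assumes the "combined" log format.

# Print "count ip" for failed logins, busiest first.
wp_failed_logins() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# IPs with at least $2 failed logins in log $1, one per line.
wp_bruteforce_ips() {
    wp_failed_logins "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Turn a list of IPs on stdin into an .htaccess block that shuts them out of
# wp-login.php only. "Order allow,deny" lets the Deny lines override
# "Allow from all" for the listed addresses.
wp_deny_rules() {
    printf '<Files wp-login.php>\n  Order allow,deny\n  Allow from all\n'
    while read -r ip; do
        if [ -n "$ip" ]; then printf '  Deny from %s\n' "$ip"; fi
    done
    printf '</Files>\n'
}
```

Usage: `wp_bruteforce_ips /var/log/apache2/access.log 10 | wp_deny_rules >> /var/www/html/.htaccess`. Check the output before appending it; your own address can appear if you mistype your password ten times. Note that the same bots also hammer xmlrpc.php, which answers 200 whether the login succeeded or not, so that endpoint needs a different rule (block it entirely unless you use it).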

7. Secure WordPress

Secure WordPress is a comprehensive, easy-to-install plugin that takes care of a number of things, including:

– Hiding your WordPress version (the generator tag in the page head).

– Removing error information from the login page, so a failed attempt no longer reveals whether the username exists.

– Removing core, plugin and theme update notices for non-admins.

– Blocking potentially harmful queries to your WordPress website.

– Adding an empty index.php to the plugins directory so the server cannot list its contents.

– And more.

8. BulletProof Security

A comprehensive .htaccess-based plugin that blocks many common attack patterns at the web server, before they reach PHP: XSS, RFI, CRLF injection, CSRF, base64-encoded payloads, code injection and SQL injection attempts. According to the official description: “The BulletProof Security WordPress Security plugin is designed to be a fast, simple, one-click security plugin to add .htaccess website security protection for your WordPress website.” That pretty much sums it up. Keep in mind that pattern matching in .htaccess is a filter, not a fix: it stops the obvious probes, but a vulnerable plugin stays vulnerable until it is patched. A must.

9. Exploit Scanner

Exploit Scanner searches the files of your WordPress installation, and the posts and comments tables in your database, for anything suspicious, such as obfuscated code, hidden iframes and unusual plugin names, and reports what it finds. It removes nothing; it only warns you of possible threats, so every hit needs a look from you, and some will turn out to be false positives from legitimate code.
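What such a scan looks like for the file side, as an added example and not the plugin's own code: it walks wp-content, rates each PHP file HIGH when an obfuscated payload is fed straight into eval() (the classic web shell shape) and REVIEW when it merely calls a decoding function that legitimate plugins also use, and separately lists PHP files under uploads/, which should not exist at all since that directory is for media. The sample files in the test are constructed. It reports only and deletes nothing; for core files, comparing against the official checksums is more reliable than pattern matching.

```shell
# Added example (not from the original article): a report-only scanner for
# wp-content in the spirit of Exploit Scanner. Assumption: $1 is wp-content.

# HIGH: eval() wrapped directly around a decoder, the usual web shell shape.
# REVIEW: a decoder on its own; legitimate code uses these too, so each hit
# needs a human look rather than automatic deletion.
wp_scan_php() {
    high='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\('
    broad='(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\('
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) | while read -r f; do
        if grep -qE "$high" "$f"; then
            echo "HIGH $f"
        elif grep -qE "$broad" "$f"; then
            echo "REVIEW $f"
        fi
    done | sort
}

# PHP under uploads/ is never legitimate: that directory holds media only.
wp_scan_uploads() {
    find "$1/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null | sort
}
```

Usage: `wp_scan_php /var/www/html/wp-content; wp_scan_uploads /var/www/html/wp-content`. A HIGH hit in a plugin you did not install, or any file at all from the second list, is a strong sign the site is already compromised; restore from a backup made before the file appeared rather than just deleting it.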

10. WordPress Firewall

Another must-have security plugin:

– It inspects WordPress web requests and blocks obvious attacks.

– It keeps black and white lists of suspicious-looking phrases, applied according to the field in which they appear in a request (unknown or numeric parameters are held to a stricter standard than known post bodies, comment bodies and so on).

Implementing all of the above will likely take less than an hour and will make your WordPress site much more resistant to intrusion. More than a million WordPress sites were compromised last year, mostly through easily preventable weaknesses. Prepare yourself and you are likely to stay on the safe side.

I hope we have helped. Please share your thoughts on your blog’s WordPress security in the comments section below.
