
Author Topic: How to protect WordPress Blog  (Read 2945 times)


vinayakk (Guest)
How to protect WordPress Blog
« on: December 25, 2013, 10:24:00 pm »
WordPress is the most popular and most widely used hosting and blogging software in the world. Once your site becomes popular, intruders will keep trying to break through its protection.

Below are a few steps to secure your WordPress blog.

Always Update:

Upgrading WordPress has become easy. If you are running an old version of WordPress, you can use the WordPress Automatic Upgrade plugin to update it to the latest version.

Rename wp-admin to another folder:

You need to replace wp-admin with new-folder-name in a few WordPress files, rename the stylesheets in wp-admin/css/ from wp-admin*.css to new-folder-name*.css, and rename the wp-admin folder itself to new-folder-name.

Here are a few commands to do it (replace is the string-replacement utility that ships with MySQL):
cd /home/username/public_html          # path to the WordPress installation
find . -type f -exec replace 'wp-admin' 'new-folder-name' -- {} \;
cd wp-admin/css
ls -l | grep wp-admin                  # list the stylesheets that still carry the old name
mv wp-admin.css new-folder-name.css
mv wp-admin.dev.css new-folder-name.dev.css
mv wp-admin-rtl.css new-folder-name-rtl.css
mv wp-admin-rtl.dev.css new-folder-name-rtl.dev.css   # keep the -rtl suffix so this does not overwrite new-folder-name.dev.css
cd ../../
mv wp-admin new-folder-name
# A WordPress core update restores the wp-admin folder, so repeat these steps after every update.
Now the WordPress admin URL is http://www.domainname.com/new-folder-name instead of http://www.domainname.com/wp-admin, with the same login details.

Protect Admin Profile:

Create a new user and give it administrator privileges. Once the new administrator-level user exists, delete the old "admin" user's profile. By default the "admin" user is created automatically by WordPress during installation.

Use Strong Password:

Set a password that includes special characters such as &@$^%_#!~#$; this makes it harder for attackers to crack. Do not use simple words, your name, number sequences, your city, your bike's name, phone numbers and so on. You will find plenty of strong password generator websites on Google. Also change this password at regular intervals, which gives your admin interface extra protection.

Protect Your wp-admin Folder:

Add an .htaccess file to the wp-admin folder and block all IP addresses except your own home/workstation IPs:

order deny,allow
deny from all
allow from <your home IP>
allow from <your office IP>
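The allow-list above uses the Apache 2.2 directives; Apache 2.4 replaced them with Require. The script below is an added example, not part of the original post: it writes a wp-admin/.htaccess that carries both syntaxes, refuses anything that is not an IPv4 address or CIDR range, and keeps admin-ajax.php reachable because the public side of the site calls it. The addresses are RFC 5737 documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example, not from the original post: write the wp-admin/.htaccess
# allow-list in both the Apache 2.2 (Order/Deny/Allow) and Apache 2.4
# (Require) syntaxes, so the same file works on either version. The
# addresses used below are RFC 5737 documentation ranges, not real hosts.

# valid_ip ADDR: accept a dotted-quad IPv4 address with an optional /prefix.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# make_htaccess_allowlist IP [IP ...]: print the .htaccess contents to stdout.
# Refuses (status 1, no output) if any argument is not an address, so a typo
# such as the literal words "your home IP" cannot produce a broken file.
make_htaccess_allowlist() {
    [ $# -gt 0 ] || { echo 'no addresses given' >&2; return 1; }
    for ip in "$@"; do
        valid_ip "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    echo '# Only the listed addresses may reach the admin folder.'
    echo '<IfModule mod_authz_core.c>'          # Apache 2.4: unmatched clients are denied
    for ip in "$@"; do echo "    Require ip $ip"; done
    echo '</IfModule>'
    echo '<IfModule !mod_authz_core.c>'         # Apache 2.2
    echo '    Order deny,allow'
    echo '    Deny from all'
    for ip in "$@"; do echo "    Allow from $ip"; done
    echo '</IfModule>'
    # admin-ajax.php is requested by the public site, so it must stay reachable.
    cat <<'EOF'
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
EOF
}

# Stand-alone run: print the file for two sample addresses.
make_htaccess_allowlist 203.0.113.10 198.51.100.0/24
```

Redirect the output into the admin folder, for example `make_htaccess_allowlist 203.0.113.10 198.51.100.0/24 > /home/username/public_html/wp-admin/.htaccess`, and test from an address that is not on the list before relying on it.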

Backup Regularly:

Take regular backups of your working database and WordPress content. If the site does get hacked, you can easily restore it from the latest backup you have.


Delete WordPress Version:

Hackers are smart enough to crack a WordPress blog once they know its version, so it is always safer to remove the version string. Here is how.

Go to Appearance > Editor, choose the header.php file and delete the following line from the source to hide your WordPress version:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
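Deleting the tag is only half the job; you also want to confirm the version is really gone from what visitors receive. The script below is an added example, not part of the original post: it inspects an HTML page for the generator meta tag and for the ?ver= query strings WordPress appends to its own scripts and stylesheets, which reveal the core version even when the tag is absent. The two sample pages are constructed, not captured from a real site.

```shell
#!/bin/sh
# Added example, not part of the original post: check an HTML page for the
# places a WordPress install normally leaks its version, so the "Delete
# WordPress Version" step can be verified after the edit. The sample pages
# below are constructed, not captured from a real site.

# Roughly what a default install emits before the fix.
LEAKY_PAGE='<html><head>
<meta name="generator" content="WordPress 3.8" />
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=3.8" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.10.2"></script>
</head><body></body></html>'

# The same page after the generator tag and version query strings are gone.
CLEAN_PAGE='<html><head>
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css" />
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body></body></html>'

# version_leaks HTML: print one line per leak found; exit 0 if none, 1 otherwise.
version_leaks() {
    html=$1
    status=0
    # 1. The <meta name="generator"> tag the post tells you to delete.
    gen=$(printf '%s\n' "$html" | grep -io '<meta[^>]*name="generator"[^>]*>' || true)
    if [ -n "$gen" ]; then
        printf 'generator meta tag: %s\n' "$gen"
        status=1
    fi
    # 2. ?ver= query strings on core assets reveal the version even without the tag.
    vers=$(printf '%s\n' "$html" | grep -o '/wp-includes/[^"]*?ver=[0-9.]*' || true)
    if [ -n "$vers" ]; then
        printf '%s\n' "$vers" | while IFS= read -r v; do
            printf 'versioned core asset: %s\n' "$v"
        done
        status=1
    fi
    return $status
}

# count_version_leaks HTML: number of leak lines reported (handy for scripting).
count_version_leaks() {
    version_leaks "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report on both constructed pages.
printf '== before fix ==\n'
version_leaks "$LEAKY_PAGE" || true
printf '== after fix ==\n'
version_leaks "$CLEAN_PAGE" && printf 'no version leaks\n'
```

To check a live site you administer, feed it the fetched page: `version_leaks "$(curl -s http://www.domainname.com/)"`. In current WordPress the generator tag is printed by wp_head() rather than hard-coded in header.php, so if the check still reports it after the edit, add `remove_action('wp_head', 'wp_generator');` to the theme's functions.php.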

Protect WP-* Folders:

Block the wp-* folders from being crawled and indexed by search engines by disallowing wp-* in robots.txt. Add the following lines to your robots.txt:

User-agent: *
Disallow: /wp-*

Secure WordPress Database:

WordPress is a database-dependent application, so you need a database and a database user. During installation you simply create a database with a user, but securing that database also helps secure your WordPress blog.

Here are a few tweaks to secure the database:

  • Grant limited access to a database user: create a user that can access this database only, and grant it a limited set of SQL privileges on this database (select, insert, delete, update, create, drop and alter).
  • Pick a strong database password.
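Hosting control panels often create the WordPress database user with ALL PRIVILEGES on every database, which is exactly what the list above is meant to avoid. The script below is an added example, not part of the original post: it audits the text that SHOW GRANTS prints for an account against that privilege list and prints the GRANT statement that confines the user to one database. The database, user and host names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: audit the output of
# SHOW GRANTS FOR 'wpuser'@'localhost' against the privilege list the post
# recommends, and print the matching least-privilege GRANT statement.
# Database, user and host names below are constructed placeholders.

# Constructed SHOW GRANTS output for an account a hosting wizard left over-privileged.
BAD_GRANTS="GRANT ALL PRIVILEGES ON *.* TO 'wpuser'@'localhost' WITH GRANT OPTION"

# Constructed SHOW GRANTS output for an account limited as the post describes.
GOOD_GRANTS="GRANT USAGE ON *.* TO 'wpuser'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER ON \`wp_blog\`.* TO 'wpuser'@'localhost'"

# audit_grants GRANTS: print one finding per line; the exit status is the number
# of findings, so 0 means the account is confined as recommended.
audit_grants() {
    grants=$1
    n=0
    if printf '%s\n' "$grants" | grep -q 'ALL PRIVILEGES'; then
        echo 'ALL PRIVILEGES: replace with the explicit list (SELECT, INSERT, ...)'
        n=$((n + 1))
    fi
    if printf '%s\n' "$grants" | grep -q 'WITH GRANT OPTION'; then
        echo 'WITH GRANT OPTION: a compromised account could grant itself more'
        n=$((n + 1))
    fi
    # USAGE on *.* only means "may log in"; anything else on *.* is server-wide.
    if printf '%s\n' "$grants" | grep -v '^GRANT USAGE ON \*\.\*' | grep -q 'ON \*\.\*'; then
        echo 'privileges on *.*: scope them to the WordPress database only'
        n=$((n + 1))
    fi
    if printf '%s\n' "$grants" | grep -Eq '(^|[ ,])(FILE|SUPER|PROCESS|SHUTDOWN|RELOAD)([ ,]|$)'; then
        echo 'server administration privilege present: not needed by WordPress'
        n=$((n + 1))
    fi
    return $n
}

# least_privilege_grant DB USER HOST: the GRANT statement matching the post's list.
least_privilege_grant() {
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER ON \`%s\`.* TO '%s'@'%s';\n" "$1" "$2" "$3"
}

# Stand-alone run: audit the over-privileged sample and show the replacement.
printf '== over-privileged account ==\n'
audit_grants "$BAD_GRANTS" || true
printf '== confined account ==\n'
audit_grants "$GOOD_GRANTS" && printf 'no findings\n'
printf '== suggested grant ==\n'
least_privilege_grant wp_blog wpuser localhost
```

Against a real server, pass the live output in: `audit_grants "$(mysql -N -e "SHOW GRANTS FOR 'wpuser'@'localhost'")"`. After applying the suggested GRANT, run `REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'wpuser'@'localhost'` first so the old server-wide rights do not linger, then re-run the audit.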

Firewall Plugins:

There are a few plugins that scan suspicious-looking requests against rule databases and/or whitelists. BlogSecurity's WPIDS plugin installs PHPIDS, a generic security layer for PHP applications, while WordPress Firewall uses WordPress-tuned preconfigured rules along with a whitelist to screen out attacks without much configuration.

That's it.  :D