Securing Your WordPress Site

Discussion in 'Security' started by Hostwinds_Dan, Jun 29, 2012.

  1. #1
    We have been having some issues come up recently with clients not fully understanding or knowing exactly how to secure their WordPress site from being hacked. Here's a quick tutorial on how to do exactly that. Credits go to David from Hostwinds for writing this!

    Step 1

    Create a backup of your site.

    If you have cPanel you can do this with the backup manager.
    If not, I would recommend "Backup Buddy", a WordPress plugin you can find with a Google search.

    Step 2

    Update WordPress Version

    This is critical because WordPress issues updates that close security vulnerabilities; it's things like this that could keep your site healthy!

    Step 3

    Change Your Login/Password

    The default WP username is "admin" and hackers know this. So you should change it to something more personal, e.g. "RocketRanger416" or "James86". The best thing to do is to add that new user and make it an admin, then delete the original login of "admin".

    I would suggest really strong passwords (these should include UPPER and lowercase letters, numbers, and symbols), like "Rocket!2@" or "jessieNOMAD12#4".

    Most hackers try to brute-force your passwords so if it is really strong you should be fine in that regard.

    Step 4

    Change your WordPress Keys!

    Many people overlook this step but it is an important one as these keys work as salts for cookies and ensure better encryption of data.

    Use the WordPress Key Generator to generate the keys mentioned above. Now edit your wp-config.php file and find the lines that look like:

    and replace them with the ones from the Key Generator.

    Save and you're good to go.

    Step 5

    Install WP Security Scan

    This plugin is great and makes securing your site simple. It scans for security vulnerabilities and informs you of any malicious code.

    If the plugin shows your text as green you should be good. However, if they are not green you will have to fix the problem to make them green.

    Step 6

    Change Table Prefix

    -- Warning! Make a backup of your database before continuing. --

    The default prefix for a WP site is "wp_". This makes it so SQL injection hacks are easy for the hacker, because it is easy to guess.

    A good prefix would be "march26_" or "magnol1a_". This is a highly recommended change, and you can do this with the WP Security Scan plug-in.

    WP Security Scan has a tab called "Database". Once you open that tab you have the option to rename your entire prefix to something secure.

    Step 7

    Prevent WordPress hacks by blocking search engine spiders from indexing the admin area. Spiders crawl all over your site structure unless they are told not to, and we don't want that.

    The easiest way to prevent spiders from indexing the admin area is to create a robots.txt file in your public_html folder with the following lines of code.

    User-agent: *
    Disallow: /cgi-bin
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins/
    Disallow: /wp-content/cache/
    Disallow: /wp-content/themes/
    Disallow: */trackback/
    Disallow: */feed/
    Disallow: /*/feed/rss/$
    Disallow: /category/*

    Step 8

    Prevent .htaccess Hacks

    .htaccess (hypertext access) is the default name of a directory-level configuration file that provides decentralized management of configuration while inside your web tree.

    .htaccess files are often used for security restrictions on a particular directory.

    So let's secure your .htaccess!

    First we want to protect the .htaccess file itself, so add the following (do this for all .htaccess files you have in root and/or create):

    # protect the .htaccess file itself
    # (the <Files> container was lost in extraction and is restored here; without it
    #  these directives would deny access to the whole directory)
    <Files .htaccess>
    order allow,deny
    deny from all
    satisfy all
    </Files>

    Public_html .htaccess below

    Now let's secure your wp-config.php by adding:

    # protect wp-config.php
    # (the <Files> container was lost in extraction and is restored here)
    <Files wp-config.php>
    Order deny,allow
    Deny from all
    </Files>

    Now let's prevent the hacker from browsing your directory tree by adding:

    # disable directory browsing
    Options All -Indexes

    Let's prevent some script injections now:

    # protect from sql injection
    # Rejects (HTTP 403) any request whose query string carries a <script> tag
    # or tries to set the GLOBALS / _REQUEST superglobals (register_globals abuse).
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]

    Go to your /wp-content folder. Let's limit access to the wp-content directory by creating a .htaccess in the wp-content folder and adding:

    # deny everything in wp-content by default ...
    Order deny,allow
    Deny from all

    # ... then re-allow only static assets.  The <Files> match was lost in
    # extraction; the extension list below is the usual one, adjust it to your theme.
    <Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
    Allow from all
    </Files>

    Go to your /wp-admin/ folder. Now, if you have a static IP, I would recommend creating a .htaccess in your wp-admin folder with the following (replace the x's with your STATIC IP):

    # deny access to wp admin
    # only the listed address may reach /wp-admin/; every other client gets 403
    order deny,allow
    allow from xx.xx.xx.xx
    deny from all

    Replace the X's with your IP.

    Step 9

    Last but not least!

    You can install Wordpress Firewall 2 - this actually prevents most hacking attempts. Use with care, however, because you can lock yourself out of your site!

    Hope this helps anyone having WordPress security issues, or people who DON'T want to have them.
    Hostwinds_Dan, Jun 29, 2012 IP
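The tutorial's file-level steps (unique keys/salts in wp-config.php, a non-default table prefix, directory listing off, wp-config.php shielded by a Files block, and a restrictive mode on wp-config.php) can all be checked offline against the install's files. The script below is an added example written for this thread, not code from Hostwinds or from the WordPress project. It assumes an Apache 2.2-style .htaccess like the one in the post, and it substitutes a local CSPRNG for the online key generator when it writes replacement salt lines; the two sample configurations it audits are constructed inline.

```python
"""Offline audit of a WordPress install's hardening state (added example)."""
import os
import re
import secrets
import stat
import tempfile

# The eight key/salt constants WordPress reads from wp-config.php.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Placeholder text shipped in wp-config-sample.php.
PLACEHOLDER = "put your unique phrase here"

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def generate_salt_defines():
    """Fresh define() lines for all eight salts, 64 URL-safe chars each.
    Assumption: a local CSPRNG is an acceptable stand-in for the online generator."""
    return "\n".join(
        f"define('{key}', '{secrets.token_urlsafe(48)}');" for key in SALT_KEYS)


def audit_wp_config(text):
    """Findings for the text of wp-config.php: placeholder/short salts, default prefix."""
    findings = []
    defines = dict(DEFINE_RE.findall(text))
    for key in SALT_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key}: not defined")
        elif PLACEHOLDER in value or len(value) < 32:
            findings.append(f"{key}: placeholder or short value")
    prefix = PREFIX_RE.search(text)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table prefix: default 'wp_'")
    return findings


def audit_htaccess(text):
    """Findings for the root .htaccess: directory listing and wp-config.php shielding."""
    findings = []
    if not re.search(r"^\s*Options\b.*-Indexes", text, re.M | re.I):
        findings.append("htaccess: directory listing not disabled (Options -Indexes)")
    block = re.search(r"<files\s+wp-config\.php\s*>(.*?)</files>", text, re.S | re.I)
    if block is None or not re.search(r"deny\s+from\s+all|require\s+all\s+denied",
                                      block.group(1), re.I):
        findings.append("htaccess: wp-config.php not shielded by a <Files> deny block")
    return findings


def audit_permissions(path):
    """Flag a wp-config.php that other accounts on the host can read or modify."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append(f"{os.path.basename(path)}: world-readable (mode {mode:o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{os.path.basename(path)}: group/world-writable (mode {mode:o})")
    return findings


# Constructed samples: an install left at defaults versus a hardened one.
WEAK_CONFIG = "<?php\n" + "\n".join(
    f"define('{key}', '{PLACEHOLDER}');" for key in SALT_KEYS
) + "\n$table_prefix = 'wp_';\n"
HARDENED_CONFIG = "<?php\n" + generate_salt_defines() + "\n$table_prefix = 'march26_';\n"

WEAK_HTACCESS = "Options +FollowSymLinks\nRewriteEngine On\n"
HARDENED_HTACCESS = ("Options All -Indexes\n"
                     "<Files wp-config.php>\nOrder deny,allow\nDeny from all\n</Files>\n")


def demo_permissions(mode):
    """Write a throwaway wp-config.php with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wp-config.php")
        with open(path, "w") as fh:
            fh.write(WEAK_CONFIG)
        os.chmod(path, mode)
        return audit_permissions(path)


if __name__ == "__main__":
    for label, cfg in (("default config", WEAK_CONFIG), ("hardened config", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or "OK")
    for label, ht in (("default htaccess", WEAK_HTACCESS), ("hardened htaccess", HARDENED_HTACCESS)):
        print(label, audit_htaccess(ht) or "OK")
    print("mode 644", demo_permissions(0o644))
    print("mode 600", demo_permissions(0o600) or "OK")
```

Point the three audit functions at a real install's wp-config.php and .htaccess to get the same findings list; a clean run returns an empty list for each. The Files-block check accepts both the `Deny from all` syntax used in the post and the Apache 2.4 `Require all denied` form, since a post-2.4 host may have been migrated.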
  2. HostingLynx

    HostingLynx Active Member

    Really well written. These would be the exact same steps I would suggest. Something that's always good to do, not just for WordPress blogs but any site, is to talk with your hosting provider. Make sure their kernel versions are up to date and the same with whatever software they use (FTP, SSH, WHMCS, etc).

    A lot of the time if people really want to hack your site/blog they will attack the server if attacks directly against your website are unsuccessful.
    HostingLynx, Jul 7, 2012 IP
  3. Cassandra_Rose

    Cassandra_Rose Peon

    Have to say thank you so much for this. I recently started my own blog on WordPress and thought if I installed only a couple of plugins like Akismet and an SEO plugin I would be fine. Some of the things like changing the WordPress keys wouldn't even have occurred to me.
    Cassandra_Rose, Jul 18, 2012 IP
  4. TechieH

    TechieH Peon

    Nice tutorial you got there. This should help most here. Good work!
    TechieH, Jul 23, 2012 IP
  5. events

    events Active Member

    You could add: only use plugins from reputable sources.
    events, Jul 25, 2012 IP
  6. vcreationzz

    vcreationzz Peon

    Hey Dan, many thanks for the info. I was searching for this and found this thread very useful. Cheers!
    vcreationzz, Oct 3, 2012 IP
  7. RiotMan

    RiotMan Active Member

    Nice tutorial, I will try it on my WordPress blog later on.
    RiotMan, Oct 3, 2012 IP
  8. stefxan

    stefxan Member

    Thanks for your info. I'm done with most of this job, but I have a question about the keys in wp-config.

    I use the plugin InfiniteWP to manage all my blogs from one point.
    Therefore I have to enter my FTP data in wp-config.php (otherwise I can't install plugins).
    Can someone read this if my .htaccess is configured correctly?
    stefxan, Apr 7, 2013 IP
  9. Sr33

    Sr33 Member

    Install the Better WP Security plugin:
    • Remove the meta "Generator" tag
    • Change the urls for WordPress dashboard including login, admin, and more
    • Completely turn off the ability to login for a given time period (away mode)
    • Remove theme, plugin, and core update notifications from users who do not have permission to update them
    • Remove Windows Live Write header information
    • Remove RSD header information
    • Rename "admin" account
    • Change the ID on the user with ID 1
    • Change the WordPress database table prefix
    • Change wp-content path
    • Removes login error messages
    • Display a random version number to non administrative users anywhere version is used
    Sr33, Apr 20, 2013 IP
  10. humtuma

    humtuma Notable Member

    I am not using WordPress for security reasons. Blogger is better than WordPress; only a few people know this. Again a global attack on WordPress in the last 7 days.
    humtuma, Apr 21, 2013 IP
  11. tentwenty

    tentwenty Well-Known Member

    tentwenty, Apr 24, 2013 IP
  12. healzer

    healzer Greenhorn

    Good advice!
    Thank you for the useful information.
    But remember to set the CHMOD settings correctly (most ignore that).
    Also these settings do not secure your website from corrupt plugins, they can easily be exploited.
    healzer, May 10, 2013 IP