WordPress is although the most popular platform used for blogging website designing, but hackers’ threats are also there. It’s heard quite often that a WordPress blog is hacked. How to get protected from such attacks and how to keep a WordPress blog safe?
This writing will deal with the issue in a more technical way.
1- Use Email Address And Login As Subscriber
A user should use a unique username that can’t be easily guessed and then login by using an email address. In WordPress blog, the by default user is admin. It’s better to change that to subscriber. A user can use plugin to create email-based username for WordPress.
2- Be Cautious About Advertising WordPress Version
A designer, if doesn’t know, might not be cautious about this thing, but WordPress publishes the version number that helps in identifying the outdated WP version if used in the website. To remove the version number of WP, you need to delete the readme.html file from the installation directory of WP that actually publishes the WP version number to the world.
3- Don’t Give The Write Permissions To Others
Get list of open directories by entering the following command in WP Linux shell.
find . -type d -perm -o=w
To adjust the right permissions, following commands are required to execute.
find /your/wordpress/folder/ -type d -exec chmod 755 {} ;
find /your/wordpress/folder/ -type f -exec chmod 644 {} ;
755 (rwxr-xr-x) tells that the write permission is with owner and others have execute and read permissions.
644 (rw-r–r–) tells write and read permissions are with the owner and just read permission is for others.
4- Change The Tables Prefix
The defaults settings of WP allow the table names to be like wp-posts. Better to change it to some random value. There are plugins available to help change the table prefix. But, it is a good practice to change them yourseff using PHPmyAdmin for better security advantages.
5- Don’t Allow Users To Explore Your WP Directories
For this purpose, you need to add Options –Indexes line at top of the .htaccess file.
By doing this, no one could access the file listings in your WP directories, provided the default files are not present there.
6- Generate New Security Keys For WordPress Blog
You can create 6 new security keys to protect the WP blog, but these new keys need to replace the default ones. It will make the stored passwords more protected and no one could log into your WP account without your permission there by improving your security.
7- Keep Error Log
The log of PHP and database errors help in identifying the invalid queries of WP installation. The best option is Error Log Monitor that sends the error report through email and also shows them as widget in WP dashboard.
You can enable error logging of WP by entering the following code to the wp-config.php file
define('WP_DEBUG', true);
if (WP_DEBUG) {
define('WP_DEBUG_DISPLAY', false);
@ini_set('log_errors', 'On');
@ini_set('display_errors', 'Off');
@ini_set('error_log', '/path/to/error.log');
}
Don’t forget to replace the path to the error log to the path where the new error log file is located.
8- Protect The Admin Dshboard With Password
Keep the wp-admin folder password protected because no visitor of your WP website needs to view these files. After doing this, you will have to use two passwords to enter the WP Admin dashboard area.
9- Keep Track Of The Login Activity On WP Server
It’s easy to get the details of the user log into your WP server by entering “last-i-” command in Linux. If there is any dubious IP address in this list, it’s an alarming sign, change the passwords.
To know about the login activity of a user for longer time period, following command can be used
last -if /var/log/wtmp.1 | grep USERNAME | awk '{print $3}' | sort | uniq -c
Enter your own shell user name in place of the USERNAME mentioned in the command.
10- Use Plugins For Monitoring The WP Website
There are many security plugins available in WordPress that help in the monitoring task of the WP website. Some tried and tested security plugins include the following:
Exploit Scanner: Helps in identifying files and blog posts with malicious code.
Wordfence Security: Helps in detecting modifications in the repository files while comparing them with the core files.
WordPress Sentinel: Provides alerts when the files are added, deleted, or edited in the folders.
Wp Notifier: Provide alerts through email whenever the updates are available for the installed design themes.
VIP Scanner: Detects advertising code in the WP templates and any other problems by scanning the WP themes.
11- Keep The Login Page Protected
If your WordPress page is not protected, it can be accessed by anyone. Here are three options to protect the WordPress page from unauthorized use:
Protect With Password: Along with regular protection, the wp-admin folder can also be protected with a user name and password.
Google Autheticator: It provides verification of the WP blog entry in two steps. Password and time dependent code are required to enter. The time generated code is provided on the mobile phone.
Login Dongle: It involves a bookmarklet and a secret question. If you want to enter your WP page, you will have to enter the credentials and then press the bookmarklet.
Don’t you think your WordPress web design will be more protected after following the above mentioned tips? Try them out and make your WP website secure from unauthorized access.
Or you can install a plugin like Better WP Security that does all these things and a couple dozen more. You want to ban users the repeatedly try to break in, and scripts that scan your site for holes (which that plugin does).
Sameer Manas liked this on Facebook.
Sai Pratyush Kiran liked this on Facebook.