Is your WordPress website secure from unauthorized access? Do you want to make your WordPress site even stronger and more secure? The following proven techniques help you keep your WordPress website protected from hackers.
Few Tips to Ensure Your WordPress Website Is Secure
1. Change the File Permission
On computer filesystems, directories and files have permissions that indicate who can read, write, modify and access them. This matters because WordPress may need to write to files in your wp-content directory in order to enable certain functions.
A few important file permissions:
- For folders: 755. This set of permissions is commonly used on web servers. The website owner can read, write and execute; the group and everyone else can only read and execute, and are not permitted to make changes.
- For files: 644. Only the website owner can read and write; the group and everyone else can only read, and no one can execute the file.
- Beware of CHMOD 777: when using chmod on your WordPress files, be sure you know what you are doing and what changes you are making. One of the most dangerous modes is 777, which gives every user and group full read, write and execute permission on the folder or file. That is the level of access hackers would need in order to cause a lot of damage to your WordPress website.
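An audit-and-fix helper for the 755/644 scheme just described, added here as an example (it is not part of the original article). It assumes only POSIX find, chmod, sed and grep, and the directory it works on is whatever path you pass in; the demo tree at the bottom is constructed, not a real site.

```shell
#!/bin/sh
# Added helper for the 755/644 scheme above; not from the original article.
# Assumes POSIX find/chmod/sed/grep. Pass the WordPress root as $1.

# Every entry under $1 that is world-writable (the o+w bit, as in 777/666).
list_world_writable() {
    find "$1" -perm -002 | sort
}

# Directories that are not 755 and files that are not 644, one per line.
list_deviations() {
    find "$1" -type d ! -perm 755 | sed 's/^/dir-not-755  /'
    find "$1" -type f ! -perm 644 | sed 's/^/file-not-644 /'
}

# Counts for scripting; "|| true" keeps grep's no-match status from
# aborting a caller that runs under set -e.
count_world_writable() { list_world_writable "$1" | grep -c . || true; }
count_deviations()     { list_deviations "$1" | grep -c . || true; }

# Apply the recommended scheme: 755 on directories, 644 on files.
# (Many hosts tighten wp-config.php further afterwards, e.g. to 640.)
fix_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Demo on a constructed throw-away tree, not a real site.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
touch "$demo/wp-config.php" "$demo/wp-content/uploads/photo.jpg"
chmod 777 "$demo/wp-content/uploads"   # the dangerous setting from the text
chmod 666 "$demo/wp-config.php"
echo "world-writable before fix: $(count_world_writable "$demo")"
list_world_writable "$demo"
fix_wp_perms "$demo"
echo "world-writable after fix:  $(count_world_writable "$demo")"
rm -rf "$demo"
```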
2. Use Robots.txt to Disallow Access
Robots.txt tells search engines which folders of your website should not be indexed. You need to tell them not to look into folders that are unnecessary for them, such as “/plugins” and “/wp-admin”. Keep in mind that robots.txt is only advisory and is itself publicly readable: it keeps well-behaved crawlers out of those folders, but it does not stop anyone from requesting them.
Simply copy and paste the code below into Notepad, save it as “robots.txt”, then upload it to the root directory of your WordPress website:
#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
3. Restrict the files using .htaccess
- Restrict wp-config.php
<files wp-config.php>
# Apache 2.2 access-control syntax; Apache 2.4 expresses the same rule as "Require all denied"
order allow,deny
deny from all
</files>
By copying this code into your .htaccess file, you prevent anyone from accessing wp-config.php directly (www.yoursite.com/wordpress/wp-config.php). Anyone who tries gets a Forbidden error (You don’t have permission to access /wordpress/wp-config.php on this server).
- Allow login by specific IP
<files wp-login.php>
order deny,allow
deny from all
# whitelist your first IP address
allow from xx.xx.xx.xx
</files>
Are you seeing an influx of attacks on your website? To keep your WordPress login out of hackers’ sight, you can limit access to wp-login.php by IP address. Copy the code above and place it near the top of your .htaccess file. Don’t forget to replace the IP address with your own.
4. Restrict admin-ajax.php and async-upload.php
- Force SSL logins (http://codex.wordpress.org/Administration_Over_SSL)
- Password-protect the directory (http://en.wikipedia.org/wiki/Basic_access_authentication)
# Exempt these two files from the password protection on wp-admin, since
# the front end (AJAX requests and uploads) needs to reach them.
<FilesMatch "^(admin-ajax|async-upload)\.php$">
Order allow,deny
Allow from all
Satisfy any
</FilesMatch>
5. Securing wp-includes
Add the following block to your .htaccess file, above the # BEGIN WordPress line:
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress
6. Securing Media directories with .htaccess
- Create an .htaccess file in your /uploads/ directory (or use the existing file if present). Place the following code in it and upload it to your server:
# secure uploads directory
<Files ~ ".*\..*">
Order Allow,Deny
Deny from all
</Files>
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|tif|tiff)$">
Order Deny,Allow
Allow from all
</FilesMatch>
- If you’re working with other media types such as .zip, .mp3 or .mov, simply edit the FilesMatch pattern like so:
(jpg|jpeg|jpe|gif|png|tif|tiff|zip|mp3|mov)
7. Delete or modify the default “admin” user and create a new user with the super admin role
8. Disable file editing via the dashboard
define( 'DISALLOW_FILE_EDIT', true );
9. Disable Post Revision
define( 'WP_POST_REVISIONS', false );
10. Change the database table prefix from “wp_” to something else
11. Limit Login Attempts
http://wordpress.org/plugins/limit-login-attempts/
12. Don't use the default login URL
How to change the /wp-login.php page? (http://wordpress.org/support/topic/how-to-change-from-wp-loginphp-to-login)
13. Always keep your plugins and themes up to date
14. Hide Your WordPress Version
- To do this, place the code below in the functions.php file of your active theme.
remove_action( 'wp_head', 'index_rel_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );
remove_action( 'wp_head', 'feed_links_extra', 3 );
remove_action( 'wp_head', 'start_post_rel_link', 10, 0 );
remove_action( 'wp_head', 'parent_post_rel_link', 10, 0 );
remove_action( 'wp_head', 'adjacent_posts_rel_link', 10, 0 );
remove_action( 'wp_head', 'wp_shortlink_wp_head', 10, 0 );
remove_action( 'wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0 );
remove_action( 'wp_head', 'wp_generator' );
- You can go one step further and additionally remove it from RSS feeds using this:
function wpt_remove_version()
{
return '';
}
add_filter( 'the_generator', 'wpt_remove_version' );
15. Keep a backup
16. Remove all “WordPress” References
This is one of the easier tasks: simply open your footer.php file and remove anything that says “Powered by WordPress”. It is also recommended to remove any script that might display the version you are using. Hackers often search for the term “powered by wordpress” and try to attack everything that comes up.
17. Change your Default WordPress Database Prefix
$table_prefix = 'wp_';
When installing WordPress, you have the option of using the default “wp_” as your table_prefix. You can change it to something else if you like. This is another step away from the default attributes.
You can do this easily: open the wp-config-sample.php file, find the prefix line shown above and change “wp_” to something of your choosing, such as “me_” or “cool_”. This makes things harder for hackers. Remember that this file has to be renamed to “wp-config.php” before you install WordPress.
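A check for the wp-config.php settings recommended in points 8, 9, 10 and 17, added here as an example (it is not part of the original article). It assumes only POSIX grep, sed and tr, and the wp-config.php it reads is whatever path you pass in; the sample file at the bottom is constructed to show all three defaults being flagged.

```shell
#!/bin/sh
# Added check for points 8, 9, 10 and 17; not from the original article.
# Assumes POSIX grep/sed/tr. Pass the path to wp-config.php as $1.

# Active lines of $1 with quotes stripped and comment lines dropped, so the
# extractors below never pick up a commented-out define().
wpconf_active_lines() {
    grep -v -e '^[[:space:]]*//' -e '^[[:space:]]*#' -e '^[[:space:]]*\*' "$1" \
        | tr -d "'\""
}

# Value of define( NAME, value ) for the constant named in $2, or nothing.
wpconf_define() {
    wpconf_active_lines "$1" \
        | sed -n "s/^[[:space:]]*define([[:space:]]*$2[[:space:]]*,[[:space:]]*\([^)]*\)).*/\1/p" \
        | head -n 1 | tr -d ' '
}

# Value assigned to $table_prefix, or nothing if the line is absent.
wpconf_prefix() {
    wpconf_active_lines "$1" \
        | sed -n 's/^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*\([^; ]*\);.*/\1/p' \
        | head -n 1
}

# One finding per line for each recommendation the file does not follow.
audit_wp_config() {
    f="$1"
    [ "$(wpconf_define "$f" DISALLOW_FILE_EDIT)" = "true" ] \
        || echo "DISALLOW_FILE_EDIT is not true: dashboard file editor is enabled"
    [ "$(wpconf_define "$f" WP_POST_REVISIONS)" = "false" ] \
        || echo "WP_POST_REVISIONS is not false: revisions are unlimited"
    p=$(wpconf_prefix "$f")
    case "$p" in
        ""|wp_) echo "table prefix is the default (${p:-unset})" ;;
    esac
}
count_wp_config_findings() { audit_wp_config "$1" | grep -c . || true; }

# Demo on a constructed file that still has all three defaults.
demo=$(mktemp)
cat > "$demo" <<'EOF'
<?php
// define( 'DISALLOW_FILE_EDIT', true );   // commented out, so not active
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
EOF
audit_wp_config "$demo"
rm -f "$demo"
```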
18. Create separate .htaccess file for wp-admin
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# IP address of my 2nd home computer
allow from xx.xxx.xxx.xx
# IP addresses of my two work computers
allow from xx.xxx.xxx.xx
allow from xx.xxx.xxx.xx
# IP address at my friend’s house
allow from xx.xxx.xxx.xx
This blocks all IP addresses except the ones you specify.
19. Install a security plugin
- Better WP Security (http://wordpress.org/plugins/better-wp-security/)
- Protects your site via .htaccess (http://wordpress.org/plugins/bulletproof-security/)
- Adds a firewall to your site (http://wordpress.org/plugins/all-in-one-wp-security-and-firewall)
- Scans your site for malware (http://wordpress.org/plugins/sucuri-scanner)
- Full-featured security plugin (http://wordpress.org/plugins/wordfence)
- Comprehensive security tool (http://wordpress.org/plugins/websitedefender-wordpress-security)
- Searches your database for any suspicious code (http://wordpress.org/plugins/exploit-scanner)
- Enhanced security plugin (http://wordpress.org/plugins/wp-login-security-2/)
- Protect WordPress against malicious URL requests (http://wordpress.org/plugins/block-bad-queries/)
- Monitors WordPress installation for added/deleted/changed files (http://wordpress.org/plugins/wordpress-file-monitor-plus/)
- Scans WordPress installation for security vulnerabilities (http://wordpress.org/plugins/wp-security-scan/)