
Guide To Secure Your WordPress Like a Security Professional

By Sanjeev Shrivastava

WordPress is the most used CMS in the world. Many important websites run on WordPress, which draws intruders' interest to it. Although WordPress is secure and robust, hackers always find new methods to break into WordPress websites. Recently, hackers exploited a vulnerability in WordPress that compromised thousands of WordPress websites. Attackers are continuously trying to break into your WordPress website; you can read more about that here.

It's time to protect your WordPress website from attackers. Here is the ultimate guide to securing your WP installation:

Some Quick WordPress Security Tips:

You can use these tips as a checklist: check whether you have implemented these small but effective security rules for your website.

1> Backup your data:

I recommend that everyone back up their website regularly. A backup will help you a lot if your website gets hacked: if you have your data, you have everything. Do not depend entirely on your host for backups; take them yourself regularly and store them on a different server or on your local machine.

2> Use strong passwords:

Never use an external online password-strength checker to test your passwords. Most such websites store the passwords you try in their databases to build wordlists for brute-force attacks. Just follow these simple rules to pick a strong password:

a) Use alphanumeric characters (letters and digits).

b) Use both uppercase and lowercase letters.

c) Use special symbols in between.

d) If you know leet (1337) spelling, use it in your passwords; it makes for a really strong password :D

e) Your password must be at least 8 characters long.

3> Restrict Number of login attempts:

Most of the time, hackers use brute-force attacks to get your username and password. I suggest you restrict the number of login attempts from a particular IP. For this purpose there is a cool plugin named Login Lockdown.

4> Use secure FTP to upload data:

Whenever you connect an FTP client to your server, use SFTP. Secure FTP is always recommended over plain FTP because it uses a secured version of the FTP protocol for data transfer.

5> Try to avoid free themes and plugins:

I suggest you avoid free themes and plugins, especially those downloaded from torrents and the like. If you want to use free themes and plugins, the official WordPress repository has thousands of them.

6> Use SSH:

If your host offers SSH, install an SSH client on your machine (Windows users will need one) and connect to your server over SSH. It is the most secure way to transfer files, using SFTP. If your host doesn't offer SSH, ask them to provide it.

7> Login with an account having the least privilege:

As you know, WordPress lets you create users with different roles, so always create users with a suitable role. If you just need to publish a post, log in with a user account that has the Author role; only use the admin account when you need to make changes to your website.

8> Keep your WordPress updated:

Always keep your WordPress version updated. New WordPress releases contain security patches.

9> Use .htaccess to protect your directories:

Ensure your directories are protected and have correct permissions defined. You can define rules in the .htaccess file to prevent directory traversal.

10> Keep monitoring your WordPress site and block suspicious IPs:

Use a monitoring tool and immediately block any suspicious IP. You never know when your site will become a target, so you need to be attentive from the start by monitoring visitors' behavior.
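As an added example for tips 3 and 10 (not code from the original post), this shell snippet picks out clients that repeatedly POST to wp-login.php in a web server access log and turns the list into an Apache 2.4 deny block. The log lines are constructed samples, and the function names, the threshold and the log format (Apache combined) are my assumptions.

```shell
#!/bin/sh
# Constructed sample Apache access-log lines (not from the original post):
# one client hammering wp-login.php, two behaving normally.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2015:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1254 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1254 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:01:03 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1254 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1254 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2011 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2015:10:07:30 +0000] "GET /2015/03/hello-world/ HTTP/1.1" 200 8122 "-" "Mozilla/5.0"'

# Print "count ip" for every client with at least $2 POSTs to wp-login.php
# in the log file $1 (default threshold 5), busiest client first.
# Field 6 is the quoted method, field 7 the request path (query string included).
suspicious_login_ips() {
    awk -v limit="${2:-5}" '
        $6 == "\"POST" && index($7, "/wp-login.php") == 1 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= limit) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Turn that list (read from stdin) into an Apache 2.4 .htaccess block that
# denies those clients while still granting everyone else.
htaccess_deny_block() {
    echo '<RequireAll>'
    echo '    Require all granted'
    while read -r count ip; do
        echo "    Require not ip $ip"
    done
    echo '</RequireAll>'
}

# Usage: suspicious_login_ips /var/log/apache2/access.log 10 | htaccess_deny_block >> .htaccess
```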

11> Use some different prefix other than wp_:

During installation of WordPress, choose a prefix other than wp_. It will reduce the chance that a malicious attacker guesses the names of your tables.

12> Change the default username from admin to something else:

During installation of WordPress, always change the default username from "admin" to something else. Choosing a username other than admin is as important as choosing a strong password.

13> Prevent directory traversal:

Put a blank index.html in every directory on your server. It helps when your web server stops working or stops interpreting PHP: anyone who visits one of your directories will then not be shown all the files in it.

14> Set Correct File Permission:

Check the permissions your host set on your files; there is a chance you need something else. Always give the least permission to files and folders based on their purpose and use. I suggest "644" or "640" for files and "750" or "755" for folders.
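As an added example for tips 9, 13 and 14 (not code from the original post), this hypothetical shell helper applies the permission scheme above to a WordPress tree, drops a blank index.html into directories that have no index file, and turns off Apache directory listings. It assumes Apache with AllowOverride Options enabled for the site, and the choice of 640 for wp-config.php is mine.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): harden a WordPress tree.
harden_wp_tree() {
    root=$1
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }

    # Blank index.html only where no index file exists yet: WordPress ships
    # index.php in wp-admin and elsewhere, and a blank index.html next to it
    # would be served instead under Apache's default DirectoryIndex order.
    find "$root" -type d -print | while read -r d; do
        if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
            : > "$d/index.html"
        fi
    done

    # Options -Indexes makes Apache refuse to list a directory at all,
    # so nothing is shown even if the blank index file is missing.
    htaccess="$root/.htaccess"
    grep -qs '^Options -Indexes' "$htaccess" || printf 'Options -Indexes\n' >> "$htaccess"

    # Directories 755, files 644, wp-config.php 640 (it holds the database
    # credentials and only the web server group needs to read it).
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# Usage: harden_wp_tree /var/www/html
```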

Advanced Ways:
For people who think their websites are really important and care about their security. Below are some security steps you should follow only if you know exactly what you are doing; otherwise they may lead to something you never wanted.

1: Disable Custom HTML When Possible:

WordPress can use custom HTML for various functions. Maybe it is not really needed for the form and function of your website; you can disable unfiltered HTML by adding a single line to your wp-config.php file.

define( 'DISALLOW_UNFILTERED_HTML', true );

2: Keep WordPress Cookies Salted:

WordPress uses cookies to track a user's login state and so on, so it stores them on the client side. If I know your salt, it becomes easier for me to get into your WordPress administration. So it is really important to keep your salts secret and unique. You can use this WordPress API to generate salts for all authentication keys and use them in your wp-config.php file: open wp-config.php and replace the code block for authentication keys and salts with the code generated by the WordPress API.

3. Disable Theme and Plugin Editing From WP Administration:

If your password gets compromised, the attacker should still not be able to change your theme's code. If an attacker can change your theme's files, it may end with a shell being uploaded or malware being placed on your website. You should disable editing from wp-admin by placing a single line in wp-config.php.

define('DISALLOW_FILE_EDIT', true);
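As an added example for the two wp-config.php tips above (not code from the original post), this hypothetical shell helper adds a define() only when the constant is not already set, and places it before the "stop editing" marker (or, failing that, before the wp-settings.php require) so it is in effect before WordPress loads. The function names and the file path are my assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): add define('NAME', VALUE);
# to a wp-config.php if NAME is not already defined, inserted ahead of the
# "stop editing" marker so it runs before wp-settings.php is required.
wp_config_define() {
    file=$1 name=$2 value=$3
    if grep -q "define( *['\"]$name['\"]" "$file"; then
        echo "$name already defined in $file" >&2
        return 0
    fi
    tmp="$file.tmp.$$"
    awk -v line="define('$name', $value);" '
        !done && (/stop editing/ || /wp-settings\.php/) { print line; done = 1 }
        { print }
        END { if (!done) print line }   # no marker at all: append
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Apply both hardening lines from the text: no theme/plugin editor in
# wp-admin, and no unfiltered HTML for any user.
harden_wp_config() {
    wp_config_define "$1" DISALLOW_FILE_EDIT true
    wp_config_define "$1" DISALLOW_UNFILTERED_HTML true
}

# Usage: harden_wp_config /var/www/html/wp-config.php
```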

If you are a plugin lover, there are a few good plugins for securing your WordPress site; you can try them if you want.

Akismet - protects your WordPress from spam.
Duo factor authentication - Duo's authentication service adds a second layer of security to your WordPress accounts, such as phone number verification.
VaultPress - a good solution for backing up your entire website.
BulletProof Security - a plugin which checks your WP security settings and fixes them.
Limit Login Attempts - limits the number of login attempts from a particular IP.

Just think: if an attacker knows that you use WordPress, he will try to attack your theme, plugins and so on, because only then can he get access. If you are using an older version of WordPress, he will look for exploits for that particular version to get into your website. But what if the hacker doesn't even know that you use WordPress? There is a cool plugin which creates the impression that the site doesn't use WordPress: Hide My WP is a plugin which can do the job for you.

At last, I would say there are a few attacks which you cannot prevent at your level; these types of attacks must be prevented by your host. Your web host should be attentive in patching all vulnerabilities in the web server and the other applications they offer, symlinking must be turned off, and so on.

Conclusion:

They say WordPress is secure, and that is a hundred percent correct, but it is secure only if you know how to make it secure. This guide was for all beginners and website owners to re-check the security issues of their website. If you want further explanation of any particular type of attack and its prevention, leave a comment here. I hope this post helps you secure your web presence.

About Sanjeev Shrivastava

Sanjeev loves the web and his blog InfoTuts. His curiosity to know how things actually work keeps him active and inspires him to learn new things. He loves to help people. You can join him here.
