10 Steps To Secure Your WordPress Site
We are pleased to present the first of our guest blog posts from Richard Howell. Richard is a BWF client who currently works for the NHS in the UK as an IT Engineer at an...
Step 1 : Update WordPress
WordPress is updated at regular intervals to resolve security issues as they occur. So you should always keep it up to date with the latest version because older versions of WordPress are not maintained with security updates.
Outdated plugins and themes are also among the most vulnerable to hacking, so please make sure your plugins and themes are always updated. And if you are not using a specific plugin, delete it from the system.
NOTE: Please back up your site before you proceed with the WordPress update. This ensures that you still have a working backup of your site which can easily be restored later if the update fails. To learn how to generate a backup to download and store locally, click here.
Step 2 : Change Your Login/Password
The default WordPress username is “admin”, which is known to everyone (hackers included), so you must change it to something different, for instance “David86”. Add this as a new user with admin privileges, and don’t forget to delete the default admin account.
Typically hackers will try to brute-force your password, so you should be fine if the password is strong enough.
We suggest you always use strong passwords (http://strongpasswordgenerator.com) that mix UPPER and lowercase letters, numbers, and symbols, for instance “Fl@weRs#1$”.
Please don’t use the following when choosing a password
Step 3 : Change file permissions
Allowing write access to your files is quite dangerous, especially in a shared hosting environment. Please make sure the following permissions are set on your files:
Folders should have 755 whereas files should have 644 permissions.
If you have shell access to your account, you can change file permissions recursively with the following command:
*Please note: if you are unsure about Linux commands, we recommend you open a ticket so that we can complete this for you.
For Directories:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
For Files:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
Step 4 : Securing wp-config.php
Please make sure that only you (and the web server) can read this file (it generally means a 400 or 440 permission).
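The permission changes from Steps 3 and 4 as one script, plus an audit function that lists anything still deviating from the 755/644/440 layout so you can confirm the result. This is an added example, not part of the original post; it takes the install path as its first argument and assumes the web server reads wp-config.php through the file's group (hence 440 rather than 400).

```sh
#!/bin/sh
# Added example (not from the original post): applies the Step 3 layout
# (directories 755, files 644) and the Step 4 mode for wp-config.php, then
# audits the tree so you can confirm nothing writable was left behind.
# Assumes the web server reads wp-config.php via the file's group, so 440 is used.

wp_harden_perms() {
    root="$1"
    # Same two find commands as Step 3; the ';' that ends -exec must be escaped.
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    # Step 4: owner and group (the web server) may read wp-config.php, nobody may write it.
    if [ -f "$root/wp-config.php" ]; then
        chmod 440 "$root/wp-config.php"
    fi
}

# Lists every path whose mode deviates from the expected layout.
# Exit status 0 when the tree is clean, 1 when at least one offender was printed.
wp_perm_violations() {
    root="$1"
    bad=$(
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -name wp-config.php ! -perm 644
        find "$root" -type f -name wp-config.php ! -perm 440 ! -perm 400
    )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage: sh harden.sh /path/to/your/wordpress/install
if [ "$#" -gt 0 ]; then
    wp_harden_perms "$1"
    wp_perm_violations "$1" && echo "permissions OK"
fi
```

Run the audit function on its own whenever you suspect a plugin or upload has loosened permissions again; it prints the offending paths and exits non-zero.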
Step 5 : Prevent .htaccess Hacks
To prevent .htaccess hacks, you can put the following at the very top of that file to deny access to anyone browsing for wp-config.php.
<files wp-config.php>
order allow,deny
deny from all
</files>
Step 6 : Disallow search engine
Most search engine spiders crawl your site (including all its sub folders) unless they are told not to index them. For instance, there is no point in indexing the wp-admin folder of your site, and doing so can lead to security issues.
So let’s block search engine spiders from indexing the WordPress admin area. Just add the following lines to the robots.txt file in your public_html folder.
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/themes
Reference link : http://support.google.com/webmasters/bin/answer.py?hl=en&answer=156449
Step 7 : Install WP Security Scan Plugin and User Locker
WP Security Scan (http://wordpress.org/plugins/wp-security-scan) checks your WordPress website/blog for security vulnerabilities and suggests corrective actions covering passwords, file permissions, database security, version hiding and WordPress admin security, and it removes the WP Generator META tag from the core code.
The User Locker plugin (http://wordpress.org/plugins/user-locker) locks a user account after a given number of incorrect login attempts. This makes brute force and dictionary attacks nearly impossible.
Step 8 : Change Table Prefix
Sometimes your WordPress site might be affected by SQL injection attacks. Many of these attacks assume that a WordPress site uses the default table_prefix “wp_”, so changing it to a different prefix like “fish_” can block at least some SQL injection attacks.
Step 9 : Change your WordPress Keys
If your WordPress site gets hacked it is very important to change the keys as well as the wp-admin password immediately, because a hacker can still log in to your WP admin even after your admin password changes. In most cases when a WordPress site gets hacked, the hacker can still gain access to your WordPress admin area via cookies that remain valid under your old keys/salts. You can change these at any point in time to invalidate all existing cookies, which forces all users to log in again.
You can use the WordPress Key Generator (https://api.wordpress.org/secret-key/1.1/salt) to generate the keys below. Edit the wp-config.php file and find the following lines:
define('AUTH_KEY', 'copy and paste the unique key here');
define('SECURE_AUTH_KEY', 'copy and paste the unique key here');
define('LOGGED_IN_KEY', 'copy and paste the unique key here');
define('NONCE_KEY', 'copy and paste the unique key here');
Save it.
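The key rotation from Step 9 as a script that rewrites the define lines in wp-config.php in place. This is an added example, not part of the original post: it generates the keys locally from /dev/urandom instead of pasting them from the WordPress key generator (the effect on existing cookies is the same), and it goes beyond the four keys listed above to cover all eight key and salt defines that WordPress uses. The file path is whatever you pass as the first argument.

```sh
#!/bin/sh
# Added example (not from the original post): rotates the keys and salts in
# wp-config.php in place, which invalidates every existing login cookie as
# Step 9 describes. Keys come from /dev/urandom rather than the WordPress key
# generator; it handles all eight defines, not only the four listed above.

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 printable characters; the set deliberately excludes ' and \ so the value
# can be dropped into a PHP single-quoted string without escaping.
wp_random_key() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=' | head -c 64
}

# Print the current value of define('NAME', '...') from the given wp-config.php.
wp_salt_value() {
    awk -v name="$2" -v q="'" '
        BEGIN { pat = "^[ \t]*define\\([ \t]*" q name q }
        $0 ~ pat { split($0, p, q); print p[4]; exit }
    ' "$1"
}

# Replace each salt define with a fresh key; every other line is passed through.
wp_rotate_salts() {
    cfg="$1"
    for name in $WP_SALT_NAMES; do
        key=$(wp_random_key)
        awk -v name="$name" -v key="$key" -v q="'" '
            BEGIN { pat = "^[ \t]*define\\([ \t]*" q name q }
            $0 ~ pat { printf "define(%s%s%s, %s%s%s);\n", q, name, q, q, key, q; next }
            { print }
        ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    done
    # mv leaves the file with your umask's default mode: re-apply the Step 4
    # permissions (chmod 440 wp-config.php) afterwards.
}

# Usage: sh rotate-salts.sh /path/to/wp-config.php
if [ "$#" -gt 0 ]; then
    wp_rotate_salts "$1"
fi
```

Defines the script does not find (for example when an older wp-config.php only has the four keys) are simply left absent; WordPress falls back to values stored in the database for those.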
Step 10 : Remove vulnerabilities on your computer
EXTRA: Only Allow Admin Login From 1 IP Address
If you’re completely sure you have a dedicated (static) IP address from your ISP, you may want to restrict access to your WordPress admin interface to that IP address only.
To do this simply edit the .htaccess file in the public_html folder and add the following code at the top.
<Files wp-login.php>
order deny,allow
Deny from all
# whitelist First IP Address
allow from xx.xxx.xx.xx
# whitelist Second IP Address
allow from xx.xxx.xx.xx
</Files>
Note: If a brute force attack is under way against your site, we recommend that you change the permissions on the wp-login.php file to hide it completely. This stops the attack because the page being attacked becomes inaccessible. To do this simply set the permissions to 000.
Then, when you need to log in to your WordPress admin area again, just revert the permissions back to 644.
Note: We have started the process of upgrading all our Shared Servers to CloudLinux for added protection against symlink and other WordPress hacks. This process will be completed by the summer. Details on what additional security CloudLinux brings can be found here.