WordPress is the most widely used blogging platform in the world. The world's top blogs, such as TechCrunch and Mashable, use WordPress as their platform. The main reason is that WordPress provides a well-structured and secure blogging interface. But hackers are not spending their holidays idle: they are trying to hack WordPress blogs all the time. They constantly search for security holes in your WordPress blog, and if they succeed, you are the one who fails.
So why not protect your blog against such actions? Here are some useful things you must apply to your WordPress blog to secure it.
1. Move the WordPress core files to a different location. Do not keep them in the root directory. Read more about how to move the WordPress core files to a different location.
2. Do not keep your user name as "admin". Choose a different user name, one that nobody can guess. If your user name is admin, create another administrator account with a secure user name, log in to WordPress with that account and delete the admin account. When deleting, make sure to assign all of admin's posts to the current user.
3. Remove the WordPress version number. Open functions.php from your wp-includes directory with Notepad and add the following code:
// stop WordPress from printing the generator meta tag (which carries the version number) in the page head
remove_action('wp_head', 'wp_generator');
4. Prevent indexing of your WordPress core files through robots.txt. Add the following to robots.txt (a Disallow line only takes effect inside a User-agent record):
User-agent: *
Disallow: /wp-*
5. Protect your .htaccess file. Just paste the following lines into the .htaccess file in the root directory (always keep a backup of the .htaccess file before editing it).
# STRONG HTACCESS PROTECTION
<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>
6. Protect the wp-config.php file so that nobody can view it. Add the following to your .htaccess.
# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
7. To disable directory browsing, add this code to the .htaccess file.
# disable directory browsing
Options All -Indexes
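Steps 5, 6 and 7 all depend on the .htaccess file actually containing the right directives in the right scope. The following is an added example, not code from the original post: a small Python checker that parses an .htaccess file into its global scope and its <Files> blocks and reports which of the three protections is missing. The two .htaccess samples are constructed for the demonstration, and the checker also accepts the Apache 2.4 form "Require all denied" as an equivalent of "deny from all".

```python
import re
from collections import defaultdict

# Constructed sample .htaccess files (not from the original post):
# a stock WordPress one and one with steps 5-7 applied.
WEAK_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
# END WordPress
"""

HARDENED_HTACCESS = """\
# STRONG HTACCESS PROTECTION
<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>
# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# disable directory browsing
Options All -Indexes
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
# END WordPress
"""

FILES_OPEN = re.compile(r'^<Files\s+"?([^\s">]+)"?\s*>$', re.IGNORECASE)
FILES_CLOSE = re.compile(r"^</Files>$", re.IGNORECASE)


def parse_htaccess(text):
    """Return {scope: [directive, ...]}: scope "" is the global scope,
    any other key is the file name of the enclosing <Files> block.
    Directives are lower-cased and whitespace-normalised so the checks
    do not care about 'Deny From All' versus 'deny from all'."""
    scopes = defaultdict(list)
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = FILES_OPEN.match(line)
        if opened:
            if current:
                raise ValueError("nested <Files> blocks are not supported")
            current = opened.group(1).lower()
            continue
        if FILES_CLOSE.match(line):
            if not current:
                raise ValueError("</Files> without a matching <Files>")
            current = ""
            continue
        scopes[current].append(" ".join(line.lower().split()))
    if current:
        raise ValueError("unterminated <Files %s> block" % current)
    return scopes


def denies_all(directives):
    """Apache 2.2 style ('order allow,deny' + 'deny from all' with no
    'allow from' reopening access) or the 2.4 'require all denied'."""
    if "require all denied" in directives:
        return True
    return ("order allow,deny" in directives
            and "deny from all" in directives
            and not any(d.startswith("allow from") for d in directives))


def audit_htaccess(text):
    """Map each of steps 5, 6 and 7 to True (present) or False (missing)."""
    scopes = parse_htaccess(text)
    return {
        "htaccess_protected": denies_all(scopes.get(".htaccess", [])),
        "wp_config_protected": denies_all(scopes.get("wp-config.php", [])),
        "directory_listing_disabled": any(
            d.startswith("options") and "-indexes" in d.split()
            for d in scopes.get("", [])),
    }


def missing_checks(text):
    """Names of the checks that fail, in a stable order."""
    return [name for name, ok in audit_htaccess(text).items() if not ok]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_HTACCESS), ("hardened", HARDENED_HTACCESS)):
        print(label, missing_checks(conf) or "all checks pass")
```

Run it against your own file with missing_checks(open(".htaccess").read()). The parser deliberately refuses nested or unterminated <Files> blocks, because an unbalanced block is exactly the kind of edit that makes Apache return a 500 error for the whole site.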
8. Protect against comment spammers by adding this code to the .htaccess file.
RewriteEngine On
# only POST requests to the comment handler are examined
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
# ... that either did not come from your own blog (replace yourblog.com with your domain)
RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
# ... or carry an empty User-Agent header
RewriteCond %{HTTP_USER_AGENT} ^$
# send such requests back to the sender's own address
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
9. Prevent hackers from injecting scripts into your WordPress blog. By adding the following code you can protect your blog from script injection and from any attempt to modify PHP GLOBALS and _REQUEST variables through the query string.
Options +FollowSymLinks
RewriteEngine On
# block query strings that carry a <script ...> tag, raw or URL-encoded
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# block attempts to overwrite PHP's GLOBALS or _REQUEST arrays via the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# answer 403 Forbidden
RewriteRule ^(.*)$ index.php [F,L]
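Steps 8 and 9 are both chains of RewriteCond tests, and it is easy to misjudge what they block and what they let through. The following is an added example, not code from the original post: a Python re-implementation of both chains, run over constructed requests so you can see which query strings get a 403 from step 9 and which comment POSTs step 8 treats as bots. "yourblog.com" is the placeholder from the post, and the sample requests are made up for the demonstration.

```python
import re

# Added simulation of the mod_rewrite snippets in steps 8 and 9 (not the
# post's own code): the RewriteCond logic is reproduced in Python so the
# rules can be exercised without an Apache instance.

BLOG_HOST = "yourblog.com"  # placeholder from the post; substitute your own domain

# Step 9: Apache tests QUERY_STRING before URL decoding, which is why the
# encoded angle brackets (%3C / %3E) are listed explicitly. Only the first
# pattern carries [NC]; the other two are case-sensitive, as in the .htaccess.
INJECTION_PATTERNS = [
    re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
]


def is_injection_attempt(query_string):
    """True when any step-9 RewriteCond matches, i.e. Apache would answer
    403 Forbidden ([F]) for this raw query string."""
    return any(p.search(query_string) for p in INJECTION_PATTERNS)


def is_spam_comment_post(method, uri, referer, user_agent):
    """Mirror of step 8. A POST to wp-comments-post.php is treated as a bot
    (and redirected away) when the Referer does not contain the blog's host,
    OR when the User-Agent header is empty. The method and URI conditions
    must both hold before the [OR] pair is evaluated."""
    if method != "POST":
        return False
    if not re.search(r"wp-comments-post\.php", uri):
        return False
    referer_is_foreign = re.search(r".*" + re.escape(BLOG_HOST) + r".*", referer or "") is None
    ua_is_empty = (user_agent or "") == ""
    return referer_is_foreign or ua_is_empty


# Constructed sample query strings (not captured traffic): (query, blocked?)
QUERY_SAMPLES = [
    ("s=%3Cscript%3Ealert(1)%3C/script%3E", True),   # URL-encoded <script> tag
    ("p=1&GLOBALS[x]=1", True),                       # tries to write into $GLOBALS
    ("a=_REQUEST=1", True),
    ("s=wordpress+security", False),                  # ordinary search
    ("s=javascript", False),                          # 'script' alone is not enough
    ("s=GLOBALS=1", True),                            # false positive: an innocent search is blocked too
]


def classify_queries(samples=QUERY_SAMPLES):
    """Run every sample through the step-9 logic; return (query, blocked) pairs."""
    return [(qs, is_injection_attempt(qs)) for qs, _ in samples]


if __name__ == "__main__":
    for qs, blocked in classify_queries():
        print("403" if blocked else "200", qs)
    # A browser or privacy extension that strips the Referer header is caught
    # by the step-8 rule even though a real person is commenting.
    print(is_spam_comment_post("POST", "/wp-comments-post.php", "", "Mozilla/5.0"))
```

Two things the simulation makes visible: step 9 matches substrings, so a search for "GLOBALS=1" is refused just like an attack, and step 8 cannot distinguish a bot from a visitor whose browser sends no Referer. The simulation does not model server configuration; a 500 error after adding step 9 usually means the Options line is not permitted by the server's AllowOverride setting, not that the patterns are wrong.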
10. Block suspicious users from visiting your site. Learn how to block a user.
Besides all of the above, you must keep your WordPress installation and plug-ins updated to stay more secure.
Useful tips :) First things to do when you install your WP blog.
@Shabnam: Yes, you can install WordPress keeping the core files in a different location. But if you have already installed it at the root dir, you can still move them. Follow the given link.
Hey bro… great tips… yeah, security matters a lot… it really hurts if one loses something on which a lot of hard work was put due to security vulnerabilities.
Thanks for sharing…. 🙂
One more basic thing: one should always download WordPress themes from a reliable source. Very useful share 🙂
Thanks Harsh. Very happy for your compliment. Thanks again for your valuable advice. Hope our readers will benefit.
Using the code you provided to prevent hackers from script injection caused my site to have server errors and it would not load! So I had to comment it out — why did this happen?
#Options +FollowSymLinks
#RewriteEngine On
#RewriteCond %{QUERY_STRING} (|%3E) [NC,OR]
#RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
#RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
#RewriteRule ^(.*)$ index.php [F,L]
FYI: I also came across this strong htaccess protection code; do you think it makes sense to also include it in the htaccess file?
# STRONG HTACCESS PROTECTION
order allow,deny
deny from all
satisfy all
order allow,deny
deny from all
Order Allow,Deny
Deny from all
# end STRONG HTACCESS PROTECTION
thanks
Note: all the brackets and other code marks were removed from my post, so I hope no one else tries to copy it as is, since it's incomplete.
Will try wrapping [code]/[/code] around it below…
[code]
# STRONG HTACCESS PROTECTION
order allow,deny
deny from all
satisfy all
order allow,deny
deny from all
Order Allow,Deny
Deny from all
# end STRONG HTACCESS PROTECTION
[/code]
[code]
#Prevent hackers from script injection
#Options +FollowSymLinks
#RewriteEngine On
#RewriteCond %{QUERY_STRING} (|%3E) [NC,OR]
#RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
#RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
#RewriteRule ^(.*)$ index.php [F,L]
[/code]
Will the code in "8. Protect the spammers" prevent regular users from commenting if they access a page directly?
No…
Hey,
Thanks so much for this post! I am always looking to fortify my WordPress websites. These are some great tips, and I really appreciate that you included the code!
Best,
Dennis