I was just compiling this WordPress security tutorial for my clients, so I am going to share it here. If anyone has his/her own personal WordPress blog, this tutorial will surely help you secure it. This is actually not written by me; I just compiled it and found it worth sharing.
– Why do hackers attack a website or blog?
Hackers attack your blog for many reasons, but the main one is that they want to hijack your Google ranking in order to promote (and increase) their own Google ranking. As you can imagine, there are many different types of hacks. One of the most popular is the Pharma hack, where the hackers insert spam content into your site related to different types of medications. Other hacks are more obvious because they push adult content and software sales.
– How do I know if my blog or website has been hacked?
Although it is usually obvious when a blog or website has been hacked, there are times when you may suspect you have been hacked but just aren't sure. Here are a few of the warning signs:
- Your Google Page Rank starts to drop for no apparent reason.
- Your blog loads more and more slowly (and you haven’t added a ton of plugins).
- You notice strange links on your website.
- Your Google webmaster tools show strange keywords to describe your site.
- When you perform a Google search for your site, the results show titles and descriptions that do NOT describe your site, yet still carry your URLs.
- Your website or blog traffic starts decreasing for no logical reason.
If you aren't sure your site has been hacked (or just want to be sure), do a Google search for a spammy keyword combined with your domain, like this: keyword:yoursite.com. Try different spam keywords to make sure your site is clean.
– Keep Your WordPress and WordPress Plugins Updated to the Latest Version
The latest version of WordPress always contains bug fixes for known security vulnerabilities, so it is important to keep your installation updated at all times.
– Hide your WordPress version
A large number of WordPress themes include the WordPress version in a meta tag. Hackers can easily get hold of this information and plan a specific attack targeting the security vulnerabilities of that version.
To remove the WordPress version info, log in to your WordPress dashboard. Go to Design->Theme Editor. On the right, click on the Header file. On the left, in the code, look for a line that looks like this and delete it:
Code:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
– Change the WordPress admin username
Most hackers know that 'admin' is the default username, so they only have to guess the password. Make it twice as hard by changing the admin username to something other than 'admin'.
– Remove the Footer Credit
Most WordPress templates come with a link back to WordPress in the footer saying "Powered by WordPress". If you don't want to get hacked, this absolutely has to go. It is used as a marker by hackers who query search engines to compile lists of WordPress sites. This is known as dorking, implying that people who leave such footprints on their sites are dorks. Removing this will probably stop you from getting hacked, as your site will probably not be found once it is removed. If you would like to give credit to WordPress for making a free publishing platform in some other way, you could link to them on your about page. To remove the footer credit, open up
Code:
wp-content/themes/(name of the theme you are using)/footer.php
and delete the link to WordPress.
– Remove the Meta Generator Tag
Most WordPress templates will also come with an HTML tag in the head like this:
Code:
<meta name="generator" content="WordPress 3.2.1" />
This has to go too, as it gives away which version of WordPress you are using. All a hacker would have to do is look up a hack for your version of WordPress, and if you are vulnerable (some vulnerabilities require certain server settings or environments) they will take you down. To remove the meta generator, open up
Code:
wp-content/themes/{name of the theme you are using}/header.php
and delete the meta generator tag.
– Remove the Generator Tag in the RSS Feed
WordPress also gives away which version you are using in the RSS feed, with a generator tag like this:
Code:
<generator>http://wordpress.org/?v=3.2.1</generator>
Again, this gives away the version you are using, so it is particularly dangerous. RSS feeds are another way in which hackers compile lists of sites they might be able to attack.
To remove the RSS generator, open up wp-includes/general-template.php and search for the function called the_generator (around line 1858). It will look like this:
Code:
function the_generator( $type ) {
    echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
}
Place a hash (#) in front of the word echo, so it looks like this:
Code:
function the_generator( $type ) {
    #echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
}
– Avoid Using Free Themes (malicious code)
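The three version-hiding steps above (theme header meta tag, meta generator tag, RSS generator) can be done in one place without touching core or theme files, which matters because a WordPress update overwrites wp-includes/general-template.php and undoes the edit. This is an added example, not from the original post; it assumes you drop it into wp-content/mu-plugins/ (auto-loaded by WordPress) under any file name such as hide-wp-version.php.

```php
<?php
/*
Plugin Name: Hide WordPress Version (added example)
Description: Removes the version number from the head meta tag, the RSS/Atom
             feeds and core asset URLs using WordPress hooks only.
*/
// Assumed location: wp-content/mu-plugins/hide-wp-version.php

// 1. Current WordPress prints <meta name="generator" ...> via the wp_head
//    action, so if your theme's header.php has no such line, this is the
//    hook that actually emits it.
remove_action( 'wp_head', 'wp_generator' );

// 2. Blank the generator string for every output type (xhtml, rss2, atom,
//    comment feeds). This is the same filter that the_generator() in
//    general-template.php applies, so the core file can stay untouched.
add_filter( 'the_generator', '__return_empty_string', 10, 2 );

// 3. Core appends ?ver=<WordPress version> to its own scripts and styles,
//    which leaks the version even with the meta tag gone. Strip it only
//    when it equals the core version, so plugin and theme assets keep
//    their own cache-busting parameter.
function hide_wp_version_strip_ver( $src ) {
    $wp_version = get_bloginfo( 'version' );
    $query      = wp_parse_url( $src, PHP_URL_QUERY );
    if ( $query ) {
        parse_str( $query, $args );
        if ( isset( $args['ver'] ) && $args['ver'] === $wp_version ) {
            $src = remove_query_arg( 'ver', $src );
        }
    }
    return $src;
}
add_filter( 'style_loader_src',  'hide_wp_version_strip_ver', 9999 );
add_filter( 'script_loader_src', 'hide_wp_version_strip_ver', 9999 );
```

After installing, view the page source and the /feed/ URL to confirm no generator tag or ?ver= value remains.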
You can run into serious trouble by installing plugins and using themes without checking them for malicious code. If you don't know PHP, I'd recommend only installing plugins and themes that are listed in the official WordPress directories.
– Encrypt Your Login
Whenever you log in to your website, your password is sent unencrypted. If you are on a public network, a hacker can easily 'sniff' out your login credentials with a network sniffer. The best way is to encrypt your login with the Chap Secure Login plugin. This plugin adds a random hash to your password and authenticates your login with the CHAP protocol.
– Use Strong Password
Make sure you use a strong password that is difficult for others to guess. Use a combination of digits, special characters and upper/lower case letters to form your password. You can also use the password strength checker in WordPress 2.5 and above to check the strength of your password.
– Protect wp-admin folder
Your wp-admin folder contains all the important information, and it is the last place you want to give others access to. Use AskApache Password Protect to password protect the directory and give access rights only to authorized personnel.
– Hide Your Plugin Folder
If you go to http://yourwebsite.com/wp-content/plugins, you can see a list of the plugins you are using for your blog. You can easily hide this listing by uploading an empty index.html to the plugins directory:
- Open your text editor and save a blank document as index.html.
- Using an FTP program, upload the index.html to the /wp-content/plugins folder.
– Do Regular Security Scans
Install the wp-security-scan plugin and perform a regular scan of your blog settings for security loopholes. This plugin can also help you change your database prefix from wp_ to a custom prefix.
– Define User Privileges
If there is more than one author for your blog, you can install the role-manager plugin to define the capabilities for each user group. This will give you, the blog owner, the ability to control what users can and cannot do in the blog.
– Back Up Everything
No matter how secure your site is, you still want to prepare for the worst.
Make sure you back up EVERYTHING, including your posts, comments, files, images, logos, template, links and HTML coding. That way, even if your blog does get wiped out, you'll have everything you need to put it back together quickly.
The best plugin to do that: Backup Buddy.
If you want a free plugin, install the wp-database-backup plugin and schedule it to back up your database daily, but I must warn you that this plugin only backs up the database.
– Analyze Server Logs
The best security tool, regardless of which plugin/software you install, is you. In order to be confident that you are completely protected, you have to take a proactive approach to your website's security. Three times a day I check my server logs and web analytics to see if there is any unusual behavior.