I havent posted anything from a very long time here. So i thought I should share my own written article on WordPress Security. The tutorial is not well written because of lack of time but you can still actually make it hack proof :p
I'll be teaching you many ways to secure your WordPress site including securing admin area, vulnerable plugins, playing with .htaccess codes and much more. There are some plugins related to security and they can help you secure your site but just don't rely on plugins they can be bypassed easily and sometimes the plugin itself is vulnerable.images
Don't worry I'm here to help you and if you haven't installed WordPress yet so lets first secure it from the very beginning of the installation you can continue reading here for this. This tutorial ill teach you how you can install WordPress from scratch with security. If you've already installed WordPress I advice you to change the Database prefixes, by default it is wp change it to whatever you want.
Never use username admin, if you're using this username then immediately change this to something unique and hard to guess! Brute forcers will first try this username.
As explained above there are many ways a malicious user can get into your website and Brute forcing is one of them and very common. It's better to have a very strong password not one that is very hard to remember. Make it at least 9 characters long mixed with uppercase,lowercase,symbols and numbers. Brute forcers work with password list so make it unique also and it's very easy to make strong passwords.
I love this thing :p as I told you above about Brute force method, they will just enter random password until the correct password guess so in this case we can use plugins to make login form secured. Use to plugins to put Captcha and Login tries, what it will do is brute forcers can't enter captcha and after few failed login attempts user will be locked out from logging in again.
By default, WordPress Admin login URL is wp-admin and everyone can access it and if someone manages to crack your password then he knows what to do next :p In that case, we can change the URL to whatever we want and trick them. You don't have to do this manually because there some paid and free plugins for this job.
Works like additional login panel. To view or login to Admin Panel user will be asked to enter password to unlock the page and on wrong password user will not be able to login. You can do this by uploading AskApachePassword plugin and the plugin will do the rest! You can download it from the link below.
By doing this you can easily prevent Username Disclosure Vulnerability. what actually happen is when someone enters a wrong username and tries to log in, form will come up with an error message saying Wrong username and this thing can help him identify the correct username and on a correct username it will come up with "The password you entered for "username" is wrong". Navigate to => Appearance => Editor and open functions.php file and add this code:
addfilter('login_errors',create_function('$a', "return null;"));
Works just like a computer firewall and it's a great plugin and really helps.Some features are listed below.
- Detect, intecept, and log suspicious-looking parameters — and prevent them compromising WordPress.
- Also protect most WordPress plugins from the same attacks.
- Optionally configure as the first plugin to load for maximum security.
- Respond with an innocuous-looking 404, or a home page redirect.
- Optionally send an email to you with a useful dump of information upon blocking a potential attack.
- Turn on or off directory traversal attack detection.
- Turn on or off SQL injection attack detection.
- Turn on or off WordPress-specific SQL injection attack detection.
- Turn on or off blocking executable file uploads.
- Turn on or off remote arbitrary code injection detection.
- Add whitelisted IPs.
- Add additional whitelisted pages and/or fields within such pages to allow above to get through when desirable.
Keep your WordPress updated on time because it fixes vulnerability and after the update you will see all previous bugs are fixed.
This is also important one can easily your plugin files and wp-includes folder or theme files. Disabling Directory listings can help you prevent FPD (Full Path Disclosure) vulnerability. You can do this by adding this one line of code in your .htaccess file.
By doing this you can disable all already uploaded php backdoors or shells and this can really help you in many ways. Most of the backdoors and shells are coded in PHP that's why it' very useful. Do this by creating a new file and name it .htaccess and upload it to wp-content and wp-includes folders after adding this code.
deny from all
This is very important as I explained above if one website is vulnerable, so you are. you can prevent Symlink attack by just securing the config. We have to secure it so no one can see whats inside wp-config.php and we can protect our Database credentials. Add this code into your .htaccess file.
deny from all
Original article can be viewed from here will see you guys next time with another amazing tutorial!