Hardening Wordpress Site


#1 Bonar
Posted 17 February 2015 - 12:39 PM



One of our friends' sites was hacked; he lost his database. To prevent this happening to you (who are of course using WordPress), let me advise you to secure your WordPress site which is published on the internet. All credits belong to the original poster.


Changing Default "Wp_" Prefixes
Your website might be at stake if you are using the predictable wp_ prefixes in your database. The following tutorial teaches you how to get them changed via phpMyAdmin in 5 simple steps.
You can also get this done with WP Security Scan plugin.
Hide Login Error Messages
Login error messages may expose and give hackers an idea whether they have gotten the username correct or incorrect, and vice versa. It is wise to hide them from unauthorized logins.
To hide login error messages, simply put the following code in functions.php:
// Return no text for login errors (create_function is removed in PHP 8, so a closure is used instead)
add_filter('login_errors', function ($a) { return null; });


Keep Wp-Admin Directory Protected
Keeping the "wp-admin" folder protected adds an extra layer of protection. Whoever attempts to access files or directories under "wp-admin" will be prompted to log in.
Protecting your "wp-admin" folder with login and password can be done in several ways:
  • WordPress plugin – Using the WordPress AskApache Password Protect plugin.
  • cPanel – If your hosting supports cPanel admin login, you can set protection easily on any folder via cPanel’s Password Protect Directories graphical user interface. Find out more from this tutorial.
  • htaccess + htpasswd – Creating a password-protected folder can also be done easily by setting the folders you want to protect inside .htaccess and users allowed to access inside .htpasswd. The following tutorial shows you how to do it in 7 steps.



Maintaining Backups

Keeping backup copies of your entire WordPress blog is as important as keeping the site safe from hackers. If the latter fails, at least you still have clean backup files to revert to.

We’ve previously covered a list of solutions to backup your WordPress files and database, including both useful plugins and backup services.
Prevent Directory Browsing
Another big security loophole is having your directories (and all their files) exposed and accessible to the public. Here's a simple test to check if your WordPress directories are well protected:
If it shows blank or redirects you back to the home page, you are safe. However, if you see a screen similar to the image below, you are not.
To prevent access to all directories, place this code inside your .htaccess file.
# Prevent folder browsing
Options All -Indexes
Keep WordPress Core Files & Plugins Updated
One of the safest ways to keep your WordPress site safe is to make sure your files are always updated to the latest release. Here are a couple of ways (practices) you can adopt:
  • Log in to the Dashboard often – A yellow notification will appear at the top of the Dashboard if an update is available. Log in often and keep yourself updated to the latest copy of the WordPress core files.
  • Deactivate and remove unused plugins – Unused plugins will eventually get outdated and may pose a security risk. If you are not using it, delete it.
  • Subscribe to WordPress Releases RSS.
Pick A Strong Password
Is your password safe? A strong and safe password is more than just something memorable with numbers (e.g., john123). For starters, it should consist of more than 12 characters with a combination of numbers and letters in lower and upper case.
Here are some applications that allow you to generate a strong password:
Alternatively you can also check how strong (and safe) your current password is with howsecureismypassword.net.
Remove Admin User
A typical installation of WordPress comes with a default user named "admin". If that's the username for your WordPress site, you are already making the hacker's life 50% easier. Using the user "admin" should be avoided at all times.
A safer approach to logging into your admin panel securely is to create a new administrator and have "admin" removed. Here's how you do it:
  1. Log in to the WordPress admin panel
  2. Go to Users -> Add New
  3. Add a new user with the Administrator role; make sure you use a strong password.
  4. Log out of WordPress and log in again with your new admin user.
  5. Go to Users
  6. Remove the "admin" user
  7. If "admin" has posts, remember to attribute all posts and links to the new user.


More Useful Resources:
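As an added example (not part of the original post), here is an offline audit that checks three of the items above against the text of your own wp-config.php, .htaccess and functions.php: the table prefix, directory listing, and the login_errors filter. The sample file contents are constructed for illustration.

```python
import re
from typing import List, Optional

# Constructed sample inputs (not from a real site): one weak, one hardened of each file.
WP_CONFIG_WEAK = "$table_prefix = 'wp_';\n"
WP_CONFIG_HARD = "$table_prefix = 'k9z_';\n"
HTACCESS_WEAK = "# BEGIN WordPress\nRewriteEngine On\n"
HTACCESS_HARD = "# Prevent folder browsing\nOptions All -Indexes\n"
FUNCTIONS_WEAK = "<?php\n// theme setup only\n"
FUNCTIONS_HARD = "<?php\nadd_filter('login_errors', function ($a) { return null; });\n"

def table_prefix(wp_config: str) -> Optional[str]:
    """Extract the $table_prefix value from wp-config.php text, or None if absent."""
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]\s*;", wp_config)
    return m.group(1) if m else None

def indexes_disabled(htaccess: str) -> bool:
    """True if the last Options directive that mentions Indexes turns it off."""
    disabled = False
    for raw in htaccess.splitlines():
        line = raw.strip()
        if line.startswith('#') or not line.lower().startswith('options'):
            continue
        tokens = line.lower().split()[1:]
        if '-indexes' in tokens:
            disabled = True
        elif 'indexes' in tokens or '+indexes' in tokens:
            disabled = False   # a later directive re-enables listing
    return disabled

def login_errors_hidden(functions_php: str) -> bool:
    """True if functions.php hooks the login_errors filter."""
    return re.search(r"add_filter\(\s*['\"]login_errors['\"]", functions_php) is not None

def audit(wp_config: str, htaccess: str, functions_php: str) -> List[str]:
    """Return one finding per checklist item that is not satisfied."""
    findings = []
    prefix = table_prefix(wp_config)
    if prefix is None:
        findings.append("wp-config.php: no $table_prefix found")
    elif prefix == 'wp_':
        findings.append("wp-config.php: default 'wp_' table prefix still in use")
    if not indexes_disabled(htaccess):
        findings.append(".htaccess: directory listing not disabled (add 'Options All -Indexes')")
    if not login_errors_hidden(functions_php):
        findings.append("functions.php: login_errors filter not set, login errors stay verbose")
    return findings
```

Run `audit()` on the contents of your real files; an empty list means all three checks pass.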
