Your aim is to make your WordPress site a hostile environment for hackers so they bugger off and go and try and make somebody else’s life difficult! Here are some tips and tricks showing you how to do this.
1. Upgrade your version of WordPress to the latest version
WordPress makes it easy for you to upgrade to the latest version. There are three main ways to upgrade your WordPress installation and protect your energies and livelihood.
- You may see a message at the top of your WordPress Dashboard prompting you to upgrade to the latest version. This is an automatic upgrade for dummies step that takes less than one minute. Do it!
- If you aren’t running a more recent version of WordPress, there are plugins available that help you automatically upgrade WordPress to the latest version with the click of a button.
- Your server (if you are using Fantastico scripts to install WordPress in the first place) will have a link to click to upgrade to the latest version it supports.
Sometimes your Web Host Provider may take a while to upgrade your cpanel and you won’t see an upgrade or update link for some time after the official latest release of WordPress message appears in your Dashboard messages.
2. Keep your plugins upgraded
Plugins get upgraded to match the latest version of WordPress. Make sure you upgrade your plugins whenever you get an alert (red circle with a number beside the “Plugins” tab in your dashboard).
- Any security vulnerabilities that are fixed by the latest version of WordPress should be matched, if not already compatible, with a good plugin.
- Some plugins may not support the more recent version of WordPress – continue to use them at your own risk!
3. Install the WP Security Scan plugin
Do this via your plugins panel …using the Plugin Browser/Installer functionality, or by browsing the WordPress Plugin Directory directly and installing manually.
WP Security Scan scans your WordPress installation for security vulnerabilities and suggests corrective actions for: passwords, file permissions, database security, version hiding and WordPress admin protection/security.
Once you upload and activate this plugin, you will benefit instantly. The first thing this plugin does is hide the version of WordPress you are using.
- You may also want to consider unchecking the option to display the version of Thesis as well.
Go to your new Security tab and you will get something like this…

You’ll see that the initial scan error message alerts you to the fact that your table prefix should not be wp_.
This is because all hackers know that this is the default. For detailed instructions on how to address this, please go to Guvnr.com and follow his reliable instructions.
This step is beyond my level of expertise and I had trouble understanding how to do this at first (…and second).
4. Change your user name
The default of Admin makes it easy for hackers.
- Change your user name to something other than the default AND
- Change your publicly displayed user name to something other than your new ‘secret’ user name
You can choose something other than ‘Admin’ when you first set up your WordPress installation in Fantastico/cpanel. Otherwise, go to your Dashboard/Users/Profile and make the changes.
- You may have to create a new user and delete the old one, depending on what version you are using.
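As an added example (not part of the original post), here is a small Python audit of the two problems this section describes: a login that is still the default “admin”, and a public display name that simply repeats the login. The rows are constructed to mimic the user_login, user_nicename and display_name columns of the wp_users table; in practice you would pull them with a database query. It also flags user_nicename, because WordPress builds author archive URLs from it and, unless changed, it defaults to the login, so it leaks the login just as a matching display name does.

```python
# Added example, not from the post: audit WordPress user records for a default
# "admin" login and for public names that reveal the login.

DEFAULT_LOGIN = "admin"

def audit_users(rows):
    """Return a list of (user_login, finding) tuples for risky accounts.

    Each row is a dict with the wp_users columns user_login, user_nicename
    and display_name (constructed here; normally read from the database).
    """
    findings = []
    for row in rows:
        login = row["user_login"]
        if login.lower() == DEFAULT_LOGIN:
            findings.append((login, "login is the default 'admin'"))
        if row["display_name"].lower() == login.lower():
            findings.append((login, "display_name reveals the login"))
        # Author archive URLs (/author/<nicename>/) use user_nicename, which
        # WordPress derives from the login unless you change it.
        if row.get("user_nicename", "").lower() == login.lower():
            findings.append((login, "user_nicename reveals the login"))
    return findings

# Constructed sample rows: one default admin, one user whose public names
# repeat the login, and one set up the way section 4 recommends.
SAMPLE_USERS = [
    {"user_login": "admin", "user_nicename": "admin", "display_name": "Site Owner"},
    {"user_login": "k7editor", "user_nicename": "k7editor", "display_name": "k7editor"},
    {"user_login": "s3cretname", "user_nicename": "kate", "display_name": "Kate"},
]

if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_USERS):
        print(f"{login}: {finding}")
```

Only the third sample account comes back clean; the first is flagged for the default login and for a nicename that matches it, the second for both public names matching the login.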
5. Use a difficult password
This is obvious BUT often overlooked.
Mix up your password with special characters, numbers, lower-case letters and upper-case letters.
You might want to use the “!” and a trick for using special characters easily is to hold down the shift key and use some numbers you can remember. E.g. Mymum!(#(! is simply Mymum followed by the year 1939 holding down the shift key and followed by the exclamation mark above the 1.
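As an added example (not code from the post), here is a Python check that tests a candidate password for the mix this section asks for (lower-case, upper-case, digits, special characters) plus a minimum length, which is this example’s own choice of 12. It also maps shift-row symbols back to the digit keys that produce them on a US keyboard, so a password built from a word plus a shifted year is recognised as the word-plus-year it really is; such tails are very common and worth flagging.

```python
import string

# Added example, not from the post: password policy check with shift-row
# decoding. MIN_LENGTH is this example's own threshold.

SHIFT_ROW = {"!": "1", "@": "2", "#": "3", "$": "4", "%": "5",
             "^": "6", "&": "7", "*": "8", "(": "9", ")": "0"}
MIN_LENGTH = 12

def unshift(password):
    """Replace each shift-row symbol with the digit key beneath it."""
    return "".join(SHIFT_ROW.get(ch, ch) for ch in password)

def has_year_tail(password):
    """True when the password ends in a 19xx/20xx year, typed as digits or as
    shifted digits, optionally followed by a single trailing symbol."""
    core = password[:-1] if password and password[-1] in string.punctuation else password
    tail = unshift(core)[-4:]
    return tail.isdigit() and tail[:2] in ("19", "20")

def check_password(password):
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name} character")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if has_year_tail(password):
        problems.append("ends in a year (shifted or not), which is easy to guess")
    return problems

if __name__ == "__main__":
    for candidate in ("Mymum!(#(!", "Tr4verse-Blue-Kettle!"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Run against the example above, the check reports that the password has no actual digit, is shorter than 12 characters, and ends in a shifted year; a longer passphrase with a real digit in the middle passes.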
6. Stop flashing your plugin details to the world
In the screenshot below I show how my plugin data was displayed to anybody who simply typed in the URL
http://yoururl.com/wp-content/plugins

While it might not be too big a deal for people to know what plugins you use – it can be damaging for hackers to know what version of a plugin you use, when it was last updated and access the individual files that make it up.
Who knows what gems of code they have ready to attack your “Akismet” plugin, for example. How would you feel about a denial of service attack with thousands of inappropriate and offensive comments spamming your pages? The best way to get indexed or banned by search engines when they visit (daily in my case!).
I used the following fix beautifully.
Go into your cpanel (server files) if you have access – and create a file called “.htaccess” in /wp-content/themes/thesis/ and paste the following code into it.
# BEGIN WordPress
# Send requests for anything that is not a real file or directory to WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# Prevents directory listing (hides every entry from Apache's auto-generated index)
IndexIgnore *
# END WordPress
If you have trouble creating a file in your theme directory, create it in the main root directory and drag and drop it into the theme folder after it is created. You may not be able to see it after you refresh your server browser, but if you search for it you will see that it is there. It depends on your server settings.
Now save the file, refresh your server browser and refresh your page with your plugins on show. After I did this simple step I got this screen instead of the one above.
I made sure I tested this before recommending it!
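As an added example (not from the post or from any plugin), here is a Python script that walks a wp-content tree and lists every directory Apache could still show a listing for. A directory counts as covered when it, or a parent, carries an .htaccess with Options -Indexes (Apache refuses listings with a 403) or IndexIgnore * (the listing is served but empty, which is what the snippet above does), or when it holds an index.php or index.html stub that Apache serves instead of a listing, the alternative one commenter mentions. The sample tree is constructed in a temporary directory; note that an .htaccess only governs its own directory and those below it, so a copy in the theme folder does not cover /wp-content/plugins.

```python
import os
import re
import tempfile

# Added example, not from the post: find wp-content directories that may be
# listed by Apache. Sample tree is constructed in a temp dir for the demo.

INDEX_STUBS = ("index.php", "index.html")
# "Options -Indexes" refuses listings; "IndexIgnore *" returns an empty one.
# Comment lines ("# ...") are not matched because ^ must be followed by the directive.
LISTING_OFF = re.compile(r"^\s*(?:Options\b.*-Indexes\b|IndexIgnore\s+\*)", re.M)

def htaccess_disables_listing(directory):
    """True if directory/.htaccess contains a listing-disabling directive."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        return LISTING_OFF.search(fh.read()) is not None

def exposed_directories(root):
    """Return relative paths (under root) of directories Apache may list."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        # An .htaccess applies to its directory and everything beneath it,
        # so look upward from dirpath until we reach root.
        covered = False
        current = dirpath
        while True:
            if htaccess_disables_listing(current):
                covered = True
                break
            if os.path.samefile(current, root):
                break
            current = os.path.dirname(current)
        if not covered and not any(stub in filenames for stub in INDEX_STUBS):
            exposed.append(os.path.relpath(dirpath, root))
    return exposed

def build_sample_tree(base):
    """Constructed wp-content layout: plugins open, theme protected by
    .htaccess, an uploads year folder protected by an index.php stub."""
    layout = {
        "plugins/akismet": ["akismet.php"],
        "plugins/hello": ["hello.php"],
        "themes/thesis": [".htaccess", "style.css"],
        "themes/thesis/lib": ["lib.php"],
        "uploads/2010": ["index.php", "photo.jpg"],
    }
    for rel, files in layout.items():
        directory = os.path.join(base, rel)
        os.makedirs(directory, exist_ok=True)
        for name in files:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("Options -Indexes\n" if name == ".htaccess" else "")
    return base

def demo():
    """Build the sample tree and return the directories still exposed."""
    with tempfile.TemporaryDirectory() as tmp:
        return exposed_directories(build_sample_tree(tmp))

if __name__ == "__main__":
    for rel in demo():
        print("listable:", rel)
```

On the sample tree the theme folder and its subfolder are covered by the one .htaccess, the uploads year folder is covered by its stub, and everything else, including the plugins folder, is reported as listable. Pointing exposed_directories at a real wp-content directory (for example over a local copy pulled down with FTP) gives the same report for your own site.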
This post is inspired by Guvnr.com and his videos on YouTube.
Hi there,
Big cheers for the compliment… mighty pleased you liked my post.
Best wishes.
Can you tell me who did your layout? I’ve been looking for one kind of like yours. Thank you.
Imdb – I cobbled the design together myself with css and photoshop for background and logo images. You’re welcome to take a peek at the custom css and use it as a basis to design your own look. The Thesis Forum and other Thesis rockstars showed me the way :-)
OK thanks.
Nice detailed article, all wordpress users should follow these as basics.
Having just been hacked and having to redo half my websites from db backups this is a useful piece and well worth everyone noting!
I wish I could figure out how to get the wp security scan to change my database prefixes without doing it manually! Ah well, all good fun.
“I wish I could figure out how to get the wp security scan to change my database prefixes without doing it manually!”… you can’t, it’s a glitch, it’s hopeless. The plugin will only change database prefixes in a new installation!
This tutorial seemed great. I have done every step here and then some more to hack proof my wordpress installation. I have 3 well ranking sites and do well with seo. Every damn time I set up a wordpress blog the same thing happens… Within a few weeks my blog ranks first or amongst first for given key words… Bam, I get hacked every f’ing time.
Doesn’t happen with my sites, only wordpress blogs… They are too open source and easy for commoners to understand and hack… None of these steps will prevent sql injections!!!
I hate Wordpress, it turns out to be a waste of time in the long run…
OOhhhh after 2 days of searching what went wrong I got it! A hacker was able to inject malicious code in my database through a post rating plugin! How do I know? Because I tried to install my back up on a local install of wordpress. I fetched my plugins via ftp one by one. When I activated post ratings I got my same problem, redirected to a white page with some crappy message… So I was harsh on WordPress, the install was fine and the backup is functional, it’s those damn plugins that are not safe!!!
@Code Moi Ca Those plugins are a problem. I’m having problems keeping my cpu usage down on my server and apparently it’s the sql queries on the database by the plugins. Problem is I don’t want to stop using my plugins I have. I need to find out how to lower my cpu usage.
I had this problem a year ago, and I tried everything to reduce the cpu usage, incl. optimizing MySQL, compressing javascript files, using wp supercache and gzip etc you name it, I’ve tried it all, however, my blogs and web hosting account still got suspended by the shared hosting company, namely Bluehost.
My solution: I switched to a VPS, and I’m loving it.
However, I recently learned about CDN. You might wanna try it out too, it helps a lot! Yeah, a whole lot! There’s this easy-to-use plugin, Free CDN, just search, install and activate it, and you’re done. This wonderful creation helps reduce server load and bandwidth by rewriting your static files and having ‘em served from Coral servers instead of your own. I’m not the owner of the plugin, nor an affiliate, I’m simply a happy user of the plugin.
I came to your blog while googling for thesis theme tutorials, and your blog deserves a constant visit. Keep up the good work, and please post more thesis theme tutorials, I’m sick and tired of tweaking the theme, still getting nowhere. =p Take care, mate, cheers
Sounds good. I’ll look into it. Any particular tutorials that you are interested in?
Thank you so much for the offer. Well, I’m so used to editing codes in the traditional way, you know, editing header.php, index.php/home.php, footer.php, and I get lost when I can’t find those in the Thesis’. It only gives me 3 css files and a custom functions php, and I have no idea where to cut into. I know I can put what I want into the Site/Design/Page Options, but everything seems already preset and I can’t do much other than fill in the blanks. And I get pissed when I have to go option by option to find and test what I want.
Well I found that moving the wp-config file one folder higher helps protect it. You can also rename or disable the wp-admin folder and create a secret mirror folder… I tried a few extra steps and I did delete some useless plugins. I am not getting hacked any longer. I do have more than one site and I was not referring to the one linked with my name.
Having had a whole host of my wordpress blogs hacked a few months ago I now understand that you can’t get complacent about security. The WP Security Scan sounds good so I’ll be giving that a go.
Oh my, the 6th point. I usually create an “images” folder on the root of my blog and put general images in it and always make sure to redirect it to homepage through the Cpanel link redirection option:
blog.com/images/ —> blog.com/
But I never knew that even the plugins folder looks like that. I’m not sure if the plugins folder can be redirected through the cpanel “without” harming the looks and functionality of the blog. Thesis theme has always lured me and here is another reason that suggests to me to use it for my next blog.
So far, I have been using the Lifestyle theme by Brian Gardner of StudioPress but it doesn’t really offer any SEO advantages. I love the Thesis theme’s clean and fast layout, you guys have created a marvel. Thanks guys.
Re: 6. Stop flashing your plugin details to the world
I normally create an index.html and upload it to the /plugins folder, so visitors will get a blank page instead. I wondered if your suggested method had more advantages over it.
Sounds like a good alternative. It depends what message you want to give to your ‘hacker’ visitor.
Thanks for the article, was interesting reading the comments as well.
I wrote an article similar to this, but offering tips of website hosting instead. Have a read if you want, it’s at http://exeter-web-hosting.co.uk/blog/2010/07/make-your-website-hacker-proof/ . Let me know what you think.
Good article. I especially like the bit, “If your site has been hacked, the first and foremost step would require you to switch off the FTP access. …Once you have switched off the FTP access, you should then instantly modify your log in details and carry an effective scanning of your personal computer in order to ensure the protection of your data.”
Many people don’t think about what to do if their site is hacked until after it happens.