Your aim is to make your WordPress site a hostile environment for hackers so they bugger off and go and try and make somebody else’s life difficult! Here are some tips and tricks showing you how to do this.
1. Upgrade your version of WordPress to the latest version
WordPress makes it easy for you to upgrade to the latest version. There are three main ways to upgrade your WordPress installation and protect the time and livelihood you have invested in it.
- You may see a message at the top of your WordPress Dashboard prompting you to upgrade to the latest version. This is a one-click automatic upgrade that takes less than a minute. Do it!
- If you are running an older version of WordPress without the built-in updater, there are plugins available that upgrade WordPress to the latest version with the click of a button.
- Your server (if you used Fantastico scripts to install WordPress in the first place) will have a link to click to upgrade to the latest version it supports.
Sometimes your web hosting provider may take a while to upgrade its cPanel, so you won’t see an upgrade or update link for some time after the official latest release message appears in your Dashboard.
2. Keep your plugins upgraded
Plugins get upgraded to match the latest version of WordPress. Make sure you upgrade your plugins whenever you get an alert (a red circle with a number beside the “Plugins” tab in your dashboard).
- A well-maintained plugin will be updated to match any security vulnerabilities fixed in the latest version of WordPress, if it is not already compatible.
- Some plugins may not support the more recent version of WordPress – continue to use them at your own risk!
3. Install the WP Security Scan plugin
Do this via your Plugins panel using the Plugin Browser/Installer, or by browsing the WordPress Plugin Directory directly and installing it manually.
WP Security Scan scans your WordPress installation for security vulnerabilities and suggests corrective actions for: passwords, file permissions, database security, version hiding and WordPress admin protection/security.
Once you upload and activate this plugin, you will benefit instantly. The first thing it does is hide the version of WordPress you are using.
- You may also want to consider unchecking the option to display the version of Thesis as well.
Go to your new Security tab and you will get something like this…

You’ll see that the initial scan flags an error: your table prefix should not be wp_.
This is because every hacker knows that wp_ is the default. For detailed instructions on how to change it, go to Guvnr.com and follow his reliable instructions.
This step is beyond my level of expertise and I had trouble understanding how to do this at first (…and second).
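Changing the prefix is more than renaming the tables, which is why the scan plugin alone cannot do it on an existing site: a few option and usermeta rows carry the prefix in their names, and wp-config.php must point at the new one. As an added example (not from this post or from Guvnr.com), the following Python script walks through the whole procedure against an in-memory SQLite miniature of the schema. The sample tables and rows, the new prefix k9x_, and the helper names are constructed for the example; on a live MySQL database the same ALTER TABLE and UPDATE statements apply (backtick-quote the identifiers), and you take a backup before running them.

```python
import re
import sqlite3

# Prefix-dependent *data* in a stock WordPress database, not just table names:
# one options row and several usermeta keys embed the prefix. Renaming the
# tables alone leaves these behind and locks every user out of the admin.
PREFIXED_OPTION_NAMES = ("user_roles",)
PREFIXED_META_KEYS = ("capabilities", "user_level", "user-settings",
                      "user-settings-time", "dashboard_quick_press_last_post_id")
PREFIX_RE = re.compile(r"[A-Za-z0-9_]+")


def list_tables(conn):
    """Sorted table names (sqlite_master here; SHOW TABLES on MySQL)."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)


def rename_prefix(conn, old, new):
    """Rename every table starting with `old` to start with `new`, then fix the
    option/usermeta rows whose names embed the prefix. Returns {old: new}."""
    if not (PREFIX_RE.fullmatch(old) and PREFIX_RE.fullmatch(new)):
        raise ValueError("prefixes must be alphanumeric/underscore")
    # Filter in Python rather than with LIKE 'wp_%': in LIKE, '_' matches any
    # single character, so 'wp_%' would also match a table named 'wpxtra'.
    renamed = {t: new + t[len(old):] for t in list_tables(conn) if t.startswith(old)}
    for t, nt in renamed.items():
        # Identifiers were validated above; quote with backticks on MySQL.
        conn.execute(f'ALTER TABLE "{t}" RENAME TO "{nt}"')
    # Only the known prefix-dependent names are touched. A blanket rename of
    # every value starting with 'wp_' would corrupt options whose literal name
    # happens to start with wp_ (e.g. wp_page_for_privacy_policy).
    for name in PREFIXED_OPTION_NAMES:
        conn.execute(f'UPDATE "{new}options" SET option_name = ? WHERE option_name = ?',
                     (new + name, old + name))
    for key in PREFIXED_META_KEYS:
        conn.execute(f'UPDATE "{new}usermeta" SET meta_key = ? WHERE meta_key = ?',
                     (new + key, old + key))
    conn.commit()
    return renamed


def patch_wp_config(text, new):
    """Repoint the $table_prefix line of wp-config.php at the new prefix."""
    pattern = re.compile(r"(\$table_prefix\s*=\s*['\"])[^'\"]*(['\"]\s*;)")
    return pattern.sub(lambda m: m.group(1) + new + m.group(2), text, count=1)


def build_sample_db():
    """Constructed miniature of a WordPress database with the default prefix."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT);
        CREATE TABLE wpxtra (id INTEGER);  -- not a WordPress table; must stay untouched
        INSERT INTO wp_options VALUES ('siteurl', 'http://example.invalid');
        INSERT INTO wp_options VALUES ('wp_user_roles', 'a:0:{}');
        INSERT INTO wp_usermeta VALUES (1, 'nickname', 'editor');
        INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (1, 'wp_user_level', '10');
    """)
    return conn


def option_names(conn, prefix):
    rows = conn.execute(f'SELECT option_name FROM "{prefix}options" ORDER BY option_name')
    return [r[0] for r in rows]


def meta_keys(conn, prefix):
    rows = conn.execute(f'SELECT meta_key FROM "{prefix}usermeta" ORDER BY meta_key')
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print(rename_prefix(db, "wp_", "k9x_"))
    print(list_tables(db))
    print(patch_wp_config("$table_prefix = 'wp_';", "k9x_"))
```

The script deliberately keeps an explicit list of prefix-dependent keys instead of rewriting everything that begins with the old prefix, because WordPress also stores options whose fixed names begin with wp_ and those must not be renamed.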
4. Change your user name
The default user name of Admin makes it easy for hackers: it hands them half of the login.
- Change your user name to something other than the default AND
- Change your publicly displayed name to something other than your new ’secret’ user name
You can choose something other than ‘Admin’ when you first set up your WordPress installation in Fantastico/cPanel. Otherwise, go to your Dashboard/Users/Profile and make the changes.
- You may have to create a new user and delete the old one, depending on what version you are using.
5. Use a difficult password
This is obvious BUT often overlooked.
Mix special characters, numbers, lower-case letters and upper-case letters into your password.
You might want to use the “!”, and a trick for typing special characters easily is to hold down the shift key and type some numbers you can remember. E.g. Mymum!(#(! is simply Mymum followed by the year 1939 typed with the shift key held down, followed by the exclamation mark above the 1.
6. Stop flashing your plugin details to the world
In the screenshot below, I am showing you how my plugin data was displayed to anybody who simply typed in the URL
http://yoururl.com/wp-content/plugins

While it might not be too big a deal for people to know what plugins you use, it can be damaging for hackers to know what version of a plugin you use, when it was last updated, and to be able to access the individual files that make it up.
Who knows what gems of code they have ready to attack your “Akismet” plugin, for example. How would you feel about a denial of service attack, with thousands of inappropriate and offensive comments spamming your pages? It is the best way to get noticed, or banned, by search engines when they visit (daily in my case!).
The following fix worked beautifully for me.
Go into your cPanel file manager (server files) if you have access, create a file called “.htaccess” in /wp-content/themes/thesis/ and paste the following code into it.
```apache
# BEGIN WordPress
RewriteEngine On
RewriteBase /
# Hand any request that is not an existing file or directory to WordPress
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# Prevents directory listing: hide every entry from mod_autoindex listings.
# A .htaccess file only governs its own directory and those below it;
# "Options -Indexes" switches listings off entirely where AllowOverride permits.
IndexIgnore *
# END WordPress
```
If you have trouble creating a file in your theme directory, create it in the main root directory and drag and drop it into the theme folder after it is created. You may not be able to see it after you refresh your server file browser, but if you search for it you will see that it is there. It depends on your server settings.
Now save the file, refresh your server file browser and reload the page that showed your plugins. After I did this simple step I got this screen instead of the one above.
I made sure I tested this before recommending it!
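Testing the fix the way the post does, by reloading the plugins URL in a browser, can be automated so you can re-check after every server or theme change. The following Python script is an added example, not part of the original post or of Guvnr.com’s videos: it fetches a directory URL and reports whether the response is an auto-generated index page (Apache’s “Index of /…” title), and it proves the check against a throwaway local docroot served by Python’s own http.server, which produces a “Directory listing for …” page instead. The docroot layout, the akismet folder and the helper names are constructed for the example.

```python
import functools
import http.server
import os
import re
import shutil
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

# Signatures of auto-generated index pages. Apache's mod_autoindex titles the
# page "Index of /path"; Python's http.server (used for the local fixture
# below) titles it "Directory listing for /path".
AUTOINDEX_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<title>\s*Directory listing for ", re.I),
)


def looks_like_directory_listing(body):
    """True if an HTML body is an auto-generated directory index."""
    return any(m.search(body) for m in AUTOINDEX_MARKERS)


def directory_listing_exposed(url, timeout=5):
    """Fetch a directory URL and report whether the server listed its contents.
    A 403/404 (or any other HTTP error status) counts as not exposed."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError:
        return False
    return looks_like_directory_listing(body)


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the local fixture silent
        pass


def run_local_check():
    """Constructed fixture: a temporary docroot with an exposed plugins
    directory and a themes directory that carries an index file.
    Returns {'plugins': bool, 'themes': bool}."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "plugins", "akismet"))
    os.makedirs(os.path.join(root, "wp-content", "themes"))
    with open(os.path.join(root, "wp-content", "themes", "index.html"), "w") as f:
        f.write("<html><head><title>My Blog</title></head><body></body></html>")
    handler = functools.partial(_QuietHandler, directory=root)
    socketserver.TCPServer.allow_reuse_address = True
    try:
        with socketserver.TCPServer(("127.0.0.1", 0), handler) as srv:
            port = srv.server_address[1]
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            try:
                base = f"http://127.0.0.1:{port}/wp-content/"
                return {
                    "plugins": directory_listing_exposed(base + "plugins/"),
                    "themes": directory_listing_exposed(base + "themes/"),
                }
            finally:
                srv.shutdown()
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_local_check())  # {'plugins': True, 'themes': False}
```

Point directory_listing_exposed at your own site’s /wp-content/plugins/ URL before and after adding the .htaccess file; a 403 or a page without the index title means the listing is gone.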
This post is inspired by Guvnr.com and his videos on YouTube.
10 comments
Hi there,
Big cheers for the compliment… mighty pleased you liked my post.
Best wishes.
the_guv’s latest artistic creation..Set Up Unmanaged VPS (4 Newbies) – Part 12: Setup FileZilla for Secure FTP (SFTP)
catalog movie
Can you tell me who did your layout? I’ve been looking for one kind of like yours. Thank you.
Imdb’s last blog ..Wildboyz (2003) [Adventure, Comedy, Documentary], s04e07
Imdb – I cobbled the design together myself with css and photoshop for background and logo images. You’re welcome to take a peek at the custom css and use it as a basis to design your own look. The Thesis Forum and other Thesis rockstars showed me the way :-)
OK thanks.
Imdb’s last blog ..Wildboyz (2003) [Adventure, Comedy, Documentary], s04e07
Nice detailed article, all wordpress users should follow these as basics.
Dragon Blogger’s last blog ..Google Searching and Auto-Complete
Having just been hacked and having to redo half my websites from db backups this is a useful piece and well worth everyone noting!
I wish I could figure out how to get the wp security scan to change my database prefixes without doing it manually! Ah well, all good fun.
“I wish I could figure out how to get the wp security scan to change my database prefixes without doing it manually!”… you can’t; it’s a glitch, it’s hopeless. The plugin will only change database prefixes in a new installation!
This tutorial seemed great. I have done every step here and then some more to hack-proof my WordPress installation. I have 3 well-ranking sites and do well with SEO. Every damn time I set up a WordPress blog the same thing happens… Within a few weeks my blog ranks first or amongst the first for given keywords… Bam, I get hacked every f’ing time.
Doesn’t happen with my sites, only WordPress blogs… They are too open source and easy for commoners to understand and hack… None of these steps will prevent SQL injections!!!
I hate WordPress, it turns out to be a waste of time in the long run…
OOhhhh, after 2 days of searching for what went wrong I got it! A hacker was able to inject malicious code into my database through a post rating plugin! How do I know? Because I tried to install my backup on a local install of WordPress. I fetched my plugins via FTP one by one. When I activated post ratings I got the same problem: redirected to a white page with some crappy message… So I was harsh on WordPress; the install was fine and the backup is functional, it’s those damn plugins that are not safe!!!
@Code Moi Ca Those plugins are a problem. I’m having problems keeping my CPU usage down on my server and apparently it’s the SQL queries on the database by the plugins. Problem is I don’t want to stop using the plugins I have. I need to find out how to lower my CPU usage.