
10 Tips To Make WordPress Hack-Proof

by sushiboyz on Feb.11, 2010, under Computer

Having your blog hacked isn’t fun, and the standard WordPress installation is not impermeable. Not only does a hacked blog mean downtime while you work with your host to track down the problem and make sure it doesn’t happen again; it also means hours of cleanup afterwards, for instance getting your email working properly once more. All in all, valuable time wasted.

Prevention is better than cure. Here are 10 Tips To Make WordPress Hack-Proof.

What You Need

* a WordPress installation
* the WordPress plugin, wp-phpmyadmin
* the WordPress plugin, wp-security-scan
* FTP access to the server on which your blog resides (use SFTP or FTPS if your host offers it; plain FTP sends your password in the clear)

Before You Begin

* backup your files, using your FTP client
* backup your database, using wp-phpmyadmin, and keep both copies somewhere other than the server itself

1. Upgrade WordPress. To the latest version. If you’re using 2.7 or later, this can be done from your admin dashboard at the click of a button: just look for the “upgrade” notice. If you’re using an earlier version, read this. Most blog compromises use bugs that are already fixed in a newer release, so this is the step that matters most.

2. Update Plugins. Make sure all of them are upgraded to their latest versions. If they’re not, you are notified on your Plugins admin page. Old versions are a security risk, and plugins you no longer use should be deleted rather than merely deactivated, since a deactivated plugin’s files are still sitting on the server and can still be requested directly.

3. Change the “wp_” Database Table Prefix. I use wp-security-scan, from the same guys that developed the super-handy All In One SEO Pack, Semper Fi Web Design. Once activated, on the left-hand menu, click on “Database” in the “Security” drop-down. The page that loads lets you change the prefix in one go. Be realistic about what this buys you: it breaks canned SQL injection payloads that hard-code wp_users, but an attacker who can run arbitrary SQL can simply read the real table names from information_schema. If the plugin throws an error instead of making the change, do it by hand:

* i. Deactivate all WordPress plugins, as a precaution.
* ii. Backup the database, as explained in Guvnr’s video tutorial.
* iii. Open the downloaded *.sql file with a text editor (where * is the name of your database).
* iv. Replace the “wp_” prefix with your new prefix wherever it names a table (CREATE TABLE `wp_posts`, INSERT INTO `wp_posts` and so on) and in the few option and meta keys that are built from it: wp_user_roles in the options table, and wp_capabilities and wp_user_level in the usermeta table. Do not do a blind find-and-replace of every “wp_” in the file, because that also rewrites the string wherever it happens to occur inside post content; but do not miss the keys either, or every account loses its role after the import and you are locked out of the dashboard.
* v. Within your WordPress database, drop all the tables. DO NOT DROP THE DATABASE itself, only the tables. wp-phpmyadmin is handy for the export in step ii, but it runs inside WordPress, which stops working the moment its tables are gone, so do this step and the next from the phpMyAdmin in your host’s control panel or from the mysql command line.
* vi. Still within your WordPress database, import your newly-amended *.sql file, the one you edited by changing the prefix.
* vii. Open and edit your wp-config.php file, in the root blog folder, changing $table_prefix = 'wp_'; to $table_prefix = 'yourNewPrefix_';.
* viii. Reactivate your plugins and log in to confirm your administrator account still has its role.
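Step iv is the error-prone part of this procedure, so here is an added example (my own Python script, not code from the original post or from wp-security-scan) that does the edit over a mysqldump file. It rewrites only backtick-quoted table identifiers and the handful of core option and meta keys that carry the prefix, leaves a “wp_” inside post content untouched, lists the resulting tables so you can compare before and after, and produces the matching wp-config.php line. The dump excerpt and the new prefix fafa7_ are constructed for the demonstration.

```python
import re

# Constructed excerpt of a mysqldump of a WordPress database, not a real dump.
# It mixes the places the prefix legitimately occurs (table identifiers, the
# wp_user_roles option, the wp_capabilities / wp_user_level meta keys) with
# post text that merely happens to contain "wp_".
SAMPLE_DUMP = """\
DROP TABLE IF EXISTS `wp_options`;
CREATE TABLE `wp_options` (`option_id` bigint(20), `option_name` varchar(64), `option_value` longtext);
INSERT INTO `wp_options` VALUES (1,'siteurl','http://myblog.com'),(2,'wp_user_roles','a:1:{s:13:"administrator";a:0:{}}');
DROP TABLE IF EXISTS `wp_usermeta`;
CREATE TABLE `wp_usermeta` (`umeta_id` bigint(20), `user_id` bigint(20), `meta_key` varchar(255), `meta_value` longtext);
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'),(2,1,'wp_user_level','10');
DROP TABLE IF EXISTS `wp_posts`;
CREATE TABLE `wp_posts` (`ID` bigint(20), `post_author` bigint(20), `post_title` text, `post_content` longtext);
INSERT INTO `wp_posts` VALUES (1,1,'wp_ prefix explained','Edit wp_options by hand with care.');
"""

# Option and user-meta keys that WordPress core derives from the table prefix.
# Miss these and every account loses its role after the import.
PREFIXED_KEYS = ("user_roles", "capabilities", "user_level", "user-settings", "user-settings-time")


def validate_prefix(prefix: str) -> bool:
    """WordPress accepts only letters, digits and underscores in the prefix;
    a trailing underscore keeps the table names readable (x7k2_posts)."""
    return re.fullmatch(r"[A-Za-z0-9_]+", prefix) is not None and prefix.endswith("_")


def rename_prefix(dump: str, old: str, new: str) -> str:
    """Rewrite table identifiers and prefixed keys in a mysqldump file.

    Only backtick-quoted identifiers (`wp_posts`) and the single-quoted core
    keys ('wp_capabilities') are touched, so an occurrence of the prefix
    inside post content or other free text survives unchanged.
    """
    ident = re.compile("`" + re.escape(old) + r"(?=[A-Za-z0-9_]+`)")
    keys = re.compile("'" + re.escape(old) + "(" + "|".join(map(re.escape, PREFIXED_KEYS)) + ")'")
    out = ident.sub("`" + new, dump)
    return keys.sub(lambda m: "'" + new + m.group(1) + "'", out)


def list_tables(dump: str) -> list:
    """Table names created by the dump; compare the list before and after."""
    return re.findall(r"CREATE TABLE `([A-Za-z0-9_]+)`", dump)


def rewrite_wp_config(config: str, new: str) -> str:
    """Replace the value on the $table_prefix line of wp-config.php."""
    line = re.compile(r"(\$table_prefix\s*=\s*)(['\"])[A-Za-z0-9_]*\2(\s*;)")
    return line.sub(lambda m: m.group(1) + "'" + new + "'" + m.group(3), config, count=1)


if __name__ == "__main__":
    NEW_PREFIX = "fafa7_"  # assumption: any random prefix of your own will do
    if not validate_prefix(NEW_PREFIX):
        raise SystemExit("prefix may contain only letters, digits and '_'")
    renamed = rename_prefix(SAMPLE_DUMP, "wp_", NEW_PREFIX)
    print(renamed)
    print("tables:", list_tables(renamed))
    print(rewrite_wp_config("$table_prefix = 'wp_';", NEW_PREFIX))
```

For a real migration, read your exported dump from disk, pass it through rename_prefix, write the result to a new file and import that; keep the untouched export as your rollback. If list_tables reports fewer tables after the rewrite than before, a plugin has created a table the regex did not see, so inspect the dump before importing.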

4. Delete the “admin” User. Just to make hackers work harder, bin this: every stock install has it, so it is the first username tried in password-guessing attacks. Create a new user with the Administrator role, and give that user a nickname (for public display) that is different from the username. Then log out, log back in as the new user, and delete the original “admin” user; when WordPress asks what to do with admin’s posts, attribute them to the new account rather than deleting them. Bear in mind that usernames can still be recovered from author archive URLs (myblog.com/?author=1 redirects to /author/username/), so this slows an attacker down rather than hiding anything.

5. Use a Stronger Password. Bit obvious, this one. Mix it up with letters, digits and special characters, upper and lower case, make it long, and don’t reuse it on any other site. I use RoboForm to remember (and encrypt) my passwords, and that’s free.

6. Hide your WordPress version. Older themes print the version themselves: from your theme’s folder, open “header.php”, search for the line…

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

…and delete it. It has no useful purpose. Newer themes don’t carry that line because WordPress now prints the same tag from wp_head(), so view the page source after the change; if the tag is still there, remove the wp_generator action from wp_head in your theme’s functions.php. The version is also printed in your RSS feed and in readme.html in the blog root, so delete readme.html as well. Hiding the version buys little if you skipped step 1, since attackers probe for known vulnerable files rather than reading the tag.

7. Ensure WordPress Database Errors Are Turned Off. A database error shows the visitor the failing query, table names included. In recent WordPress versions, they are turned off by default, so upgrade, and make sure WP_DEBUG is not set to true in wp-config.php on a live blog.

8. Remove the WP Generator META Tag. This is the tag from step 6 again, removed at its source in the WordPress core rather than in the theme. After you activate and run wp-security-scan, this is done automatically.

9. Create an .htaccess File in “wp-admin/”. Open a new text file and paste this…

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

… Save the file as .htaccess and upload it to your “wp-admin/” folder, i.e. the folder served at http://myblog.com/wp-admin/. Be clear about what this does: these are WordPress’s standard permalink rules, which hand requests for files that don’t exist to index.php instead of letting Apache answer them. They do not restrict who can reach wp-admin. If your host lets you, the stronger option is to limit wp-admin/ to your own IP addresses or put it behind HTTP basic authentication, leaving wp-admin/admin-ajax.php reachable because themes and plugins call it from public pages.

10. Hide Your Plugins. If you’re not sure whether they’re listed or not, navigate to http://myblog.com/wp-content/plugins/. If you get a page titled “Index of /wp-content/plugins” naming each plugin folder, directory listing is on. An empty listing, a 403 or 404 error, or a placeholder page all mean it is off. If the plugins are listed, copy the following into a new .htaccess file, adding the file to your wp-content/ folder…

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# Prevents directory listing
IndexIgnore *
# END WordPress

IndexIgnore * leaves listings enabled but hides every entry, so the URL now returns an empty index rather than an error. Options -Indexes would refuse listings outright with a 403, but it only works where your host’s AllowOverride includes Options, and produces a 500 error where it doesn’t, so test on a non-critical folder first.

Some web hosts don’t allow you to administer .htaccess files. If that’s the case, instead of using an .htaccess file to hide the list of plugins, create an index.html file in wp-content/plugins/ (and in wp-content/ itself); Apache serves it instead of generating a listing. You can write something about restricted access in there, if you like. Either way, the plugin listing disappears. Note that this only hides the list: anyone who knows or guesses a plugin’s folder name can still request its files directly, which is why step 2 matters more than this one.

Now navigate to http://myblog.com/wp-content/plugins/ again. The plugins should be hidden.

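Rather than clicking around to check steps 6 and 10, here is an added example in Python (my own code, not from the original post or from wp-security-scan) that runs the checks over saved HTTP responses. It goes slightly beyond the two steps by also looking at the RSS feed and readme.html, which print the version as well. The responses, paths and sample bodies are constructed for the demonstration, modelled on what stock WordPress and Apache emit, and are not captured from any real site.

```python
import re

# Constructed HTTP responses (status, body) standing in for what curl would
# fetch from a stock WordPress blog on Apache. Not captured from a real site.
EXPOSED = {
    "/": (200, '<html><head><meta name="generator" content="WordPress 2.9.2" />'
               '</head><body>Hello world!</body></html>'),
    "/feed/": (200, '<rss><channel><generator>http://wordpress.org/?v=2.9.2'
                    '</generator></channel></rss>'),
    "/readme.html": (200, '<html><body><h1>WordPress <br /> Version 2.9.2</h1></body></html>'),
    "/wp-content/plugins/": (200, '<html><head><title>Index of /wp-content/plugins</title>'
                                  '</head><body><a href="akismet/">akismet/</a></body></html>'),
}

# The same blog after the version is stripped from the generator tag and feed,
# readme.html is deleted and the plugins folder refuses directory listings.
HARDENED = {
    "/": (200, '<html><head><meta name="generator" content="WordPress" /></head>'
               '<body>Hello world!</body></html>'),
    "/feed/": (200, '<rss><channel><generator>http://wordpress.org/</generator></channel></rss>'),
    "/readme.html": (404, "Not Found"),
    "/wp-content/plugins/": (403, "Forbidden"),
}

# Where a stock install prints its version: path -> (label, regex capturing the number).
VERSION_CHECKS = {
    "/": ("generator meta tag",
          r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]*)'),
    "/feed/": ("feed generator element", r"<generator>[^<]*\?v=([\d.]+)"),
    "/readme.html": ("readme.html", r"Version\s+([\d.]+)"),
}


def version_leaks(site: dict) -> dict:
    """Map each leaking location to the version string it discloses."""
    leaks = {}
    for path, (label, pattern) in VERSION_CHECKS.items():
        status, body = site.get(path, (404, ""))
        if status != 200:
            continue  # deleted or blocked: nothing to read
        m = re.search(pattern, body, re.I)
        if m and m.group(1):  # a bare "WordPress" generator with no number is fine
            leaks[label] = m.group(1)
    return leaks


def plugins_listed(site: dict) -> bool:
    """True when Apache answers the plugins folder with an auto-generated index."""
    status, body = site.get("/wp-content/plugins/", (404, ""))
    return status == 200 and re.search(r"<title>\s*Index of /", body, re.I) is not None


def audit(site: dict) -> list:
    """Human-readable findings; an empty list means steps 6 and 10 are in place."""
    findings = [f"{label} discloses WordPress {version}"
                for label, version in version_leaks(site).items()]
    if plugins_listed(site):
        findings.append("wp-content/plugins/ returns a directory listing")
    return findings


if __name__ == "__main__":
    for name, site in (("before", EXPOSED), ("after", HARDENED)):
        print(name + ":", audit(site) or ["no findings"])
```

To run this against your own blog, fetch each path in VERSION_CHECKS plus /wp-content/plugins/ with curl (for example curl -s -o body.html -w '%{http_code}' http://myblog.com/readme.html) and build the same dict of (status, body) pairs from the results. Run it again after every WordPress or theme upgrade, because a theme update can quietly put the generator line back.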
After You’re Done

Just to be thorough, and because a few things have changed…

* Backup your files again, using your FTP client.
* Backup your database again, using wp-phpmyadmin.

That’s it. Your blog is harder to compromise than a stock install, though no blog is truly hack-proof: keep repeating steps 1 and 2 as new releases appear. Go make content!
