FaFaWorld by Fremenda

Tag: wordpress

5 simple ways to secure your blog

by sushiboyz on Apr.22, 2010, under Computer

It is a nightmare if your blog gets hacked. Sure, WordPress improves the security of its standard installation with every new version it releases, but new versions are not invincible and they’re not impermeable.

Here are 5 ways you can make your blog more secure.

1. Upgrade your WordPress. Hate the thought of saying goodbye to WordPress 2.6? Don’t. You need to upgrade to the latest WP version, and you need to do it now. Just look for the Upgrade button under Tools or on your dashboard.

2. Update your plugins. Anything old is a security risk. Keep your plugin versions up-to-date.

3. Delete the default user. In this case, it’s Admin, so bin this. Replace it with a new user (naturally, one with admin rights) and create a nickname for this user.

4. Limit access to wp-admin. Use the .htaccess file in your wp-admin folder to restrict it to your IP address. The downside to this security measure, though, is that you will need to update the .htaccess file whenever you move to another location. You may need another website walkthrough for this; but obviously, this step is out of the question for you if your IP address is dynamic.

5. Install the plugin Login Lockdown. This plugin records the time stamp and IP address whenever someone tries to log in to WordPress and fails. It works great at preventing attempts to discover your password through brute force attacks. If attempts to log in by one IP range exceed the maximum number of tries allowed, the plugin automatically disables the login function.
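The lockout rule described above, written out as an added example rather than the plugin’s own code: it replays constructed failed-login events (timestamp, IP, outcome), counts failures per /24 range inside a sliding window, and disables logins for that range once the limit is reached. The limit of 3 attempts, the 5-minute window, the 1-hour lockout and the /24 grouping of “IP range” are assumptions.

```python
# Added example, not the Login Lockdown plugin's code; limits and /24 grouping are assumed.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

MAX_FAILURES = 3               # assumed: failures allowed per window
WINDOW = timedelta(minutes=5)  # assumed: sliding window per source range
LOCKOUT = timedelta(hours=1)   # assumed: how long logins stay disabled


def source_key(ip):
    """Group attempts by /24 so one lockout covers the whole range (assumed)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def replay(events):
    """Feed (iso_timestamp, ip, success) events through the lockout rule and
    return (range, timestamp) pairs at which the login function was disabled."""
    failures = defaultdict(deque)   # range -> timestamps of recent failures
    locked_until = {}               # range -> time the lockout expires
    lockouts = []
    for ts, ip, success in events:
        now, key = datetime.fromisoformat(ts), source_key(ip)
        if key in locked_until and now < locked_until[key]:
            continue                # login refused while locked out
        if success:
            continue                # only failures are recorded
        attempts = failures[key]
        attempts.append(now)
        while now - attempts[0] > WINDOW:   # forget failures outside the window
            attempts.popleft()
        if len(attempts) >= MAX_FAILURES:   # limit reached: disable logins
            locked_until[key] = now + LOCKOUT
            attempts.clear()
            lockouts.append((key, ts))
    return lockouts


# Constructed sample: a burst from one /24 and two slow, unrelated failures.
SAMPLE_EVENTS = [
    ("2010-04-22T10:00:00", "198.51.100.7", False),
    ("2010-04-22T10:00:05", "198.51.100.8", False),  # same /24 as above
    ("2010-04-22T10:00:09", "198.51.100.7", False),  # third failure: lockout
    ("2010-04-22T10:00:20", "198.51.100.7", True),   # ignored while locked out
    ("2010-04-22T10:01:00", "203.0.113.5", False),
    ("2010-04-22T10:30:00", "203.0.113.5", False),   # outside the 5-minute window
]
```

Running `replay(SAMPLE_EVENTS)` reports one lockout, for 198.51.100.0/24 at 10:00:09; the two failures from 203.0.113.5 are too far apart to count together.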

Of course, there are many more ways you can make your blog hack-proof. We’ll come back for more….


10 Tips To Make WordPress Hack-Proof

by sushiboyz on Feb.11, 2010, under Computer

Having your blog hacked isn’t fun, and the standard WordPress installation is not impermeable. Not only does a hacked blog result in downtime, while you work with your ISP to track the problem and ensure it doesn’t happen again, it can also mean you spend time, for instance, getting your email client resolving properly once more. All in all, valuable time wasted.

Prevention is better than cure. Here are 10 Tips To Make WordPress Hack-Proof.

What You Need

* a WordPress installation
* the WordPress plugin, wp-phpmyadmin
* the WordPress plugin, wp-security-scan
* ftp access to the server on which your blog resides

Before You Begin

* backup your files, using your ftp client
* backup your database, using wp-phpmyadmin.

1. Upgrade WordPress to the latest version. If you’re using 2.7 or later, this can be done automatically from your admin dashboard at the click of a button. Just look for the “upgrade” button. If you’re using an earlier version, read this.

2. Update Plugins. Make sure all are upgraded to their latest versions. If they’re not, you are notified on your plugins admin page. Old versions can present a security risk.

3. Change the “wp_” Database Table Prefix. I use wp-security-scan, from the same guys that developed the super-handy All In One SEO Pack, Semper Fi Web Design. Once activated, on the left-hand menu, click on “Database” in the “Security” drop-down. The page that loads allows you to easily change the prefix. If that doesn’t work and throws an error instead, do this:

* i. Deactivate all WordPress plugins, as a precaution.
* ii. Backup the database, as explained in Guvnr’s video tutorial.
* iii. Open the downloaded *.sql file with a text editor (where * is the name of your database.)
* iv. Find and replace all instances of your “wp_” prefix with your new prefix.
* v. Within your WordPress database, drop all the tables. DO NOT DROP THE DATABASE itself, only the tables. wp-phpmyadmin is a great plugin to use.
* vi. Still within your WordPress database, import your newly-amended *.sql file, the one you edited by changing the prefix. wp-phpmyadmin or similar again.
* vii. Open and edit your wp-config.php file, in the root blog folder, changing `$table_prefix = 'wp_';` to `$table_prefix = 'yourNewPrefix_';`.
* viii. Reactivate your plugins.
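Step iv as an added worked example (not wp-security-scan’s or the post’s code): a small Python script that rewrites a constructed mysqldump export from wp_ to a new prefix. It is narrower than a blanket find-and-replace in one way and wider in another: it only touches table names, so post content that happens to contain “wp_” is left alone, and it also renames the wp_user_roles option and the wp_capabilities / wp_user_level usermeta keys, which carry the prefix inside the data and must follow it, otherwise no account keeps administrator rights after wp-config.php is changed. The new prefix fz7k_ is an assumed value.

```python
# Added example, not wp-security-scan's code: performs step iv on a constructed
# mysqldump export, renaming table names and the prefixed option/usermeta keys
# WordPress also stores (user_roles, capabilities, user_level). New prefix is assumed.
import re

OLD, NEW = "wp_", "fz7k_"   # assumed new prefix; choose your own

# Table names follow these keywords, backquoted, in a mysqldump export.
TABLE_REF = re.compile(
    r"((?:CREATE TABLE|INSERT INTO|DROP TABLE IF EXISTS|LOCK TABLES|ALTER TABLE) `)"
    + re.escape(OLD))
# The prefix is also stored inside data: if these keys are not renamed too,
# no account keeps administrator rights once wp-config.php points at the new prefix.
KEY_REF = re.compile(r"'" + re.escape(OLD) + r"(user_roles|capabilities|user_level)'")


def rename_prefix(dump: str) -> str:
    """Return the dump with table names and prefixed keys moved to the new prefix."""
    dump = TABLE_REF.sub(lambda m: m.group(1) + NEW, dump)
    return KEY_REF.sub(lambda m: f"'{NEW}{m.group(1)}'", dump)


def count_tables(dump: str, prefix: str) -> int:
    """Count backquoted table references that carry the given prefix."""
    return len(re.findall(r"`" + re.escape(prefix) + r"\w+`", dump))


# Constructed miniature dump; the post body "wp_ is great" must survive untouched.
SAMPLE_DUMP = """\
DROP TABLE IF EXISTS `wp_options`;
CREATE TABLE `wp_options` (`option_id` bigint(20) NOT NULL, `option_name` varchar(64));
INSERT INTO `wp_options` VALUES (1,'siteurl','http://myblog.com'),(2,'wp_user_roles','a:0:{}');
CREATE TABLE `wp_usermeta` (`umeta_id` bigint(20) NOT NULL, `meta_key` varchar(255));
INSERT INTO `wp_usermeta` VALUES (1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'),(2,'wp_user_level','10');
INSERT INTO `wp_posts` VALUES (1,'Why wp_ is great');
"""

if __name__ == "__main__":
    renamed = rename_prefix(SAMPLE_DUMP)
    print(renamed)
    print(count_tables(SAMPLE_DUMP, OLD), "tables before;", count_tables(renamed, NEW), "after")
```

Run it against your own export by reading the *.sql file into `rename_prefix` and writing the result back out before importing; the two counts should match.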

4. Delete “Admin” User. Just to make hackers work harder, bin this. Create a new user with administration rights, and give the user a nickname (for public display) that is not the same as the username. Then log out, log back in as the new user, and delete the original “admin” user.

5. Use a Stronger Password. Bit obvious, this one. Mix it up with letters, digits and special characters, upper and lower case. I use RoboForm to remember (and encrypt) my passwords, and that’s free.

6. Hide your WordPress version. From your theme’s folder, open “header.php”, search for the line…
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

…and delete it. It has no useful purpose.

7. Ensure WordPress Database Errors Are Turned Off. In recent WordPress versions, they are turned off by default. So upgrade.

8. Remove WP ID META Tag. Delete this tag from the WordPress core. After you activate and run wp-security-scan, this is done automatically.

9. Create an .htaccess File in “wp-admin/”. Open a new text file and paste this…

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

… Save the file as .htaccess and upload it to your “wp-admin/” folder, i.e. to http://myblog.com/wp-admin/

10. Hide Your Plugins. If you’re not sure whether they’re hidden or not, navigate to http://myblog.com/wp-content/plugins. If you see a 404 error page, they’re hidden. Otherwise, you’ll see them listed. In that case, copy the following into a new .htaccess file, adding the file to your wp-content/ folder…

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# Prevents directory listing
IndexIgnore *
# END WordPress

Some web hosts don’t allow you to administer .htaccess files. If that’s the case, instead of using an .htaccess file to hide the list of plugins, create an index.html file. You can write something about restricted access in there, if you like. Either way, this file will prevent a plugin listing.

Now navigate to http://myblog.com/wp-content/plugins. They should be hidden.

After You’re Done

Just to be thorough, and because a few things have changed…

* Backup your files again, using your ftp client.
* Backup your database again, using wp-phpmyadmin.

That’s it. Your blog is more secure, and way less hackable. Go make content!
