14 Apr

Protect your blog against hackers

Since a lot of WordPress sites got hacked in the last few months, I wrote down some tips, and collected some from other blogs, on how to keep your WordPress installation from getting hacked.

  • First of all, you must keep WordPress and your plug-ins up to date, because in most cases this will prevent the bad guys from using known vulnerabilities to hack your site.

There is a great plugin that automatically upgrades the WordPress installation to the latest version provided by wordpress.org; you can find it here.

  • Use a strong password :) Check this meter out.
  • Use a different prefix for your WordPress database tables to mitigate zero-day SQL injection attacks.
  • Disable directory browsing; otherwise attackers can see what you have on your site (files etc.). Just write this to your .htaccess file:

Always take a backup before modifying or editing any files!

Options All -Indexes
  • Also write this to your robots.txt file to ask bots not to index the contents of your sub-folders:
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-*
  • Protect your wp-config.php file. It contains all your database login information, so it should be well protected. This code will prevent anyone from looking at it; write it to your .htaccess file:
# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>

Or you can just move it: WordPress also checks for wp-config.php in the directory above its own, which makes the file harder to find or access.
So you can change the location of your wp-config.php file from

/public_html/wordpress/wp-config.php

To

/public_html/wp-config.php

  • Limit login attempts. Sometimes hackers think they know your password, or they might write a script to guess it. In that case you need to limit the login attempts. You can easily do so with a plugin called Login Lockdown, which will lock a user out if they enter the wrong password more than the specified number of times. They will be locked out for a specified period. You can control the settings via your wp-admin panel.

  • Limit access to the admin panel. If you have a static IP address this will be helpful: with this code you will be the only one who can access the admin area. Write this to the .htaccess in your wp-admin folder:
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx

Replace xxx.xxx.xxx.xxx with your IP address.
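The .htaccess and robots.txt edits above (directory listing off, wp-config.php denied, wp-admin restricted to one IP, robots.txt) applied in one re-runnable shell function. This is an added example, not code from the original post; the docroot path, the marker comments and the sample address 203.0.113.10 are assumptions, and it uses the Apache 2.2 Order/Deny/Allow syntax the post shows.

```shell
#!/bin/sh
# Apply the .htaccess and robots.txt hardening tips to a WordPress docroot.
# Added example (not from the original post). Assumes Apache with
# AllowOverride enabled for the docroot and the Apache 2.2 access syntax.
# Usage: wp_harden_htaccess /var/www/html 203.0.113.10

# Append a block of lines to a file only if its marker comment is not already
# there, so running the function twice does not duplicate directives.
append_once() {
    file="$1"; marker="$2"; shift 2
    if [ -f "$file" ] && grep -qF -- "$marker" "$file"; then
        return 0
    fi
    printf '%s\n' "$marker" "$@" >> "$file"
}

wp_harden_htaccess() {
    docroot="$1"; admin_ip="$2"
    [ -d "$docroot" ] || { echo "wp_harden_htaccess: $docroot is not a directory" >&2; return 1; }

    # Accept only a dotted-quad IPv4 address: anything else would be written
    # verbatim into an Apache directive.
    case "$admin_ip" in
        *[!0-9.]*|"") echo "wp_harden_htaccess: invalid IPv4 address '$admin_ip'" >&2; return 1 ;;
    esac

    # 1. Disable directory listings so wp-content/uploads/ etc. cannot be browsed.
    append_once "$docroot/.htaccess" "# wp-harden: no directory listings" \
        "Options All -Indexes"

    # 2. Deny web access to wp-config.php, which holds the database credentials.
    append_once "$docroot/.htaccess" "# wp-harden: protect wp-config.php" \
        "<Files wp-config.php>" "order allow,deny" "deny from all" "</Files>"

    # 3. Restrict wp-admin/ to one address (only practical with a static IP).
    mkdir -p "$docroot/wp-admin"
    append_once "$docroot/wp-admin/.htaccess" "# wp-harden: admin IP allowlist" \
        "Order Deny,Allow" "Deny from all" "Allow from $admin_ip"

    # 4. Ask crawlers not to index cgi-bin and wp-* paths. robots.txt is
    #    advisory only and hides nothing from an attacker, so it complements,
    #    never replaces, the .htaccess rules above.
    printf '%s\n' "User-agent: *" "Disallow: /cgi-bin" "Disallow: /wp-*" > "$docroot/robots.txt"
}
```

On Apache 2.4 the Order/Deny/Allow directives only work when mod_access_compat is loaded; the native equivalents are "Require all denied" inside the Files block and "Require ip 203.0.113.10" for wp-admin. Remember that a remote IP-based allowlist locks you out the moment your address changes, so keep shell or FTP access to the wp-admin/.htaccess file.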

  • Use secret keys. The security keys AUTH_KEY, SECURE_AUTH_KEY and LOGGED_IN_KEY were added to ensure better encryption of the information stored in the user’s cookies. A secret key is a hashing salt which makes your site harder to hack and access harder to crack by adding random elements to the password. In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like “password” or “test” is simple and easily broken. A random, unpredictable password such as “88a7da62429ba6ad3cb3c76a09641fc” takes years to come up with the right combination. To add security keys, open your wp-config.php.
    Visit this URL to get security keys: click here (random keys)
    Find these lines in wp-config.php:

    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
    

    and insert the keys you got from the generator, for example:

    define('AUTH_KEY', 'GJ--Vxy|sNmv8J4XS-o]={]O90_kK%ns,hsZ*hMpq+)y?aZc$,[s`I{Qh-?P22kd');
    define('SECURE_AUTH_KEY', '&#+Rlm?<lAKdDa(k2MFU|3antMQb@f,<[m?$9D5BukX6+B?@$ViR*o8oA)T&3J$e');
    define('LOGGED_IN_KEY', ')r#Nz2iJ)%k-8OZCAKVEFi=D&c?Z}$g0gYc/iD[;j-%G:GSz)9!mtoytR=3DB]?k');
    define('NONCE_KEY', 'uaH+~&_bTd)*bkopQ aM=zN]9&,[V_N=WX$UDx}>xb?1]#w-v|W||H[!_ev@KMrP');
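
If you would rather generate the keys on the server than paste them from a web page, the following shell function creates fresh 64-character keys and rewrites the define() lines in wp-config.php in place. This is an added example, not code from the original post or from the wordpress.org generator; it assumes a POSIX shell with /dev/urandom, tr and head, and the define('AUTH_KEY', '...') form shown above (newer WordPress versions add matching *_SALT lines, which are rewritten the same way when present).

```shell
#!/bin/sh
# Generate fresh WordPress security keys and write them into wp-config.php.
# Added example (not from the original post). Assumes a POSIX shell with
# /dev/urandom, tr and head, and single-quoted define('KEY', '...') lines.
# Usage: wp_rotate_keys /path/to/wp-config.php

# One 64-character key from /dev/urandom. The character set is restricted to
# characters that are safe inside a PHP single-quoted string (no ' or \).
wp_random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=-' < /dev/urandom | head -c 64
}

# Rewrite every define('<KEY>', '...') line with a new key, leaving all other
# lines (DB_NAME, table prefix, ...) untouched. Lines for keys that are not in
# the file (e.g. the *_SALT lines on an old install) are simply not added.
wp_rotate_keys() {
    config="$1"
    [ -f "$config" ] || { echo "wp_rotate_keys: $config not found" >&2; return 1; }
    tmp="$config.tmp.$$"
    : > "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        replaced=0
        for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                    AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
            case "$line" in
                "define('$name',"*|"define( '$name',"*)
                    printf "define('%s', '%s');\n" "$name" "$(wp_random_key)" >> "$tmp"
                    replaced=1
                    break ;;
            esac
        done
        [ "$replaced" -eq 1 ] || printf '%s\n' "$line" >> "$tmp"
    done < "$config"
    mv "$tmp" "$config"
}
```

Changing the keys invalidates every existing login cookie, so all users (including you) are logged out the next time they load a page; that is also why rotating them is a sensible first step after a suspected compromise.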
    
  • WordPress Antivirus Protection is a smart and effective solution to protect your blog against exploits and spam injections. Its special features are manual testing with an immediate result listing the infected files, and a daily automatic check with email notification. Get this plugin.
  • Protect your blog from malicious URL requests with this simple plugin: paste the following code into a text file and save it as blockbadqueries.php. Then upload it to your wp-content/plugins directory and activate it like any other plugin. That's all!

<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/

// Run the check on 'init', after WordPress has identified the current user.
// The original snippet tested the global $user_ID at plugin load time, when
// the user is not yet known, so the filter never applied to the anonymous
// requests it is meant to block.
add_action('init', 'bbq_block_bad_queries');

function bbq_block_bad_queries() {
	// Administrators (user level 10) are exempt, so admin-side requests
	// that legitimately contain e.g. "base64" are not rejected.
	if (current_user_can('level_10')) {
		return;
	}
	$uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
	// stripos() returns false when the needle is absent; compare explicitly
	// instead of relying on the return value being truthy.
	if (strlen($uri) > 255 ||
		stripos($uri, "eval(") !== false ||
		stripos($uri, "CONCAT") !== false ||
		stripos($uri, "UNION+SELECT") !== false ||
		stripos($uri, "base64") !== false) {
			@header("HTTP/1.1 414 Request-URI Too Long");
			@header("Status: 414 Request-URI Too Long");
			@header("Connection: Close");
			@exit;
	}
}
?>

  • Hide plugins: create an empty index.html file and upload it to wp-content/plugins/. This protects your WordPress plugins directory from being listed, so no one can browse the list of plugins you have installed. Hackers can easily hack your blog if they discover an out-of-date or vulnerable plugin. You can also create a .htaccess file and upload it there.
  • Akismet: Automattic Kismet (Akismet for short) is a collaborative effort to make comment and trackback spam a non-issue and restore innocence to blogging, so you never have to worry about spam again. If your blog is not protected by Akismet, download it now; it comes with your WordPress by default anyway.
  • Remove or disable unused plugins: you have probably tried a lot of them to check their functionality, but never disabled or removed them. Remove all that junk at once. Hackers can find a way to exploit them, even if you are not using them.
  • Backup: always keep a backup of your blog’s files and database, and back up the blog contents to your own system regularly. Taking manual backups is a tedious task, so I recommend you use WP Database Backup. Even if your database is compromised, you can restore it with the help of this plugin.
  • Use the : This plugin along with a CGI script at Blog Security will perform version checks, XSS checks on your template and look at your plugins for vulnerabilities.
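For the Backup tip above, here is the same thing done from the shell instead of through a plugin: the function reads the database credentials out of wp-config.php, dumps the database and archives the files. This is an added example, not code from the original post or from WP Database Backup. It assumes mysqldump, gzip and tar are installed, that wp-config.php uses single-quoted define() lines, and that DB_HOST is a plain hostname (a host:port or socket form would need splitting first); WP_DUMP_CMD is a hypothetical override that exists only so the function can be exercised without a database server.

```shell
#!/bin/sh
# Back up a WordPress site's files and database from the shell.
# Added example (not from the original post). Assumes mysqldump, gzip and tar.
# Usage: wp_backup /var/www/html /var/backups/wp

# Read the value of a single-quoted define() from wp-config.php, e.g.
#   wp_config_value /var/www/html/wp-config.php DB_NAME
# Handles both define('X', 'v') and define( 'X', 'v' ) spacing.
wp_config_value() {
    sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1" | head -n 1
}

# Dump the database and archive the docroot into $outdir; prints the
# timestamp used in the file names so a caller can locate the backup.
wp_backup() {
    docroot="$1"; outdir="$2"
    config="$docroot/wp-config.php"
    [ -f "$config" ] || { echo "wp_backup: $config not found" >&2; return 1; }
    db=$(wp_config_value "$config" DB_NAME)
    user=$(wp_config_value "$config" DB_USER)
    pass=$(wp_config_value "$config" DB_PASSWORD)
    host=$(wp_config_value "$config" DB_HOST)
    [ -n "$db" ] && [ -n "$user" ] || { echo "wp_backup: DB_NAME/DB_USER missing in $config" >&2; return 1; }

    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$outdir"
    # Pass the password through the environment (MYSQL_PWD) rather than on the
    # command line, where other local users could read it from the process list.
    # WP_DUMP_CMD is a hypothetical override for testing; it defaults to mysqldump.
    MYSQL_PWD="$pass" ${WP_DUMP_CMD:-mysqldump} --single-transaction \
        -h "${host:-localhost}" -u "$user" "$db" | gzip > "$outdir/db-$stamp.sql.gz"
    # Files: themes, plugins, uploads and wp-config.php itself.
    tar -czf "$outdir/files-$stamp.tar.gz" -C "$docroot" .
    # Backups contain credentials and user data: keep them owner-readable only.
    chmod 600 "$outdir/db-$stamp.sql.gz" "$outdir/files-$stamp.tar.gz"
    echo "$stamp"
}
```

Run it from cron and copy the output directory somewhere off the web server; a backup that sits next to the site is lost together with it if the host is compromised.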

This plugin is an effort to combine some of the best security features from numerous projects into a single easier to manage plugin.

Better WP Security provides numerous options to increase the security of your WordPress installation.

A great plugin with many features; you’ll be 95% secure with this plugin :) download

Example of good .htaccess and robots.txt files (119)

If you have more tips, you can post them in the comments, or just email them to me and I'll add them here.

Happy safe blogging, everyone :P

© Copyright 2010-2014 d3mha. All rights reserved.