If you are a professional blogger, the worst thing that can happen in your blogging life is your blog getting hacked. These attacks are occasionally carried out by people directly, but they are mostly performed by “bots”: computer programs written by hackers that scan sites for vulnerabilities. Many popular blogs have been hacked recently, so it is time to take some steps to build a protective wall around your blog. Consider the following tips if you want to strengthen your blog.
1. Do not use default “admin” username:
Make sure usernames are unique and never use the default “admin” for administration accounts. The main reason to change your username is that “admin” is well known as the default one for WordPress, which makes brute force attempts on your site even easier, as the hacker only has to guess your password. Brute force attacks are very common and consist simply of a person or a computer program trying to access your admin dashboard by repeatedly trying different passwords until the correct one is found. This becomes even easier if you still use the default “admin” username.
To change the admin username you have to log in to phpMyAdmin. Make sure you have a backup of the entire database. Once you have a backup safely stowed on your local machine, go back to the “Structure” tab, open up the wp_users table and find the admin user. The user is one row in the wp_users table. Change the user_login field to something other than “admin” and click Go. You should now be able to log in to WordPress using the new username. Remember, pick a unique username that isn’t in the dictionary and would be very difficult to guess!
Alternatively you can use the plugin WP-Optimize to change the username.
2. Hide the version string in Meta Tags:
A large number of WordPress themes include the WordPress meta tag that shows the version of WordPress running on your blog. Unless you update WordPress regularly, this may create problems for your site. Hackers can easily find the WordPress version you are using and use loopholes in that particular version to hack into your site.
To remove the version string, open the header.php file of your theme and look for this line:
<meta content="WordPress <?php bloginfo('version'); ?>" name="generator" />
Remove this line from the file and save the file. Alternatively you can use a plugin to do this task.
If you are using a newer theme, just add the following in your theme’s functions.php file:
3. Protect Directories from Public Browsing:
In many cases, the default WordPress installation allows hackers to use their browser as a file browser to look through the contents of the folders on your server. Letting people know which plugins you have, or which versions they are, is a potential problem. If there is a known exploit linked to a plugin, it could be easy enough for someone to use it to their advantage.
To check whether your blog’s directories are left open for public browsing, type your WordPress blog’s URL in the address bar followed by “wp-content/plugins”.
If you see a blank page or a 404 file not found page then you can have some relief: you are almost safe. If you see file names displayed as links then you certainly need some fixes.
The first thing you have to do is create a blank index.php file and upload it to your wp-content/plugins directory and wp-content/themes directory. This will solve the problem to a certain extent. But if you need complete protection you need to edit the .htaccess file in your WordPress root directory.
• Open your .htaccess file in a text editor (sometimes this file may be hidden in FTP; make sure to set your FTP app to “show hidden files”).
• Add the following two lines at the bottom and then save the file.
# prevents directory listing
Options -Indexes
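A blank index.php only hides the one folder it sits in, which is why the first fix works only "to a certain extent". The following script is an added example, not part of the original article: it lists the wp-content folders that would still be shown as a file listing unless the root .htaccess disables Indexes. The function names and the sample tree are constructed for illustration, and it assumes the server treats index.php or index.html as the directory index.

```shell
#!/bin/sh
# Added example. Lists wp-content folders that Apache would still show as a file listing.
listable_dirs() {
    wp=$1
    # An active (uncommented) "Options ... -Indexes" line in the root .htaccess
    # switches listings off for every subfolder, so nothing is left to report.
    if grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$wp/.htaccess" 2>/dev/null; then
        return 0
    fi
    # Without it, each folder needs its own index file: a blank index.php in
    # plugins/ does nothing for plugins/<name>/.
    # Assumption: the server's DirectoryIndex serves index.php or index.html.
    find "$wp/wp-content" -type d | while IFS= read -r d; do
        [ -f "$d/index.php" ] || [ -f "$d/index.html" ] || echo "LISTABLE ${d#"$wp"/}"
    done
}

# Constructed sample tree (not a real site): index.php everywhere except one plugin folder.
make_listing_sample() {
    s=$(mktemp -d) || return 1
    mkdir -p "$s/wp-content/plugins/demo-plugin" "$s/wp-content/themes/demo-theme"
    for d in wp-content wp-content/plugins wp-content/themes wp-content/themes/demo-theme; do
        : > "$s/$d/index.php"
    done
    : > "$s/wp-content/plugins/demo-plugin/readme.txt"
    echo "$s"
}

site=$(make_listing_sample)
listable_dirs "$site"                          # reports the plugin folder
printf 'Options -Indexes\n' >> "$site/.htaccess"
listable_dirs "$site"                          # reports nothing
rm -rf "$site"
```

Run listable_dirs against your own WordPress root before and after editing .htaccess to confirm the change took effect.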
4. Block WP- folders from the Search Engines
There is no need to have all of your WordPress files indexed by Google, so it’s best to block them in your robots.txt file. Add the following line to your list:
5. Change default database prefix
The default database prefix for WordPress is “wp”. It is a good idea to change this to improve security. You can easily do this with the WordPress Security Scan plugin. Install this plugin and a new Security tab will appear in the Admin panel. Go to Security >> Database Security. There you can enter the new database prefix. The plugin will automatically change the prefix of all WordPress tables.
6. Use correct file permissions
Make sure your WordPress blog uses the following permissions:
• All folders should be set to 755.
• Files should be set to 644.
• Files that you want to edit in the WordPress Theme editor should be 666.
• In no case should you use 777 for WordPress; using 777 means you are letting all users on the server do whatever they want with your site.
You can use a plugin called WP-Security-Scan to check the file permissions. The plugin will report problems if you set any wrong file permissions.
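If you have shell access, the same check can be done without a plugin. The script below is an added example, not part of the original article or of the plugin: it reports every path that deviates from the rules listed above, with 666 files listed separately so you can confirm they are only the ones you edit in the Theme editor. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reports every path under a WordPress root that breaks the rules above.
scan_wp_perms() {
    # 777 on anything: every account on the server can change it.
    find "$1" \( -type f -o -type d \) -perm 0777 | sed 's/^/MODE-777 /'
    # Folders must be exactly 755; 777 is already reported by the line above.
    find "$1" -type d ! -perm 0755 ! -perm 0777 | sed 's/^/DIR-NOT-755 /'
    # 666 is meant only for files edited in the Theme editor: list them for review.
    find "$1" -type f -perm 0666 | sed 's/^/FILE-666-REVIEW /'
    # Every other file must be exactly 644.
    find "$1" -type f ! -perm 0644 ! -perm 0666 ! -perm 0777 | sed 's/^/FILE-NOT-644 /'
}

# Prints the findings; returns 0 when clean, 1 when there are findings, 2 on a bad path.
audit_wp_perms() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    findings=$(scan_wp_perms "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (not a real site) with one deviation of each kind.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads" "$t/wp-content/themes/demo"
    : > "$t/index.php"; : > "$t/wp-config.php"
    : > "$t/wp-content/themes/demo/style.css"
    chmod 755 "$t" "$t/wp-content" "$t/wp-content/themes" "$t/wp-content/themes/demo"
    chmod 777 "$t/wp-content/uploads"                  # the setting the article warns against
    chmod 644 "$t/index.php"
    chmod 664 "$t/wp-config.php"                       # group-writable, so not 644
    chmod 666 "$t/wp-content/themes/demo/style.css"    # Theme editor file
    echo "$t"
}

tree=$(make_sample_tree)
audit_wp_perms "$tree"      # prints three findings and returns 1
rm -rf "$tree"
```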
7. Limit WordPress Admin access by IP address.
This method allows the wp-admin folder to be accessed only from a particular set of IP addresses; all others will get a forbidden error message. If you access your blog from one or two computers regularly then this method will be very effective. Create a new .htaccess file in the wp-admin folder and add the following piece of code to it.
order deny,allow
deny from all
allow from xx.xx.xx.xx
Replace all those X’s with your IP address. You can obtain your IP address from websites like whatismyip.org.
Note that this method may not work for everyone. Some ISPs provide dynamic IPs instead of static IPs for their users. As a result the IP address may change each time you connect to the internet. This may lock you out of your admin area. If that happens, use FTP to browse to your wp-admin folder and delete the .htaccess file.
8. Protect wp-config.php file:
The wp-config.php file contains sensitive information like your database username, password etc. You can edit the .htaccess file to protect the config file from unauthorized access. Add the following code snippet to your .htaccess file.
# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
9. Use SSL for your blog:
If you run a popular blog and are making some profit from it then don’t hesitate to invest some bucks in buying an SSL certificate. SSL, or Secure Sockets Layer, encrypts all the data that is transmitted to and from the site, which protects it from third parties intercepting the connection. By default the WordPress password is sent with no protection at all and so could be intercepted with relative ease by a hacker. By using SSL we can encrypt this data and thus ensure protection.
10. Use secure password, update and backup regularly:
This may sound simple, but believe me, there are still many people who use their girlfriend’s name or a dictionary word as a password. Brute force attacks are very common and consist simply of a person or a computer program trying to access your admin dashboard by repeatedly trying different passwords until the correct one is found. This becomes even easier if you still use the default “admin” username. The software used for brute force attacks is loaded with dictionary words, so it can easily hack your site if you still use a dictionary word as a password. Use passwords at least 12 letters in length and change your password regularly.
Always try to keep an updated version of WordPress. Every WordPress version comes with fixes for security loopholes in previous versions, so keeping an updated version is necessary. Use only essential plugins and try to keep your plugins updated. Also don’t forget to keep regular backups of your files as well as your database. You can use plugins like WP-DBManager and Automatic WordPress Backup for this purpose.
There is no way we can get rid of hackers. They will come up with new loopholes each day. But if we spend some time fixing the security loopholes, we can make sure the path for hackers to crack our site will not be easy. Do you implement any other security measures in your blog? Please share your experiences.