Years ago, only hackers were able to damage a website. Today anyone can find a tutorial on how to hack a vulnerable script.
We take security very seriously, which is why we have implemented a system to help prevent your application from being hacked. Even so, we can't guarantee complete protection of your account, as it may depend on insecure code in your account.
Here we explain how to protect your WordPress install.
- Always keep WordPress updated to the latest version; the same goes for themes and plugins
- Avoid using admin as administrator username
- Change your administrator password periodically
- Only use plugins that are maintained by their developer
- Change the default prefix of the WordPress tables instead of using "wp_". If you have already installed WordPress you can use this plugin
Increase WordPress security
Here is a list of improvements to make WordPress more secure.
1) Hide the WordPress version. You can use this plugin: https://wordpress.org/extend/plugins/hide-wordpress-version/
2) Limit access by protecting the "wp-admin" folder with a password
For step 3 you will have to edit the .htaccess file. Make this modification outside the # BEGIN WordPress and # END WordPress tags. Everything between these two tags will be overwritten by WordPress.
3) Protect access to wp-includes. This is usually used by hackers to upload malicious files to your account. You can add the following code:
# Block include-only files.
RewriteEngine On
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# End block include-only files
NOTE: this will not work with WordPress multisite, since the line
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
will not allow the file ms-files.php to generate images. You can remove this line if you have a multisite install.
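The rule block from step 3, walked through in Python as an added example (not part of the original article or of WordPress). It is a simplified model of how mod_rewrite evaluates these rules in an .htaccess file, handling only negation and the F and S flags; the request paths are constructed samples, and lowering S=3 to S=2 in the multisite variant is an assumption of this example, not something the article states.

```python
import re

# (pattern, flags) copied from the block above; the "-" substitution is implied.
RULES = [
    ("^wp-admin/includes/", "F,L"),
    ("!^wp-includes/", "S=3"),          # not under wp-includes/: skip the next 3 rules
    (r"^wp-includes/[^/]+\.php$", "F,L"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", "F,L"),
    ("^wp-includes/theme-compat/", "F,L"),
]
MS_FILES_RULE = r"^wp-includes/[^/]+\.php$"


def multisite_rules(rules=RULES):
    """Drop the rule that blocks ms-files.php. Assumption of this example:
    S=3 becomes S=2 so the skip still covers only the remaining wp-includes rules."""
    out = []
    for pattern, flags in rules:
        if pattern == MS_FILES_RULE:
            continue
        out.append((pattern, "S=2" if flags == "S=3" else flags))
    return out


def evaluate(path, rules=RULES):
    """Return 403 if the rule set forbids `path`, else 200 (request passes on)."""
    path = path.lstrip("/")   # .htaccess rules see the path without the leading slash
    skip = 0
    for pattern, flags in rules:
        if skip:              # rule jumped over by an earlier [S=n]
            skip -= 1
            continue
        negate = pattern.startswith("!")
        matched = bool(re.search(pattern.lstrip("!"), path)) != negate
        if not matched:
            continue
        flagset = flags.split(",")
        if "F" in flagset:    # [F] answers 403 Forbidden and stops processing
            return 403
        for flag in flagset:
            if flag.startswith("S="):
                skip = int(flag[2:])
    return 200


# Constructed sample request paths.
SAMPLES = ["/wp-admin/includes/file.php", "/wp-includes/ms-files.php",
           "/wp-includes/js/jquery/jquery.js", "/wp-includes/theme-compat/header.php",
           "/wp-content/uploads/photo.jpg", "/index.php"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:40} single={evaluate(p)} multisite={evaluate(p, multisite_rules())}")
```

Only /wp-includes/ms-files.php changes between the two variants: it is forbidden by the full rule set and allowed once that rule is removed, which is the multisite trade-off described in the note.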
4) Don't allow search engines to look in your directories. Google and other search engines may index URLs that you don't want to be found. You can add this code to the robots.txt file inside the public_html folder (if the file is not present you can create it). Note that not all robots follow these instructions:
User-agent: *
Crawl-delay: 5
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Disallow: /wp-*
This kind of attack is getting more and more common and is also a cause for temporary account blocks from our automated system.
To solve this issue you should:
- Log in to wp-admin
- Install and activate the plugin wp-login
The plugin will ask you to use a custom URL, for example /securelogin.
Once set, you will be able to access your website from mydomain.com/securelogin
Then you have to edit your .htaccess file, adding:
<FilesMatch "wp-login.php">
Deny from All
ErrorDocument 403 "Forbidden"
</FilesMatch>
As additional security you can use the BruteProtect plugin.
You may also want to install the following plugins for further security; pick only the ones that suit your needs:
- https://wordpress.org/plugins/login-security-solution/ – Login Security Solution: blocks the IP after failed logins
- https://wordpress.org/extend/plugins/stealth-login-page/ – Changes the login page URL so that only you will know it
- https://wordpress.org/extend/plugins/bulletproof-security/ – WordPress Website Security Protection: protects your website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts.
- https://wordpress.org/plugins/ultimate-security-checker/ – Ultimate Security Checker scans your blog and informs you about its security level.
- https://wordpress.org/plugins/block-bad-queries/ – Block Bad Queries (BBQ) is a simple script that protects you from malicious URL requests
- https://wordpress.org/plugins/bruteprotect/ – BruteProtect: mitigates brute-force attacks