Secure your WordPress Site [A Guide]

Tuesday, 17 September 2013
I've been seeing a lot of people in technical community forums and other places complaining that their WordPress sites are getting hacked. Even I have been a victim of this in the past. So I have collected some info about this and have come up with some tips and tricks.
In this post I will be sharing my tactics for securing a WordPress blog/site.

#1 Better Host

We all tend to choose the cheapest host we can get, and that is the first step towards getting your site hacked.
Many cheap or free shared hosts do not isolate customer accounts properly: directory permissions are loose, so a script uploaded to one account can read (and sometimes write) the files of every other account on the same server, including their wp-config.php and the database password inside it. The author estimates that at least 30-40% of hacked sites are compromised this way. Well-known hosts such as HostGator and GoDaddy enforce strict per-account folder permissions. So go with a host of that kind if you can't afford a dedicated server, and check your own account's permissions yourself rather than taking the host's word for it.
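The checks a practitioner would run before trusting a shared host, as an added example that is not part of the original post: it audits the web root for world-writable paths, verifies that wp-config.php is not readable by other users, and counts how many sibling home directories under /home this account can list (on an isolated host that number is zero). The web-root argument and the 0600/0640 expectation for wp-config.php are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a quick permission audit of a
# WordPress web root on shared hosting. Assumes $1 is the path to the site's
# document root (the directory holding wp-config.php).

# Print every world-writable file or directory under the web root.
# Returns 0 if there are none, 1 otherwise. Anything world-writable can be
# modified by every other account on a badly isolated shared server.
check_world_writable() {
  root="${1:-.}"
  bad=$(find "$root" -perm -0002 ! -type l 2>/dev/null)
  if [ -n "$bad" ]; then
    printf 'World-writable under %s:\n%s\n' "$root" "$bad"
    return 1
  fi
  return 0
}

# wp-config.php contains the database password. It should be 0600 or 0640,
# never readable by "other". Returns 0 when the mode is acceptable.
check_wp_config_mode() {
  cfg="${1:-.}/wp-config.php"
  [ -f "$cfg" ] || { echo "missing $cfg"; return 2; }
  # GNU stat first, BSD/macOS stat as the fallback
  mode=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")
  other=$(printf '%s' "$mode" | tail -c 1)
  if [ "$other" != "0" ]; then
    echo "$cfg is mode $mode (readable by other users)"
    return 1
  fi
  return 0
}

# On a properly isolated host, other customers' home directories are not
# listable. Prints how many sibling homes this account can read.
count_readable_sibling_homes() {
  n=0
  for d in /home/*/; do
    d="${d%/}"
    [ "$d" = "$HOME" ] && continue
    if ls "$d" >/dev/null 2>&1; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Run all three against the given web root; non-zero exit on any finding.
audit() {
  rc=0
  check_world_writable "$1" || rc=1
  check_wp_config_mode "$1" || rc=1
  echo "readable sibling home directories: $(count_readable_sibling_homes)"
  return $rc
}

if [ -n "${1:-}" ]; then audit "$1"; fi
```

Run it as `sh audit.sh /home/you/public_html`. A non-zero sibling count, or a world-writable wp-content, is the symptom the section above describes, and no plugin fixes it; only a host that isolates accounts does.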


#2 WordPress Installation

When you install WordPress on a server, DO NOT, in fact NEVER, keep the default administrator username (admin) or the default database table prefix (wp_). Use a unique username, so that anyone trying to brute-force the login has to guess the username as well as the password, and a random table prefix, so that canned SQL injection payloads that assume wp_users and wp_options fail.
The password should be long, alphanumeric and include special characters.
Remember that password cracking gets cheaper every year: attackers crack stolen password hashes on GPUs, which try guesses orders of magnitude faster than a CPU, so a short or dictionary-based password will not survive. Choose your password carefully, and prefer length over cleverness.
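The credential choices above, carried out in shell as an added example (not code from the original post): a random table prefix, a random password that is guaranteed to meet a policy, a policy check you can point at any candidate password, and a helper that rewrites the `$table_prefix` line of a fresh wp-config.php. The policy thresholds (16 characters, all four character classes) are this example's own choice, not a WordPress requirement.

```shell
#!/bin/sh
# Added example, not from the original post: generate the non-default
# credentials the text asks for and check a password against a policy.
export LC_ALL=C   # keep [A-Z] etc. meaning ASCII ranges

# Random 6-character lowercase/digit table prefix, e.g. "k7qz3a_".
gen_table_prefix() {
  printf '%s_\n' "$(tr -dc 'a-z0-9' </dev/urandom | head -c 6)"
}

# Policy check: at least 16 characters with upper, lower, digit and symbol.
# Returns 0 when the password passes, 1 otherwise.
check_password() {
  pw="$1"
  [ "${#pw}" -ge 16 ] || return 1
  case $pw in *[A-Z]*) ;; *) return 1 ;; esac
  case $pw in *[a-z]*) ;; *) return 1 ;; esac
  case $pw in *[0-9]*) ;; *) return 1 ;; esac
  case $pw in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
  return 0
}

# Random password of N characters (default 24, minimum 16) from letters,
# digits and symbols; retried until it satisfies check_password.
gen_password() {
  n="${1:-24}"
  [ "$n" -ge 16 ] || n=16
  while :; do
    pw=$(tr -dc 'A-Za-z0-9!@#%^&*_+=-' </dev/urandom | head -c "$n")
    if check_password "$pw"; then echo "$pw"; return 0; fi
  done
}

# Rewrite the $table_prefix line of a wp-config.php. Only safe on a fresh
# install before the tables exist; renaming live tables is a separate job.
set_table_prefix() {
  cfg="$1"; prefix="$2"
  case $prefix in *[!A-Za-z0-9_]*|'') echo "invalid prefix" >&2; return 1 ;; esac
  sed "s/^[\$]table_prefix *= *'[^']*';/\$table_prefix = '$prefix';/" "$cfg" \
    > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}
```

Usage: `set_table_prefix wp-config.php "$(gen_table_prefix)"` during installation, then create the first administrator with a name of your own and a password from `gen_password 24`.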

#3 Limit Logins

This plugin locks out an IP address that keeps trying to log in with different username and password combinations, which is called a brute-force attack. After a few failed attempts the address is blocked for a set period, so an attacker who could otherwise fire thousands of guesses per minute at wp-login.php gets only a handful.
This frustrates attackers and most of them give up. It is a speed bump rather than a wall, though: an attacker with many IP addresses (a botnet) simply spreads the attempts, so the lockout is no substitute for the strong password and non-default username from #2.

The plugin is in the WordPress plugin repository; install it from the Plugins page of your dashboard.

#4 Password Protect WP-ADMIN Directory

Putting a password on your wp-admin directory adds an extra layer of authentication in front of the WordPress login: the web server itself (Apache, using HTTP Basic authentication) asks for a username and password before any request reaches wp-admin, so login brute-forcing and attacks on the admin pages never get as far as WordPress. To make the directory password protected you need an htpasswd file.

www.htaccesstools.com/htpasswd-generator/

On that site, enter a username and password and it will generate the htpasswd file for you. Be aware that an online generator sees the password you type; if you have shell access, the htpasswd tool that ships with Apache (or openssl passwd -apr1) produces the same user:hash line locally. Once again choose a unique, long, hard-to-guess password with letters, digits and special characters. Now save this file through your file manager outside the public_html folder.
Placing it outside public_html means it cannot be fetched over the web, while Apache can still read it by its filesystem path.
Two caveats. HTTP Basic authentication only base64-encodes the credentials, so this extra layer protects the password in transit only if the site is served over HTTPS. And locking the whole wp-admin directory also locks wp-admin/admin-ajax.php, which some themes and plugins call for anonymous visitors; if a front-end feature breaks, that file needs an exception.
Create a .htaccess file if you don't have one with the following rules and upload it to your wp-admin folder (replace the AuthUserFile path with the full filesystem path to your .htpasswd):

AuthUserFile /full/path/to/your/htpasswd/folder/.htpasswd
AuthGroupFile /dev/null
AuthName "Password Protected Area"
AuthType Basic
# Require applies to every HTTP method. Do not wrap it in <Limit GET POST>:
# that would leave HEAD, PUT, DELETE and any other method unauthenticated.
Require valid-user
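The whole of #4 done locally, as an added example that is not part of the original post: it hashes the password with openssl (falling back to Apache's htpasswd tool), writes the .htpasswd into a directory outside the web root, and writes a wp-admin/.htaccess that references it by absolute path and carves out admin-ajax.php. The directory layout and the username rules are this example's assumptions; the Files block uses Apache 2.2 syntax, which 2.4 accepts while mod_access_compat is loaded.

```shell
#!/bin/sh
# Added example, not from the original post: generate .htpasswd locally and
# write the wp-admin/.htaccess that references it.
# Arguments: web root, private directory (outside the web root, absolute
# path), username, password.

# Produce a "user:hash" line in the MD5-based apr1 scheme, which every
# Apache version accepts. openssl first, Apache's htpasswd as fallback.
htpasswd_line() {
  user="$1"; pass="$2"
  if command -v openssl >/dev/null 2>&1; then
    hash=$(openssl passwd -apr1 "$pass") || return 1
    printf '%s:%s\n' "$user" "$hash"
  elif command -v htpasswd >/dev/null 2>&1; then
    htpasswd -nbm "$user" "$pass"
  else
    echo "need openssl or htpasswd" >&2
    return 1
  fi
}

# Write private_dir/.htpasswd (0640: owner and web-server group only) and
# web_root/wp-admin/.htaccess. Returns 1 on bad input or hashing failure.
make_wp_admin_auth() {
  web_root="$1"; private_dir="$2"; user="$3"; pass="$4"
  case $user in *[!A-Za-z0-9_.-]*|'') echo "bad username" >&2; return 1 ;; esac
  case $private_dir in /*) ;; *) echo "private_dir must be absolute" >&2; return 1 ;; esac
  mkdir -p "$private_dir" "$web_root/wp-admin"
  htpasswd_line "$user" "$pass" > "$private_dir/.htpasswd" || return 1
  chmod 640 "$private_dir/.htpasswd"
  cat > "$web_root/wp-admin/.htaccess" <<EOF
AuthUserFile $private_dir/.htpasswd
AuthName "Password Protected Area"
AuthType Basic
# No <Limit GET POST> wrapper: it would leave every other HTTP method open.
Require valid-user

# admin-ajax.php is called by themes and plugins for anonymous visitors too,
# so let it through without the Basic-auth prompt. On Apache 2.4 without
# mod_access_compat, replace the three directives with "Require all granted".
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
EOF
  echo "wrote $web_root/wp-admin/.htaccess -> $private_dir/.htpasswd"
}
```

Usage: `make_wp_admin_auth /home/you/public_html /home/you/private you 'a-long-unique-password'`; then request /wp-admin/ in a browser and confirm the server's own prompt appears before the WordPress login form.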


#5 Maintenance & Backup

Maintenance is important. Keep an eye on your Apache access and error logs for signs that something is wrong, such as floods of POSTs to wp-login.php or requests for PHP files under wp-content/uploads, where no PHP should ever run. Take regular backups, and make a fresh backup of the database and the full site before you update WordPress, plugins or themes, so that if something goes wrong you can revert to the last working state. Apply those updates promptly: most real-world compromises come through known, already-patched vulnerabilities in outdated plugins and themes.
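The log review and backup described above, as an added example that is not part of the original post. It also covers the brute-force pattern that #3 talks about: the first helper counts POSTs to wp-login.php per source address over an Apache combined-format log, the second lists hits on PHP files under wp-content/uploads, and the third archives the site files and, when mysqldump is available, dumps the database using the credentials in wp-config.php. The log lines are constructed for this example; the threshold of five POSTs is an assumption to tune for your traffic.

```shell
#!/bin/sh
# Added example, not from the original post: log-based detection and a
# pre-update backup. SAMPLE_LOG is constructed test data, not real traffic.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [17/Sep/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Sep/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Sep/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Sep/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Sep/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Sep/2013:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Sep/2013:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Sep/2013:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Sep/2013:10:03:00 +0000] "GET /wp-content/uploads/2013/09/cache.php HTTP/1.1" 200 88 "-" "curl/7.30.0"
192.0.2.10 - - [17/Sep/2013:10:04:00 +0000] "GET /wp-content/uploads/2013/09/photo.jpg HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
EOF

# Print "ip count" for every IP with more than $2 (default 5) POSTs to
# wp-login.php in log $1. Combined format: $1 is the client, $6 the quoted
# method, $7 the path. A real user mistypes a couple of times; dozens of
# POSTs from one address in a short window is a dictionary attack.
login_bruteforce_ips() {
  awk -v max="${2:-5}" '
    $6 == "\"POST" && $7 == "/wp-login.php" { n[$1]++ }
    END { for (ip in n) if (n[ip] > max) print ip, n[ip] }
  ' "$1" | sort
}

# Print "ip path" for requests to .php files under wp-content/uploads.
# Uploads should hold media only, so a PHP hit there usually means a web
# shell was planted through a vulnerable upload form.
uploads_php_hits() {
  awk '$7 ~ /^\/wp-content\/uploads\/.*\.php/ { print $1, $7 }' "$1" | sort -u
}

# Read a define('NAME', 'value') constant out of wp-config.php.
wp_constant() {
  sed -n "s/.*define( *'$2', *'\([^']*\)' *).*/\1/p" "$1"
}

# Archive the site files under $1 into $2, dump the database if mysqldump is
# on PATH, and print the archive path. The password goes through MYSQL_PWD
# rather than the command line so it does not show up in ps.
backup_site() {
  root="$1"; dest="$2"; stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$dest"
  tar -czf "$dest/files-$stamp.tgz" -C "$root" . || return 1
  if command -v mysqldump >/dev/null 2>&1 && [ -f "$root/wp-config.php" ]; then
    MYSQL_PWD="$(wp_constant "$root/wp-config.php" DB_PASSWORD)" \
      mysqldump --user="$(wp_constant "$root/wp-config.php" DB_USER)" \
      "$(wp_constant "$root/wp-config.php" DB_NAME)" \
      | gzip > "$dest/db-$stamp.sql.gz" || return 1
  fi
  echo "$dest/files-$stamp.tgz"
}
```

Against the sample log, `login_bruteforce_ips "$SAMPLE_LOG" 5` reports 203.0.113.5 with six attempts and ignores the single failed-then-successful login from 192.0.2.10, and `uploads_php_hits` reports only the cache.php request. Point the helpers at your real access log from cron, and run `backup_site /home/you/public_html /home/you/backups` before every update.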

Keep the web secure.

Thank you!
