
15 tips to prevent your WordPress blog from being hacked


There are over 5 million results in Google for the keyword "prevent wordpress hack". Everyone has their own opinion, and I don't think all of those posts are updated frequently. WordPress blogs are hacked every day, so in this post I will explain how to prevent your WordPress blog from being hacked. Here are 15 tips to keep your WordPress blog from being hacked.

Backup

This is the first step: if you plan to make any changes, make sure you back up your entire database first. You can do this manually or with a plugin. I recommend BackupBuddy, which backs up your entire WordPress blog. Unlike free plugins, which only back up your database, BackupBuddy exports the database together with the images, files and whatever else is in your blog's content folder.


Update WordPress Version

This is the second step, after the backup: always keep your WordPress version up to date, for security reasons. The WordPress team releases patches that fix security holes. Follow the WordPress feed to find out about the latest updates, or simply log in to your admin panel.


Admin Login

Always change the default admin login of your blog. 25% of WordPress blogs are vulnerable to password-guessing attacks. The default WordPress login is Admin or Admin123, and most attackers know this. Use strong passwords that mix upper- and lower-case letters, numbers and symbols; something like "m3h4r4d1L19!@" is a good example of a strong password.


Symlink

One of the easiest ways WordPress blogs get hacked is through symlinks: an attacker with an account on the same shared server creates symlinks to your files and reads your database settings out of wp-config.php. The easiest way to prevent this is to change the file permissions of wp-config.php, the file that holds your database configuration, so other users on the host cannot read it. A further hardening step for wp-config.php is to use the WordPress Key Generator to generate fresh security keys. Open wp-config.php, find the lines that look like the one below, and replace them with the generated ones:
For example:
define('AUTH_KEY', 'put your unique phrase here');
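The replacement step above done with a script, as an added example that is not code from the post: it generates the eight phrases locally with Python's secrets module instead of fetching them from the WordPress Key Generator, swaps them into a constructed wp-config.php fragment, and reports any key that is missing. The mode check at the end covers the file-permission advice; the sample config, the 64-character length and the alphabet are my assumptions.

```python
import re
import secrets
import string

# The eight security keys/salts WordPress reads from wp-config.php.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"
DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'[^']*'\s*\);")
# Printable ASCII minus the quote and backslash, so the PHP single-quoted literal stays valid.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>?/|~"

# Constructed sample wp-config.php fragment (assumption); NONCE_SALT is deliberately
# left out so the "missing" report below has something to show.
SAMPLE_CONFIG = """\
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
$table_prefix  = 'wp_';
"""

def random_phrase(length=64):
    """A 64-character phrase drawn from a CSPRNG, like the ones the key generator hands out."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_keys(config_text):
    """Replace every key/salt value in the wp-config.php text with a fresh phrase.
    Returns (new_text, rotated_names, missing_names). Rotating the keys invalidates
    all existing login cookies, so every user has to sign in again."""
    rotated = []
    def repl(m):
        name = m.group("name")
        if name not in KEY_NAMES:
            return m.group(0)          # leave DB_NAME and other defines untouched
        rotated.append(name)
        return f"define('{name}', '{random_phrase()}');"
    new_text = DEFINE_RE.sub(repl, config_text)
    missing = [k for k in KEY_NAMES if k not in rotated]
    return new_text, rotated, missing

def readable_by_others(mode):
    """True if the mode bits let group or others read the file; the symlink trick on
    shared hosts depends on wp-config.php being readable that way (0o644 yes, 0o600 no)."""
    return bool(mode & 0o044)
```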


Wp Security Scan


This plugin is the real deal. It's simple and automates things. It scans your WordPress blog for vulnerabilities and informs you if it finds any malicious code. If the entries in the admin panel are shown in green, you should be good.


BruteForce Attack

Always use strong passwords to prevent brute-force attacks on your WordPress blog. Another way to stop brute-force attacks is to protect your blog's login with a CAPTCHA. The stronger the password, the lower the chance of your blog's password being guessed!




Hosting

Never use free hosting. Always use good, paid hosting, e.g. HostGator, LiteSpeed or CloudFlare. I suggest paid hosting because when an attacker gets into the database of one blog on a shared server, the next step is to try to root the whole server. If the server's security is weak it may be rooted easily, and then every website on that server is in the attacker's hands. For example, if a server hosts a total of 1450 websites and the attacker roots it, all 1450 websites on that server can be compromised with a few commands, and your blog may be one of the sites on that poorly secured server. So use paid, well-secured hosting.


.htaccess hacks

.htaccess is the default name of directory-level configuration files that allow decentralized management of configuration when placed inside the web tree. .htaccess files are often used to specify the security restrictions for a particular directory. This is not exactly a tip that belongs on the list, but you should know about .htaccess because you can do a lot with it to prevent WordPress hacks. I am not going to go into depth on it here, but I found some sweet .htaccess tricks that can tighten your WordPress security.
After tweaking your .htaccess to protect your blog from attackers, you cannot simply leave the .htaccess file itself open to attack. The snippet below blocks external access to any file whose name contains .hta (so .htaccess and .htpasswd). Simply place it in your domain's root .htaccess file.

# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>



Script Injection

You can also protect your WordPress blog from script injection and from unwanted modification of REQUEST and/or GLOBALS.
Simply copy and paste the code below into the .htaccess in your root directory.

# protect from script injection and GLOBALS/_REQUEST tampering via the query string
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
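To see what those three conditions actually match before deploying them, here they are ported to Python regexes and run over a few constructed URLs, as an added example that is not part of the post. The URLs and the rule names are my own; note the last sample, which the first condition blocks even though it contains no script tag.

```python
import re
from urllib.parse import urlsplit

# The three RewriteCond patterns above, ported to Python's re module.
# [NC] on the first condition becomes re.IGNORECASE; the other two stay case-sensitive.
RULES = [
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS override", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST override", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]

def matched_rule(url):
    """Return the name of the first condition the query string trips, or None.
    mod_rewrite tests QUERY_STRING as sent (not URL-decoded), so neither do we."""
    query = urlsplit(url).query
    for name, pattern in RULES:
        if pattern.search(query):
            return name
    return None

# Constructed sample requests, annotated with what the rules do to them.
SAMPLE_URLS = [
    "http://blog.example/?s=<script>alert(1)</script>",          # blocked: script tag
    "http://blog.example/?s=%3Cscript%3Ealert(1)%3C/script%3E",  # blocked: encoded form
    "http://blog.example/?GLOBALS[admin]=1",                      # blocked: GLOBALS override
    "http://blog.example/?_REQUEST=1",                            # blocked: _REQUEST override
    "http://blog.example/?s=hello+world",                         # allowed
    "http://blog.example/?s=<b>script</b>",                       # blocked although harmless: '.*script.*' is broad
]

def evaluate(urls):
    """Map each URL to the rule it tripped (or None) so the rule set can be reviewed."""
    return {u: matched_rule(u) for u in urls}
```

The last entry shows the cost of the rule set: any query containing the word "script" between a pair of angle brackets is refused with a 403, which legitimate search queries can trigger.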



Full Path Disclosure

WordPress is full of full path disclosure (FPD) weaknesses.
Consider how it happens: an attacker looks at the source code of your WordPress site, reads your theme name from it, and then requests a theme file directly, something like this:
www.yourwordpressblog.com/wp-content/themes/themename/functions.php
Loaded on its own, the file produces a PHP error that prints its full path on the server, and on cPanel hosts that path also reveals your cPanel (control panel) username. How do you prevent it? Change the file and directory permissions from cPanel.

File Permissions


Use the below file permissions for optimal file system security:

Themes and Plugins

Yes, WordPress plugins are vulnerable to SQL injection, LFI, RFI and RCE. Before installing any plugin, search Google for known exploits against it and make sure they are patched.
You can run into serious trouble by installing plugins and using themes without checking them for malicious code. If you don't know PHP, I recommend only installing plugins and themes that are listed in the official WordPress directories.

Make the plugins list secret from others

Don't let others see the list of plugins you're using; this too can get your WordPress site hacked. The reason is that many plugins are free in the WordPress plugin directory, so most people have access to their code. Knowing exactly which plugins you run makes hijacking your blog that much easier.


Change Table Prefix

How to Change WordPress Table Prefix using Wp Scan

The default table prefix for WordPress is wp_. I know that, you know it, and I am sure the attacker does too. SQL injection attacks are easier with the default table prefix because the table names are easy to guess. A good prefix would be "mashjg23_" or "sasdoe265_". Changing your database table prefix is highly recommended, and you can do it in two ways. The manual way requires some work and is not suitable for newbies; here's where the WP Security Scan plugin makes your work much easier. It has a tab called "Database". Once you are in it, you have the option to rename your entire table prefix to something that is tough to guess. Do this and you will be a step closer to strengthening your blog's security.
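The manual way, as an added example that is not from the post or the plugin: a script that generates the MySQL statements for the prefix change from a constructed list of the default tables, including the two content updates that are easy to forget, and rewrites the $table_prefix line in wp-config.php to match. The table list, the prefix rule and the function names are my assumptions.

```python
import re

# Constructed sample: the tables a stock WordPress install creates with the default prefix.
SAMPLE_TABLES = ["wp_commentmeta", "wp_comments", "wp_links", "wp_options",
                 "wp_postmeta", "wp_posts", "wp_terms", "wp_term_relationships",
                 "wp_term_taxonomy", "wp_usermeta", "wp_users"]
PREFIX_RE = re.compile(r"^[a-z0-9]+_$")   # plain identifier chunk ending in '_'

def migration_sql(tables, old="wp_", new="mashjg23_"):
    """Build the MySQL statements for the manual prefix change.
    Renaming the tables is not enough: the prefix is also stored *inside* two tables
    (options.option_name 'wp_user_roles' and the usermeta meta_keys such as
    'wp_capabilities'); skipping those updates locks every user out of wp-admin."""
    if not PREFIX_RE.match(new):
        raise ValueError("prefix must be lowercase letters/digits ending in '_'")
    stmts = [f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;"
             for t in tables if t.startswith(old)]
    stmts.append(f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
                 f"WHERE option_name = '{old}user_roles';")
    like = old.replace("_", "\\_")        # '_' is a LIKE wildcard, so escape it
    stmts.append(f"UPDATE `{new}usermeta` SET meta_key = "
                 f"CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
                 f"WHERE meta_key LIKE '{like}%';")
    return stmts

def update_wp_config(config_text, new="mashjg23_"):
    """Rewrite the $table_prefix line so wp-config.php agrees with the renamed tables."""
    return re.sub(r"^\$table_prefix\s*=\s*'[^']*';",
                  f"$table_prefix = '{new}';", config_text, flags=re.MULTILINE)
```

Take the backup from tip 1 before running the statements; the rename and the two updates must all succeed together.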


Directory Browsing

It's not a good idea to let your visitors browse through your entire directory tree. Directory listings are an easy way to learn your directory structure, and that makes it easier for attackers to look for security holes.
To stop this, simply add the following two lines to the .htaccess in the root directory of your WordPress blog.

# disable directory browsing
Options All -Indexes



Copyright 2011 C Software .