Let’s assume you start a blog, write articles, promote it, do SEO and wait for the results and a stable source of income, but just as the blog starts to get popular and earn you a good amount of cash, you notice that it has been hacked. Now what?
Is all your hard work gone in vain? It might be if you don’t have a habit of keeping backups, but why let such situations arise at all? Why not prevent them beforehand and enjoy some peace of mind? Nowadays people start a blog and work hard on it but forget about its security, which is not a good practice. Security is a significant factor that must be looked at and worked upon; neglecting it may end with your blog or website getting hacked, all its data compromised and, yes, you might even lose all that data of yours.
Today we will show you how to strengthen the security of your WordPress-based website or blog, so let’s get started.
Contents
- Code-Based Security Enhancements For WordPress
- 1. Starting with Log-in Security [WordPress]
- 2. Adding Security Keys To The wp-config.php File To Further Enhance The Security :
- 3. Change The Database Prefix
- 4. Protect Your “.htaccess file”, Restrict access to the “.htaccess file”
- 5. Restrict Access To Your “wp-config.php” File
- 6. Tweak Your “functions.php” To Hide The Version Information (i.e WordPress 3.4.2)
- 7. Hide Login Error Messages
- Plugin Based Security Enhancements
- General But Very Important Tips For WordPress Security
Code-Based Security Enhancements For WordPress
1. Starting with Log-in Security [WordPress]
Force SSL On The Login Screen Or On Both, The Admin Panel & The Login Screen :
To secure your WordPress login, add the line below to your wp-config.php file. (Note: this only forces SSL on the login page, not on the whole admin panel. WordPress has since deprecated FORCE_SSL_LOGIN in favour of FORCE_SSL_ADMIN, so prefer the second option on current versions.)
define('FORCE_SSL_LOGIN', true);
To secure both your login and the admin panel, simply add the line below to your wp-config.php file instead of the one above. (Note: this is the more secure method, as it forces SSL on both login and admin so that neither passwords nor cookies are ever sent in the clear. Make sure HTTPS already works on your domain with a valid certificate before enabling it, or you will lock yourself out of the admin panel.)
define('FORCE_SSL_ADMIN', true);
2. Adding Security Keys To The wp-config.php File To Further Enhance The Security :
The folks at WordPress added four security keys to the wp-config.php file to harden the WordPress CMS, and along with those four keys they added a matching salt for each, eight constants in all.
Give each key and salt a long, random value made of letters, digits and special characters; the important thing is that it is long and unpredictable, not something you typed by hand.
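As an added example (not code from the original article or from WordPress), the script below generates the eight key and salt constants offline with PHP's CSPRNG and prints them as define() lines ready to paste into wp-config.php. The constant names are the real WordPress ones; the character set is an assumption modelled on what WordPress's own generator uses and deliberately excludes single quotes and backslashes so the values are safe inside a single-quoted PHP string. The official online alternative is https://api.wordpress.org/secret-key/1.1/salt/.

```php
<?php
// Added example: generate WordPress key/salt constants offline.
// Run with: php generate-wp-secrets.php >> wp-config-secrets.txt

// The eight constants WordPress reads from wp-config.php.
const WP_SECRET_CONSTANTS = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// Assumed alphabet: letters, digits and punctuation, but no single quote
// and no backslash, so the value cannot break out of '...' in PHP source.
const SECRET_ALPHABET =
    'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
  . '!@#$%^&*()-_[]{}<>~`+=,.;:/?|';

function generate_secret(int $length = 64): string
{
    if ($length < 32) {
        throw new InvalidArgumentException('secrets should be at least 32 characters');
    }
    $max = strlen(SECRET_ALPHABET) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is cryptographically secure and unbiased,
        // unlike rand() or mt_rand() with a modulo.
        $out .= SECRET_ALPHABET[random_int(0, $max)];
    }
    return $out;
}

function generate_wp_config_secrets(int $length = 64): array
{
    $secrets = [];
    foreach (WP_SECRET_CONSTANTS as $name) {
        $secrets[$name] = generate_secret($length);
    }
    return $secrets;
}

// Render the constants as define() lines. Single quotes are used on
// purpose: PHP does not interpolate $ or \ inside single-quoted strings.
function render_defines(array $secrets): string
{
    $lines = [];
    foreach ($secrets as $name => $value) {
        $lines[] = "define('{$name}', '{$value}');";
    }
    return implode(PHP_EOL, $lines) . PHP_EOL;
}

echo render_defines(generate_wp_config_secrets());
```

Paste the output over the placeholder block in wp-config.php. Note that changing these values invalidates every existing login cookie, so all users, including you, will have to sign in again; that is also why rotating them is a sensible step after a suspected compromise.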
3. Change The Database Prefix
Make life harder for attackers and automated scripts that assume the default table names by changing the database prefix. By default, WordPress uses wp_ as the table prefix for your blog, so change it to something else. Here is how you can change your database prefix.
$table_prefix = 'wp_';
Change wp_ in the line above to something else in order to change your database prefix, but remember, only do this on a fresh installation. If you try it on an already installed WordPress blog, you’ll be greeted with an “Error establishing a database connection” message, because the existing tables still carry the old prefix. To change the prefix of an existing WordPress blog, use the Change DB Prefix WordPress plugin.
4. Protect Your “.htaccess file”, Restrict access to the “.htaccess file”
Your .htaccess file controls a lot of things, all your redirections among them. What if a hacker gets write access to it? They can redirect the whole of your traffic to their own website or somewhere else it shouldn’t be going.
So how do you protect the .htaccess file? That’s pretty easy: just put the lines below into your .htaccess file and it will protect itself from being served over the web, a bit like our body’s immune system. (The order/deny directives are Apache 2.2 syntax; on Apache 2.4 the equivalent is Require all denied, and a stock Apache httpd.conf already blocks every file whose name starts with .ht. Note that this stops visitors from reading the file; file-system permissions still decide who can edit it.)
# protect the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>
5. Restrict Access To Your “wp-config.php” File
wp-config.php is one of the most important files in your WordPress installation and contains very sensitive information which no one other than the admin should know.
Speaking of sensitive information, it contains your:
- Database Name
- Database User Credentials
- Security Keys And Salts
You can imagine how dangerous it would be if someone got their hands on your wp-config.php, so you must think about its security, right? Here is how you can protect it.
Place the lines below into your .htaccess file to restrict web access to wp-config.php:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
6. Tweak Your “functions.php” To Hide The Version Information (i.e WordPress 3.4.2)
Hackers use different techniques for different kinds of sites, and they have specific techniques for WordPress-based websites and blogs. If they learn that your blog runs WordPress, and which version, they can go straight for the exploits known to work against that version. So it’s better to hide the version information. To hide it, place the following pieces of code into your theme’s functions.php file.
To Remove It From The Blog/Site :
remove_action('wp_head', 'wp_generator');
To Remove It From The RSS Feed :
// Return an empty generator string so the feed carries no version.
function wpt_remove_version() {
    return '';
}
add_filter('the_generator', 'wpt_remove_version');
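As an added example (not code from the original article or from WordPress), the standalone PHP function below scans a fetched page or feed for the places where WordPress reveals its version, so you can confirm that the functions.php tweaks above actually took effect. The sample HTML and RSS are constructed to look like a site before the tweaks; in practice you would pass the body you fetched from your own site. The regular expressions and the `find_version_leaks` name are assumptions of this example.

```php
<?php
// Added example: detect version leaks in HTML/RSS output. Pure PHP,
// no WordPress needed. Returns a list of ['where' => ..., 'version' => ...].

function find_version_leaks(string $body): array
{
    $leaks = [];

    // 1. <meta name="generator" content="WordPress 3.4.2" /> printed by wp_generator()
    if (preg_match('/<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([^"\']*)["\']/i', $body, $m)) {
        $leaks[] = ['where' => 'meta generator tag', 'version' => trim($m[1])];
    }

    // 2. <generator>https://wordpress.org/?v=3.4.2</generator> in RSS/Atom feeds
    if (preg_match('#<generator[^>]*>[^<]*wordpress\.org/\?v=([^<\s]+)</generator>#i', $body, $m)) {
        $leaks[] = ['where' => 'feed generator element', 'version' => $m[1]];
    }

    // 3. ?ver=3.4.2 appended to core script/style URLs. The value may be the
    //    bundled library's own version (jQuery below) rather than WordPress's,
    //    but it is still a fingerprint, and the two tweaks above do not remove it.
    if (preg_match_all('#/wp-(?:includes|admin)/[^"\'\s>]*\?ver=([0-9][^"\'&\s>]*)#i', $body, $mm)) {
        foreach (array_unique($mm[1]) as $v) {
            $leaks[] = ['where' => 'asset ?ver= query string', 'version' => $v];
        }
    }

    return $leaks;
}

// Constructed sample input: a stripped-down page before the tweaks.
$sample_html = <<<'HTML'
<html><head>
<meta name="generator" content="WordPress 3.4.2" />
<link rel="stylesheet" href="/wp-includes/css/dashicons.min.css?ver=3.4.2" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.7.2"></script>
</head><body></body></html>
HTML;

// Constructed sample input: the matching feed header.
$sample_rss = <<<'XML'
<rss version="2.0"><channel>
<generator>https://wordpress.org/?v=3.4.2</generator>
</channel></rss>
XML;

$leaks = find_version_leaks($sample_html . "\n" . $sample_rss);
if ($leaks === []) {
    echo "no version leaks found\n";
}
foreach ($leaks as $leak) {
    printf("%-26s %s\n", $leak['where'], $leak['version']);
}
```

After applying the two snippets from this section, re-run the check against your live front page and feed; the first two findings should disappear. The `?ver=` query string is outside what the article covers: removing it needs the `script_loader_src` and `style_loader_src` filters, and hiding it buys little against a determined attacker, who can fingerprint a version from file contents anyway, so keep updating (see the tips at the end) rather than relying on obscurity.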
7. Hide Login Error Messages
If someone tries to log in to your WordPress admin panel with a certain username and password and gets either one wrong, WordPress tells them specifically whether it was the username or the password that was wrong. Those messages let a hacker confirm when they have found a valid username, so it’s better to hide them. Here is how you can hide them.
Open your functions.php and add the line below (it uses WordPress’s built-in __return_empty_string helper, which simply returns an empty string):
add_filter('login_errors', '__return_empty_string');
Plugin Based Security Enhancements
1. Use Bullet Proof Security (WordPress Plugin)
It’s a must-have security plugin that every WordPress user should use. It protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, code-injection and SQL-injection attempts, and provides one-click .htaccess protection for some really important files, including wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html.
It has got more to show, check more of its features and download it from here.
2. Use Simple Login LockDown (WordPress Plugin)
This is another awesome security plugin for WordPress. What it does is register the IP address of any user whose login attempt fails, keep an eye on the failed attempts from that address, and after a certain number of failures lock that IP out of the login page for a certain amount of time.
Note: how long the lockdown stays in effect and how many failed attempts trigger it can be edited from the plugin’s back-end panel.
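As an added example (not code from the article or from the Simple Login LockDown plugin), the standalone PHP class below models what such a plugin does: it counts failed logins per client IP inside a sliding window and refuses further attempts from that IP for a lock period, with the two thresholds the note above mentions as configurable parameters. The class name, method names and the in-memory storage are assumptions of this example; a real plugin would persist the state (for example in an option or a transient) and hook `wp_login_failed` and `authenticate`. The IP and timestamps are constructed.

```php
<?php
// Added example: per-IP failed-login lockout logic (requires PHP 8).

final class LoginLockdown
{
    private array $failures = [];    // ip => list of failure timestamps in the window
    private array $lockedUntil = []; // ip => unix time at which the lock expires

    public function __construct(
        private int $maxAttempts = 5,     // failures allowed ...
        private int $windowSeconds = 300, // ... within this many seconds ...
        private int $lockSeconds = 900    // ... before the IP is locked this long
    ) {}

    public function isLocked(string $ip, int $now): bool
    {
        return isset($this->lockedUntil[$ip]) && $this->lockedUntil[$ip] > $now;
    }

    public function secondsRemaining(string $ip, int $now): int
    {
        return $this->isLocked($ip, $now) ? $this->lockedUntil[$ip] - $now : 0;
    }

    // Call on every failed login. Returns true if the IP is now locked.
    public function recordFailure(string $ip, int $now): bool
    {
        // Keep only failures that are still inside the sliding window.
        $recent = array_filter(
            $this->failures[$ip] ?? [],
            fn (int $t): bool => $t > $now - $this->windowSeconds
        );
        $recent[] = $now;
        $this->failures[$ip] = array_values($recent);

        if (count($recent) >= $this->maxAttempts) {
            $this->lockedUntil[$ip] = $now + $this->lockSeconds;
            $this->failures[$ip] = []; // start counting afresh after the lock
            return true;
        }
        return false;
    }

    // Call on a successful login so old failures do not linger.
    public function recordSuccess(string $ip): void
    {
        unset($this->failures[$ip]);
    }
}

// Constructed walk-through: five bad passwords from one IP, ten seconds apart.
$guard = new LoginLockdown(maxAttempts: 5, windowSeconds: 300, lockSeconds: 900);
$ip = '203.0.113.7';       // documentation range, not a real host
$t0 = 1_700_000_000;       // arbitrary starting unix time

for ($i = 0; $i < 5; $i++) {
    $locked = $guard->recordFailure($ip, $t0 + $i * 10);
    printf("attempt %d: %s\n", $i + 1, $locked ? 'LOCKED' : 'allowed');
}
// The 5th failure (at t0+40) locks the IP until t0+940.
printf("locked for %d more seconds\n", $guard->secondsRemaining($ip, $t0 + 60));
// Once the lock period has passed, the IP may try again.
var_dump($guard->isLocked($ip, $t0 + 940)); // bool(false)
```

Two things to check when you rely on this kind of protection: if your site sits behind a CDN or reverse proxy, the address the server sees is the proxy’s, so lock decisions must use the real client address from the forwarded header the proxy sets, and a lock that counts failures per IP does nothing against an attacker spreading attempts over many addresses, which is why a strong password (tip 3 below) still matters.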
Visit this page to download and know more about the plugin.
3. Use WP Security Scan (WordPress Plugin)
WP Security Scan checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:
- Passwords
- File permissions
- Database security
- Version hiding
- WordPress admin protection/security
- Removes WP Generator META tag from core code
Download WP Security Scan – WordPress Plugin.
4. Use One Time Password (WordPress Plugin)
This simple-to-use plugin enables you to log in to your WordPress weblog using passwords that are valid for one session only. One-time passwords prevent stealing of your main WordPress password in less trustworthy environments like internet cafés, etc.
Download One-Time Password – WordPress Plugin.
General But Very Important Tips For WordPress Security
1. Always Stay Updated To The Latest Version
Make sure to update your plugins, themes and the WordPress CMS itself to the latest version available. I suggest staying updated because each new release brings a whole lot of security enhancements and fixes for known loopholes.
2. Never Forget To Backup Your Files And The Database
Say your blog gets hacked and the hacker removes every trace of data on the server, what now? In that case the only thing that can help you is your blog’s backup. So never forget to back up your WordPress blog’s files and database, and keep a copy somewhere other than the server itself, so the backup does not disappear together with the site.
3. Use A Very Strong Password
Use a password that contains letters, numerals and special characters and is a bit long, at least 8-10 characters; that way hackers will have a really tough time breaking it, at least via a brute-force attack.
4. Keep Your Credentials To Yourself
If you share your password with every other person you meet, then everyone knows what’s going to happen, right? To maintain privacy, keep your credentials to yourself.
5. Use SSL
SSL (Secure Sockets Layer, whose modern versions are called TLS) is a protocol that encrypts data transmitted between your site and its visitors. You can purchase an SSL certificate and install it on your site to enable SSL. A wildcard SSL certificate is a type of SSL certificate that lets you secure multiple subdomains under a single domain.
That’s all you need to do, and I am darn sure you’ll have a very secure blog/website running on the web, one that would make almost everyone trying to break in sweat. So try these and leave your feedback.