How to improve the security of your WordPress blog

WordPress is one of the most popular self-hosted content management systems (CMS) on the Internet, and therefore one of the most popular targets for hackers. The WordPress software is open source and hosted on GitHub, and hackers are always looking for bugs and vulnerabilities that can be exploited to gain access to other WordPress websites and blogs.

An investigation revealed that about 70% of WordPress websites and blogs are vulnerable to hacker attacks. To keep your WordPress website or blog secure, keep your WordPress installation, themes and plugins updated. Here are some other things you can do to improve the security of your WordPress website or blog.

Secure your WordPress account login

When you install WordPress, the default username is "Admin". Either create a completely random username instead, or enable single sign-on with Jetpack.

Don't show your WordPress version

A fresh WordPress installation shows its version number, which makes it easier for people to determine whether you are running an outdated, unpatched version of WordPress. To stop showing the version, delete the readme.html file from your WordPress installation directory.


Don't allow others to write to your WordPress directory

To list every directory in which any other user can write files, log in to your WordPress server's Linux shell, change to the WordPress root directory and run the following command.

find . -type d -perm -o=w

To set the right permissions on all your WordPress files and folders, run these two commands in your WordPress Linux shell (replace /your/wordpress/folder/ with the real path).

find /your/wordpress/folder/ -type d -exec chmod 755 {} \;
find /your/wordpress/folder/ -type f -exec chmod 644 {} \;

For directories, 755 (rwxr-xr-x) means that only the owner has write permission, while group and others have read and execute permission. For files, 644 (rw-r--r--) means that the file owner has read and write permission, while everyone else can only read the file.
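As an added example (not part of the original post), the following POSIX shell functions wrap the two commands above so you can audit a WordPress tree before and after fixing it and verify the result with a single number. The WordPress path is passed as an argument; no real path is assumed.

```shell
#!/bin/sh
# Added example: audit and repair WordPress file permissions.
# Usage: sh wp-perms.sh /your/wordpress/folder   (the path is a placeholder)

# Print every directory under $1 that "other" users can write to.
# An empty result is what you want to see.
list_world_writable_dirs() {
    find "$1" -type d -perm -o=w
}

# Count directories that are not exactly 755 and files that are not
# exactly 644, so a run can be checked with one number (0 = all good).
count_wrong_perms() {
    dirs=$(find "$1" -type d ! -perm 755 | wc -l)
    files=$(find "$1" -type f ! -perm 644 | wc -l)
    echo $((dirs + files))
}

# Apply the recommended modes: 755 on directories, 644 on files.
fix_wp_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# Runs only when a path is given on the command line, so the functions
# can also be sourced from another script.
if [ $# -gt 0 ]; then
    echo "World-writable directories before the fix:"
    list_world_writable_dirs "$1"
    fix_wp_perms "$1"
    echo "Entries still off 755/644 after the fix: $(count_wrong_perms "$1")"
fi
```

Run it as the user that owns the WordPress files (or with sudo), because chmod fails on files you do not own. wp-config.php contains the database credentials, so many administrators tighten that one file further after this pass; the post's 755/644 rule is the baseline, not the ceiling.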


Rename your WordPress table prefix

By default, WordPress tables have names like wp_posts or wp_users. To change the table prefix to a random value, use the Change DB Prefix plugin.


Password-protect the admin dashboard

To make your WordPress admin dashboard more secure, add a second layer of password protection to the wp-admin folder itself, at the web server level. Once protected, authorized users have to enter two passwords to reach their WordPress admin dashboard: the folder password and their normal WordPress login.
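One concrete way to put a web-server password on the wp-admin folder is HTTP Basic authentication in Apache. The shell functions below are an added example, not from the original post; they assume Apache reads .htaccess files in the WordPress tree (AllowOverride permits AuthConfig) and that the openssl binary is available for password hashing. The user name, password and paths are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example: HTTP Basic authentication in front of wp-admin (Apache).
# Assumes Apache honours .htaccess (AllowOverride AuthConfig) and that
# openssl is installed.

# Produce one .htpasswd line ("user:$apr1$...") using Apache's MD5-based
# scheme, which every Apache version understands.
htpasswd_line() {
    user=$1
    pass=$2
    printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")"
}

# Append a user to the .htpasswd file ($1) and keep it unreadable to
# others. Store this file outside the web root so it is never served.
add_htpasswd_user() {
    htpasswd_file=$1
    htpasswd_line "$2" "$3" >> "$htpasswd_file"
    chmod 640 "$htpasswd_file"
}

# Write an .htaccess into wp-admin that challenges every visitor.
# $1 = WordPress root, $2 = absolute path of the .htpasswd file
# (AuthUserFile must be absolute).
protect_wp_admin() {
    wp_root=$1
    htpasswd_file=$2
    cat > "$wp_root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $htpasswd_file
Require valid-user
EOF
}

# Return 0 when wp-admin/.htaccess demands a login, 1 otherwise.
wp_admin_is_protected() {
    grep -q '^Require valid-user' "$1/wp-admin/.htaccess" 2>/dev/null
}
```

Typical use is `add_htpasswd_user /etc/wp-admin.htpasswd alice 'a long passphrase'` followed by `protect_wp_admin /var/www/wordpress /etc/wp-admin.htpasswd` (both paths are placeholders). One caveat: wp-admin/admin-ajax.php is called from the public side of the site by many plugins and themes, so with this rule in place those requests get a 401 unless you add an exception for that single file.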

Track Login activity on your WordPress server


You can use the "last -i" command on Linux to list all users who have logged in to your WordPress server, along with their IP addresses. If you find an unknown IP address in this list, it is definitely time to change your password.

The following command shows one user's login activity over a longer period, grouped by IP address (replace USERNAME with your shell user name).

last -if /var/log/wtmp.1 | grep USERNAME | awk '{print $3}' | sort | uniq -c
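The pipeline above is easy to extend into a small check that flags addresses you do not recognise. The following shell functions are an added example, not from the original post; they read "last -i" output on standard input so they can be tried against the constructed sample embedded below, and the allowlist of known addresses is whatever you pass in.

```shell
#!/bin/sh
# Added example: summarise "last -i" output per IP and flag unknown ones.
# Real use:  last -i | logins_by_ip USERNAME
#            last -i | unknown_ips USERNAME 203.0.113.5 198.51.100.7

# Constructed sample of "last -i" output (documentation-range addresses,
# not real logins).
SAMPLE_LAST='alice    pts/0        203.0.113.5      Mon Mar  4 10:12   still logged in
alice    pts/1        198.51.100.7     Sun Mar  3 22:01 - 22:40  (00:39)
root     tty1         0.0.0.0          Sun Mar  3 08:00 - 09:00  (01:00)
alice    pts/0        203.0.113.5      Sat Mar  2 09:30 - 10:00  (00:30)

wtmp begins Fri Mar  1 00:00:00 2024'

# Same idea as the page's pipeline: count one user's logins per IP.
# Comparing the whole first field avoids "alice" also matching "alicex".
logins_by_ip() {
    awk -v u="$1" '$1 == u { print $3 }' | sort | uniq -c | sort -rn
}

# Print every address the user logged in from that is NOT in the
# allowlist given as the remaining arguments. Empty output means every
# login came from a known place.
unknown_ips() {
    user=$1
    shift
    known=" $* "
    awk -v u="$user" '$1 == u { print $3 }' | sort -u |
    while read -r ip; do
        case "$known" in
            *" $ip "*) ;;        # known address, nothing to report
            *) echo "$ip" ;;     # new address: review it
        esac
    done
}
```

With the sample, `printf '%s\n' "$SAMPLE_LAST" | unknown_ips alice 203.0.113.5` prints 198.51.100.7, the one address not on the allowlist. A cron job that mails that output whenever it is non-empty turns the manual check in the post into a standing alert.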



Prevent users from browsing your WordPress directories


Open the .htaccess file in your WordPress root directory and add the following line at the top.

Options -Indexes

This prevents outsiders from seeing a listing of the files in any directory that has no index.html or index.php file of its own.
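An added example (not part of the original post): a shell helper that inserts the line above at the top of .htaccess only if it is not already there, so it is safe to re-run, plus a check that lists which directories would otherwise expose a listing. The path to .htaccess and the WordPress root are passed as arguments.

```shell
#!/bin/sh
# Added example: make sure .htaccess turns directory listings off, and
# find the directories that would otherwise show one.

# Return 0 when the file already has an "Options" line containing -Indexes.
indexes_disabled() {
    grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1" 2>/dev/null
}

# Prepend "Options -Indexes" unless it is already present. Writing to a
# temporary file and renaming keeps the original intact if anything fails.
disable_indexes() {
    htaccess=$1
    if indexes_disabled "$htaccess"; then
        return 0
    fi
    tmp="$htaccess.tmp"
    echo "Options -Indexes" > "$tmp"
    if [ -f "$htaccess" ]; then
        cat "$htaccess" >> "$tmp"
    fi
    mv "$tmp" "$htaccess"
}

# List directories under $1 that have neither index.php nor index.html:
# exactly the ones that would show a file listing without -Indexes.
dirs_without_index() {
    find "$1" -type d | while read -r d; do
        if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
            echo "$d"
        fi
    done
}
```

Running `dirs_without_index` before and after the change is a quick way to see how much the one line protects; typically wp-content/uploads and plugin subfolders are on the list.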



Update the WordPress Security Keys

Use the online WordPress key generator to generate six security keys for your WordPress blog. Open the wp-config.php file in the WordPress directory and overwrite the default keys with the new ones.

These random salts make your stored WordPress passwords more secure. The other advantage is that if someone is logged in to your WordPress site without your knowledge, they will be logged out immediately, because their existing cookies become invalid.
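Instead of pasting values from the web generator, you can generate the keys locally and rewrite wp-config.php in place. The functions below are an added example, not from the original post; they assume the standard define() lines for the eight key and salt constants that current WordPress uses (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four matching *_SALT values) and take the path to wp-config.php as an argument.

```shell
#!/bin/sh
# Added example: rotate the WordPress keys and salts in wp-config.php
# with locally generated random values.

WP_KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 32 random bytes from the kernel, printed as 64 hex characters. Hex is
# used because it contains nothing that PHP quoting or sed would mangle.
gen_secret() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Read the current value of one constant: get_wp_key wp-config.php AUTH_KEY
get_wp_key() {
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2',[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

# Replace the value of every key/salt define with a fresh secret.
# The rewrite goes through a temp file so a failure leaves the original.
# The pattern requires the quoted name followed by a comma, so AUTH_KEY
# never matches inside SECURE_AUTH_KEY.
rotate_wp_keys() {
    cfg=$1
    tmp="$cfg.tmp"
    cp "$cfg" "$tmp"
    for name in $WP_KEY_NAMES; do
        secret=$(gen_secret)
        sed "s/^\([[:space:]]*define([[:space:]]*'$name',[[:space:]]*\)'[^']*'/\1'$secret'/" "$tmp" > "$tmp.2"
        mv "$tmp.2" "$tmp"
    done
    mv "$tmp" "$cfg"
}
```

Run `rotate_wp_keys /path/to/wp-config.php` (placeholder path) and every session, including your own, is invalidated on the next request; WordPress reads wp-config.php on each request, so nothing needs restarting. Keep a copy of the old file until you have confirmed you can log back in.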