Yes, the WordPress core is secure, but only after you have taken the necessary precautions.
You’re most likely reading this article because a) you own or manage a website built on WordPress and b) you are concerned about it getting hacked. Well, I’ve got a few tips to help you out. And trust me, these tips come from experience in dealing with WordPress hackers head-on. If you follow each of these 10 steps, you’ll dramatically decrease your odds of getting hacked.
1. Remove the WP version generator tag from the header
WordPress by default tells the entire world, through your page source, the exact version of WordPress you are running. This is of course an incredibly helpful piece of information for hackers, because it tells them which known vulnerabilities apply to your site. A simple snippet of code added to your theme’s functions.php file removes the version number from your site’s header.
See 'How to remove WordPress Version'
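As an added example (my own, not part of the original post or of the WordPress project), here is a small shell script that installs the generator-removal snippet into a theme’s functions.php without duplicating it on re-runs, plus a check that counts generator tags in a fetched page. The path to functions.php is a placeholder you supply; the WordPress hooks used (the wp_generator action on wp_head and the the_generator filter, which also covers RSS/Atom feeds) are real.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths are placeholders.

# The PHP that goes into the theme's functions.php. remove_action() drops the
# <meta name="generator"> tag from wp_head; the the_generator filter also
# blanks the version string WordPress prints in RSS/Atom feeds.
generator_snippet() {
    cat <<'PHP'
// Hide the WordPress version from the HTML head and from feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
PHP
}

# Append the snippet to functions.php exactly once (safe to re-run).
# A trailing "?>" closing tag would turn the appended PHP into page output,
# so refuse to continue until it has been removed.
install_generator_snippet() {
    functions_php="$1"
    if grep -qF "remove_action( 'wp_head', 'wp_generator' )" "$functions_php"; then
        return 0
    fi
    if tail -n 1 "$functions_php" | grep -q '^?>'; then
        echo "$functions_php ends with ?>; remove that closing tag first" >&2
        return 1
    fi
    { printf '\n'; generator_snippet; } >> "$functions_php"
}

# Count generator tags in a page body read from stdin; 0 means the fix worked.
# Usage against a live site:  curl -s https://example.com/ | count_generator_tags
count_generator_tags() {
    grep -c -i '<meta name="generator"' || true
}
```

Run `install_generator_snippet /path/to/wp-content/themes/yourtheme/functions.php`, then fetch the home page and pipe it through `count_generator_tags`; a result of 0 confirms the tag is gone.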
2. Password protect wp-admin with htaccess
Use htaccess to password-protect your wp-admin directory. This effectively creates a powerful two-step login for your administration backend. Blocking hackers at the Apache level with htaccess, rather than only at the WordPress login page, will secure your site tremendously.
Tutorial found here.
3. Protect all wp-include files with htaccess
Because WordPress core files are all standardized, hackers know the location of every core file the moment they hit your server. Use htaccess to block their ability to access those files directly. Tutorial found here.
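As an added example covering steps 2 and 3 (my own, not from the original post or the WordPress project), the following shell functions write the two htaccess files: HTTP Basic authentication in front of wp-admin, and the include-only file block for the site root. It assumes Apache 2.4 syntax, that `AllowOverride` permits `AuthConfig` and `FileInfo` for the site, and placeholder paths for the document root and the password file.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths are placeholders.

# Step 2: Basic auth in front of wp-admin. admin-ajax.php is left reachable
# because themes and plugins call it for logged-out visitors; without the
# exception those front-end features break behind the password prompt.
write_wp_admin_htaccess() {
    docroot="$1"; htpasswd_file="$2"
    cat > "$docroot/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Administration"
AuthUserFile $htpasswd_file
Require valid-user

# Needed by front-end AJAX; keep it reachable without the prompt.
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# Create or update a user in the password file (bcrypt via -B). Keep the
# file OUTSIDE the web root so Apache can never serve it.
create_htpasswd_user() {
    htpasswd_file="$1"; user="$2"
    if [ -f "$htpasswd_file" ]; then
        htpasswd -B "$htpasswd_file" "$user"
    else
        htpasswd -B -c "$htpasswd_file" "$user"
    fi
}

# Step 3: deny direct requests to include-only PHP files. These rules belong
# in the site-root .htaccess ABOVE the "# BEGIN WordPress" block, which
# WordPress rewrites on its own. (Multisite needs an extra exception for
# ms-files.php.)
wp_includes_rules() {
    cat <<'EOF'
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
EOF
}

# Prepend the rules to the root .htaccess once; creates the file if missing
# and keeps any existing content (the WordPress block) below the new rules.
install_wp_includes_rules() {
    ht="$1"
    if [ -f "$ht" ] && grep -qF 'Block the include-only files' "$ht"; then
        return 0
    fi
    {
        wp_includes_rules
        printf '\n'
        if [ -f "$ht" ]; then cat "$ht"; fi
    } > "$ht.new"
    mv "$ht.new" "$ht"
}
```

Typical use: `create_htpasswd_user /etc/apache2/wp.htpasswd admin`, then `write_wp_admin_htaccess /var/www/site /etc/apache2/wp.htpasswd` and `install_wp_includes_rules /var/www/site/.htaccess`. Afterwards a request to `/wp-admin/` should answer 401 until credentials are supplied, and a request to `/wp-includes/version.php` should answer 403.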
4. Move the wp-config file
WordPress lets you move your wp-config.php file up one directory, out of the document root, which makes it harder for hackers to locate and access. Since this is your most critical WordPress file, make sure you follow this step carefully. Tutorial found here.
5. Install the (BBQ) Block Bad Queries plugin
Without getting into any crazy details, the basic explanation of this plugin is that it scans all incoming requests and blocks the bad and malicious ones. In my opinion this is the single most powerful WordPress security plugin you can install on your site. Plugin found here.
6. Disable core plugin and theme updates
Once a hacker gets into your WordPress admin panel, WordPress by default lets him edit theme and plugin files from the dashboard. This snippet of code, when added to your wp-config.php file, prevents the hacker from editing those files. Tutorial found here.
7. Create new author slugs for all users
Unfortunately, by default every user you create in WordPress is given an author “slug” that is exactly the same as the username. So, for example, you can access sitename.com/author/username. Hackers now have 50% of the equation figured out, because they have a user’s username; all that’s left is the password. The Edit Author Slug plugin lets you manually edit that slug so that it differs from the username. Plugin found here.
8. Shut down XML-RPC
XML-RPC is the “pinging” technology built into WordPress. Unfortunately, this technology is what hackers are leveraging these days to perform massive DDoS attacks. You DO NOT want your site or your server participating in one of these DDoS attacks without you even knowing it. This plugin will turn off XML-RPC for you. Plugin found here.
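As an added example covering steps 6 and 8 (my own, not from the original post or the WordPress project), the script below inserts the file-editing constant into wp-config.php idempotently and, as a plugin-free alternative to step 8, drops a must-use plugin that removes the pingback methods and disables authenticated XML-RPC calls. The constants (`DISALLOW_FILE_EDIT`, `DISALLOW_FILE_MODS`) and filters (`xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers`) are real WordPress ones; the document-root path and the “stop editing” marker line are assumptions about a standard install.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths are placeholders.

# Insert define( 'NAME', true ); above the "stop editing" marker that every
# stock wp-config.php carries. The marker sits before wp-settings.php is
# loaded, which is where the constant must already exist. Re-running is a no-op.
add_wp_config_constant() {
    cfg="$1"; name="$2"
    if grep -qF "'$name'" "$cfg"; then
        return 0
    fi
    if ! grep -q 'stop editing' "$cfg"; then
        echo "no 'stop editing' marker in $cfg; add the define by hand" >&2
        return 1
    fi
    awk -v line="define( '$name', true );" \
        'index($0, "stop editing") && !done { print line; done = 1 } { print }' \
        "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
}

# Step 6: DISALLOW_FILE_EDIT removes the theme/plugin editor from the admin
# panel. DISALLOW_FILE_MODS goes further and also blocks installs and updates
# from the dashboard; add it only if you update by deploy or WP-CLI.
harden_wp_config() {
    add_wp_config_constant "$1" DISALLOW_FILE_EDIT
}

# Step 8: a must-use plugin loads unconditionally and cannot be deactivated
# from the admin panel. xmlrpc_enabled only gates methods that log in, so
# the pingback methods (the DDoS vector) are removed explicitly as well, and
# the X-Pingback response header that advertises the endpoint is dropped.
# (The blunt alternative, "<Files xmlrpc.php> Require all denied </Files>" in
# .htaccess, also breaks Jetpack and the mobile apps.)
write_xmlrpc_mu_plugin() {
    docroot="$1"
    mkdir -p "$docroot/wp-content/mu-plugins"
    cat > "$docroot/wp-content/mu-plugins/disable-xmlrpc.php" <<'PHP'
<?php
/* Plugin Name: Disable XML-RPC pingbacks and logins (added example) */
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
PHP
}

# Verify from outside: count pingback.ping in a system.listMethods response
# read from stdin; 0 means the method is gone. Usage:
#   curl -s -X POST -d '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>' \
#        https://example.com/xmlrpc.php | pingback_listed
pingback_listed() {
    grep -c 'pingback.ping' || true
}
```

Run `harden_wp_config /var/www/site/wp-config.php` and `write_xmlrpc_mu_plugin /var/www/site`; the Appearance and Plugins editors disappear from the dashboard, and the listMethods check should report 0.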
9. Make your passwords more complex
I like to use a free tool called Random.org/passwords to generate random, complicated passwords for each user inside WordPress. Just make sure you store these passwords securely somewhere so you don’t lose them. Also make sure to change your passwords at least a couple of times each year.
10. Set up a security scanning service
There are two really good WordPress security scanning services out there: VaultPress and Sucuri. Both are great and will get the job done for you. You need a service that proactively monitors your WordPress files and alerts you when a hacker may be doing damage; that’s what these services are well known for.
Hope these tips help!