
How To Secure WordPress Blog From Hackers in 10 Easy Steps

February 29, 2012 By: Ankur Chauhan (10 Comments)

Protect & Secure WordPress from Hackers: I have been researching a lot these days to find ways to protect and secure my WordPress site from hackers. Since no website can be perfectly secured, it's important that you take the necessary steps to protect WordPress from any possible intrusion.


Steps To Secure & Protect WordPress Blog From Hackers

 

1. Don’t Use “admin” Username for WordPress Administrator

The basic first step in securing your WordPress site is to NOT use the username “admin” for your administrator account. The various auto-install scripts available from hosting providers use admin as the default username, and most users also choose it (since it is the first name that comes to mind).

A brute force attack will surely try this username in its initial attempts to crack the username-password combination. Hence use a different and unique (preferably hard to guess) username, because the attacker will then have to guess both the username and the password to access the site.

Change “admin” username through SQL

In case you are already using the admin username, you can easily change it by going to phpMyAdmin, opening the wp_users table, clicking Browse, and editing the username admin to a new one.

 

2. Secure Login via SSL or Encrypted Channel

SSL secures the data stream to your server by encrypting its content. If your hosting provider supports shared SSL, you can always use SSL while logging in to your WordPress admin area.

To do that, simply paste the following line into your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

 

3. A Strong Password Is The Key To Security

Always use a strong password for your admin account. A strong password should be a combination of uppercase and lowercase characters, numbers and special characters, and should preferably be more than 10 characters long.

 

4. Password Protect wp-admin Folder

It's always better to have multiple layers of security. You can add another layer by enabling password protection for your wp-admin folder, which contains the most important and sensitive parts of your site.

Most hosting providers offer an option to protect folders through cPanel. The same can be done using a .htaccess file.

 

5. Limit Login Attempts and Block IP Address of Intruders

A very useful plugin called Login Lockdown helps protect your admin panel from unauthorized access. It stores the IP address of every failed login and blocks access from that IP range if the number of login attempts crosses a threshold.

Features (Login Lock provides a number of security-enhancing features):

  • Enforces strong password selection policies.
  • Monitors login attempts.
  • Blocks IP addresses after too many failed login attempts.
  • Lets you manually unblock IP addresses at any time.
  • Lets you forcibly log out all users immediately and require that they all change their passwords before logging back in.

Download Login Lockdown
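As an added example (not code from the article or from the Login Lockdown plugin), here is a small must-use plugin that implements the same idea with WordPress's own hooks: it counts failed logins per client address in a transient and refuses authentication once a threshold is crossed. The file location wp-content/mu-plugins/login-limiter.php, the sll_ function names and the threshold, window and block-duration values are assumptions.

```php
<?php
/*
Plugin Name: Simple Login Limiter (added example)
Description: Counts failed logins per client IP and refuses further attempts once a threshold is crossed.
*/

// Assumed policy values (not from the article): 5 failures within 15 minutes block the address for 1 hour.
define( 'SLL_MAX_FAILURES',   5 );
define( 'SLL_FAILURE_WINDOW', 15 * MINUTE_IN_SECONDS );
define( 'SLL_BLOCK_DURATION', HOUR_IN_SECONDS );

// Transient key for the current client address. REMOTE_ADDR is the TCP peer, so behind
// a reverse proxy or CDN you must derive the address from the proxy's forwarded header instead.
function sll_key( $prefix ) {
    return $prefix . md5( isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '' );
}

// Runs on every failed login: bump the counter and block the address once the threshold is reached.
// Attempts made while blocked also fail and count, so a persistent attacker keeps the block alive.
function sll_record_failure( $username ) {
    $failures = (int) get_transient( sll_key( 'sll_fail_' ) ) + 1;
    set_transient( sll_key( 'sll_fail_' ), $failures, SLL_FAILURE_WINDOW );
    if ( $failures >= SLL_MAX_FAILURES ) {
        set_transient( sll_key( 'sll_block_' ), time(), SLL_BLOCK_DURATION );
        // Leave a trace in the PHP error log so blocks can be reviewed later.
        error_log( sprintf( 'login-limiter: blocked %s after %d failures (last username tried: %s)',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?', $failures, $username ) );
    }
}
add_action( 'wp_login_failed', 'sll_record_failure' );

// Runs after WordPress's own username/password check (priority 20): a blocked address gets an
// error regardless of whether the credentials were right, so guessing yields no signal.
function sll_check_block( $user, $username, $password ) {
    if ( false !== get_transient( sll_key( 'sll_block_' ) ) ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'sll_check_block', 30, 3 );

// A successful login clears the failure counter for that address.
function sll_clear_failures() {
    delete_transient( sll_key( 'sll_fail_' ) );
}
add_action( 'wp_login', 'sll_clear_failures' );
```

Transients live in the options table (or the object cache when one is configured), so the counters survive across requests without any extra table.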

 

6. Secure WP-CONFIG.PHP File

The following code sets the keys WordPress uses to encrypt the information stored in its cookies. If your cookies are stolen or otherwise compromised and a hacker gets access to your admin panel, there is no way to stop him from accessing your complete site.

Insert the code in your wp-config.php file. Do not copy the values shown below; use your own unique values for the keys.

Get your unique code from HERE

// Example values only: replace each string with your own unique, random value.
define('AUTH_KEY',         'jh%889E');
define('SECURE_AUTH_KEY',  'knKIHk');
define('LOGGED_IN_KEY',    'dfskk(*&T');
define('NONCE_KEY',        '3kk&^=KN');
define('AUTH_SALT',        'svjjjbdfsj');

These keys are the solution to the above problem: just change their values whenever you suspect that someone has access or is logged in to your admin panel, and the hacker will automatically be logged out of the WordPress admin panel. Change your admin password immediately after this.

 

7. Hide WordPress Version in Header

Add the following line to your theme's functions.php file in order to hide your WordPress version in the header tags.

<?php remove_action('wp_head', 'wp_generator'); ?>

It prevents anyone from discovering whether your WordPress installation is up to date or not.
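The generator tag is not the only place a stock installation announces its version, so as an added example (not from the article) the snippet below goes a step further in functions.php: it removes the header tag as above, strips the ?ver= query string that WordPress appends to its own script and style URLs, and blanks the generator string in feeds. The tet_ function name is an assumption.

```php
<?php
// Added example: remove the places where WordPress advertises its core version.

// 1. The <meta name="generator"> tag in the HTML head (the same call the article recommends).
remove_action( 'wp_head', 'wp_generator' );

// 2. Core script and style URLs carry ?ver=<core version>, which reveals the version just as clearly.
//    Only the core version is stripped; plugin and theme assets keep their own cache-busting value.
function tet_strip_core_version( $src ) {
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'tet_strip_core_version', 10, 1 );
add_filter( 'script_loader_src', 'tet_strip_core_version', 10, 1 );

// 3. The generator element in RSS and Atom feeds, which the wp_head removal above does not cover.
add_filter( 'the_generator', '__return_empty_string' );
```

The readme.html file shipped in the web root also states the version, so delete it or block it from the web server as well.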

 

8. Custom URL for Login Using Stealth Login

Everyone knows that the default login page is www.yoursite.com/wp-login.php. A plugin called “Stealth Login” is used to create a custom login page for your WordPress site. Hence, instead of wp-login.php, your login page could be anything like yoursite.com/MyNewSafeLogin. A hacker would then first have to guess and find your login page in order to attack it.

Get Stealth Login Plugin For WordPress

 

9. Hide WordPress Directories From Public Access

Your WordPress directories and subdirectories could be visible to the public due to improper settings and permissions. Add the following line to the .htaccess file in your WordPress installation directory to hide the contents of directories like wp-includes:

Options -Indexes

 

10. Update And Backup (WP-DB Manager Plugin)

Always update WordPress and your plugins. This closes security vulnerabilities which could otherwise be exploited by a smart hacker.

Backup is the ultimate solution. If anything goes wrong, a backup will help you restore and correct things. Although there are many WordPress plugins available for automated and scheduled backups, a great plugin for automated backups is WP-DB Manager.

This plugin can be used to make automated backups of your WordPress site and send them to your email at a scheduled time.

Download and activate the Plugin

http://downloads.wordpress.org/plugin/wp-dbmanager.zip

Browse to the wp-content/backup-db folder and upload the .htaccess file from the plugin directory.

In your admin panel, a Database link will be visible. Click it and then click on DB Options.

You can then schedule your backup interval (every day etc.) and enter the email address where your backups are sent.

Do not use a very frequent backup interval, as the excessive cron jobs would create problems for your hosting server.

 

No technique is perfect; there are always some loopholes. If you know other great tips to secure your WordPress blog, comment below and let others know how to prevent hackers from attacking your site.

About Ankur Chauhan

Ankur Chauhan is a Computer Science Engineer. His interests lie in software, the Internet, gadgets and technology. Ankur has written over 400 articles on various websites. He is the owner of ankurchauhan.net & techeverytime.com. You can catch him on Twitter @ankurandu.

Comments

  1. Ari Arsyadi says

    March 1, 2012 at 11:53 am

    Nice work Ankur. Very useful and well documented indeed. Would these tips work better without any additional plugins? Also, just curious, should I just do all these steps? Or would just a combination of two or three of them do the trick? Would love to hear your thoughts.

    Again, nice work! Keep up the good work 🙂

    • Ankur Chauhan says

      March 1, 2012 at 12:45 pm

      Hi Ari,
      You do not need to implement each of these steps. I personally use a few of the above mentioned measures for securing my site.
      Thanks for your comment. 🙂

  2. Amit Shaw says

    March 3, 2012 at 11:20 pm

    It's a really great and awesome work, Ankur. Really, you did an awesome job.

    • Ankur Chauhan says

      March 4, 2012 at 9:15 am

      Hi Amit,
      Welcome to the site. I am glad you like my post. Thanks for your comment.

  3. Kuldeep Khatri says

    March 4, 2012 at 10:28 am

    Great Tips Buddy. Thanks for sharing.
    I secured my blog.

    • Ankur Chauhan says

      March 5, 2012 at 7:46 pm

      Hi Kuldeep,
      Thanks for stopping by and caring to comment 🙂

  4. Naser @ Tech Blog says

    March 25, 2012 at 9:40 pm

    Thanks for sharing the tips Ankur. Login Lock Down and password protecting wp-admin are not new to me, but different URL for WordPress Login is new. I saw that you didn’t implement “Stealth Login”. Any reason for that? Any problems with WordPress Login?

    • Ankur Chauhan says

      March 26, 2012 at 7:04 pm

      Actually, Stealth Login is not working for me for some reason. I am looking to implement much stronger restrictions through .htaccess.

      Stealth Login also does the same but .htaccess provides whole new choices.

  5. raj says

    April 5, 2012 at 9:14 am

    Very useful information. I am designing a new WordPress site. Will surely use these tips. Thanks.

  6. Rohit says

    May 8, 2012 at 7:39 pm

    Thanks for the advice, because I'm new with WordPress.
