So, over the last 6 months, every WordPress blog I’ve set up has been hacked in one way or another. It sucks. I thought I was doing everything right, but apparently I didn’t do enough when it comes to security (you can never do enough!). The following are some of the things I did to help secure my sites from malicious evil bastards. Keep in mind that these things can help secure your site, but as far as we know there is no way to keep hackers out 100%. These measures merely make it harder for them, which will hopefully persuade them to move on to another WordPress blog that isn’t as secure as yours.
CAUTION: Look at the date of this post. This information is accurate (to our knowledge) as of December 8th, 2010. We are not responsible for any damage any of our suggestions may cause. We merely compiled and used the following methods to help protect our sites, and so far it’s working.
1. If you are on a shared hosting server, make sure your host has security measures in place. If one site on the server is compromised, many others can be as well.
2. Look into SSH/Shell access instead of FTP uploads.
OK, now to get into it. Many of the items I mention below are handled by the plugins listed further down.
3. Secure your wp-config as well as any other sensitive files with .htaccess by adding these lines:
    # SECURE WP-CONFIG.PHP
    <Files wp-config.php>
    Order Deny,Allow
    Deny from all
    </Files>
    Options -Indexes
4. Make sure your files and folders have the correct permissions set. Some of the more important ones are:
the root, wp-admin, wp-includes, wp-images, wp-content, themes, plugins, upgrade, uploads, etc…
5. In search.php change: <?php echo $_SERVER['PHP_SELF']; ?> to: <?php bloginfo('home'); ?>
6. In your theme’s header.php file, get rid of the name="generator" line.
7. Add a .htaccess file to the wp-admin folder and wp-content/plugins and add this: IndexIgnore *
8. Replace the secret keys in your wp-config.php file with new ones. Visit this URL to generate new ones and cut and paste them. https://api.wordpress.org/secret-key/1.1/ Each time you refresh the page, it will come up with new, unique keys.
9. Some people suggest password protecting your wp-admin directory.
10. Change your default table prefix from wp_ to something crazy like meKH2332m23m324_. The easiest way to do this is to add a line to your wp-config.php like: $table_prefix = 'meKH2332m23m324_'; // custom table prefix
11. Change the “Upload” directory to something more obscure, like “Putapic” or something. You need to understand where to make all of these changes though (you can’t just rename the folder).
12. You can also use an Apache declaration to disable script execution in the uploads folder.
13. Install a fresh copy. Download the most recent version of WordPress.
14. Make sure wp-config.php has its permissions set to 400 immediately (or 0). This holds all of your password info. Also check the permissions on all upload, upgrade and backup directories.
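Items 4, 12 and 14 above are easy to get half-right by hand, so here is an added example (my script, not part of the original post) that applies them in one pass: directories 755 and files 644 (the common defaults, an assumption here since the post does not give numbers), wp-config.php 400 as the post says, and a .htaccess in wp-content/uploads that denies requests for PHP-like files, written in the same Apache 2.2 Order/Deny style the post already uses. The extension list is my choice.

```shell
#!/bin/sh
# Added example, not from the original post. Hardens a WordPress tree:
#   - directories 755, files 644 (assumed defaults), wp-config.php 400 (item 14)
#   - .htaccess in uploads that denies PHP-like files (item 12)
# Usage: harden_wp /path/to/wordpress
harden_wp() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    # Directories traversable, files read-only for group and others.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +

    # wp-config.php holds the DB password and secret keys: owner-read only.
    if [ -f "$root/wp-config.php" ]; then
        chmod 400 "$root/wp-config.php"
    fi

    # Item 12: a script dropped into uploads (say, one disguised as an image but
    # later renamed) is refused by Apache instead of executed. Apache 2.2 syntax.
    uploads="$root/wp-content/uploads"
    mkdir -p "$uploads"
    cat > "$uploads/.htaccess" <<'EOF'
# Deny direct requests for PHP-like files anywhere under uploads
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
Order Deny,Allow
Deny from all
</FilesMatch>
EOF
    chmod 644 "$uploads/.htaccess"
}

# Octal mode of a path, for checking the result (GNU stat, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}
```

Run it once after a fresh install and again after any FTP upload session, since some FTP clients reset modes to whatever the client defaults to.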
15. Move wp-config.php one level above your root directory.
16. Turn off the option to organize installed uploads by month and year.
17. Use STRONG PASSWORDS and change them as often as you can. Use 12-13 character passwords with capitals, lowercase letters, numbers, and different characters like &%*.
18. Disable user registration if not needed.
19. Get rid of your admin account! Add a new user with a more complex name and give them the admin role with full privileges. Then sign in with it and change the old admin account’s role to subscriber. This will limit your vulnerability to brute-force password attacks.
20. Make sure roles and permissions are all low-access.
21. Set up your settings in the strictest ways. You only want users to comment and add content that you truly trust.
22. In the dashboard, secure your general settings. Have the new user default role be a subscriber and uncheck the ability for anyone to register under Membership. You only want users to comment and add content that you truly trust.
23. Don’t give anyone your admin passwords! Keep them in a safe place. Don’t discuss them over the phone or in emails. Make sure to change them periodically too. The WP Security Scan plugin has a tool to check whether your password is strong enough.
24. Make sure your computer doesn’t have any spyware, malware, adware or viruses. Sometimes this is where your security issues originate from.
25. Install Security, Back Ups and Antispam Plugins
These are the ones we’ve heard are the best. Keep in mind that some of these won’t work with others. Also, many don’t work with the most recent update of WordPress. Make sure you only use plugins that you trust. If you only download a few, do the first 4.
26. Make sure the most recent version of WordPress is installed at all times. These new updates usually have security features that can help against current threats.
27. Same with Plugins and Themes. Make sure everything is up to date at all times!
28. Make sure all of your Plugins are trusted. Seriously, this is dumb of me to say. How in the heck do you know if a Plugin is trusted? Amount of downloads? Ratings? I guess those help, but if anyone has any other ideas on how to measure a plugin’s trust, I’m all ears. Hopefully they implement some kind of Trust Certificate someday.
29. Have regular backups run automatically for the whole site including the database. And don’t keep the backups on your server.
30. Watch for new files that look suspicious. WP File Monitor is good for this. A lot of hackers hide backdoors in files that look like img1.jpg or similarly unsuspicious generic files.
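The check item 30 describes can also be scripted. This is an added example (mine, not from the post or the WP File Monitor plugin): it walks an uploads tree and reports image-named files whose contents carry a PHP open tag, plus any outright .php file, which has no business under uploads. The image extension list and the uploads path are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: find "images" under uploads
# that are really PHP code (item 30), plus bare PHP files living there.
# Usage: find_disguised_php /path/to/wp-content/uploads
find_disguised_php() {
    dir="$1"
    # Image-named files (extension match is case-insensitive) whose bytes
    # contain "<?php" or "<?=". -a forces grep to treat binary files as text.
    find "$dir" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
        -o -iname '*.gif' -o -iname '*.ico' \) \
        -exec grep -l -a -E '<\?(php|=)' {} + 2>/dev/null || :
    # Executable PHP under uploads is suspicious by itself.
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \)
}

# Number of suspicious files; handy for a cron job that mails when non-zero.
count_disguised_php() {
    find_disguised_php "$1" | sort -u | wc -l | tr -d ' '
}
```

Pair it with item 12: a file this finds should be unreachable through Apache even before you remove it, and the presence of one means the uploader or the account that used it needs a look.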
31. When adding files, consider using FTP instead of uploading from your WordPress uploader.
32. Report bugs to WordPress: https://codex.wordpress.org/Submitting_Bugs WordPress can’t get any better without your help!