Recently I found that many WordPress-based websites had been hacked or compromised, so I started searching the Internet for security measures that can be taken to protect WordPress-based websites. The following points were common across the various sites I found.
1. Vulnerabilities in the WordPress
A WordPress vulnerability is a flaw in a program or script that allows an attacker to bypass WordPress's normal controls. To avoid such problems, keep your blog updated to the latest version; older versions of WordPress contain old functions and scripts with known weaknesses that can easily be exploited.
Also keep all your plugins updated, and if you are not using a specific plugin, delete it from the system.
2. Secure wp-config.php
The wp-config.php file contains database information such as the database name, database username and password. By default wp-config.php has 644 permissions, which means any normal user on the system can read it. Set the file's permissions to 750 so that other users cannot read it.
3. Rename the administrative account
When WordPress is installed on a system, by default it sets the username “admin” as the administrator of the blog. For better security it is not recommended to keep using “admin”. After installation, create a new user with administrator rights and delete “admin”.
4. Hide WordPress version
If you are running a WordPress version that has known vulnerabilities, it is not a good idea to expose your WordPress version to the public. There are many plugins that hide the WordPress version from the public, or you can simply add “<?php remove_action('wp_head', 'wp_generator'); ?>” to the functions.php of your theme.
5. Protect WP-* Folders
Block wp-* folders from being crawled and indexed by search engines. This can be done by disallowing access to wp-* in robots.txt. Add the following line to your robots.txt:
6. Firewall Plugins
There are a few plugins that scan suspicious-looking requests against rule databases and/or whitelists. BlogSecurity's WPIDS plugin installs “PHPIDS”, a generic security layer for PHP applications, while “WordPress Firewall” uses WordPress-tuned preconfigured rules along with a whitelist to screen out attacks without much configuration.
7. Secure WordPress Database
WordPress is a database-dependent application, so you need a database and a database user. For a WordPress installation you simply create a database with a user, but securing the database also helps to secure your WordPress blog.
The following are a few tweaks to secure the database:
7.1. Grant limited access to a database user: create a user that can access only this database, and grant it only the SQL commands it needs on this database (select, insert, delete, update, create, drop and alter).
7.2. Pick a strong database password
8. Backups
Always make a habit of backing up your blog and database at regular intervals, and do not depend on your hosting company's backups, since the backup they hold may already contain the hacked data (if the backup ran after your blog was hacked). There are many WordPress plugins with which you can take backups.
9. Strong Passwords
Creating a strong password is another way to protect your blog from getting hacked. Changing passwords on a weekly or monthly basis adds further protection.
10. Monitoring Blogs
As the user/admin of a blog you should regularly monitor it for changes, such as a suspicious user getting registered or a file of your blog being changed. If you find any suspicious activity, contact our support team for a deeper investigation.
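A minimal file-change check of the kind this item describes, written here as an added example (not code from the original post): it records a SHA-256 baseline of the WordPress directory tree and reports files that were added, removed or modified since. The skipped directory names, the sample tree it builds and the edits it simulates are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Directories that change legitimately all the time (uploads, caches) are skipped so they do not bury real changes in noise.
SKIP_DIRS = ("wp-content/uploads", "wp-content/cache")

def hash_file(path):
    """SHA-256 of a file; reading it whole is fine for typical WordPress files."""
    with open(path, "rb") as handle:
        return hashlib.sha256(handle.read()).hexdigest()

def build_baseline(root, skip_dirs=SKIP_DIRS):
    """Map every file under root (path relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        prefix = "" if rel_dir == "." else rel_dir + "/"
        # Prune skipped directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if prefix + d not in skip_dirs]
        for name in filenames:
            baseline[prefix + name] = hash_file(os.path.join(dirpath, name))
    return baseline

def compare(baseline, current):
    """Return (added, removed, modified) relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified

def _write(root, rel_path, text):
    path = os.path.join(root, *rel_path.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as handle:
        handle.write(text)

def demo():
    """Constructed sample: a tiny fake WordPress tree, a baseline, then some changes."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'wp'); ?>")
        _write(root, "wp-content/themes/mytheme/functions.php", "<?php // theme ?>")
        _write(root, "wp-content/uploads/photo.jpg", "image bytes")
        baseline = build_baseline(root)
        # Simulated changes: an edited theme file, an unexpected new PHP file, and a
        # new upload (kept out of the report by the skip list).
        _write(root, "wp-content/themes/mytheme/functions.php", "<?php // edited ?>")
        _write(root, "wp-content/themes/mytheme/extra.php", "<?php // new file ?>")
        _write(root, "wp-content/uploads/new.jpg", "more image bytes")
        return compare(baseline, build_baseline(root))
```

In practice, store the baseline (for example as JSON) outside the web root and re-run the comparison from cron, refreshing the baseline only after a deliberate update.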