
How To Protect Your WordPress Blog

Posted By: Arin Dey - September 23, 2011
We often hear that someone's blog has been hacked: the attacker obtained the login details, got into the site and made changes that effectively handed ownership of the blog to the intruder. You can reduce that risk by following some basic security measures and using the protection that WordPress itself provides.


Let's discuss the 'Always' protection methods that will secure your WordPress blog:

1. Always use the latest WordPress version :

The first and most important thing is to keep WordPress up to date. Running an outdated version is asking for trouble: several releases have been shipped purely to fix security holes such as SQL injection, and once a fix is public the hole it closes is public too. Check wordpress.org for the current release, install it, and keep track of new releases as they appear. Upgrading may feel like a chore, but it is the single most effective protection for your blog.

2. Always change your default password :

If you are still logging in to wp-admin with the password emailed to you at installation time, change it now. That generated password is only six alphanumeric characters, so it can be guessed or brute-forced far too easily. Replace it with a string of more than 10 characters that mixes letters, digits and special characters, and DO NOT use words from your blog title or domain name. Remember too that your hosting account and control panel logins (cPanel, for example) guard the same files: give each of them its own strong password, distinct from the WordPress one, and make changing them a monthly habit.

3. Always use SSH/Shell instead of FTP :

This is the most important and most widely applicable step, and in our view the best of the lot: SSH is a secure way to reach your files. FTP sends your user name, your password and the files themselves in clear text, so anyone on the path (a shared Wi-Fi network, a compromised router) can read them, and whoever has your FTP login can modify your files and add spam to your site without your knowledge. So disable FTP (recommended) and use SSH-based transfer instead (SFTP or SCP, which most FTP clients also support): the login and every file transfer are then encrypted.

4. Always install the LoginLock plugin :

Of all the available plugins, this is the one we suggest: it automatically blocks the source IP address after a set number of failed logins to the WordPress admin area. LoginLock stops spammers and bots from trying password combinations until one works. It is the same idea as the account lockout policy Windows applies to domain accounts. LoginLock's default lockout time is 1 hour.
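To show what a lockout plugin actually does, here is an added example of the same mechanism written as a WordPress must-use plugin (drop it into wp-content/mu-plugins/). It is not LoginLock's code and not the page's; the five-attempt threshold and the function names prefixed example_ are assumptions for this illustration, only the one-hour lockout comes from the text above. It counts failures per source IP in a transient that expires on its own, and refuses authentication, with the same message whether or not the password was right, while the IP is locked out.

```php
<?php
/*
Plugin Name: Example login lockout (added example, not LoginLock)
Description: Blocks a source IP for one hour after five failed logins.
*/

// Assumed thresholds for this example; LoginLock's own attempt limit is
// not stated on the page, only its one-hour lockout.
define('EXAMPLE_LOCKOUT_MAX_ATTEMPTS', 5);
define('EXAMPLE_LOCKOUT_SECONDS', 3600);

function example_lockout_client_ip() {
    // REMOTE_ADDR is the TCP peer. Do not read X-Forwarded-For here unless
    // a reverse proxy you control sets it, or an attacker can spoof their
    // way out of the lockout (and lock other people out).
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_lockout_key($ip) {
    // Transients live in the options table (or the object cache) and
    // expire by themselves, so no cron job or cleanup is needed.
    return 'example_lockout_' . md5($ip);
}

// Count failures per IP. wp_authenticate() fires this on a bad password
// or an unknown user name, for wp-login.php and xmlrpc.php alike.
function example_lockout_on_failed_login($username) {
    $key      = example_lockout_key(example_lockout_client_ip());
    $failures = (int) get_transient($key);
    if ($failures >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS) {
        return; // already locked out: keep the original expiry, do not extend it
    }
    set_transient($key, $failures + 1, EXAMPLE_LOCKOUT_SECONDS);
}
add_action('wp_login_failed', 'example_lockout_on_failed_login');

// Refuse authentication while the IP is locked out. Priority 30 runs after
// WordPress's own user/password check (priority 20), which would otherwise
// overwrite an error returned earlier in the chain.
function example_lockout_check($user, $username, $password) {
    $failures = (int) get_transient(example_lockout_key(example_lockout_client_ip()));
    if ($failures >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS) {
        // Same error for right and wrong passwords: no oracle for the attacker.
        return new WP_Error(
            'example_locked_out',
            __('Too many failed login attempts from your address. Try again in an hour.')
        );
    }
    return $user;
}
add_filter('authenticate', 'example_lockout_check', 30, 3);

// A successful login clears the counter for that address.
function example_lockout_on_login($user_login, $user) {
    delete_transient(example_lockout_key(example_lockout_client_ip()));
}
add_action('wp_login', 'example_lockout_on_login', 10, 2);
```

Because the counter is keyed on the client address, an attacker rotating through many addresses is not slowed down, and a whole office behind one NAT address shares a single counter; a strong password (step 2) is still what ultimately protects the account.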

5. Always create a blank index.html file in your /plugins/ directory :

On many hosts the WordPress plugins folder can be listed by anyone who visits http://www.domainname.com/wp-content/plugins, which tells an attacker exactly which plugins, and therefore which known plugin bugs, your site has. Create a blank document in your favourite editor, save it as index.html and upload it to the plugins directory. Now that URL returns a blank page instead of the listing. Note that this hides the list only: a plugin whose name is already known can still be probed directly, so it does not replace keeping plugins updated.

6. Always use a .htaccess file to control access to wp-admin :
You can protect your WordPress admin folder by allowing access only from a defined set of IP addresses; every other visitor gets a Forbidden error. If you routinely access your blog from only one or two places, it is worth implementing. Create a new .htaccess file inside your wp-admin folder; do not replace the one at the site root, which WordPress maintains itself for permalinks.
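As an added example for steps 5 and 6 (not configuration from the original post), the two .htaccess files below restrict wp-admin to an allow-list of addresses and switch off directory listings for the plugins folder. It uses Apache 2.4 syntax; on Apache 2.2 the equivalent of the Require lines is Order deny,allow / Deny from all / Allow from <address>. The addresses 203.0.113.10 and 198.51.100.0/24 are documentation placeholders, substitute your own, and your host must permit AuthConfig and Options overrides in .htaccess for the directives to take effect.

```apache
# ---- wp-admin/.htaccess (new file; leave the site-root .htaccess alone) ----

# Only these addresses may reach anything under wp-admin; everyone else
# receives 403 Forbidden. Placeholder addresses, replace with your own.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>

# Themes and plugins call admin-ajax.php for logged-out visitors as well
# (comment forms, "load more" buttons). Without this exemption those
# features break for every visitor outside the allow-list.
<Files admin-ajax.php>
    Require all granted
</Files>

# ---- wp-content/plugins/.htaccess ----

# Server-side equivalent of the blank index.html from step 5, and it also
# covers every plugin subdirectory that has no index file of its own.
Options -Indexes
```

One caveat: wp-login.php lives at the site root, not inside wp-admin, so this allow-list does not stop password guessing against the login form itself; a lockout plugin (step 4) or a second <Files wp-login.php> block in the root .htaccess covers that.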

7. Always remove the version string from your header.php file :
By default every page of your blog announces the WordPress version in a generator meta tag. If you are running, say, version 2.2 while the current release is 2.3, that tag tells any attacker or spammer exactly which already-fixed bugs your site still has, which makes breaking into wp-admin a much easier job. Make it normal practice to remove the version string from header.php (in newer themes the tag is emitted by the wp_head() call rather than written out in the template, so it has to be unhooked instead), and remember that hiding the version is no substitute for upgrading.
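Since most themes no longer carry the generator tag as a literal line in header.php, here is an added example (not code from the original post) of removing the version string from the places WordPress prints it: the wp_head generator tag, the feed generator element, and the ?ver= query string on core scripts and styles. The function name example_strip_core_version is an assumption for this illustration; the hooks and functions it calls are WordPress's own. Save it in wp-content/mu-plugins/.

```php
<?php
/*
Plugin Name: Example version-string removal (added example, not the page's code)
*/

// Modern themes emit <meta name="generator" content="WordPress x.y"> from
// the wp_head action, not from header.php, so unhook it there.
remove_action('wp_head', 'wp_generator');

// The version is also printed in RSS/Atom feeds and the RSD/export XML
// through the the_generator filter; blank it everywhere.
add_filter('the_generator', '__return_empty_string');

// Core scripts and styles are enqueued as /wp-includes/js/...?ver=<core version>.
// Drop the parameter only when it equals the core version, so plugin and
// theme assets keep their own cache-busting values.
function example_strip_core_version($src) {
    global $wp_version;
    $query = parse_url($src, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return $src;            // no query string, nothing to strip
    }
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === $wp_version) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'example_strip_core_version');
add_filter('style_loader_src', 'example_strip_core_version');
```

Two things this cannot hide: the readme.html file shipped in the site root states the version outright (delete it or block it in .htaccess), and the contents of core CSS and JavaScript files fingerprint the release anyway, which is one more reason step 1 matters more than this one.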

8. Always block the wp-* folders from the search engines :
It goes without saying, but it is easy to forget. There is no need for all of your WordPress files to be indexed by Google, so block them in your robots.txt file by adding Disallow: /wp-* to your list. Keep in mind that robots.txt is advisory and public: well-behaved crawlers honour it, while attackers read it to learn your paths and then ignore it, so it keeps admin pages out of search results but is not an access control.
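As an added example (not the robots.txt from the original post), the file below applies the same idea more narrowly than a blanket /wp-* rule. A /wp-* pattern also excludes /wp-content/, which holds your theme's CSS and JavaScript and your uploaded images; Google then cannot render your pages properly and will not index the images. The rules here block only the administrative paths and keep admin-ajax.php reachable for crawlers, which some themes request from the front end.

```text
User-agent: *
# Administrative and login entry points: nothing here belongs in a search index.
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-login.php
Disallow: /xmlrpc.php
# Front-end features call this endpoint; leave it crawlable so page rendering is not affected.
Allow: /wp-admin/admin-ajax.php
# /wp-content/ is deliberately NOT disallowed: themes, styles and uploads live there.
```

Note that Allow: and the * wildcard are extensions honoured by Google and most large crawlers but not part of the original robots.txt convention, and that this file is readable by anyone at /robots.txt, so it must never be used to "hide" something sensitive.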

We hope the above steps help you customize, maintain and protect your blog. If you know of further security measures that would give better protection, please share them with us.

Copyright © 2010-2023 Poketors | The content of this website is copyrighted and may not be reproduced on other websites.| Email us at : admin@poketors.com.