How to Prevent WordPress Hacking
WordPress is a free open-source blogging tool and also the most SEO-friendly CMS on the Internet. A great many bloggers, from amateur to professional, use self-hosted WordPress as their blog publishing platform. This explains why WordPress is a main target of hackers' attacks. Earlier this year, numerous blogs running on the WordPress platform were hacked in order to infect visitors all over the world.
In the mass attacks on websites using WordPress, the hackers did not change or create any files on the website; they just injected a web address into the database. Every visitor to the website is then redirected to the injected malicious site. My blog was also a victim of these attacks, and I didn't even notice it until I received a warning from Google. Somehow the hackers had injected a malicious script into the footer, and my blog only came back to normal after I removed this script from the footer.php file of my theme. It had extremely serious consequences for my blog: I lost many visitors, and Google did not index it for a few weeks. I learned a valuable lesson from this incident: "Prevention is better than cure".
Therefore, in this article I want to share with you 4 tips I have applied to protect my WordPress blog from hackers' attacks.
1. Limit access to WordPress files and folders
- In the mass attacks I mentioned above, a number of security weaknesses contributed to the WordPress vulnerability, including the fact that WordPress stores the database credentials in plain text in the wp-config file, which many WordPress users leave readable by anyone. So the first thing you need to do is chmod the files wp-config.php and .htaccess to 404 (read-only), so that if there is any problem, the database information will not be revealed and your important data will not be lost or stolen.
- We also need to limit access to our wp-admin folder by using .htaccess and assigning specific IPs that can access it. Firstly, open your .htaccess file located in your /wp-admin folder (Do not edit your root .htaccess file), and make a backup. Then paste the following code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist Tuan's IP address
allow from xx.xx.xx.xxx
# whitelist Brian's IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx
Replace xx.xx.xx.xxx with your IP addresses and save the file. You can add more IPs if needed by adding a new line containing "allow from xx.xx.xxx.xx". This solution keeps your wp-admin folder closed to every address that is not listed. The only downside of this tip is that if you want to access your wp-admin panel from somewhere else, you will have to add an extra IP address first.
- If you don't want to change the .htaccess file, try to chmod the WordPress folders to 101 so that no one can list their contents. When you want to edit these folders, chmod them to 701, and remember to chmod them back to 101 when you are done.
2. Keep WordPress up-to-date
Updating WordPress has become very easy: the newest version automatically notifies you in your dashboard if there are any updates for your WordPress core or plugins. Since WordPress 3.0, the Tools->Upgrade menu option has moved to Dashboard->Updates, and theme, plugin, and core upgrades are all under one panel. Now you can update WordPress and plugins with just a click. Don't be lazy: upgrade your WordPress, themes and plug-ins as soon as updates are available, or you leave yourself open to being hacked.
3. Use Captcha whenever possible
Captcha can be used on comment forms, the login form and contact forms. I don't recommend using Captcha for comments, though, as it discourages readers from leaving comments on your blog. There is a plug-in that virtually eliminates spam comments and can save you a lot of time moderating comments: the Conditional Captcha plug-in. After installing it, the Captcha only shows up for comments that Akismet has flagged as suspected spam. Joe Boyle wrote a very good tutorial on this plug-in; you can check it out here: Eliminate Spam With Conditional Captcha.
4. Hide the WordPress version
Hackers may find out your WordPress version and exploit the security holes known for it. You probably don't want to display the WordPress version in your website's source. WordPress themes have a line in header.php that displays the current version. To protect your blog, open the header.php file and find the following code:
and replace with:
<meta name="generator" content="WordPress" />
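As an added example (not code from the article), here is a small POSIX shell audit that covers tips 1 and 4: it checks that wp-config.php and .htaccess are not group- or world-writable, that wp-admin/.htaccess denies by default and whitelists at least one address, and that the theme's header.php no longer prints the version. The file layout and the assumption that a theme prints the version with bloginfo('version') are assumptions about a standard install.

```shell
#!/bin/sh
# Added audit script, not from the article: checks a WordPress root against
# the hardening points above. Every check prints a verdict and returns 0/1.

# Nine-character permission string of a path, e.g. "r--r--r--" for chmod 404.
mode_of() { ls -ldL "$1" | cut -c2-10; }

# Pass when the file exists and is not writable by group or others.
check_readonly() {
    [ -e "$1" ] || { echo "FAIL: $1 is missing"; return 1; }
    case "$(mode_of "$1")" in
        ????w*|???????w*) echo "FAIL: $1 is group/world writable"; return 1 ;;
    esac
    echo "ok: $1 is read-only for group and others"
}

# Pass when wp-admin/.htaccess denies by default and whitelists at least one IP
# (a deny-all with no allow line would lock the owner out too).
check_admin_htaccess() {
    f="$1/wp-admin/.htaccess"
    [ -f "$f" ] || { echo "FAIL: $f is missing"; return 1; }
    grep -qiE '^[[:space:]]*deny from all' "$f" ||
        { echo "FAIL: $f has no 'deny from all'"; return 1; }
    grep -qiE '^[[:space:]]*allow from' "$f" ||
        { echo "FAIL: $f allows no IP at all"; return 1; }
    echo "ok: $f limits wp-admin to the listed IPs"
}

# Pass when the theme's header.php no longer prints the version in the
# generator tag; assumes the theme uses bloginfo('version') for that.
check_generator() {
    f="$1/wp-content/themes/$2/header.php"
    [ -f "$f" ] || { echo "skip: $f not found"; return 0; }
    grep -q "bloginfo('version')" "$f" &&
        { echo "FAIL: $f leaks the WordPress version"; return 1; }
    echo "ok: $f does not expose the version"
}

# Run all checks on a WordPress root and theme; return the number of failures.
audit_wordpress() {
    fails=0
    check_readonly "$1/wp-config.php" || fails=$((fails + 1))
    check_readonly "$1/.htaccess"     || fails=$((fails + 1))
    check_admin_htaccess "$1"         || fails=$((fails + 1))
    check_generator "$1" "$2"         || fails=$((fails + 1))
    return "$fails"
}
```

Run it as `audit_wordpress /path/to/wordpress your-theme`; a non-zero exit status is the number of failed checks.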