How to Prevent Hacking of WordPress Blog
by Varun Yadla, July 5, 2011
WordPress is a free, open-source blogging tool and the most SEO-friendly CMS on the Internet. A great many bloggers, from hobbyists to professionals, use self-hosted WordPress as their blog publishing platform.
That popularity makes it clear why WordPress is a main target of hackers' attacks. Earlier this year, numerous blogs running WordPress were hacked in order to infect their visitors all over the world.
Limiting access to WordPress files and folders
In the mass attacks mentioned above, a number of security weaknesses contributed to the WordPress vulnerability, including the fact that WordPress stores the database details in plain text in wp-config.php, a file that many WordPress users leave readable by anyone. So the first thing to do is chmod the files wp-config.php and .htaccess to 404 (read-only), so that if anything goes wrong the database details are not revealed and your important data is not lost or stolen. We also need to limit access to the wp-admin folder by using .htaccess to allow only specific IP addresses. First, open the .htaccess file located in your /wp-admin folder (do not edit your root .htaccess file) and make a backup.
Then paste the following code:
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist Tuan's IP address
allow from xx.xx.xx.xxx
# whitelist Brian's IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx
Replace xx.xx.xx.xxx with your IP addresses and save the file. You can add more IPs if needed by adding a new line containing "allow from xx.xx.xx.xxx". This solution will keep your wp-admin folder safe. The only downside of this tip is that if you access your wp-admin panel from somewhere else, you will have to add an extra IP address. If you don't want to change the .htaccess file, try to chmod the WordPress folders to 101 so that no one can see their contents. When you want to edit these folders, chmod them to 701 and remember to chmod them back to 101 when you are done.
Keep WordPress up to date
WordPress has become very easy to update: the most recent version automatically notifies you in your dashboard when there are updates for WordPress itself or for your plugins. Since WordPress 3.0, the Tools->Upgrade menu option has moved to Dashboard->Updates, and theme, plugin and core upgrades are all under one panel. You can now update WordPress and plugins with just a click. Do not be lazy about upgrading your WordPress, themes and plug-ins as soon as updates are available, or you leave yourself open to being hacked.
Use a free, secure CAPTCHA whenever possible
Try to use a free, secure CAPTCHA for comments, the login form and contact forms. There is a plug-in that virtually eliminates spam comments and can save you a lot of time moderating comments: Conditional CAPTCHA. After installing it, a CAPTCHA is only shown for comments that Akismet flags as suspected spam.
Disable directory indexes
Disabling indexes means that when somebody navigates to a directory on your server, it will not give them a listing of the folders and files in that directory. This is particularly important because a number of WordPress hacks target vulnerabilities in plugins. So if your wp-content/plugins/ directory is browsable, you are giving away which plugins you are using. This may well be used to target sites that use a particular plugin, or, if you have enemies, someone might use it to find a vulnerability specific to one of your plugins. Due to a lack of security awareness, many sites have their plugins directory indexed.
If you are using Apache as your web server (the most popular choice), you can disable indexes by adding one line to the .htaccess in the root of your WordPress install, that is, the main directory with index.php in it. Just add Options -Indexes anywhere in that .htaccess file. If you ever need to enable indexes in a directory, all you need to do is add Options Indexes to a .htaccess file in that directory. For those who are not using Apache, other options will be available for your server. Alternatively, if you prefer a quick hack, you can put an index.html file in every directory you do not want people to be able to browse. Then, when someone loads a directory, they will just be shown the index.html.
Remove or hide the WordPress version number
Open any WordPress blog and view its source code, and you will find this code. Hackers can use it to find out your WordPress version and exploit its security holes. You may not want to display the WordPress version in your website's source. WordPress themes have a line in header.php that displays the current version.
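As an added example (not the article's own code), here is a small POSIX shell audit that checks a WordPress directory tree for the points covered above: wp-config.php permissions, Options -Indexes in the root .htaccess, an IP-restricted wp-admin/.htaccess, and a theme header that prints the version. The make_sample_install and harden_sample_install helpers, the demo theme and the 203.0.113.7 address are constructed placeholders; the permission check flags a world-writable config rather than enforcing one specific mode.

```shell
#!/bin/sh
# Audit script added for this article (not the article's own code): it checks a
# WordPress tree for the four items discussed, using a constructed weak install.

# "others" permission bits: columns 8-10 of ls -l output (portable, no stat).
others_bits() { ls -ld "$1" | cut -c8-10; }

# Print one FINDING line per problem; the return code is the number of findings.
wp_audit() {
  root="$1"; count=0
  # wp-config.php holds the database credentials in plain text.
  case "$(others_bits "$root/wp-config.php" 2>/dev/null)" in
    "")  echo "FINDING: wp-config.php not found"; count=$((count+1)) ;;
    *w*) echo "FINDING: wp-config.php is world-writable"; count=$((count+1)) ;;
  esac
  # Without Options -Indexes, wp-content/plugins/ lists the installed plugins.
  grep -Eqs '^[[:space:]]*Options[[:space:]]+.*-Indexes' "$root/.htaccess" ||
    { echo "FINDING: root .htaccess lacks 'Options -Indexes'"; count=$((count+1)); }
  # wp-admin/ should be limited to known IPs: Apache 2.2 'deny from all' plus
  # allow lines as in the article, or the 2.4 'Require ip' form.
  grep -Eqsi '^[[:space:]]*(deny from all|Require (ip|all denied))' "$root/wp-admin/.htaccess" ||
    { echo "FINDING: wp-admin/.htaccess does not restrict access by IP"; count=$((count+1)); }
  # A theme header that prints bloginfo('version') discloses the WordPress version.
  grep -rEqs "bloginfo\( *['\"]version['\"] *\)" "$root/wp-content/themes" &&
    { echo "FINDING: a theme prints the WordPress version number"; count=$((count+1)); }
  return "$count"
}

# Constructed weak install: world-writable config, no -Indexes, open wp-admin/,
# and a theme header that prints the version.
make_sample_install() {
  mkdir -p "$1/wp-admin" "$1/wp-content/plugins" "$1/wp-content/themes/demo"
  echo 'define("DB_PASSWORD", "constructed-example");' > "$1/wp-config.php"
  chmod 666 "$1/wp-config.php"
  echo 'RewriteEngine On' > "$1/.htaccess"
  echo "<meta name=\"generator\" content=\"WordPress <?php bloginfo('version'); ?>\" />" > "$1/wp-content/themes/demo/header.php"
}

# The article's fixes; 203.0.113.7 is a placeholder from the documentation range.
harden_sample_install() {
  chmod o-w "$1/wp-config.php"
  echo 'Options -Indexes' >> "$1/.htaccess"
  printf 'order deny,allow\ndeny from all\nallow from 203.0.113.7\n' > "$1/wp-admin/.htaccess"
  echo '<title>demo</title>' > "$1/wp-content/themes/demo/header.php"
}

tmp=$(mktemp -d); make_sample_install "$tmp"
echo "--- before hardening"; wp_audit "$tmp" || echo "$? finding(s)"
harden_sample_install "$tmp"
echo "--- after hardening"; wp_audit "$tmp" && echo "no findings"; rm -rf "$tmp"
```

Run wp_audit against a real install's document root to list what still needs fixing; the return code is the number of findings, so it can gate a deploy script.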