Enhancing your site’s security
Taking the time to secure your site is one of the most important things you can do to protect it from being hacked and to spare yourself the headaches and lost time of cleaning up afterwards. Our themes already include an additional layer of security that automatically helps protect your site on web hosts that allow the changes and server instructions we’ve built in. You should by no means rely on this alone, as our modifications only scratch the surface.
We’ve compiled a list of tips and plugins that you can use to take your site’s security to the next level. Please note that some of these tips require changing server configurations and modifying files, and should only be attempted by those familiar with the files they are changing. Use them at your own risk.
General Tips:
- Always keep WordPress up to date by upgrading to the newest version – While an obvious tip, it is one of the best ways to protect your site. Many break-ins happen through vulnerabilities found and exploited in WordPress core. Updates fix these vulnerabilities and help keep your site safe.
- Always keep your plugins up to date – This goes hand in hand with the tip above. When WordPress updates its software, plugins often need to be updated as well to stay functional and bug free. Keeping them updated ensures your site stays secure.
- Get rid of the “admin” user – Many people use the “admin” username for their admin panel because it is typically the default username created by one-click installers. Since this default user exists on most WordPress sites, an attacker who knows it only has to guess your password to get into your dashboard. The solution is simple: create a new user with “administrator” privileges, then delete the old admin user, making sure you assign all of admin’s posts and pages to the new administrator.
- Use a strong and secure password – This is almost a no-brainer but needs to be addressed. Many people use a simple and common password for their site because they think their site will never be a target. That is far from the truth: many attackers break into sites simply because they can, and will target anyone. Save yourself the time and headache of dealing with a hacked site by using a strong password that includes lowercase letters, uppercase letters, numbers and symbols. Do not reuse it anywhere else, and change it regularly. A highly recommended program for generating and storing your passwords is 1Password by AgileBits. You can check out their website at: https://agilebits.com/onepassword
Plugins:
- WP Security Scan Plugin – WP Security Scan checks your WordPress website/blog for security vulnerabilities and suggests corrective actions covering passwords, file permissions, database security, version hiding, WordPress admin protection and more.
- Ultimate Security Checker – Ultimate Security Checker helps you identify security problems with your WordPress installation. It scans your blog and gives it a security grade based on the tests it passes.
- BulletProof Security – BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, code injection and SQL injection attempts by modifying your server’s .htaccess file, which is essentially the gatekeeper for your site.
- Limit Login Attempts – By default WordPress allows unlimited login attempts, either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-forced with relative ease. Limit Login Attempts blocks an Internet address from making further attempts after a specified number of retries is reached, making a brute-force attack difficult or impossible.
- WP-DB-Backup – WP-DB-Backup allows you to easily back up your core WordPress database tables. You may also back up other tables in the same database.
- WordPress Backup to Dropbox – WordPress Backup to Dropbox makes it easy to back up your site to Dropbox. Just select a day, a time and how often to back up, and you’re all set.
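To show the mechanism behind the Limit Login Attempts tip, here is an added example of a minimal must-use plugin (not the theme’s code and not that plugin’s code) that counts failed logins per client address in a transient and refuses further attempts once a threshold is hit. The thresholds, the `lla_` names and the `wp-content/mu-plugins/` location are assumptions.

```php
<?php
/*
 * Plugin Name: Per-IP login lockout (added example)
 *
 * Added example illustrating the "Limit Login Attempts" idea; not the theme's
 * or that plugin's code. Place it in wp-content/mu-plugins/ so it loads on
 * every request. The thresholds below are assumptions; adjust them as needed.
 */

const LLA_MAX_FAILURES    = 5;    // failed attempts allowed per address
const LLA_LOCKOUT_SECONDS = 900;  // counter lifetime, i.e. the lockout window

// One counter per client address. Assumes the web server talks to clients
// directly; behind a reverse proxy REMOTE_ADDR is the proxy, and a forwarded
// header must only be trusted when it really comes from that proxy.
function lla_counter_key() {
    $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lla_failures_' . md5( $addr );
}

// Each failed login bumps the counter and restarts its expiry, so the window
// keeps extending while attempts continue; the transient expires by itself.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = lla_counter_key();
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, LLA_LOCKOUT_SECONDS );
} );

// Priority 99 runs after WordPress's own credential checks (priority 20), so a
// locked-out address is refused even when it finally supplies the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lla_counter_key() ) >= LLA_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_failures',
            sprintf( 'Too many failed logins from your address. Try again in %d minutes.',
                     LLA_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}, 99, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( lla_counter_key() );
} );
```

Because it hooks the `authenticate` filter rather than the login form, the same lockout also applies to XML-RPC and application-password logins, which go through the same filter.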
Manual Tweaks:
- Protect wp-config.php – wp-config.php is one of the most important files in your WordPress installation. It holds the credentials for your database, and if it can be read it gives an attacker all the information they need to access your site’s data. A couple of the plugins above add this code automatically, but if you are not using one of them we suggest you add this piece of code to your .htaccess file:

```apache
# protect wp-config.php
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, replace the
#  two "order"/"deny" lines with:  Require all denied)
<files wp-config.php>
order allow,deny
deny from all
</files>
```

The .htaccess file will be in your www root directory (often called public_html). If it is not there, you can create the file and add the above code to it.
- Deny comment posting to requests with no referrer – Tired of all the spam comments on your blog? You should always use the Akismet plugin first, but to help it along there is a .htaccess trick that stops some spammers posting on your blog. Most spam bots post directly to wp-comments-post.php without ever loading a page on your site, so they arrive with no Referer header (or no User-Agent at all). This code checks the referrer (the page the commenter came from) and refuses the comment if wp-comments-post.php is requested without coming directly from your blog. Be sure to change `yourblog\.com` on line 4 to your own domain, keeping the backslash before the dot. Note that the Referer header is set by the client and is trivially forged, so this only filters out the laziest bots; it is a supplement to Akismet, not a replacement.

```apache
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !.*yourblog\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Bounce the request back to the sender's own address instead of accepting the comment
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
```