In this tutorial we will learn how to harden WordPress account security:
1. Keep WordPress Account Updated: Enable automatic updates for WordPress in your account settings, and also update themes and plugins at regular intervals. You can insert this code into your wp-config.php file to enable automatic updates:
For WordPress:
define( 'WP_AUTO_UPDATE_CORE', true );
For plugins:
add_filter( 'auto_update_plugin', '__return_true' );
For themes:
add_filter( 'auto_update_theme', '__return_true' );
In your WordPress Admin dashboard you will find a notification at the top about available updates, as shown below:
2. Install From Trusted Sources: Always install themes and plugins from trusted sources like Wordpress.org and Wordpress.com. Do not use nulled themes or plugins, as they have malicious code hidden in them.
3. Remove Unwanted/Unused Themes & Plugins: There may be themes or plugins in your WordPress account that are no longer used but are still installed. You should remove them to make your site more secure and faster.
4. Use a Security Plugin: You can install a security plugin in your WordPress account so that it protects the site from external threats. Some very popular and effective security plugins are:
· Bullet-proof security plugin
· Timthumb Vulnerability Scanner
5. Use Strong Passwords: Today most accounts are hacked because of weak or easily guessable passwords. Hackers are now smart enough to guess your passwords from a little information about your domain.
You should always use STRONG and COMPLEX passwords for your WordPress login, FTP, cPanel and database. We recommend using passwords generated by a password generator. You can also force your users to use strong passwords with the Force Strong Password plugin.
6. Delete the ‘admin’ account: As we all know, the default WordPress administrator account has the username ‘admin’. Using ‘admin’ as the username is very much like opening a backdoor for a hacker. You should avoid it and choose a different username while installing WordPress.
· If you are already using the “admin” username, first create a new user with the Administrator role.
· Go to the WP Dashboard » Users » Add New User screen. Create a new user with the role of Administrator.
· Now log out of your account and log in again with the newly created administrator user.
· Now delete the “admin” user from the account, but before that make sure you transfer all of the content created by ‘admin’ to your new user account.
7. Secure your ‘wp-config.php’ file: This file contains all your site and database configuration details. You must protect it accordingly.
· First, fully restrict web access to your ‘wp-config.php’ file through the .htaccess file. You can put the code below in your .htaccess file.
<files wp-config.php>
order allow,deny
deny from all
</files>
· Second, move the ‘wp-config.php’ file one level up. On most Linux servers the location of the ‘wp-config.php’ file is /home/username/public_html/wp-config.php. You have to move it one level up so that its path becomes /home/username/wp-config.php.
· Third, set file permission 600 on wp-config.php.
8. Disable File Editing: By default WordPress allows administrator users to edit theme and plugin files from the dashboard. You should restrict this, as hackers frequently use this editor to modify files. Put the code below in the ‘wp-config.php’ file.
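The three steps above as one script. This is an added example, not code from the tutorial; it assumes a layout like /home/username/public_html with wp-config.php in the document root and an Apache server that reads .htaccess, and the function names are placeholders. It emits the Apache 2.4 `Require` form beside the 2.2 `Order`/`Deny` form, because Apache 2.4 only understands `Order` and `Deny` when mod_access_compat is loaded.

```shell
#!/bin/sh
# Added example for item 7 (not from the tutorial): protect wp-config.php by
# denying web access, moving it above the document root, and setting mode 600.
# DOCROOT is assumed to be the directory that holds wp-config.php, for example
# /home/username/public_html. Usage: protect_wpconfig /home/username/public_html

# protect_wpconfig DOCROOT
protect_wpconfig() {
  docroot="$1"
  parent=$(dirname "$docroot")

  # 1. Deny direct requests for wp-config.php. Order/Deny is Apache 2.2 syntax;
  #    Apache 2.4 uses Require, so both are emitted behind IfModule guards.
  cat >> "$docroot/.htaccess" <<'EOF'
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF

  # 2. Move the file one level up. WordPress looks for wp-config.php in the
  #    parent directory when it is absent from the document root, provided the
  #    parent is not itself another WordPress installation.
  if [ -f "$docroot/wp-config.php" ]; then
    mv "$docroot/wp-config.php" "$parent/wp-config.php"
  fi

  # 3. Owner read/write only.
  chmod 600 "$parent/wp-config.php"
}

# verify_wpconfig DOCROOT: returns 0 only if all three protections are in place.
verify_wpconfig() {
  docroot="$1"
  parent=$(dirname "$docroot")
  [ ! -f "$docroot/wp-config.php" ] || return 1
  [ -f "$parent/wp-config.php" ] || return 1
  mode=$(stat -c %a "$parent/wp-config.php" 2>/dev/null || stat -f %Lp "$parent/wp-config.php")
  [ "$mode" = "600" ] || return 1
  grep -q '<Files wp-config.php>' "$docroot/.htaccess" 2>/dev/null || return 1
  return 0
}
```

Mode 600 means only the file's owner can read it, so the owner must be the account PHP runs under (if PHP runs as the web server user instead, 640 with that user's group is the usual compromise). Once the file has been moved, the .htaccess rule only matters if a copy is ever put back into the document root.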
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true );
9. Update your wp-salts: The wp-salts are the constants defined in your ‘wp-config.php’ file, and they should be updated regularly to improve your security. You can use the Salt Shaker plugin for this.
10. Restrict the ‘wp-admin’ folder: You can restrict the wp-admin folder to the specific IP range from which you access it and deny the rest of the world using a .htaccess file. Create a .htaccess file inside your ‘wp-admin’ folder and put this code in it.
Order Deny,Allow
Deny from all
Allow from <your-ip-range>
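An added example for item 10 (not code from the tutorial) that writes the wp-admin/.htaccess allowlist for one or more ranges. It validates each range as a dotted-quad IPv4 address with an optional CIDR prefix (IPv6 is not handled), emits the Apache 2.4 `Require ip` form beside the 2.2 `Order`/`Deny`/`Allow` form, and keeps wp-admin/admin-ajax.php reachable, because themes and plugins call that file from the public site and an unconditional deny breaks those features. Function and directory names are placeholders.

```shell
#!/bin/sh
# Added example for item 10 (not from the tutorial): write wp-admin/.htaccess so
# that only the listed IPv4 ranges can reach the admin area. DOCROOT is the
# WordPress root directory; names are placeholders.
# Usage: write_wpadmin_htaccess /home/username/public_html 203.0.113.0/24

# valid_range RANGE: dotted-quad IPv4 with an optional /prefix (IPv6 not handled).
valid_range() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# write_wpadmin_htaccess DOCROOT RANGE [RANGE...]
write_wpadmin_htaccess() {
  docroot="$1"
  shift
  [ $# -gt 0 ] || { echo "at least one range is required" >&2; return 1; }
  for r in "$@"; do
    valid_range "$r" || { echo "rejected range: $r" >&2; return 1; }
  done
  mkdir -p "$docroot/wp-admin"
  {
    echo '# Admin area restricted to trusted ranges (Apache 2.4 and 2.2 syntax).'
    echo '<IfModule mod_authz_core.c>'
    echo "  Require ip $*"
    echo '</IfModule>'
    echo '<IfModule !mod_authz_core.c>'
    echo '  Order Deny,Allow'
    echo '  Deny from all'
    for r in "$@"; do echo "  Allow from $r"; done
    echo '</IfModule>'
    # admin-ajax.php is requested by ordinary visitors' browsers, so it stays open.
    echo '<Files admin-ajax.php>'
    echo '  <IfModule mod_authz_core.c>'
    echo '    Require all granted'
    echo '  </IfModule>'
    echo '  <IfModule !mod_authz_core.c>'
    echo '    Order Allow,Deny'
    echo '    Allow from all'
    echo '  </IfModule>'
    echo '</Files>'
  } > "$docroot/wp-admin/.htaccess"
}
```

If your address changes (home connections, mobile networks) you lock yourself out of the dashboard, so pair this with a second access path such as SSH to the server to edit the file.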
11. Limit Login Attempts: By default a WordPress account has no limit on password guesses. This is quite dangerous, as a hacker may attempt to log in an unlimited number of times using a brute-force attack. You can limit logins by using the WP Limit Login Attempts plugin.
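The plugin above blocks repeated attempts; the same pattern can be spotted after the fact in the web server's access log. The script below is an added example, not code from the tutorial: it counts POST requests to wp-login.php per client address in a combined-format log and reports the addresses above a threshold. A failed WordPress login re-renders the form with HTTP 200, while a successful one redirects with 302, so only 200 responses to POST are counted as failures. The log lines are constructed, with addresses from the RFC 5737 documentation ranges; the function names are placeholders.

```shell
#!/bin/sh
# Added example for item 11 (not from the tutorial): find client addresses that
# keep posting to wp-login.php in a combined-format access log.
# Usage: failed_logins_over 10 < /var/log/apache2/access.log

# Constructed sample log; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:00 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"'

# failed_logins_over LIMIT < access.log
# Prints "count address" for every address with more than LIMIT failed logins,
# highest count first.
failed_logins_over() {
  awk -v limit="$1" '
    # $1 client address, $6 method with its leading quote, $7 path, $9 status
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] > limit) printf "%d %s\n", fails[ip], ip }
  ' | sort -rn
}

# sample_offenders LIMIT: runs the report over the constructed sample above.
sample_offenders() {
  printf '%s\n' "$SAMPLE_LOG" | failed_logins_over "$1"
}
```

With the sample, `sample_offenders 3` reports only 203.0.113.5 (five failures); 198.51.100.7 failed once and then logged in, which is ordinary user behaviour. Sites behind a reverse proxy or CDN must log the X-Forwarded-For address instead of the proxy's, or every attempt appears to come from one address.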
12. Securing wp-includes: You can secure your wp-includes folder by placing the below code in .htaccess file.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
13. Change the ‘wp_’ table prefix: Most SQL injection attacks on WordPress sites assume that table names start with ‘wp_’. So you should not use this default table prefix. This will definitely block a lot of attempts.
14. Change the wp-admin login: You can use the Change WP Admin plugin to change the login path of the wp-admin area and reduce brute-force attacks.
15. Remove the readme file: You should remove the readme.html file from your WordPress installation, as it reveals your WordPress version and lets a hacker attack you based on the vulnerabilities of that version, if any.
If your WordPress account is getting hacked again and again and you are unable to find the real cause, this article may help you out: http://wordpress.org/support/topic/website-repeatedly-hacked
Step 1 – Log in to your WordPress dashboard as an administrator and go to Appearance -> Widgets. In my case, the two widgets I was using had been moved to the Inactive Widget box and replaced with a Text Widget in the sidebar.
Step 2 – Open the Text widget and click the Delete link on the bottom left. Once you’ve deleted it, reset your widgets to the way they were prior to the hack.
Step 3 – Next go to Settings -> Reading. Change your character encoding back to UTF-8. This will fix any lingering issues with your RSS feed and IE.
Step 4 – Lastly, reset the Site Title & Tagline for your site. The location for this will vary based on your theme. For my site, I selected Appearance -> Themes and then clicked the Customize link for my theme.
That will fix your site immediately. Clear out your cache and confirm that everything works.
Now that your site is up and running, you will need to make it more secure so that this problem does not happen again.
Step 1 – Change your passwords for your hosting service, WordPress, etc.
Step 2 – Upgrade to the latest version of WordPress.
Step 3 – If you have a backup of your site, do a restore to a version prior to the attack just for good measure.
Step 4 – Log in to your WordPress dashboard and install the plugin Better WP Security and resolve issues 1-19 on the dashboard. For item 20, you will need to enable/purchase SSL from your hosting provider. NOTE – some of the changes the plugin makes will break links or images on your website. You will need to go back and update all of them, but that is a small price to pay for having your site more secure. The easiest way to fix all of the links at once is to download an export of your blog’s content (Tools -> Export), open it in Notepad and do a find and replace.
Step 5 – Move your wp-config.php up one level.
Step 6 – Change your database password and make a note of it. How to do this will vary by host.
Step 7 – Go to your wp-config.php and open it in your favorite code editor. Update your database password to your newly updated password. Then go to the Secret Keys section and follow the instructions to update your keys.
Important:
It adds a "widget_text" entry under the wp_options table.
is also in the wp_options table under "blogname".
The hack changes your character encoding from UTF-8 to UTF-7. You can fix this through the WordPress Admin Dashboard/Panel by going to Settings -> Reading and setting it back to UTF-8.