Prevent Your WordPress Blog From Being Hacked



1. Backup

This is the first step and the most important one. Before you change anything, back up the whole site, not just the database: wp-config.php, the themes and plugins, and everything under wp-content/uploads. You can do this manually or with a plugin. I recommend BackupBuddy, which backs up the entire blog; database-only plugins leave you with posts but no images or files, so check that whatever you use exports the content folder as well. Restore the backup once into a test location, because a backup you have never restored is a hope, not a backup.

2. Update WordPress Version

The second step, right after the backup, is to update to the latest release and then keep the blog current. The WordPress team publishes patches for security holes, and an install running a version with a known, already-fixed hole is the easiest kind to break into. Plugins and themes are patched separately from core and need the same attention. Follow the WordPress feed to learn about new releases, or simply log in to your admin dashboard, which shows when an update is waiting.
I would also recommend following WordPress Development and BlogSecurity, as they announce each new patch or fix.

3. Change your Login/Password

The default WordPress login is "admin" and every attacker knows it; brute-force tools try it first. Create a new administrator with a custom login, something like "rogers12" or "donhoe2", then delete the default admin account, attributing its posts to the new user when WordPress asks. Do not count on the new name staying secret, though: WordPress exposes usernames through author archive URLs, so the rename only removes the one guess every bot makes.
The password is what actually has to hold. Use a long one that mixes upper- and lower-case letters, digits and symbols, or better, a random passphrase stored in a password manager. Short examples of the kind often quoted, such as "rockSTAR19!@" or "Anabel2@!", are not strong: they are under twelve characters and built on a word or a name, which is exactly the pattern cracking wordlists try first.
Most attacks against wp-login.php are brute force, so a long random password defeats them; a login rate-limiting or two-factor plugin cuts the noise as well.
Note: do not use birthdays, names, pet names or hobbies in passwords. People close to you know these things, and you don't want a wild guess to land.

4. WordPress Keys in wp-config.php

The WordPress keys and salts are an easily overlooked but important measure. They are not encryption keys for user data; they are secret values mixed into the hash (an HMAC) that signs the authentication cookies and the nonces WordPress uses against cross-site request forgery. If they stay at the placeholder text, or are copied from a public example, an attacker knows the secret half of that signature and is most of the way to forging a logged-in cookie. Changing them invalidates every existing session, which is exactly what you want after a suspected compromise.
Use the WordPress key generator (https://api.wordpress.org/secret-key/1.1/salt/) to produce fresh values. Then open wp-config.php, find the lines that look like the ones below and replace them with the generated ones. Current releases define eight constants: the four KEYs shown here plus the matching AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT, and all eight should be set:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

Save and you are done.
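The following is an added example and not code from the original post: a small Python tool that generates the eight secrets from the OS CSPRNG and rotates them in place in a wp-config.php body, reporting any constant the file does not define so it can be appended. The constant names are the real WordPress ones; the wp-config.php fragment is constructed for the demonstration, and the character set and 64-character length are choices made here, not WordPress requirements.

```python
import re
import secrets
import string
from typing import Dict, Optional, Tuple

# The eight constants WordPress reads from wp-config.php. The generator at
# https://api.wordpress.org/secret-key/1.1/salt/ emits exactly these names.
WP_SECRET_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"

# Assumed alphabet: printable, non-whitespace ASCII minus the characters that
# would break a single-quoted PHP literal (quote, backslash) or annoy a shell ($, `).
_ALPHABET = "".join(c for c in string.printable[:94] if c not in "'\"\\$`")

# Matches define('NAME', 'value'); with either quote style and loose spacing.
_DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)\s*;"""
)


def generate_secret(length: int = 64) -> str:
    """One key or salt value from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def generate_wp_secrets() -> Dict[str, str]:
    """Fresh, independent values for all eight constants."""
    return {name: generate_secret() for name in WP_SECRET_CONSTANTS}


def render_defines(values: Dict[str, str]) -> str:
    """Render define() lines in the layout wp-config.php uses."""
    return "\n".join(f"define('{name}', '{value}');" for name, value in values.items())


def has_placeholder_secrets(config_text: str) -> bool:
    """True when any key or salt still carries the stock placeholder text."""
    return PLACEHOLDER in config_text


def rotate_secrets(config_text: str,
                   new_values: Optional[Dict[str, str]] = None) -> Tuple[str, Dict[str, list]]:
    """Replace the value of every recognised secret constant in a wp-config.php body.

    Returns the rewritten text plus a report of which constants were replaced and
    which are missing from the file (older installs define only the four KEYs; the
    missing SALTs should be appended with render_defines). Unrelated define() lines
    such as DB_NAME are left untouched. Rotating these values invalidates every
    existing login cookie, which is the desired effect after a compromise.
    """
    new_values = new_values or generate_wp_secrets()
    replaced = set()

    def _swap(match):
        name = match.group("name")
        if name not in new_values:
            return match.group(0)
        replaced.add(name)
        return f"define('{name}', '{new_values[name]}');"

    rewritten = _DEFINE_RE.sub(_swap, config_text)
    missing = [n for n in WP_SECRET_CONSTANTS if n not in replaced]
    return rewritten, {"replaced": sorted(replaced), "missing": missing}


# Constructed wp-config.php fragment (not a real site): only the four KEYs, still
# at the placeholder, which is the state the snippet above shows.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    fresh = generate_wp_secrets()
    text, report = rotate_secrets(SAMPLE_WP_CONFIG, fresh)
    print(text)
    print("replaced:", report["replaced"])
    print("missing, append these:")
    print(render_defines({n: fresh[n] for n in report["missing"]}))
```

Run it against a copy of your real wp-config.php (never the live file without a backup), append the lines it reports as missing, and expect every logged-in user, yourself included, to be signed out once the new values are in place.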

5. Install WP Security Scan

This plugin is simple and automates several checks. It scans your blog for common weak settings, such as the default table prefix and loose file permissions, and reports them in the admin panel: items in green are fine, the rest need your attention, and the next sections show how to fix them. Keep in mind what a scanner is: it reports only what it knows to look for, so a fully green panel means those particular checks pass, not that the blog is secure.

6. Change Table Prefix

The default table prefix is wp_. I know that, you know it and so does the attacker. A custom prefix such as "mashjg23_" or "sasdoe265_" forces a SQL injection payload to discover the table names before it can read wp_users. Be honest about what that buys: a payload that can read information_schema learns the prefix in one query, so this is a speed bump against canned exploit scripts, not a fix for injection, which only patched and correctly parameterised code provides. It is cheap, though, so do it. There are two ways. The manual way means renaming every table, changing $table_prefix in wp-config.php and fixing the option and usermeta keys that embed the prefix (wp_user_roles, wp_capabilities, wp_user_level); miss one and nobody can log in, so it is not for a newcomer. The WP Security Scan plugin does all of it from its "Database" tab. Take a fresh backup before either method.
Note on the DB password: both your WordPress login password and your database password should be strong, with upper/lower case, digits and symbols. Give the database user rights only on the WordPress database, not on the whole server, so a leaked wp-config.php exposes one database rather than all of them.

7. Prevent WordPress Hack by Blocking Search Engine Spiders from Indexing the Admin Section

Search engine spiders crawl your whole blog and index everything unless told not to. You do not want admin or system paths showing up in search results, where they advertise what you run. The easiest way is a robots.txt file in the web root with the lines below.
Be clear about what this does and does not do. robots.txt is a request that well-behaved crawlers honour, not an access control: attackers and their scanners ignore it, and often read it first as a map of what you consider sensitive, so never list a path there that is not also protected by the server (see the .htaccess rules later). Two side effects to weigh: the * and $ wildcards are extensions honoured by the major engines, not part of the original 1994 convention, and blocking /wp-content/themes/ and /wp-content/plugins/ stops Google from fetching your CSS and JavaScript, which hurts how it renders and ranks your pages. Drop those two lines if search traffic matters to you, and note that Disallow: /category/* hides your category archives from search, which is an SEO decision rather than a security one.
# robots.txt: keep crawlers out of admin and system paths
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

8. .htaccess Hacks

.htaccess (hypertext access) is the default name of Apache's directory-level configuration file. Placed inside the web tree, it lets you manage configuration per directory without touching the main server config, and it is commonly used to set access restrictions for that directory and everything below it. This is not a single tip so much as a toolbox: you can do a lot with .htaccess to harden WordPress, and the tips that follow are the ones I found most useful. Two caveats before you start. The file only works on Apache, and only when the host has AllowOverride enabled for your directory; nginx and IIS ignore it entirely. And the Order/Allow/Deny directives used below are the Apache 2.2 syntax; on Apache 2.4 they need mod_access_compat loaded, and the native 2.4 form is Require all denied / Require ip x.x.x.x. Test every change in a browser right after you save it, because a typo in .htaccess takes the whole site down with a 500 error.

9. Protect your .htaccess

After tweaking .htaccess to protect your blog, you cannot leave the file itself open to the web. The rule below denies HTTP access to any file whose name begins with .ht, which covers .htaccess and the .htpasswd files used for password protection. Apache's stock httpd.conf ships an equivalent FilesMatch block, so this is belt and braces for hosts whose main config you cannot inspect. Place it in your domain's root .htaccess file.
# STRONG HTACCESS PROTECTION
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</FilesMatch>
# Apache 2.4 native form: replace Order/Deny/Satisfy with
#     Require all denied

10. No Directory Browsing

It is not a good idea to let visitors browse your directories. An index listing of wp-content/plugins or wp-content/uploads tells an attacker exactly which plugins you run and which files exist, which makes hunting for a known hole much easier. To stop it, add the two lines below to the .htaccess in the root directory of your WordPress blog. Use this minimal form rather than Options All -Indexes: All switches on every other option the host permits, such as Includes and ExecCGI, which is the opposite of what you want.
# disable directory browsing
Options -Indexes

11. Secure wp-config.php

wp-config.php holds the database credentials and the secret keys, so it deserves its own rule. Normally Apache hands a .php file to PHP, which executes it and returns nothing readable; the danger is the day the PHP handler is broken or misconfigured and the file is served as text, or an editor leaves a copy such as wp-config.php.bak or wp-config.php~ beside it, which is served as text straight away. The rule below covers both cases by matching every filename that begins with wp-config.php. Add it to the .htaccess file in the root directory.
# protect wp-config.php and any stray backup copies of it
<FilesMatch "^wp-config\.php">
    Order deny,allow
    Deny from all
</FilesMatch>
# Apache 2.4 native form: Require all denied

This denies HTTP requests for the file to everyone, me included. WordPress is unaffected because PHP reads the file from disk, not over HTTP. For the same reason you can move wp-config.php one directory above the web root, which WordPress supports out of the box and which keeps it out of reach even if the web server misbehaves.

12. Limit Access to the Wp-Content Directory

wp-content holds your themes, plugins and uploads, which makes it the directory an attacker most wants to write a file into and then execute. Visitors only need static assets from it: images (jpg, gif, png), JavaScript, CSS and XML. The rule below denies everything else, and what it really denies is a direct request for a .php file inside wp-content, which is how an uploaded web shell gets run. Place it in a .htaccess file inside the wp-content folder (not the root). Two caveats: if your theme serves web fonts, SVG or WebP, or visitors download PDFs from uploads, add those extensions to the allow list or they will return 403; and a few plugins call their own PHP files directly from the browser and will break, in which case the usual compromise is to apply the rule only inside wp-content/uploads, where nothing should ever need to execute.
# wp-content: serve static assets only, never scripts
Order deny,allow
Deny from all
<FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
    Allow from all
</FilesMatch>
# Apache 2.4 native form: Require all denied, then Require all granted inside FilesMatch

13. Protect WordPress Admin Files

wp-admin should be reachable only by you and your fellow bloggers (if any). You can use .htaccess to restrict the directory to specific IP addresses.
If you have a static IP address and always blog from the same connection, this works well. For a multi-author blog you can either skip it or allow a range of addresses. Apache's documentation for mod_authz_host (formerly mod_access) has the full syntax, including CIDR ranges.
Copy the lines below into the .htaccess in the wp-admin folder (not the root folder).
# deny access to wp-admin except from trusted addresses
Order deny,allow
Deny from all
# xx.xx.xx.xx is your static IP; add one Allow line per trusted address or range
Allow from xx.xx.xx.xx
<Files admin-ajax.php>
    Allow from all
</Files>

The above blocks browser access to every file in wp-admin except from "xx.xx.xx.xx", which should be your static IP. Apache does not accept a comment on the same line as a directive, so keep the note about the address on its own line as shown, or the whole site answers with a 500 error. The admin-ajax.php exception is needed because themes and plugins call it from the public site on behalf of anonymous visitors. Remember that wp-login.php lives in the root, not in wp-admin, and is the file brute-force bots actually hit; protect it with the same Allow/Deny lines in the root .htaccess inside a <Files wp-login.php> section. (On Apache 2.4 the native form is Require ip xx.xx.xx.xx.)
Another option is to password-protect the directory with HTTP basic authentication (AuthType Basic and an .htpasswd file), which suits authors without fixed addresses. I am planning to write a detailed .htaccess post covering all of these.

14. Prevent script injection

I found this snippet on wprecipes and it works as advertised: it returns 403 for any request whose query string contains a <script> tag or tries to set the _REQUEST or GLOBALS variables (a probe against the old PHP register_globals setting). Understand its limits before relying on it. It is a pattern filter: it inspects only the query string, never the POST body, cookies or headers; it is defeated by double URL-encoding or by any payload that does not spell "script" (onerror=, onload=); and it blocks a legitimate search that happens to contain a tag with "script" in its name. Treat it as a cheap noise filter on top of patching, not as protection against injection.
Copy the lines below into your .htaccess in the root. The F flag returns 403 and L stops processing; the rewrite target is ignored when F is set, so it is written as - rather than index.php.
# block obvious script-injection and register_globals probes in the query string
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* - [F,L]
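To see concretely what this filter catches and misses, here is an added Python port of the three conditions (example code written for this page, not from wprecipes or WordPress) run over a constructed set of request URLs: textbook probes it blocks, rewordings that slip past, and an innocent search it wrongly rejects. The URLs and their outcomes are constructed for the demonstration; the %{QUERY_STRING} semantics (raw, undecoded, query only) are reproduced as Apache applies them.

```python
import re
from typing import Dict
from urllib.parse import urlsplit

# Port of the three RewriteCond patterns. Apache's [NC] flag is re.IGNORECASE;
# the other two conditions carry no flag and stay case-sensitive, as in the
# original. mod_rewrite tests the raw, still percent-encoded QUERY_STRING, so
# nothing is decoded here either.
_SCRIPT_TAG = re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)
_GLOBALS = re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")
_REQUEST = re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")


def query_string_blocked(query: str) -> bool:
    """True when the .htaccess rule would answer 403 for this raw query string."""
    return bool(_SCRIPT_TAG.search(query)
                or _GLOBALS.search(query)
                or _REQUEST.search(query))


def url_blocked(url: str) -> bool:
    """Apply the filter to a request URL. Only the query string is examined,
    exactly like %{QUERY_STRING}: path, POST body, cookies and headers never are."""
    return query_string_blocked(urlsplit(url).query)


# Constructed probe set, not captured traffic. The value is what the rule does.
PROBES: Dict[str, bool] = {
    # caught: the textbook payloads the rule was written for
    "/?s=<script>alert(1)</script>":              True,
    "/?s=%3Cscript%3Ealert(1)%3C/script%3E":     True,
    "/?s=%3CSCRIPT%3E":                          True,   # [NC] covers the case change
    "/?GLOBALS[admin]=1":                        True,
    "/?_REQUEST[user_id]=1":                     True,
    "/?_REQUEST%5Buser_id%5D=1":                 True,   # %5B is a url-encoded [
    # missed: same intent, different spelling
    "/?s=%253Cscript%253E":                      False,  # double-encoded; PHP decodes it later
    "/?s=<img src=x onerror=alert(1)>":          False,  # no 'script' substring to match
    "/?s=<svg/onload=alert(1)>":                 False,
    "/wp-content/uploads/shell.php?cmd=id":      False,  # the path is never inspected
    # false positive: an innocent search for an XML tag name
    "/?s=%3Cdescription%3E":                     True,
    # ordinary traffic
    "/?p=123":                                   False,
    "/?s=wordpress+security":                    False,
}


def evaluate_probes() -> Dict[str, bool]:
    """Run every probe through the filter and return what it decided."""
    return {url: url_blocked(url) for url in PROBES}


def probes_match_expectations() -> bool:
    """True when the port agrees with the documented outcome for every probe."""
    return all(url_blocked(url) == expected for url, expected in PROBES.items())


if __name__ == "__main__":
    for url, blocked in evaluate_probes().items():
        print(f"{'403' if blocked else '200':>4}  {url}")
```

The shell.php line is the one to dwell on: a web shell already sitting in wp-content/uploads is not touched by this rule at all, which is why the wp-content restriction in tip 12 matters far more than this filter does.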

Bonus

Take a look at file permissions. WP Security Scan shows them in a readable way. Browse your root with an FTP client (or, better, SFTP) and chmod files where needed. The usual baseline is 755 for directories, 644 for files and 600 or 640 for wp-config.php, and nothing should be world-writable: a world-writable uploads directory is exactly where a dropped PHP backdoor lands.
Last but not least, you can install WordPress Firewall 2, which blocks suspicious requests and notifies you when it does. Its drawback is that it sometimes blocks your own actions too, which gets annoying, so I do not really recommend it unless you have persistent attackers and bots hammering your blog. Stick with the .htaccess rules above; they do the job well and your blog should be just fine.
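As an added example (not from the original post or from the plugin), here is a Python audit that walks an install and reports every path looser than a conventional baseline, together with the chmod commands that would fix it. The baseline values (0755/0644/0640) are an assumption stated in the code, not a WordPress requirement, and the miniature site the script builds in a temporary directory is constructed so the audit can run offline.

```python
import os
import shlex
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed baseline for a WordPress tree on a typical shared host (a common
# convention, not something WordPress itself enforces): directories 0755,
# files 0644, wp-config.php no looser than 0640, nothing world-writable, no
# setuid/setgid bits anywhere.
DIR_MODE_MAX = 0o755
FILE_MODE_MAX = 0o644
WP_CONFIG_MODE_MAX = 0o640


def _baseline(name: str, is_dir: bool) -> int:
    """The tightest acceptable mode for a path of this kind."""
    if name == "wp-config.php":
        return WP_CONFIG_MODE_MAX
    return DIR_MODE_MAX if is_dir else FILE_MODE_MAX


def audit_permissions(root) -> List[Dict]:
    """Walk an install and report every path whose mode exceeds the baseline.

    Each finding is a dict with path (relative to root), mode (octal string),
    is_dir and a list of reasons. Symlinks are skipped: their targets are
    judged where they really live."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(Path(dirpath) / d, True) for d in dirnames]
        entries += [(Path(dirpath) / f, False) for f in filenames]
        for path, is_dir in entries:
            if path.is_symlink():
                continue
            mode = stat.S_IMODE(path.lstat().st_mode)
            reasons = []
            if mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if mode & (stat.S_ISUID | stat.S_ISGID):
                reasons.append("setuid/setgid bit set")
            limit = _baseline(path.name, is_dir)
            if mode & ~limit:                      # any bit set that the baseline lacks
                reasons.append(f"looser than {limit:04o}")
            if reasons:
                findings.append({
                    "path": str(path.relative_to(root)),
                    "mode": format(mode, "04o"),
                    "is_dir": is_dir,
                    "reasons": reasons,
                })
    return findings


def chmod_plan(findings: List[Dict]) -> List[str]:
    """The chmod commands that bring each finding back to the baseline."""
    return [
        f"chmod {_baseline(Path(f['path']).name, f['is_dir']):04o} {shlex.quote(f['path'])}"
        for f in findings
    ]


def build_demo_tree() -> str:
    """Create a constructed mini WordPress layout with deliberately bad modes so
    the audit can be exercised offline. Every directory is listed explicitly and
    chmod'ed, so the result does not depend on the process umask. Returns the root."""
    root = Path(tempfile.mkdtemp(prefix="wp-perm-demo-"))
    layout = {  # relative path: (is_dir, mode)
        "index.php":                            (False, 0o644),  # fine
        "wp-config.php":                        (False, 0o644),  # readable by every local user
        "wp-content":                           (True,  0o755),  # fine
        "wp-content/plugins":                   (True,  0o755),
        "wp-content/plugins/hello.php":         (False, 0o644),
        "wp-content/uploads":                   (True,  0o777),  # anyone can drop a PHP file here
        "wp-content/uploads/2017":              (True,  0o755),
        "wp-content/uploads/2017/12":           (True,  0o755),
        "wp-content/uploads/2017/12/photo.jpg": (False, 0o666),  # world-writable file
    }
    for rel, (is_dir, mode) in layout.items():
        p = root / rel
        if is_dir:
            p.mkdir()
        else:
            p.write_text("constructed placeholder\n")
        os.chmod(p, mode)
    return str(root)


if __name__ == "__main__":
    demo = build_demo_tree()
    found = audit_permissions(demo)
    for f in found:
        print(f"{f['mode']}  {f['path']}: {', '.join(f['reasons'])}")
    print("\n".join(chmod_plan(found)))
```

Point audit_permissions at the real document root (over SSH, or wherever the files are mounted) and review the plan before running it; some hosts run PHP as the file owner and need 0600 rather than 0640 on wp-config.php, so adjust the assumed baseline to your setup rather than applying it blindly.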
