A good part of the users out there is by now familiar with the fact that WordPress is one of the most widely used blog software on the Internet. It even went beyond the sphere of blogs and became an excellent basis to create any type of website. However, the Internet as a network contains a number of dangers that leave users open for attacks by hackers.
Just to clear something out, it’s impossible to prevent all forms of attacks on your site, but there are a number of steps you can take to prevent users from WordPress and their websites. WordPress users were adopted on that platform, thinking that it is quite pleasant to use and quite flexible. Further more, they also agreed it has a very good support. Because of all of these options the user might expect a certain level of security that can be achieved with the help of a couple of the recommendations listed below.
The Danger is Your WordPress Blog?
In the past, hacker’s aim was simply to bring down a website. These criminals, however, understood that taking someone’s site down provides no benefits. Today’s hacking comes down to “re-writing” the page to their personal favour. WordPress hackers do this through “link injection”. They hack into a hosting account of a particular user where the files are stored and used by WordPress, injecting a specific line of code that draws on all sides of the site. The two main negative effects of this decline were:
- Time and resources are needed to cleanse the consequences of attacks
- A rank reduction at large search engines
Users of WordPress invest a significant amount of time, energy and financial resources to set up and maintain a blog. A blog can also generate profit for its owner and maybe even bring acclaim. “Page rank” is threatened when search engines on the attacked pages notice suspicious links, and designate the site as unsafe. When the “page rank” is threatened by attack, a user of the site may lose a visitor, and thus revenue.
How to Protect Your WordPress Blog?
The aim of WordPress blog protection is to prevent external users’ access to files that makes WordPress core. By taking the following measures a blog owner can actively participate in the fight against hackers.
Standard Blog Maintenance
A very important component of maintaining a good blog is the belief that plug-ins and themes come from trustworthy sources. The best way to make sure that these factors are checked is downloading them from WordPress.org site and verified authors.
Besides this, regular updates of plugins, themes and WordPress is also an important part of maintenance. Each update corrects certain bugs and vulnerabilities that appeared in the the software. It is best to update plugins and themes before the installation update. Otherwise, some compatibility issues might occur.
WordPress users also need to know that it is very important to have a regular backup of the entire installation and database. They must also be familiar with the process of restoring the entire backup if needed. The ideal backup would be the one that is done on the server, and not through the administrative section of WordPress.
A strong password is the first line of defence against hackers. It is best if it’s a combination of numbers and letters, but so that this combination can be very difficult to guess. Of course, this combination should be random, which requires the user to keep the code in a location that is safe. There are free sites that can generate such a code.
To further strengthen your security code, WordPress itself has the possibility of using secret keys. The secret key (secret key) is a hash, which adds a random element in the password. Turning the secret keys how-to can be found on the WordPress API site. Copy the information you find on this site and replace the corresponding part of the code in the wp-config.php file with the code that you copied. For the existing installations this will delete the cookies that are stored in the browser on your computer and force users to log in again.
Creating of the Secure Username
Default administrator account name for WordPress is “admin.” Most hackers know this, and therefore half the information they need to access user data. The other half is the password for this account. To protect this account, the username should be changed into something unique. This can be achieved in two ways, depending on how well the user operates with MySQL.
Users who are familiar with MySQL commands can use phpMyAdmin and the following command:
UPDATE wp_user_login = 'new user' WHERE user_login = 'admin'
For those who are not as familiar with MySQL, there is another way to get on top of things:
- Create a user with aunique username
- Assign it admin position
- Log off and log in again using the created order
- Delete the admin account
Recommended Security Plugins
There are several plugins available to WordPress users who can assist with your blog security. Here are a few others that we recommend:
This plugin scans for weaknesses that can allow hackers to obtain the files. Also, it suggests on how to correct these weaknesses. WP Security Scan doesn’t have to be constantly switched on.
Files scanning, searching for evidence of the hacker attack, WordPress Exploit Scanner can alert the user to some problematic parts. Similar to WP Security Scan, this plugin can be temporarily set.
WordPress File Monitor
This plugin constantly monitors the files and alerts the user if there are some changes. Based on this, the user could easily identify the changes that are a result of attacks by hackers. To be effective WordPress File Monitor should be permanently on.
Limiting the number of login attempts, this plugin prevents hackers to guess a user’s password by trying to guess login form on several attempts. The number of attempts can be configured by the user. Login Lockdown should always be active.
Permissions on Folders and Files
Another method of preventing the hacker attack is to ensure that the permissions on the folders and files are setup properly. Most hosting companies allows you to change file permissions through control panel. If this is not the case, then an ordinary FTP programs provide the ability to change user permissions.
A good practice is to set file permissions to 644 and folders permissions to 755. This will give access to plugins and themes they need. If a problem occurs because of certain permissions, it it can be changed.
Changing of the Prefix on the Table
WordPress tables used in the database come with the prefix wp_. This is another piece of information that hackers know very well. Files in the database can be hidden if the prefix is changed from the default to a unique one. These changes can be made within the file wp-config.php. These changes are the best thing to do before installing WordPress. Changing existing tables that are used can be quite complicated.
Moving wp-config.php File
After the release of WordPress version 2.6 users got the ability to move wp-config.php file. Moving files can prevent hackers to find the file and to make unwanted changes. The file can be moved only in the parent directory of WordPress installation. For example, if a file is installed in:
public_html / wordpress / wp-config.php
it can be moved in:
public_html / wp-config.php
WordPress is programmed so that it searches only for the parent directory. If the configuration file is moved to another location, the error will occur.
Locking Through .htaccess
This method can be a bit difficult to adjust, but it is very effective at combating attacks by hackers. The aim is to specify the IP address or range of IP addresses that can access the administration site. To do this, create a .htaccess file in the wp-admin directory. This file should contain the following information:
AuthUserFile / dev / null
AuthGroupFile / dev / null
AuthName "Access Control"
Order deny, allow
deny from all
#IP Address to the whitelist
Allow from xxx.xxx.xxx.xxx
You may define as many IP addresses as you like, and of course changing the IP address is simple and easily done. There is one downside of this method, though. If multiple computers from multiple locations access the admin section of the site to do things there will be a lot of IP addresses that should be monitored. For users who need access to the admin section with multiple locations this can be a problem
WordPress users can include SSL encryption at login to the Administración part of their site. This can be achieved by changing the file wp-config.php. The file needs to add the following line of code:
Front end login - define ('FORCE_SSL_LOGIN', true);
Login to the admin part - define ('FORCE_SSL_ADMIN', true);
If the user wants to use this option you need to convince him that, before turning on the same, the server which features the website is supported by SSL encryption.
You Can Protect Yourself From Attacks
Dangers of hacker attacks on the blog are a reality, but there are ways to prevent such situations. With regular maintenance and preventive measures users can prevent most of these attacks. By following the above mentioned measures a high level of safety of your WordPress system is achieved.