It is impossible to prevent every attack, but a number of small steps can noticeably raise the security of your WordPress blog and reduce the chance of an unpleasant surprise. Here are the main steps you should take to protect your WordPress blog!
Backing Up The Blog
Let's start with the basics: before making any change, back up the files (and the database) you are about to touch, so that you are not left staring at a white screen instead of your blog with no way back.
Vulnerability of Your Computer
One aspect many people underestimate is the security of the computer from which you log in to your blog, even just once. Make sure the PC is free of viruses, spyware and other malware: there is no point hardening your blog if a keylogger on your own machine captures your username and password as you type them.
Use a Very Strong Password
As in any other field, the password is critical: make it as complex as possible, especially for users with full privileges such as the administrator.
Here's How To Choose A Secure Password:
- At least 8 alphanumeric characters (the longer the better), meaning both letters and digits, preferably mixing upper and lower case.
- It must not contain the associated username, nor the first or last name of the person.
- Avoid words that make sense: instead of compleanno88 use something like c8eanmopl8no.
- Use special characters such as @ # ! ?
- Use software that generates secure passwords, such as IOBit.
- Do not use dates, all-digit passwords or real names.
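The rules above, written out as a checker and a generator. This is an added example, not code from the original post or from any password tool it mentions; the word list is a constructed stand-in for a real dictionary and the set of special characters is an assumption.

```python
import re
import secrets
import string

# Constructed stand-in for a real dictionary: a full wordlist would be loaded in practice.
COMMON_WORDS = {"password", "compleanno", "welcome", "wordpress", "admin", "qwerty", "letmein"}
# Assumed set of accepted special characters.
SPECIALS = "@#!?$%&*-_+=."


def password_problems(password, username="", first_name="", last_name=""):
    """Return the rules from the list above that `password` breaks (an empty list means it passes)."""
    problems = []
    lower = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mixed case")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not any(ch in SPECIALS for ch in password):
        problems.append("no special character")
    if password.isdigit():
        problems.append("all digits")
    if re.fullmatch(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}", password):
        problems.append("looks like a date")
    for label, name in (("username", username), ("first name", first_name), ("last name", last_name)):
        if name and name.lower() in lower:
            problems.append(f"contains {label}")
    # Compare only the alphabetic core with the wordlist, so "compleanno88" is
    # rejected while the scrambled "c8eanmopl8no" is not.
    core = re.sub(r"[^a-z]", "", lower)
    if core in COMMON_WORDS:
        problems.append("dictionary word")
    return problems


def generate_password(length=16):
    """Generate a random password that satisfies every rule; `secrets` draws from the OS CSPRNG."""
    if length < 8:
        raise ValueError("length must be at least 8")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("compleanno88", "c8eanmopl8no", "01/01/1990", generate_password()):
        print(f"{pw!r}: {password_problems(pw) or 'OK'}")
```

Note that the post's own scrambled example, c8eanmopl8no, still fails two of the post's rules (no upper case, no special character), which is exactly the kind of gap a checker catches and a human eye does not.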
I Also Recommend:
- do not let the browser save your passwords automatically
- do not store the password in a file on your computer
- it is also a good idea to protect access to the computer itself with a strong password
Remove the Admin User
The admin account is created by every standard WordPress installation, so an attacker already knows the username and only has to guess the password (of an administrator, no less). Add a new user whose login name is different from the display name that will appear on the blog, give it the Administrator role, then log out and log back in with the new credentials. Delete the admin user and, when WordPress asks what to do with its content, attribute all of its posts and links to the new user, following the on-screen instructions. Bear in mind that a login name can still be discovered (for example through the author archive URL), so this step raises the bar but is no substitute for a strong password.
Change the Prefix Of The Database Tables
Here too WordPress has a small weakness: by default every table is prefixed wp_, which makes an attacker's job easier, for instance when crafting a SQL injection. Change the prefix to something less predictable, for example tab_wp_X, with X the initial of the blog's name. But how?
Fortunately a handy plugin, WP Security Scan, lets you make this change in the database with a single click. Whatever tool you use, the $table_prefix value in wp-config.php must end up matching the new prefix, and any tables created by plugins must be renamed as well.
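To show what a prefix change actually involves, here is an added example that performs the migration on a constructed miniature of a WordPress database (SQLite stands in for MySQL so it runs offline). It is not the plugin's code; the two non-obvious steps, renaming the wp_user_roles option and the wp_capabilities / wp_user_level meta keys, are the ones that lock every user out of the dashboard when forgotten.

```python
import re
import sqlite3

# Core WordPress tables. A real site may also have plugin tables, which get the same treatment.
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "term_relationships", "term_taxonomy", "terms", "usermeta", "users"]


def build_demo_db(prefix="wp_"):
    """Constructed miniature of a fresh WordPress database (minimal columns, sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f'''
        CREATE TABLE "{prefix}options"  (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE "{prefix}usermeta" (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    ''')
    for table in CORE_TABLES:
        if table not in ("options", "usermeta"):   # the other tables need no columns for this demo
            conn.execute(f'CREATE TABLE "{prefix}{table}" (id INTEGER PRIMARY KEY)')
    # Sample rows: the roles option and the capability/level meta keys carry the prefix as data.
    conn.executemany(f'INSERT INTO "{prefix}options" (option_name, option_value) VALUES (?, ?)',
                     [(f"{prefix}user_roles", "serialized role definitions"),
                      ("siteurl", "http://example.com")])
    conn.executemany(f'INSERT INTO "{prefix}usermeta" (user_id, meta_key, meta_value) VALUES (?, ?, ?)',
                     [(1, f"{prefix}capabilities", 'a:1:{s:13:"administrator";b:1;}'),
                      (1, f"{prefix}user_level", "10"),
                      (1, "nickname", "admin")])
    conn.commit()
    return conn


def change_prefix(conn, old, new):
    """Rename every `old`-prefixed table to `new` and fix the rows that embed the prefix.

    Returns the list of tables that were renamed. The $table_prefix line in
    wp-config.php must be changed to `new` separately.
    """
    if not re.fullmatch(r"[A-Za-z0-9_]+", new):
        raise ValueError("WordPress prefixes may only contain letters, digits and underscores")
    like = old.replace("_", r"\_") + "%"   # escape '_' so LIKE treats it literally
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name LIKE ? ESCAPE '\\'", (like,))]
    for name in tables:
        conn.execute(f'ALTER TABLE "{name}" RENAME TO "{new}{name[len(old):]}"')
    # Two places store the prefix as data rather than as a table name. Leaving them
    # behind leaves every user without a role, i.e. locked out of the dashboard.
    conn.execute(f'UPDATE "{new}options" SET option_name = ? || substr(option_name, ?) '
                 "WHERE option_name LIKE ? ESCAPE '\\'", (new, len(old) + 1, like))
    conn.execute(f'UPDATE "{new}usermeta" SET meta_key = ? || substr(meta_key, ?) '
                 "WHERE meta_key LIKE ? ESCAPE '\\'", (new, len(old) + 1, like))
    conn.commit()
    return tables


def describe(conn):
    """Snapshot used to verify the migration: table names plus the prefix-bearing rows."""
    tables = sorted(r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"))
    opts_table = next(t for t in tables if t.endswith("options"))
    meta_table = next(t for t in tables if t.endswith("usermeta"))
    option_names = sorted(r[0] for r in conn.execute(f'SELECT option_name FROM "{opts_table}"'))
    meta_keys = sorted(r[0] for r in conn.execute(f'SELECT meta_key FROM "{meta_table}"'))
    return {"tables": tables, "option_names": option_names, "meta_keys": meta_keys}


if __name__ == "__main__":
    db = build_demo_db("wp_")
    print("renamed:", change_prefix(db, "wp_", "tab_wp_"))
    print(describe(db))
```

Take a database backup before running anything like this against a live site, and put the blog in maintenance mode, because between the table renames and the wp-config.php edit the site cannot find its tables at all.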
Protecting the wp-config.php File
The wp-config.php file is critical: it holds the database credentials (and the secret keys), so it deserves maximum protection. Add the following lines to the .htaccess file in the blog's root directory and Apache will refuse to serve the file to anyone:
# Protect wp-config.php
<Files wp-config.php>
Order deny,allow
Deny from all
# On Apache 2.4 replace the two lines above with: Require all denied
</Files>
Prevent Indexing of the wp- Folders
Search-engine spiders crawl every page of your blog in order to index it, but having pages from wp-admin, wp-content and wp-includes turn up in search results is not a good thing. So you have to tell the spiders not to index the admin folder. How? Keep in mind that robots.txt is only a request honoured by well-behaved crawlers: it does not stop anyone from fetching those URLs, so it is a privacy measure, not an access control.
Add the following line to your robots.txt file (Google Webmaster Tools can create the file for you under Site configuration > Crawler access):
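An added example of such a robots.txt, not taken from the original post; the paths are the standard WordPress directories named above:

```text
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
```

Place the file in the web root so it is reachable at /robots.txt. Anyone can read it, so it also advertises the paths it lists; that is acceptable here only because every WordPress installation uses the same directory names.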
Limit the Number Of Failed Login Attempts On WordPress
Login Lock restricts how many times a user can retry the classic login form. After N failed attempts within X minutes, the originating IP address is blocked for Y minutes. This is a great defence against brute-force attacks (trying endless passwords until one matches the username).
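The plugin's own code is not shown here; the following is an added Python model of the "N failures in X minutes, block for Y minutes" policy described above, run over constructed sample login events. It is not Login Lock's code, and the thresholds, IP addresses and timestamps are all made up for the demonstration. In real WordPress the counters would have to live in the database (for example as transients), since PHP requests do not share process memory.

```python
import time
from collections import defaultdict, deque


class LoginLock:
    """Lock an IP for `lock_seconds` once it has `max_failures` failed logins inside `window_seconds`."""

    def __init__(self, max_failures=5, window_seconds=600, lock_seconds=3600, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lock_for = lock_seconds
        self.clock = clock
        self.failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
        self.locked_until = {}              # ip -> time at which the lock expires

    def is_locked(self, ip, now=None):
        now = self.clock() if now is None else now
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # lock expired: forget it and restart the counter
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now=None):
        """Register a failed login (WordPress fires wp_login_failed here). Returns True if the IP is now locked."""
        now = self.clock() if now is None else now
        if self.is_locked(ip, now):
            return True
        recent = self.failures[ip]
        while recent and now - recent[0] > self.window:   # drop failures older than the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lock_for
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the counter for that IP."""
        self.failures.pop(ip, None)


# Constructed sample of login events: (seconds since start, source IP, password correct?)
SAMPLE_EVENTS = [
    (0,    "203.0.113.7",  False),
    (0,    "198.51.100.9", False),
    (10,   "203.0.113.7",  False),
    (20,   "203.0.113.7",  False),
    (30,   "203.0.113.7",  False),
    (40,   "203.0.113.7",  False),   # 5th failure within 40 s: locked until t = 3640
    (50,   "203.0.113.7",  True),    # right password, but the IP is locked: rejected anyway
    (700,  "198.51.100.9", False),   # the failure at t = 0 has aged out of the 10-minute window
    (710,  "198.51.100.9", True),    # legitimate user gets in
    (3700, "203.0.113.7",  False),   # lock expired; the counter starts again from 1
]


def replay(events, lock):
    """Feed events to `lock`; return which attempts were refused outright and which triggered a lock."""
    rejected, locks = [], []
    for t, ip, ok in events:
        if lock.is_locked(ip, t):
            rejected.append((t, ip))
            continue
        if ok:
            lock.record_success(ip)
        elif lock.record_failure(ip, t):
            locks.append((t, ip))
    return {"rejected": rejected, "locks": locks}


if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, LoginLock()))
```

Two limits of any IP-based lock are visible in the sample: the locked attacker is refused even with the correct password, so an attacker who shares a NAT address with you can lock you out of your own blog, and an attacker who rotates through many addresses never trips the counter. Keying on the username as well, or adding a CAPTCHA, covers the second case; strong passwords remain the real defence.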
Remove the WordPress Version String
Currently, with version 3.2.1, I have not found the WordPress version in the page source, so anyone running version >= 3.2.1 can skip this step. WordPress automatically adds the installed version number to the page, information an attacker can use to work out how and where the blog is vulnerable.
To remove it, add this code to your theme's functions.php (Appearance > Editor > functions.php). Note that the version also leaks through readme.html in the WordPress root and through the ?ver= query string WordPress appends to its own scripts and stylesheets, so this hides only the most visible copy:
<?php
// Stop WordPress from printing the <meta name="generator"> tag in the page head
remove_action('wp_head', 'wp_generator');
?>
Now check the source of your blog (right-click on the homepage and choose View Page Source); if the version is still present, look for the following line in the theme's header.php and remove it:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />