How can I secure my WordPress blog to prevent hacking?

by Hafeez, Posted: 05/15/2012
Hi guys,

I have a WordPress-based blog, and once it was hacked by someone; the hacker ran a phishing attack, and finally my blog was reported as an attacker and the admin suspended my blog.

After I gave some clarifications, the admin reinstated my blog, and now I want to secure my WordPress-based blog to eliminate hacking attacks.

How do I secure my blog to the maximum security level?

Any advice, please?
#blog #hacking #prevent #secure #wordpress

  • jewelraz
    Don't use "Admin" or "admin" as the admin username; the password should be upper case + lower case + numbers.
  • Hafeez
    Thank you for your reply.

    I have changed all my passwords and usernames as well. I also changed the .htaccess files for the root and some other folders, but I still feel insecure. Is there a need to do something more?
  • DeMango25
    Personally I use WP Lockup (no affiliate link) and I'm pretty happy with it; it's easy to set up and adds some effective security measures to your WP installation.
  • semrocks
    I had a client that had the dreaded "this site may harm your computer" in Google's SERPs. (We took over doing SEO from a guy doing it for them on the side, after the fact.) The first thing we did was install a WP plugin called Sucuri Scanner; I believe they'll scan your site for free and help you harden it (prevent future malware, spam, etc.). They charge 99 bucks to remove any infections. I hope, for your sake, you'll never have to deal with it. It's pretty stressful: rankings fall, customers freak out... all of the above.
  • K Meier
    Check this out. It's a bigger guide on how to secure your WordPress blog. The PDF file is quite big: The WordPress Security Checklist
  • Abledragon
    Don't forget to keep your computer clean and use SFTP rather than FTP to transfer files. WordPress security is about more than just WordPress.

    Some more details here:

    WordPress Security: Not Just About WordPress | WealthyDragon

    Cheers,

    Martin.
  • System Wide Solutions
    Originally Posted by K Meier:

    Check this out. It's a bigger guide on how to secure your WordPress blog. The PDF file is quite big: The WordPress Security Checklist
    Thanks for sharing this. Nice one.
  • darnellsmith
    Over the years I have had many websites hacked, but there is only one foolproof way to beat hackers.

    Keep a backup of your files and database.
  • gladiolus
    Hacking techniques are used to "harvest" email addresses, which are then used by spammers and other hackers for malicious activities. If you are storing email data on your website, for whatever required reason, make sure it's stored in a secure format, such as a MySQL database.
  • JesseN
    You should also add this:

    Code:
    # Deny direct requests for the readme that ships with every WordPress release.
    <Files readme.html>
    Order Deny,Allow
    Deny from All
    </Files>

    to your .htaccess file. This prevents people (including you) from checking what version of WordPress you are using, which hackers might use to exploit vulnerabilities of the previous versions.
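    Extending the rule above, as an added example that is not from the thread: the same deny block applied to the other files in a stock WordPress install that disclose the version or hold secrets. It is written in the Apache 2.2 syntax used in the post (on Apache 2.4 each Order/Deny pair becomes "Require all denied") and assumes WordPress sits in the web root with its default file names; the "Options -Indexes" line assumes the host's AllowOverride permits it. One caveat a practitioner should know: hiding readme.html does not hide the version by itself, because WordPress also prints it in the <meta name="generator"> tag and in the ?ver= query string on its own scripts and styles unless a theme or plugin removes them, so this is a small reduction in exposure and not a substitute for updating.

```apache
# Root .htaccess, added example (not from the thread). Apache 2.2 syntax to
# match the post above; on Apache 2.4 replace each Order/Deny pair with
# "Require all denied".

# readme.html and license.txt ship with every release and state the version.
<FilesMatch "^(readme\.html|license\.txt)$">
    Order Deny,Allow
    Deny from All
</FilesMatch>

# wp-config.php holds the database credentials and salts. PHP includes it
# from disk, so a browser never needs it; denying it guards against a
# misconfiguration that serves .php files as plain text.
<Files "wp-config.php">
    Order Deny,Allow
    Deny from All
</Files>

# Editor and control-panel back-ups of that file (wp-config.php.bak, .old,
# .orig, .save) and stray database dumps are served as plain text, so deny
# those suffixes as well.
<FilesMatch "\.(bak|old|orig|save|sql)$">
    Order Deny,Allow
    Deny from All
</FilesMatch>

# Do not list directories that lack an index file (wp-content/uploads/ and
# plugin folders). Assumes AllowOverride includes Options.
Options -Indexes
```

    Check the result from outside rather than trusting the file: with example.com standing for your own host, "curl -sI https://example.com/readme.html" and "curl -sI https://example.com/wp-config.php" should both answer 403, and "curl -s https://example.com/ | grep generator" shows whether the version is still being printed in the page head.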
  • Fahmzie
    Originally Posted by K Meier:

    Check this out. It's a bigger guide on how to secure your WordPress blog. The PDF file is quite big: The WordPress Security Checklist
    Nice guide there..

    Always keep a backup of your files and data. Use some automatic plugin that backs up your data and sends it to your email.
  • Randy27
    I use WP Lockup (no affiliate link) and I'm pretty happy with it,
  • aeroponica
    Make your password 100% strong.
  • Mkj
    If you have a static IP address you can block access to the admin section, or any other part of your website, with this code placed in an .htaccess file within the directory you want to protect:

    Code:
    # The Auth* lines below are inert without a real user file; the actual
    # restriction is the Order/Deny/Allow block.
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Example Access Control"
    AuthType Basic
    # Applied to every request method on purpose: wrapping these three lines
    # in <Limit GET> would restrict only GET and leave POST and every other
    # method open to anyone.
    Order deny,allow
    Deny from all
    Allow from (put your own ip address here without the brackets)
    Bit more peace of mind. Works for me for sure.
  • derek.ang
    1) Change your password every month
    2) Upgrade to latest version ALWAYS
  • so11
    Hello,

    All practices listed are true. But even if you follow them all, your site may still have lots of vulnerabilities. Even if you use SFTP and have an extremely strong password, etc., the problem is that you make constant changes to your sites (install new scripts, add new code, plugins, etc.). That's how hackers penetrate.

    1. Test in test environments (if possible) before putting it in production; it will reduce your risk significantly.
    2. Every time you make changes to your site, you need to audit it to make sure there are no vulnerabilities.
    3. Use the good practices posted above.

    regards,

    So11
  • Terry Crim
    Don't use WordPress? Make sure you update it regularly. Disable wp-admin access when you are not using it. Change your hosting passwords regularly. Instead of just updating or allowing cPanel to install your WordPress, manually remove all the files on your host and manually install and set up WordPress.

    The one-button installs that are in cPanel do leave security risks and holes open for hackers, which is why I recommend manually installing WordPress vs. the easy push-button route most hosts provide.

    Alternatively, don't use WordPress. Most here love it and I think wouldn't know what to do without a WordPress-run website; everyone to their own. I personally don't like WordPress, and security issues are a few of the reasons why, everyone to their own though.
  • System Wide Solutions
    Originally Posted by K Meier:

    Check this out. It's a bigger guide on how to secure your WordPress blog. The PDF file is quite big: The WordPress Security Checklist
    Thanks. This is really helpful.
  • doganj1
    You can protect the wp-admin folder with a password, so you have two layers of passwords to access wp-admin.
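    Mkj's static-IP rule and doganj1's second password layer, combined into one wp-admin .htaccess as an added example (this is not code from either poster). It assumes Apache 2.4 (the 2.2 form is the Order/Deny/Allow block Mkj posted plus Satisfy Any for the exemption), a placeholder static address of 203.0.113.10, and a password file at /home/example/.htpasswd created with "htpasswd -B -c /home/example/.htpasswd dashboard-user"; all three values are assumptions to replace with your own. Two things the bare rules miss: wp-admin/admin-ajax.php is requested by front-end themes and plugins on behalf of anonymous visitors, so locking it away breaks those features; and wp-login.php lives in the site root rather than in wp-admin, so it needs its own block or the login form stays open.

```apache
# wp-admin/.htaccess, added example (Apache 2.4 syntax, not from the
# thread). The IP address and the .htpasswd path are ASSUMED placeholders.

AuthType Basic
AuthName "WordPress dashboard"
# ASSUMED path; keep the password file outside the web root.
AuthUserFile /home/example/.htpasswd

# Both conditions must hold. Two bare Require lines at the same level are
# combined with OR (an implicit <RequireAny>), which would let the allowed
# address skip the password and let a password holder come from anywhere.
<RequireAll>
    # ASSUMED static address; list more than one if needed.
    Require ip 203.0.113.10
    Require valid-user
</RequireAll>

# admin-ajax.php answers anonymous front-end requests (comment forms,
# infinite scroll, many contact-form plugins). A <Files> section's Require
# set replaces the directory's, so this reopens only that one script.
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- Root .htaccess (a separate file): wp-login.php sits outside wp-admin
# and is the script that actually takes the credentials, so it gets the
# same two layers.
<Files "wp-login.php">
    AuthType Basic
    AuthName "WordPress dashboard"
    AuthUserFile /home/example/.htpasswd
    <RequireAll>
        Require ip 203.0.113.10
        Require valid-user
    </RequireAll>
</Files>
```

    Basic auth sends the username and password base64-encoded on every request, so this only adds a layer if the site is served over HTTPS; otherwise it hands a second credential to the same attacker who could already sniff the WordPress login. The -B flag in the htpasswd command stores the hash with bcrypt. To confirm the rules work, request https://example.com/wp-admin/ (example.com standing for your host) with no credentials and expect a 401 challenge, then again with valid credentials from an address not on the list and expect 403; https://example.com/wp-admin/admin-ajax.php should still answer without a challenge.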
  • hilarious89
    Hey Hafeez, I am not that much of an expert on securing WP blogs. I haven't added any security to my WordPress blog yet because it's a free blog. You can use WP Locker if you want.
