How Do You Protect Your Website From Hackers

21 replies
I've been seeing a lot of posts on the forum about WordPress websites getting hacked, which has also alerted me to start protecting my own blogs from being potentially stolen from me.

So far, from what I've learned, I've been able to figure out how to change my "admin" name to something else in my cPanel. I also change my passwords regularly, and I also include a WP antivirus plugin and a WP firewall plugin.

Granted, I still consider myself a newbie so I'm wondering what measures you would take to protect your blog from being hacked. Or, if you had this happen to you, what did you do differently after the hack to prevent it from happening again?
#hackers #protect #website
  • WealthWithin
    I've been having the same password for all my WordPress sites, and I haven't been hacked for the last 3 years or so.

    If you're changing passwords regularly you should be safe. Just use best practices when selecting passwords.

    1. Don't use the same password for cPanel/FTP and WordPress.
    2. Back up your WordPress site every week or so.
    3. Use a strong password (mix of letters, uppercase, numbers, special characters).
    4. Keep the WordPress version always up to date.
    5. Do not install any themes/plug-ins that you get from random places on the internet.
    6. If you want to be really safe, use .htaccess to limit admin panel access to only your IP.
    • MoneySavingLisa
      Originally Posted by WealthWithin:
      If you want to be really safe, use .htaccess to limit admin panel access to only your IP

      Thanks for the tip. How would something like that be done? I have Bluehost, so I'm assuming it would be something in the phpMyAdmin options.
      • jharper
        Using the .htaccess file to allow only your IP address access to the admin console is an effective method of protection. You need to edit or create a .htaccess file by FTP or server file manager access. The only problem with this method is that if your IP address changes regularly (you work in an internet cafe, wireless hotspots, etc.) you have to keep updating the .htaccess file with your current IP address.

        Other ways to protect the site are to hide your WP version (plugins available), so if you miss a WP update your current version isn't immediately targeted by hackers if there is a known security issue.

        I use the Login Lock plugin, which can block IP addresses that fail a login for a period of time, hopefully long enough for the hacker to move on to another, less well protected site.

        You can also use the .htaccess file to block access to certain directories (like your plugin directory) and files (like wp-config.php). This will further protect your installation, and all of these things together make it really secure. It's what I do for my WP customers.
        • MoneySavingLisa
          Originally Posted by jharper:
          Great ideas! I'll check how to do that. I've actually been trying to find the Login Lock plugin previous to this post, but couldn't remember the name. I'll try and google it LOL. I'll have to ask my hosting how I can add the .htaccess, as they are usually more proficient than I am!
  • ChristineCobb
    I've learned a lot about WordPress security from Regina Smola. I recommend you visit her website at How to Fix and Secure WordPress from Hackers « WPSecurityLock and get on her list. Her giveaway report is about the security plugins everyone needs.
    • wpsecuritylock
      Thanks Christine for the mention, I appreciate that.

      Lisa, the number of sites that get hacked daily is astounding (100,000+). Kudos to you for taking action to protect yourself.

      Don't forget, your website security starts with your computer. Make sure you're running 24/7 anti-virus and anti-malware protection, stay behind a firewall, and keep your applications up to date as well.

      It's amazing how many hacked WordPress sites I've fixed where the webmaster had an infected computer that spread to their own website(s).

      Or a webmaster that has a test directory with a WordPress installation of version 2.6.1 they forgot about that sits and festers.

      Clean up your server. Remove any old WordPress installations and plugins/themes you don't need. Just because they're inactive doesn't mean they don't pose a threat.

      Hope that helps.
  • modernians
    Great tips, are the plugins to protect you any good?
  • dsouravs
    Use the BulletProof plugin...
  • Mr.Daydream
    Sometimes the hackers are coming from countries that don't really have much monetary value to your site, so you can just ban any IP coming from that country trying to access your site.
  • Farish
    Some people may not like me saying this, but I wonder how many of those websites that got hacked used pirated plugins that have supposedly been nulled out? Most of these people are not programmers and have no clue what has been placed into those plugins downloaded from "free sources".
  • iuditg
    The most important thing is to have a strong password. After that, change your default database name. 90% of people use Simple Scripts or Fantastico to install WordPress because they are lazy, and they eventually end up getting hacked. Change your default WordPress name to something other than wp_.

    Further, please make sure you add an empty index.html file to all your wp-content folders (plugins, themes, uploads, etc.). Also install a security plugin; you can find various ones on the WordPress site. I did create one myself, but I won't advertise here; if you are interested you can hit me with a PM and I will provide you the link.

    Also, it's important to change your default login URL. That would solve 80% of your problem.
    • cooler1
      Originally Posted by iuditg:
      How do you change your default database name?

      Someone told me in another thread that changing the database name would hardly make a difference because it wouldn't deter a determined hacker.

      http://www.warriorforum.com/website-...ml#post5753342

      What is the purpose of adding an empty index.html file? Do you need to add one to every WP directory? I've never heard that being advised before.
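The .htaccess approach jharper describes above (admin console locked to one IP, wp-config.php blocked) and the reason behind iuditg's empty index.html tip (no directory listings), as an added example written for this thread and not taken from any post here. It assumes Apache 2.4 with .htaccess overrides enabled, WordPress installed in the site root, and 203.0.113.10 as a placeholder for your own public IP.

```apache
# Added example, not from the thread. Assumes Apache 2.4 (Require syntax),
# AllowOverride permitting these directives, WordPress in the site root, and
# 203.0.113.10 as a PLACEHOLDER for your own public IP address.
# The first part goes in the site-root .htaccess, the second in wp-admin/.htaccess.

# --- site-root .htaccess ---

# wp-config.php holds the database credentials; no browser ever needs it.
<Files "wp-config.php">
  Require all denied
</Files>

# The login form lives in the site root, so the IP allowlist must cover it here.
# If your IP changes (cafe, hotspot), this is the value you have to keep updating.
<Files "wp-login.php">
  Require ip 203.0.113.10
</Files>

# No directory listings: folders without an index file (e.g. wp-content/uploads/)
# can no longer be browsed. An empty index.html in each folder achieves the same.
Options -Indexes

# --- wp-admin/.htaccess ---

# Allowlist the whole admin console to your IP ...
Require ip 203.0.113.10

# ... except admin-ajax.php, which themes and plugins call for logged-out
# visitors too; blocking it breaks front-end features. The more specific <Files>
# section replaces the directory-level rule for that one file.
<Files "admin-ajax.php">
  Require all granted
</Files>
```

After saving, load wp-admin from a different network (or a phone on mobile data) to confirm you get a 403 there and normal access from your own IP; if your host runs Apache 2.2 the `Require` lines must be written as `Order`/`Allow`/`Deny` instead.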
  • Robby54
    Make sure your server is also secured. You can fix a lot of security holes with just CSF firewall alone.
  • Jamaican2011
    I get this message as of late:

    Warning: Cannot modify header information - headers already sent by (output started at /home/wayne555/public_html/watdahell.com/index.php:1) in /home/wayne555/public_html/watdahell.com/wp-includes/pluggable.php on line 866
    • simona86
      There's a huge number of free WordPress plugins written by Good Samaritan developers looking to keep their blogging peers safe. A few must-haves include Secure WordPress, which removes some critical meta information that a hacker could use against you from your WordPress install; Limit Login Attempts, which makes a brute-force attack basically impossible; and WP Security Scan, which provides a report about your specific configuration of WordPress and suggests corrective actions. You can get more information here.

      Hope this information helps you.
  • ghostrecon
    Use HTTPS and SSL where available.
  • bunnyadam
    Have your own backups, and install the Wordfence WordPress plugin. Have a strong password like capital letter + small letter + number + special character. Don't use dictionary words as a password.
    Have proper permissions set on your files and directories, and scan your code for any trojans or malware. Do not use free themes and plugins with a low rating.