How to Hacker Proof Your WordPress Installation
Must Have Plugins
Antivirus WordPress plugin
WordPress Theme Scanner (WP-Scanner)
WordPress Database Backup
WP Vulnerability Scanner plugin
AskApache Password Protect
How to protect a WordPress blog?
Always Update
Updating WordPress has become very easy. Since WordPress 2.7 you can update your blog with a single click, so don't be lazy about it: as soon as a new version is released, upgrade your blog. If you are on an older version, you can use the WordPress Automatic Upgrade plugin to move to the latest release.
Update Your Plugins Too
Because plugins are written by third-party developers, they may be more vulnerable than WordPress itself. Check a plugin's profile page and read the comments and stats before installing it, and update your plugins regularly as well.
Protecting Your Admin Profile
Create a new user, give it full administrative privileges, and then delete your old "admin" user's profile. As a result an attacker has to guess both your user name and your password, not just the password.
Stop Creating Guest Account
If your blog is not a multi-user blog, there is no need to let visitors create guest accounts. Uncheck the Settings > General > Membership > "Anyone can register" option.
Use Strong Password
Don't use obvious word sequences, number sequences, your name, your town, your date of birth, etc. as a password. Use a mix of lower-case letters, capital letters and numbers. You can use Strong Password Generator to create your password; the site also gives you an easy way to remember it.
Protect Your wp-admin Folder
You can add a .htaccess file to your wp-admin folder that blocks every IP address except the ones you use, such as your home IP and office IP.
Backup Regularly
Even though most hosting providers offer regular backups, you still should not rely on them. A couple of months ago, I found my website was unavailable and I contacted GoDaddy support. They informed me they were resolving the problem, and it took them 5 days to fix it. Horribly, on the 3rd day they informed me that all my records had been wiped out, so I might not get my database and files back. Fortunately, I had my website backup on my PC, and by the time they fixed my problem, I had already transferred my website to HostGator and kept it running.
Use Login Lockdown Plugins
The Login Lockdown plugin records every failed login attempt and locks out a particular IP address for a while after a number of failed attempts.
Delete WordPress Version
Attackers can find out your WordPress version and exploit vulnerabilities known for it, so you may want to remove the version from your website's source. Go to Appearance > Editor, open header.php and delete <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> from the source code to hide your WordPress version.
Move the wp-config.php file
Also, since version 2.6, WordPress lets you move wp-config.php one directory level above the installation. This file contains by far more sensitive information than any other, and the parent directory is normally not reachable from the web, so it certainly makes sense to store it outside the actual installation. WordPress automatically looks in the parent directory for the configuration file, so there is no path to adjust.
Use Security Plugins
If you find that you are being targeted frequently, you can use security plugins to add more protection to your blog. You can find some useful security plugins for WordPress here.
Stop Anonymous Comments and Trackbacks
Why? There is a history of the WordPress Trackback Charset SQL Injection issue, as well as non-WordPress-related spam floods.
Check Your Server Files and Folder Permissions
This applies especially to wp-config.php, which is a plain-text file in a web-accessible directory. Not only is it web accessible, but it contains the login and password for your blog's database. No need to be a rocket scientist to figure out what will happen if someone malicious gets access to that. Directories should have permissions of 755, NEVER 777. All files should have permissions of 644. If you do want to use the built-in editor, theme files should have permissions of 666, NEVER 777. Do not use any plugin that needs to write anything to the server. No matter how drastic it sounds, trust me, it will save your ass.
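One way to check a tree against these modes and enforce them, as an added example that is not the post's own code (it assumes ROOT is the directory holding wp-config.php):

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress tree
# against the rule above (directories 755, files 644, never 777) and fix it.
# Assumption: ROOT is the directory holding wp-config.php. With these modes the
# PHP process can only write (e.g. to wp-content/uploads) if it runs as the
# file owner, which is exactly why the post says to avoid plugins that write.

# wp_perm_audit ROOT: print one "dir PATH" or "file PATH" line per offender
wp_perm_audit() {
    root=$1
    # directories whose mode is not exactly 755
    find "$root" -type d ! -perm 755 -exec printf 'dir %s\n' {} \;
    # files whose mode is not exactly 644
    find "$root" -type f ! -perm 644 -exec printf 'file %s\n' {} \;
}

# wp_perm_count ROOT: number of offending paths, 0 means the tree is clean
wp_perm_count() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# wp_world_writable ROOT: the really dangerous case, anything with the
# "other write" bit set (777 directories, 666 files on a shared host)
wp_world_writable() {
    find "$1" -perm -002
}

# wp_perm_fix ROOT: apply 755/644 to everything under ROOT
wp_perm_fix() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Demo on a constructed throw-away tree so the script is safe to run as-is
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/plugins"
chmod 755 "$demo" "$demo/wp-content"
chmod 777 "$demo/wp-content/plugins"     # the "NEVER 777" case
printf 'x' > "$demo/wp-config.php"; chmod 600 "$demo/wp-config.php"
echo "before: $(wp_perm_count "$demo") problem(s)"; wp_perm_audit "$demo"
wp_perm_fix "$demo"
echo "after:  $(wp_perm_count "$demo") problem(s)"
rm -rf "$demo"
```

Run the audit before the fix on a live site; a 777 directory under wp-content usually means some plugin or installer created it, and that plugin will stop working once the mode is tightened.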
Check Your Theme for Holes
If you build your own theme, or have someone build one for you, check it against the latest known PHP security holes and common security flaws before using it as your template. You can also run the WordPress Theme Scanner (WP-Scanner) against it.
Prevent Access to Your WordPress Folders and Plugin Directory
If you open your plugins directory in a browser at www.example.com/wp-content/plugins, you may see a listing of all of the plugin files and directories. So can everyone else, and the same may go for some of your other WordPress directories. There are a few ways to deal with this.
- Create a blank HTML or PHP file and put it in that directory.
- Put a password on the directories to prevent access. This is done through your host server’s backend management program, such as with Cpanel’s guide on protecting directories with passwords.
- Restrict access to those directories or files as explained in Hardening WordPress with .htaccess.
- Add disallow to your robots.txt file for these directories to stop search engines and other bots from indexing them.
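The wp-admin IP allow list described earlier and the directory-listing fix above, written out as an added example (not the post's own code). It assumes Apache 2.4 "Require" syntax with AllowOverride enabled; the addresses are constructed:

```shell
#!/bin/sh
# Added example, not code from the original post: generate the two .htaccess
# files it recommends. Assumes Apache 2.4 (mod_authz_core "Require" syntax)
# with AllowOverride enabled for the site; the IPs below are constructed.

# write_wpadmin_htaccess DIR IP [IP...]
# Allow only the listed IPs/CIDRs into DIR (your wp-admin folder). admin-ajax.php
# is exempted because front-end plugins and themes call it for ordinary
# visitors; locking it down silently breaks them.
write_wpadmin_htaccess() {
    dir=$1; shift
    if [ "$#" -eq 0 ]; then
        echo "refusing to write an allow list with no addresses" >&2
        return 1
    fi
    {
        for ip in "$@"; do
            echo "Require ip $ip"          # several Require lines are OR-ed
        done
        echo '<Files admin-ajax.php>'
        echo '    Require all granted'
        echo '</Files>'
    } > "$dir/.htaccess"
}

# write_root_htaccess DIR
# Turn off directory listings and refuse to serve wp-config.php as a plain
# file. WordPress keeps its permalink rewrite rules in the root .htaccess, so
# this appends (once) instead of overwriting.
write_root_htaccess() {
    f=$1/.htaccess
    grep -q 'Options -Indexes' "$f" 2>/dev/null && return 0
    {
        echo 'Options -Indexes'
        echo '<Files wp-config.php>'
        echo '    Require all denied'
        echo '</Files>'
    } >> "$f"
}

# Demo against a constructed throw-away tree
demo=$(mktemp -d); mkdir "$demo/wp-admin"
write_wpadmin_htaccess "$demo/wp-admin" 203.0.113.10 198.51.100.0/24
write_root_htaccess "$demo"
cat "$demo/wp-admin/.htaccess" "$demo/.htaccess"
rm -rf "$demo"
```

If the site sits behind a proxy or CDN, Apache sees the proxy's address rather than yours, so the allow list only works once the real client address is restored (for example with mod_remoteip).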
Subscribe to the WordPress Development Blog
at http://wordpress.org/development/feed/. When WordPress patches a security hole or releases a new version, it is announced on that blog. If you see a security patch released, upgrade or apply the patch; you leave yourself open to being hacked if you don't.
One Last Tip
Download and install the WP Vulnerability Scanner plugin. Once installed, activate it, launch WP-Scanner, and deactivate the plugin again once you are done with the test.