As a blogger you should be very careful about the overall security of your blog. Securing your blog against the various kinds of hacking isn't a one-time activity: you should always be careful and smart. Don't assume that nobody is going to hack your blog because you're an ordinary person who never interferes in government policy, that there is nothing valuable on your blog, or that hackers only hack sites that are big or owned by the government or military.
1. Keep WordPress updated
There are various reasons behind a WordPress update release, and one of them may be the presence of a vulnerability. Updating your WordPress blog regularly not only improves the performance of the blog but also fixes the bugs and vulnerabilities found in its earlier version. So, to be on the safe side from known issues and vulnerabilities, you should always update your WordPress blog. Upgrading to the newer version of WordPress is the only thing that will keep your blog secure in future.
2. Be the first one to update WordPress Plugins and Themes
Whenever a new version is available for a WordPress plugin or theme, update it immediately. In fact, WordPress plugins are more vulnerable than the core WordPress script: 80% of WordPress blogs are hacked because of a loophole present in a WordPress plugin. If there isn't any update from the plugin owner and you come to know that the plugin is vulnerable, then I strongly recommend that you uninstall the plugin.
3. Change Login password at Regular Intervals
This point applies to all your Internet accounts that require a login. To prevent brute-force attacks you should keep changing the login password of your WordPress blog. Also, the password must be strong and hard to guess. For better login security I'd recommend using the Chap Secure Login plugin for WordPress. You can use this plugin to transmit your password in encrypted form. It is useful when you can't use SSL or other kinds of secure protocols. With the Chap Secure Login plugin activated, the only information transmitted unencrypted is the username; the password is hidden with a random number generated by the session. I'd also recommend the Login Lock plugin for your WordPress blog. This plugin has great features to prevent unauthorized login attempts.
Update [June 2012]: The Login Lock plugin is causing a redirection loop in web browsers. Due to this, administrators will not be able to log in to the WordPress dashboard. If you've installed this plugin and you're unable to log in to your dashboard, log in via FTP and rename or delete the plugin. Meanwhile, you can use the 6Scan Security plugin for WordPress. It's great and also tells you about the latest vulnerabilities.
4. Back up WordPress Database at Regular Intervals
In WordPress there is a plugin for everything. You can use any popular database backup plugin to back up your WordPress database. Earlier I was using the WP-DB-Backup plugin, but that plugin was last updated on 21st December 2010, so I uninstalled it and now I'm using WordPress Backup to Dropbox. This plugin enables automatic backup of the WordPress database to Dropbox; all you need is a Dropbox account. Alternatively, you can use the backup option in your cPanel to manually back up your database.
4 Intermediate Steps to Prevent WordPress Hacking
Before applying any of the tips mentioned below, I strongly suggest you take a database backup. Also, before modifying the wp-config.php file, take a backup of that file.
1. Modify Key values in wp-config.php file
Visit the WordPress secret key generator for wp-config. After getting the unique keys, open your wp-config.php file, find the line beginning define('AUTH_KEY', and replace the given keys with the newly generated keys.
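As an added example (not code from the original post), the shell script below checks whether the eight key and salt constants in wp-config.php still hold the placeholder that ships in wp-config-sample.php, and rewrites them with values generated locally from /dev/urandom instead of values fetched from the online generator the post points to. The function names, the constructed sample file and the local generation method are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the eight
# AUTH_KEY/SALT constants in wp-config.php and, if they are still the
# shipped placeholders, write a copy with locally generated values.
# Assumes a POSIX shell with /dev/urandom, tr, head, grep, sed and mktemp.

# The eight constants WordPress expects to be unique per site.
WP_KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print one 64-character random key. The character set excludes the
# single quote and backslash (so the value is safe inside define('...'))
# and '&' and '|' (which have meaning in the sed replacement below).
gen_wp_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^*()_+=-' < /dev/urandom | head -c 64
    echo
}

# Return 0 when every constant is defined with something other than the
# "put your unique phrase here" placeholder from wp-config-sample.php.
# Prints the name of each constant that still needs a real value.
keys_are_unique() {
    file="$1"
    weak=0
    for name in $WP_KEY_NAMES; do
        if ! grep -q "define( *'$name'" "$file" \
           || grep -q "define( *'$name', *'put your unique phrase here'" "$file"; then
            echo "$name"
            weak=$((weak + 1))
        fi
    done
    [ "$weak" -eq 0 ]
}

# Copy SRC to DST, replacing the whole define() line of each constant
# with a freshly generated key. SRC is left untouched, so it doubles as
# the backup the post recommends taking before editing wp-config.php.
rewrite_keys() {
    src="$1"
    dst="$2"
    cp "$src" "$dst"
    for name in $WP_KEY_NAMES; do
        key=$(gen_wp_key)
        sed "s|^ *define( *'$name'.*|define('$name', '$key');|" "$dst" > "$dst.tmp" \
            && mv "$dst.tmp" "$dst"
    done
}

# Write a constructed wp-config.php fragment that still carries the
# sample placeholders (test input for this example, not a real config).
make_placeholder_config() {
    {
        echo "<?php"
        echo "define('DB_NAME', 'wordpress');"
        for name in $WP_KEY_NAMES; do
            echo "define('$name', 'put your unique phrase here');"
        done
    } > "$1"
}

# Stand-alone demo: build the placeholder file, audit it, rewrite it,
# then audit the rewritten copy.
demo=$(mktemp -d)
make_placeholder_config "$demo/wp-config.php"
keys_are_unique "$demo/wp-config.php" || echo "-> placeholders found, regenerating"
rewrite_keys "$demo/wp-config.php" "$demo/wp-config.new.php"
keys_are_unique "$demo/wp-config.new.php" && echo "-> all eight constants are now unique"
rm -rf "$demo"
```

Point rewrite_keys at a copy of your real wp-config.php and diff the result before swapping it in. Changing these constants invalidates every existing login cookie, so all users (including you) will have to log in again afterwards.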
2. Secure wp-config.php file
You can move the wp-config.php file to the directory above your WordPress install. For example, if you've installed WordPress in the root directory, you can move wp-config.php one level above the root directory. Note that you can only move wp-config.php one directory level above the WordPress installation, not more than that. Also, make sure that only you and your web server can read this file; this generally means a 400 or 440 permission.
After doing this, write a deny-access rule for wp-config.php in the .htaccess file. To do this, open the .htaccess file, put the code below at the top of the file and save it.
<Files wp-config.php>
deny from all
</Files>
3. Protect .htaccess (Hypertext Access) File
To protect the .htaccess file in your 'www' directory, use the following code snippet and paste it into your .htaccess file.
# Protecting .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
deny from all
</Files>
4. Disallow Directory Browsing
You cannot afford to let your website visitors browse your entire WordPress directory. To disallow directory browsing, you need to make a small change to the .htaccess file. Add the small snippet below to your .htaccess file.
# disable directory browsing
Options All -Indexes
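The three .htaccess rules above and the wp-config.php permission from step 2 can be verified from a shell. The script below is an added example, not code from the original post: it builds a constructed sample site with one compliant and one non-compliant directory and audits both. It also accepts the Apache 2.4 form of the deny rule, Require all denied, because deny from all is the older 2.2 syntax that 2.4 only honours through mod_access_compat. All function names and the sample files are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress
# document root for the three .htaccess rules above plus the 400/440
# permission on wp-config.php. Assumes a POSIX shell with ls, cut, grep,
# chmod and mktemp. The sample site it builds is constructed test data.

# Return 0 when FILE's mode, as shown by ls -l, gives nothing to "other"
# and no write bit to "group": 400, 440, 600 and 640 pass, 644 fails.
config_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)              # e.g. -r--------
    [ "$(printf '%s' "$mode" | cut -c8-10)" = "---" ] &&
        [ "$(printf '%s' "$mode" | cut -c6)" = "-" ]
}

# Return 0 when DIR/.htaccess carries all three hardening rules.
# "deny from all" is Apache 2.2 syntax (kept alive by mod_access_compat);
# the Apache 2.4 equivalent "Require all denied" is accepted as well.
htaccess_ok() {
    ht="$1/.htaccess"
    [ -f "$ht" ] || return 1
    # 1. wp-config.php is wrapped in its own <Files> block.
    grep -qi '^<Files wp-config.php>' "$ht" || return 1
    # 2. The .htaccess self-protection pattern from the post.
    grep -qF '<Files ~ "^.*\.([Hh][Tt][Aa])">' "$ht" || return 1
    # Both <Files> blocks need their own deny line: expect at least two.
    denies=$(grep -Eci '^(deny from all|Require all denied)' "$ht" || true)
    [ "$denies" -ge 2 ] || return 1
    # 3. Directory listings are switched off.
    grep -qi '^Options All -Indexes' "$ht"
}

# Run both checks on DIR and print one line per finding.
audit_site() {
    status=0
    config_perms_ok "$1/wp-config.php" ||
        { echo "$1: wp-config.php is readable by others or writable by group"; status=1; }
    htaccess_ok "$1" ||
        { echo "$1: .htaccess is missing one of the hardening rules"; status=1; }
    return $status
}

# Build a constructed sample: DIR/good follows the post, DIR/bad does not.
make_sample_site() {
    base="$1"
    mkdir -p "$base/good" "$base/bad"
    cat > "$base/good/.htaccess" <<'EOF'
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# Protecting .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
</Files>
# disable directory browsing
Options All -Indexes
EOF
    : > "$base/good/wp-config.php"
    chmod 400 "$base/good/wp-config.php"
    printf 'Options +Indexes\n' > "$base/bad/.htaccess"
    : > "$base/bad/wp-config.php"
    chmod 644 "$base/bad/wp-config.php"
}

# Stand-alone demo on the constructed sample.
demo=$(mktemp -d)
make_sample_site "$demo"
audit_site "$demo/good" && echo "$demo/good: passes all checks"
audit_site "$demo/bad" || echo "$demo/bad: fails as expected"
rm -rf "$demo"
```

To audit a real installation, call audit_site with the document root (and, if you moved wp-config.php one level up as in step 2, run config_perms_ok on that path instead). The permission check reads the ls -l mode string rather than stat, because stat's format flags differ between GNU and BSD systems.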
By applying these basic and intermediate actions you can make hacking your WordPress blog much harder. If you're having problems applying the intermediate steps, post a comment or email me.
Some Good Reads for WordPress Security: