WordPress is one of the most popular content management and blog publishing platforms in the world: at the time of writing this post, WordPress 3.3 alone has been downloaded 10,784,818 times. That popularity also makes it the biggest target for hackers and malware distributors around the world.
There are a number of easy steps you should take to protect your WordPress installation from unauthorized access. Here they are, starting from the very beginning.
- Secure Hosting: No matter how secure your WordPress installation is, your site can be hacked if the hosting server is not secure. Always purchase hosting from a reliable provider, and prefer hosting with suPHP and Suhosin installed on the server, as this helps in managing file permissions.
- Secure Installation: Start protecting your WordPress site at installation time. Many web hosts offer one-click WordPress installation through auto-installers; instead of using those, install WordPress yourself, change the default table prefix from wp_ to something unguessable, and always use a strong database password.
- Strong Username / Password: During installation never select “Admin” as the user name; pick something different, and always use strong passwords that mix lower-case and capital letters, numbers and special characters (#%^~@!).
- Installation cleanup: Remove unused files from the WordPress installation, such as readme.html and license.txt.
- Protecting Core Files: Always protect core files from external access.
- Protect the wp-config.php file of your WordPress installation by adding the following to the .htaccess file in the WordPress root (Apache 2.2 access-control syntax; on Apache 2.4 use "Require all denied" instead of the order/deny lines):
<Files wp-config.php>
order allow,deny
deny from all
</Files>
- Protect the .htaccess file itself in the same way:
<Files .htaccess>
order allow,deny
deny from all
</Files>
- Plugin & Theme Installation: Only install reputable themes and plugins. Thousands of free themes and plugins are available around the web, and many of them contain infections, malware, encrypted malicious code and so on.
- Secure Your WordPress:
- Change the default role to Subscriber; instead of posting with Admin rights, create a new Author account with only posting rights and use it for posting.
- Always update your WordPress installation as soon as an update is released by WordPress.
- Always update your plugins, and remove plugins that are deprecated.
- If you have a dedicated IP, create an .htaccess file in the wp-admin folder with this code (Apache 2.2 syntax; replace the placeholders with your own addresses):
order deny,allow
deny from all
allow from <your home IP>
allow from <your office IP>
# Caveat: wp-admin/admin-ajax.php is also requested by visitors of the public site,
# so if a theme or plugin relies on it, add a <Files admin-ajax.php> block that allows all.
- If you don’t have a dedicated IP, password-protect the WordPress admin area with an .htaccess file and a matching .htpasswd file.
- Backups: Always install a backup plugin that automatically backs up the database and important folders, and prefer a paid third-party backup service (these usually charge a small amount), so that in case of a disaster you won’t lose your important data.
- WP-Security Scan: The regularly updated WP Security Scan plugin scans your WordPress installation for security vulnerabilities and suggests corrective actions.
It checks for weak passwords, file permissions and database security, hides the WordPress version, protects the WordPress admin area, and removes the WP Generator META tag. A powerful plugin.
- Login LockDown Security: Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP address, the login function is disabled for all requests from that range.
This helps to prevent brute-force password discovery. Currently, the plugin defaults to a one-hour lockout for an IP address block after three failed login attempts within a five-minute period.
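To make the lockout policy above concrete, here is an added example (not the Login LockDown plugin's own code) that replays it over a constructed login log: three failures within five minutes from one address range lock that range out for one hour, and a correct password is refused until the lockout expires. It assumes that "range" means the client's /24 network; the log format and addresses are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Login LockDown policy from the post: 3 failures in 5 minutes from one range -> 1 hour lockout.
MAX_FAILURES, WINDOW, LOCKOUT = 3, timedelta(minutes=5), timedelta(hours=1)

class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(deque)  # range -> times of recent failures
        self.locked_until = {}              # range -> when the lockout expires

    def attempt(self, ip, now, success):
        """Record one login attempt; return 'locked', 'failed' or 'allowed'."""
        rng = ".".join(ip.split(".")[:3]) + ".0/24"  # assumption: "range" is the /24
        until = self.locked_until.get(rng)
        if until is not None:
            if now < until:
                return "locked"  # refused even when the password is correct
            del self.locked_until[rng]  # lockout has expired
        if success:
            self.failures.pop(rng, None)  # a good login clears the failure history
            return "allowed"
        recent = self.failures[rng]
        recent.append(now)
        while now - recent[0] > WINDOW:  # forget failures older than the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[rng] = now + LOCKOUT
            recent.clear()
            return "locked"
        return "failed"

# Constructed sample of login events (time, client IP, user, result); not real traffic.
SAMPLE_LOG = """\
2012-01-10T10:00:00 198.51.100.7 admin FAIL
2012-01-10T10:01:00 198.51.100.7 admin FAIL
2012-01-10T10:03:00 198.51.100.9 admin FAIL
2012-01-10T10:03:30 198.51.100.7 editor OK
2012-01-10T10:20:00 203.0.113.5 admin FAIL
2012-01-10T10:30:00 203.0.113.5 admin FAIL
2012-01-10T11:04:00 198.51.100.7 admin OK
"""

def replay(log_text):
    """Apply the lockout policy to each log line in order; return one verdict per line."""
    guard = LoginLockdown()
    return [guard.attempt(ip, datetime.fromisoformat(ts), result == "OK")
            for ts, ip, _user, result in map(str.split, log_text.splitlines())]
```

Replaying SAMPLE_LOG shows the third failure from the 198.51.100.0/24 range triggering the lockout, the valid "editor" login being refused thirty seconds later, the 203.0.113.5 failures never locking because they fall outside the five-minute window, and the range being released after the hour has passed.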
- AntiVirus for WordPress: AntiVirus for WordPress is a smart and effective solution to protect your blog against exploits and spam injections. It monitors for possible platform vulnerabilities, virus injections, malicious links and so on, can send you email notifications, and supports whitelisting.
- SPAM Protection: To protect your WordPress installation from spammers, always use a CAPTCHA plugin on any kind of form (contact forms, comments, etc.). Always use the Akismet plugin with WordPress; Akismet is a very strong system that protects your WordPress installation from comment spam.