WordPress Blog Protection Tips

It is not enough to remove the consequences; you need to understand the causes. I already wrote that we got hacked, and it seemed that we had fixed everything. However, a week later the story repeated itself: another jQuery script had been modified, as had the .htaccess files. The .htaccess files contained redirects to some third-party site that fired only for mobile devices and tablets, which is why I did not notice it right away.

Over a couple of days I managed to find all the files that had been changed by the attacker, as well as the ones he had created specifically for getting in (a shell). And again, thanks to the hosting provider for their help. After that, I decided to take all the measures that are described on the Internet.

Contents of the article

All parts of my short FAQ for bloggers:

I have written a number of articles about blogging. They do not claim to be a full-fledged manual, but beginners may find them helpful. Have a look if you are interested.

0. I recommend the course "How to become a thousand-blogger and earn money"
1. How to start blogging
2. How to promote a blog - a list of my actions
3. How to make money on blog and travel
4. An example of earnings on our blog: Finstrip 2013, Finstrip 2012, Finstrip 2011
5. Reader and search traffic, as well as why readers do not return
6. A little truth about travel blogging
7. WordPress Blog Protection Tips

WordPress Blog Protection Tips

The list is unlikely to be complete, and, as they say, whoever really wants in will get in anyway. But at least these steps can be taken by almost any blogger to get some protection.

Update counter and widget codes

Check the code of every counter and social widget on your blog against the site you got it from; it may have been updated. I have noticed that Facebook often changes its widget code, apparently to improve security.

Update all plugins and WordPress to the latest versions and remove unused ones

No comment needed; anyone can do this. Vulnerabilities are usually found in plugins and themes, so at the very least delete everything you do not use.

Update timthumb.php

If your theme resizes thumbnails via timthumb.php, you must update this file to the latest version, since old versions have known vulnerabilities.

Check permissions on folders and files

All files must have 644 permissions and folders 755, except .htaccess (444 permissions) and the uploads folders (777 permissions).
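As an added example (not from the post), here is a shell function that audits a blog's directory tree against the permission policy just stated and lists every path that deviates; it assumes GNU find, as found on Linux hosting, and treats any directory under uploads as an uploads folder.

```shell
#!/bin/sh
# Audit a WordPress tree against the policy above: files 644, folders 755,
# .htaccess 444, uploads folders 777. Prints "actual path (expected N)" for
# each deviation and returns 1 if any were found, 0 otherwise.
# Assumes GNU find (-mindepth, -printf), the usual case on Linux hosting.
wp_perm_audit() {
    root=$1
    found=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        type=${line%% *}; rest=${line#* }     # %y type letter, then mode and path
        mode=${rest%% *}; path=${rest#* }     # path may contain spaces
        name=${path##*/}
        case "$type" in
            d) case "$path" in
                   # 777 is the post's value; where PHP runs as the file owner, 755 is enough
                   */uploads|*/uploads/*) expected=777 ;;
                   *) expected=755 ;;
               esac ;;
            f) if [ "$name" = ".htaccess" ]; then expected=444; else expected=644; fi ;;
            *) continue ;;                    # symlinks etc. are outside the policy
        esac
        if [ "$mode" != "$expected" ]; then
            printf '%s %s (expected %s)\n' "$mode" "$path" "$expected"
            found=1
        fi
    done <<EOF
$(find "$root" -mindepth 1 -printf '%y %m %p\n')
EOF
    return $found
}

# Stand-alone use: sh wp-perm-audit.sh /path/to/blog
if [ $# -gt 0 ]; then
    wp_perm_audit "$1"
fi
```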

Change admin username

The quickest option is to log into phpMyAdmin and run this query against your database:

UPDATE wp_users SET user_login = 'Your new login' WHERE user_login = 'admin';

Or you can simply create a new user through the blog's admin panel, reassign all posts to it, and delete the old admin user.

Change all passwords to more complex ones

Banal advice, but passwords should be complex, made up of digits and letters of both cases. Also remember that after fighting off an infection you must change all passwords regardless (blog admin panel, hosting control panel, FTP, SQL database), and it also makes sense to change the secret keys in the wp-config.php file.

Protect the .htaccess and wp-config.php files from all access

Add this code to the .htaccess in the root of the blog:

<Files .htaccess>
Order Deny,Allow
Deny from all
</Files>
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

Protect the wp-includes folder with .htaccess

Create a plain text file, name it .htaccess, add the following code to it, and copy it into the wp-includes folder:

# Block direct web requests for the PHP files in wp-includes; the folder's
# JavaScript and CSS must stay reachable, so only *.php is denied
<Files *.php>
Order Allow,Deny
Deny from all
</Files>

Protect the wp-admin folder with .htaccess and .htpasswd

Create a plain text file, name it .htaccess, add the following code to it, and copy it into the wp-admin folder:

AuthUserFile /home/public/.htpasswd
AuthType Basic
AuthName "restricted"
# Deny everyone, but "Satisfy any" lets through anyone who passes the Basic Auth login
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any

Here "/home/public/.htpasswd" is the full path to the .htpasswd file. It is desirable that this file be located above your blog's directory.

The .htpasswd file stores the password for the wp-admin area in hashed form. The easiest way to create it is to generate it from a username and password in the usual way. It is best to use credentials that differ from your existing accounts rather than repeating them.

This method has only one inconvenience: it is not applicable if you have a multi-user blog, since the password will be requested from all users.

Change Database Prefix

Changing the SQL database prefix from the standard "wp_" to something like "wpsdjflk647_" could have been done at the very beginning, when the blog was created. But it is not a problem now either: I did it with a plugin, which is discussed below. Alternatively, you could go into phpMyAdmin, rename all the tables there, and then change the prefix in the wp-config.php file.
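An added example, not from the post or from any of the plugins mentioned: a shell function that writes out the SQL for the manual route, including the two UPDATE statements that a plain table rename misses, because some option and user-meta keys embed the prefix. The prefix values are the ones from the text; the table list is fed in from SHOW TABLES.

```shell
#!/bin/sh
# Generate the SQL for a manual prefix change. Reads table names from stdin
# (one per line, as printed by `mysql -N -e 'SHOW TABLES' dbname`), emits a
# RENAME for every table carrying the old prefix, then fixes the rows whose
# keys embed the prefix, which renaming tables in phpMyAdmin does not touch:
# wp_options.option_name 'wp_user_roles' and wp_usermeta.meta_key values such
# as 'wp_capabilities' and 'wp_user_level'. Review the output, run it, then
# set $table_prefix in wp-config.php to the new value.
wp_prefix_sql() {
    old=$1
    new=$2
    while IFS= read -r table; do
        case "$table" in
            "$old"*) printf 'RENAME TABLE %s TO %s;\n' "$table" "$new${table#"$old"}" ;;
        esac
    done
    # Underscore is a LIKE wildcard, so escape it in the old prefix
    like=$(printf '%s' "$old" | sed 's/_/\\_/g')
    printf "UPDATE %soptions SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    printf "UPDATE %susermeta SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$(( ${#old} + 1 ))" "$like"
}

# Stand-alone use: mysql -N -e 'SHOW TABLES' blogdb | sh wp-prefix-sql.sh wp_ wpsdjflk647_
if [ $# -eq 2 ]; then
    wp_prefix_sql "$1" "$2"
fi
```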

Install Belavir Plugin

Install the Belavir plugin, which tracks changes in all PHP files of your blog. The plugin does not monitor anything on its own; it runs the check when you enter the blog's admin panel, on the Dashboard page, where it displays the changes. It has no settings.

Install WP Security Scan Plugin

Install the WP Security Scan plugin, which lets you do a few things, in particular:
- change the database prefix
- check permissions on folders and files
- hide the WordPress version
- enable an antivirus scan of the blog and run it

Install Better WP Security Plugin

Install the Better WP Security plugin; it is needed even more than the previous two. Its list of capabilities is very long; I will list part of it:
- lets you change the database prefix
- removes unnecessary information, such as the WordPress version, from the blog's code
- monitors changes in all files
- bans the IP of anyone who types strange addresses after your blog's name in the browser and receives a 404 error
- prevents password guessing for the admin panel by banning the IP
- changes the standard admin login addresses, an excellent protection against brute-force attacks
- and much more.

Monitoring changes over FTP

Install the ftpinfo program on your computer, which connects to your FTP server and monitors all the account's files for appearance, deletion and modification. A very handy thing during a virus attack. You can monitor not only all files but also define masks for files and folders.
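The file-change check that Belavir runs from the Dashboard and ftpinfo runs over FTP, as an added shell example that is not the code of either tool: it records a SHA-256 baseline of every PHP file and reports what was added, changed or removed since. It assumes GNU coreutils on the host; the baseline file should live outside the web root.

```shell
#!/bin/sh
# Hash baseline for the PHP files of a blog, done from a shell on the host.
#   wp_php_baseline DIR BASELINE  records the SHA-256 of every *.php under DIR
#   wp_php_compare  DIR BASELINE  prints ADDED/CHANGED/REMOVED paths against it
#                                 and returns 1 when anything differs
# Assumes GNU coreutils (sha256sum). Paths are relative to DIR.
wp_php_baseline() {
    ( cd "$1" && find . -type f -name '*.php' -exec sha256sum {} + ) | sort -k2 > "$2"
}

wp_php_compare() {
    cur=$(mktemp)
    wp_php_baseline "$1" "$cur"
    # Field 1 is the hash, field 2 the path. Baseline entries that were not
    # seen in the current scan are what is left in base[] at END: removed files.
    diffs=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        !($2 in base)       { print "ADDED   " $2; next }
        base[$2] != $1      { print "CHANGED " $2 }
                            { delete base[$2] }
        END { for (p in base) print "REMOVED " p }
    ' "$2" "$cur")
    rm -f "$cur"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# Stand-alone use:
#   sh wp-integrity.sh baseline /path/to/blog /safe/place/baseline.txt   (on a clean site)
#   sh wp-integrity.sh compare  /path/to/blog /safe/place/baseline.txt   (from cron or by hand)
case "${1:-}" in
    baseline) wp_php_baseline "$2" "$3" ;;
    compare)  wp_php_compare  "$2" "$3" ;;
esac
```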

Back up the database and files every few days

A very useful thing; it can come in handy in the fight against viruses. The original files will always be at hand, and you will be able to roll back if the site cannot be cleaned. I use the BackWPup plugin. It has many features, including copying data to Dropbox, a convenient service that provides 2 GB of free space online and synchronization with your computer.

These are the tips for protecting a WordPress blog that I applied on our blog. If you have questions or additions (maybe something else can be done), write in the comments :)
