Tips for securing your WordPress blog

It is not enough to clean up the consequences; you need to understand the cause. I already wrote that we had been hacked and that, supposedly, everything had been dealt with. However, a week later history repeated itself: another jQuery script had been modified, and so had the .htaccess files. Moreover, the redirects in .htaccess to some third-party site only fired for mobile devices and tablets, which is why I did not notice them right away.

Within a couple of days we managed to find all the files modified by the attacker, as well as the ones he had created specifically to get back in (a web shell). Once again, thanks to the hosting provider for their help. After that I decided to apply every measure described on the Internet.

All parts of my little blogger FAQ:

I have written a number of blogging related articles. They do not pretend to be a complete manual, but beginners may find it useful. You can read it if you are interested.

0. I recommend the course «How to become a thousand-year blogger and earn»
1. How to start blogging
2. How to promote a blog - a list of my actions
3. How to make money blogging and traveling
4. An example of making money on our blog - Finstrip 2013, finstrip 2012, Finstrip 2011
5. Reader and Search Traffic, and Why Readers Don't Return
6. Some truth about travel blogging
7. Tips for securing your WordPress blog

Tips for securing your WordPress blog

The list is unlikely to be complete and, as they say, if someone really wants in, they will get in anyway. But at least these steps can be taken by almost any blogger to protect themselves a little.

Refresh codes for counters and widgets

Check the code of every counter and social widget on your blog against the site you got it from: it may have been updated. I have noticed that Facebook changes its widget code fairly often, apparently to tighten security.

Update all plugins and WordPress to the latest versions and remove unused ones

Comments are superfluous here; everyone knows how to do it. Vulnerabilities are usually found in plugins and themes, so at the very least remove everything you do not use: a deactivated plugin's PHP files are still on disk and can still be requested by URL, so deactivating is not enough.

Update timthumb.php

If your theme resizes thumbnails with timthumb.php, be sure to update that file to the latest version: old versions contain a well-known vulnerability that let attackers upload and execute their own PHP files on the server, which is one of the classic ways a blog ends up with a web shell.

Check the rights to folders and files

Files should be 644 and directories 755. .htaccess can be set to 444 (read-only) so that a script running under the web server cannot quietly rewrite it, which is exactly what happened to us (if PHP runs as the file owner it can chmod the file back, so this is an obstacle, not a guarantee). The uploads folder must be writable by the web server, but do not make it 777 (world-writable): on a shared host that lets every other account write into your site. Instead make the web server user (or your own user, if PHP runs as you under suPHP or FastCGI) the owner of wp-content/uploads and keep it at 755.
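Doing this by hand over FTP is tedious and error-prone. The following script is an added example, not from the original post: it resets a WordPress tree to the permissions above and lists anything still world-writable. It assumes shell access to the host (SSH) and that the site lives at the path you pass in; the optional second argument (the web server user for chown) is an assumption about your host, so check it with your provider.

```bash
#!/bin/sh
# Reset a WordPress tree to the permissions recommended above (644 files,
# 755 directories, 444 .htaccess) and report anything world-writable.
# Usage: wp_fix_perms /path/to/wordpress [web-server-user]
#        wp_find_world_writable /path/to/wordpress
wp_fix_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # .htaccess read-only: a script running as the web server cannot rewrite it
    # (it can still chmod it back if PHP runs as the owner, so this is an
    # obstacle rather than a wall).
    find "$root" -type f -name .htaccess -exec chmod 444 {} +
    # uploads must be writable by the web server, but 755 plus the right owner
    # is enough; 777 would let every other account on a shared host write there.
    if [ -d "$root/wp-content/uploads" ]; then
        chmod 755 "$root/wp-content/uploads"
        if [ -n "$2" ]; then
            chown -R "$2" "$root/wp-content/uploads" || return 1
        fi
    fi
    return 0
}

# Anything writable by "other" is a finding; on a clean tree this prints nothing.
wp_find_world_writable() {
    find "$1" ! -type l -perm -o+w
}

# Octal mode of a path (GNU stat on Linux, BSD stat on macOS).
wp_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
```

Run wp_find_world_writable first to see what you are dealing with, then wp_fix_perms, then the finder again: the second run should print nothing.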

Change username admin

The fastest way is to open phpMyAdmin and run this query against your database (replace wp_ with your own table prefix if you changed it):

UPDATE wp_users SET user_login = 'Your new login' WHERE user_login = 'admin';

Note that this changes only the login name: the user_nicename and display_name columns still hold admin and are still shown on the author page, so update those columns too, or use the second method.

Or you can simply create a new user through the blog admin panel, reassign all articles to him, and delete the old admin user.

Change all passwords to more complex ones

Trivial advice, but passwords should be long (12 characters or more) and unique, not just a mix of digits and letters of different case; a password manager makes that painless. Also, do not forget that after fighting off a compromise you must change all passwords regardless (blog admin panel, hosting panel, FTP, SQL databases), and also rotate the secret keys and salts in wp-config.php: that invalidates every existing login cookie, including any the attacker still holds.
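Rotating the keys means replacing the eight define() lines (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four matching SALTs) in wp-config.php. The script below is an added example, not from the original post: it generates fresh values locally, so it works even on a host without outbound access, and rewrites the defines in place. It assumes shell access and the path to wp-config.php; the alphabet it uses is restricted to characters that are safe inside a sed replacement, which still gives about 380 bits per key.

```bash
#!/bin/sh
# Rotate the WordPress secret keys and salts in wp-config.php. Every existing
# login cookie becomes invalid afterwards, which is exactly what you want
# after a compromise. Values are generated locally (no call to wordpress.org).
# Usage: wp_rotate_salts /path/to/wp-config.php
WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 characters from a sed-safe alphabet (63 symbols, ~380 bits of entropy).
wp_random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9_' < /dev/urandom | head -c 64
}

wp_rotate_salts() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    # Keep a copy for rollback, owner-only. Delete it once you have verified the
    # site: Apache serves a leftover wp-config.php.bak as plain text, DB password included.
    cp "$cfg" "$cfg.bak" && chmod 600 "$cfg.bak"
    for k in $WP_KEYS; do
        new=$(wp_random_key)
        # Matches define('KEY', 'value') with either quote style and any spacing.
        sed -i.tmp "s|define( *['\"]$k['\"] *, *['\"][^'\"]*['\"] *)|define('$k', '$new')|" "$cfg"
        rm -f "$cfg.tmp"
    done
}

# Print the current value of one key, e.g. wp_get_key wp-config.php AUTH_KEY
wp_get_key() {
    sed -n "s|.*define( *['\"]$2['\"] *, *['\"]\([^'\"]*\)['\"].*|\1|p" "$1"
}
```

After running it, log in again: every other session, yours and anyone else's, is gone.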

Protect .htaccess and wp-config.php files from access for everyone

Add this to the .htaccess in the root of your blog (the Files wrappers around the original snippet were lost when the page was copied; this is the form Apache expects):

<Files .htaccess>
Order allow,deny
Deny from all
</Files>

<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

Apache's Order directive takes no space after the comma. On Apache 2.4 without mod_access_compat, replace the Order and Deny lines with Require all denied.

Protect wp-includes folder with .htaccess

Create a plain text file named .htaccess in the wp-includes folder with this content:

<Files *.php>
Order allow,deny
Deny from all
</Files>

This blocks direct requests to the PHP files in wp-includes, which are only meant to be included by WordPress itself and are a favourite target for direct calls. The original snippet ended with an Allow from all exception for one file; if an editor or plugin stops working after this, find the wp-includes file it requests directly and add a second Files block for just that file with Allow from all.

Protect wp-admin folder with .htaccess and .htpasswd

Create a plain text file named .htaccess in the wp-admin folder with this content:

AuthUserFile /home/public/.htpasswd
AuthType Basic
AuthName "restricted"
Order deny,allow
Deny from all
Require valid-user
Satisfy any

# admin-ajax.php is called by themes and plugins for anonymous visitors too;
# leave it reachable or the front end will prompt everyone for a password.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Here /home/public/.htpasswd is the full path to the .htpasswd file. It should live above (outside) your web root so that it can never be downloaded.

The .htpasswd file stores the hashed password for the wp-admin zone. The easiest way to create it is the htpasswd tool that ships with Apache; online generators work too, but then you have typed the password into someone else's site. Do not reuse credentials: pick a username and password that differ from all your existing accounts.

This method has one inconvenience: it is not suitable for a multi-user blog, since every user would be prompted for the shared password. Also remember that Basic authentication sends the password in clear text (base64 is not encryption), so use HTTPS for the admin area.
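The following script is an added example, not from the original post: it produces a .htpasswd line with a modern hash and audits an existing file for weak entries. It assumes shell access and that either Apache's htpasswd tool (apache2-utils) or openssl is installed; the username wpgate is just an example, and the entries in the audit test are constructed samples, not real credentials.

```bash
#!/bin/sh
# Generate a .htpasswd line for the wp-admin gate described above.
# Prefers bcrypt via Apache's htpasswd tool and falls back to Apache's
# MD5-crypt (apr1) via openssl; mod_auth_basic accepts both.
# The password goes in on stdin, not on the command line, so it does not show
# up in the process list or in shell history.
# Usage: wp_htpasswd_entry wpgate 'long passphrase' >> /home/public/.htpasswd
wp_htpasswd_entry() {
    user="$1"; pass="$2"
    case "$user" in
        ""|*:*) echo "username must be non-empty and contain no ':'" >&2; return 1 ;;
    esac
    if command -v htpasswd >/dev/null 2>&1; then
        # -n print to stdout, -i read the password from stdin, -B bcrypt
        printf '%s\n' "$pass" | htpasswd -niB "$user"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$user" "$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)"
    else
        echo "need htpasswd (apache2-utils) or openssl" >&2; return 1
    fi
}

# Print username and hash type for every entry of a .htpasswd file, so that
# old plain, crypt() or unsalted SHA1 entries can be found and regenerated.
wp_htpasswd_audit() {
    while IFS=: read -r u h; do
        case "$h" in
            '$2y$'*|'$2a$'*) t=bcrypt ;;
            '$apr1$'*)       t=apr1-md5 ;;
            '{SHA}'*)        t=sha1-unsalted ;;
            *)               t=crypt-or-plain ;;
        esac
        printf '%s %s\n' "$u" "$t"
    done < "$1"
}
```

Crypt() entries truncate the password to eight characters and {SHA} entries are unsalted, so anything the audit reports as crypt-or-plain or sha1-unsalted should be replaced.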

Change database prefix

Changing the SQL table prefix from the standard wp_ to something like wpsdjflk647_ is easiest at the very beginning, when the blog is created, but it can be done later too. I did it with a plugin, discussed below. It can also be done by hand in phpMyAdmin: rename every table, change $table_prefix in wp-config.php, and also rename the rows whose keys embed the prefix, namely the wp_user_roles option in the options table and the wp_capabilities and wp_user_level keys in usermeta; forget those and every user loses their role. Keep in mind that a custom prefix only trips up automated attacks that assume wp_; it is not real access control.

Install the Belavir plugin

Install the Belavir plugin, which tracks changes in all PHP files of your blog. It does not monitor continuously: it runs a check when you open the Console page of the admin panel and shows the changes there. It has no settings. Bear in mind that a plugin lives inside the site it is guarding, so an attacker who can write files can also edit or disable it; keep a copy of the file list or hashes somewhere off the server as well.

Install WP Security Scan Plugin

Install the WP Security Scan plugin, which does several things, in particular:
- changes the database prefix
- checks the permissions on folders and files
- hides the WordPress version
- connects an antivirus scanner for your blog and runs it

Install Better WP Security Plugin

Install the Better WP Security plugin; it is even more useful than the previous two. Its feature list is long; here is part of it:
- lets you change the database prefix
- removes information such as the WordPress version from the page source
- monitors changes in all files
- bans the IP of anyone who probes odd URLs under your domain and keeps getting 404 errors (scanners hunting for vulnerable plugins behave exactly like that)
- locks out IPs that try to guess the admin password
- changes the standard login addresses (wp-login.php and wp-admin) to something unguessable, which cuts off the automated brute-force attempts; this is obscurity rather than protection, so keep the strong passwords and the lockout as well
- and much more.

Monitoring changes on your ftp

Install the ftpinfo program on your computer; it connects to your FTP server and monitors all files in the account for creation, deletion and modification. A very handy thing during an infection. You can monitor all files or define masks for particular files and folders. Note that plain FTP sends your login and password in clear text, and stolen FTP credentials are one of the common ways sites get infected in the first place, so use SFTP or FTPS wherever your host offers it.
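Both Belavir and ftpinfo answer the same question, which files changed since I last looked, and both can be lied to: the plugin runs inside the site, and an FTP monitor only sees what the FTP daemon shows. The script below is an added example, not from the original post: a SHA-256 baseline of the whole tree, stored outside the web root (or on your own machine after an rsync), and a comparison that lists modified, added and deleted files. It assumes shell access to the tree and that sha256sum or shasum is available; file names containing spaces are not handled, which is rare in a WordPress install.

```bash
#!/bin/sh
# Minimal file-integrity check for a WordPress tree: take a SHA-256 baseline of
# every file, then compare later to list modified (M), added (A) and deleted (D)
# files. This is what catches a patched jquery.js, a rewritten .htaccess or a
# dropped shell in uploads.
# Usage: wp_baseline /path/to/wp /safe/place/baseline.txt
#        wp_compare  /path/to/wp /safe/place/baseline.txt   (exit 1 if anything changed)

SHA="sha256sum"; command -v sha256sum >/dev/null 2>&1 || SHA="shasum -a 256"

# One "hash  ./path" line per file, sorted by path so two runs are comparable.
_hash_tree() {
    ( cd "$1" && find . -type f -exec $SHA {} + | LC_ALL=C sort -k 2 )
}

wp_baseline() { _hash_tree "$1" > "$2"; }

wp_compare() {
    [ -s "$2" ] || { echo "empty or missing baseline: $2" >&2; return 2; }
    cur=$(mktemp)
    _hash_tree "$1" > "$cur"
    # First pass loads the baseline (path -> hash); second pass walks the
    # current tree: unknown path = added, different hash = modified; whatever
    # is left in the baseline afterwards was deleted.
    changes=$(
        awk 'NR==FNR { base[$2] = $1; next }
             {
               if (!($2 in base)) print "A " $2
               else { if (base[$2] != $1) print "M " $2; delete base[$2] }
             }
             END { for (p in base) print "D " p }' "$2" "$cur" | LC_ALL=C sort
    )
    rm -f "$cur"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}
```

Re-run wp_baseline after every legitimate update so the next comparison only shows what you did not do yourself; anything listed under wp-content/uploads that ends in .php deserves a look before anything else.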

Backups of databases and files every few days

A very useful thing, and it also helps when fighting an infection: the original files are always at hand, and you can roll back if the site cannot be cleaned. I use the BackWPup plugin. It has many features, including copying the data to Dropbox, a convenient service that gives 2GB of free space and synchronisation with your computer. Remember that a full backup contains wp-config.php with your database password, so encrypt the archive before it leaves the server, and keep at least one copy somewhere the attacker cannot reach from the compromised host.
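If you have shell access, a cron job is simpler and independent of the plugin that a compromised site could tamper with. The script below is an added example, not from the original post and not BackWPup's own code: it archives the files, dumps the database using the credentials already in wp-config.php, and keeps only the newest N copies. It assumes mysqldump on the host and a backup directory outside the web root; encrypting the archives before uploading them anywhere is left to whatever tool you use for that (gpg, for instance).

```bash
#!/bin/sh
# Backup of files plus database for a WordPress site into a directory outside
# the web root, keeping only the newest N copies of each. Database credentials
# are read from wp-config.php rather than pasted into the script.
# Usage: wp_backup /var/www/blog /home/me/backups 7

# wp_config_value wp-config.php DB_NAME  -> prints the define()'d value
wp_config_value() {
    sed -n "s|.*define( *['\"]$2['\"] *, *['\"]\([^'\"]*\)['\"].*|\1|p" "$1" | head -n 1
}

# wp_backup_files /site /dest stamp
wp_backup_files() {
    tar -czf "$2/files-$3.tar.gz" -C "$(dirname "$1")" "$(basename "$1")"
}

# wp_backup_db /site /dest stamp   (needs mysqldump on PATH)
wp_backup_db() {
    cfg="$1/wp-config.php"
    # WordPress allows DB_HOST as "host:port"; mysqldump wants them separately.
    host=$(wp_config_value "$cfg" DB_HOST); port=${host##*:}; host=${host%%:*}
    [ "$port" = "$host" ] && port=3306
    # MYSQL_PWD keeps the password out of the process list. mysqldump errors go
    # to stderr; under bash add set -o pipefail to fail the job on them.
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" mysqldump --single-transaction \
        -h "$host" -P "$port" -u "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$2/db-$3.sql.gz"
}

# wp_prune_backups /dest keep  -> deletes all but the newest N of each kind
wp_prune_backups() {
    for kind in files db; do
        ls -1t "$1"/$kind-* 2>/dev/null | tail -n +$(( $2 + 1 )) | while read -r old; do
            rm -f "$old"
        done
    done
}

# Runs in a subshell so the restrictive umask does not leak into the caller.
wp_backup() (
    site="$1"; dest="$2"; keep="${3:-7}"
    stamp=$(date +%Y%m%d-%H%M%S)
    umask 077                 # archives hold wp-config.php and the dump: owner-only
    mkdir -p "$dest" || exit 1
    wp_backup_files "$site" "$dest" "$stamp" || exit 1
    if command -v mysqldump >/dev/null 2>&1; then
        wp_backup_db "$site" "$dest" "$stamp" || exit 1
    else
        echo "mysqldump not found, database skipped" >&2
    fi
    wp_prune_backups "$dest" "$keep"
)
```

Put wp_backup in cron every few days, then actually try a restore once: a backup that has never been restored is a hope, not a plan.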

These are the measures I applied on our blog to protect it. If you have questions or additions (maybe something else can be done), write in the comments 🙂