Pheww...!! It's been so long since I posted something interesting. I really apologize for the delay. Let's get started :D
In my previous tutorials, I explained how to hack a website (that was for educational purposes only) and how to upload a shell. Now it's time to secure your website from various attacks.
What is WordPress?
It's an open source website creation tool written in PHP, and it is the easiest and most powerful blogging and website content management system.
With the growth of the digital market, more and more people are creating websites to show their presence in this digital world, so there is a need to secure that world as well.
WordPress Security
1. Disable custom HTML when possible
Add this line to your wp-config.php file:
define( 'DISALLOW_UNFILTERED_HTML', true );
2. Remove all Default posts and comments
Remove all default posts and comments. If malicious hackers find those on your site, it may indicate to them that you have a new WordPress site which can be easily cracked.
Then open the file "wp-includes/general-template.php" and find this function, which prints the generator meta tag that reveals your WordPress version:
function the_generator( $type ) {
echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
}
After securing:
function the_generator( $type ) {
#echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
}
Note: make sure a hash (#) is placed in front of the echo command; this comments it out so the generator tag is no longer printed.
3. Delete wp-admin/install.php and wp-admin/upgrade.php
Be sure to delete /wp-admin/install.php and /wp-admin/upgrade.php after every WordPress installation or upgrade.
4. Hide indexes
Just open your .htaccess file and add this line (it turns off directory listing):
Options -Indexes
5. Block Some Crucial Directories
Your site's wp-includes/ directory is the most important one to block.
Find the .htaccess file there and insert:
RewriteRule ^(wp-includes)\/.*$ ./ [NC,R=301,L]
If there are subdirectories, then use this code:
RewriteRule ^(wp-includes|subdirectory-name-here)\/.*$ ./ [NC,R=301,L]
6. Secure your Admin page with YUBICO
7. Limit Login Attempts
Limit the number of login attempts possible, both through the normal login form and via auth cookies.
http://wordpress.org/extend/plugins/login-lockdown/
8. Server Side Scanning Online (FREE)
Web malware continues to evolve, making it challenging to detect using only HTTP fingerprinting techniques, such as the ones SiteCheck is restricted to.
9. Install WordPress Security Scan Plugin
This is a good plugin which scans your WordPress installation and gives suggestions accordingly. This plugin will check for the following things:
· Passwords
· File Permissions
· Database Security
· WordPress Admin protection
10. Automatically Backup your site
11. Two Factor Authenticator
The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.
12. Using the .htaccess file as a FIREWALL
Add this line to your .htaccess file; it returns 403 Forbidden for any request whose URL contains a [ character:
RedirectMatch 403 \[
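As an added example (not part of the original post), here is a small POSIX shell audit that checks a WordPress document root against items 1, 3, 4, 5 and 12 above. It assumes the standard WordPress file layout and the exact directive spellings given in those items; the function name wp_hardening_check is mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress document root
# against items 1, 3, 4, 5 and 12 above. Prints one line per finding and
# returns the number of findings (0 = all checks passed). Assumes the
# standard WordPress layout under the directory given as the first argument.
wp_hardening_check() {
    root="$1"
    issues=0

    # Item 1: DISALLOW_UNFILTERED_HTML must be defined as true in wp-config.php
    # (single-quoted constant name, as written in item 1).
    if ! grep -Eq "define\\([[:space:]]*'DISALLOW_UNFILTERED_HTML'[[:space:]]*,[[:space:]]*true[[:space:]]*\\)" \
            "$root/wp-config.php" 2>/dev/null; then
        printf '%s\n' "[!] wp-config.php: DISALLOW_UNFILTERED_HTML is not set to true"
        issues=$((issues + 1))
    fi

    # Item 3: installer and upgrader scripts must not be left behind
    for f in wp-admin/install.php wp-admin/upgrade.php; do
        if [ -e "$root/$f" ]; then
            printf '%s\n' "[!] $f is still present; delete it after install/upgrade"
            issues=$((issues + 1))
        fi
    done

    # Item 4: directory listing must be switched off in the root .htaccess
    if ! grep -Eq '^[[:space:]]*Options[[:space:]]+-Indexes' "$root/.htaccess" 2>/dev/null; then
        printf '%s\n' "[!] .htaccess: no 'Options -Indexes' (directory listing allowed)"
        issues=$((issues + 1))
    fi

    # Item 5: wp-includes/.htaccess must carry the RewriteRule that redirects direct hits
    if ! grep -Eq '^[[:space:]]*RewriteRule[[:space:]]+\^\(wp-includes' "$root/wp-includes/.htaccess" 2>/dev/null; then
        printf '%s\n' "[!] wp-includes/.htaccess: no RewriteRule blocking direct access"
        issues=$((issues + 1))
    fi

    # Item 12: the 'RedirectMatch 403 \[' firewall rule must be in the root .htaccess
    if ! grep -Eq '^[[:space:]]*RedirectMatch[[:space:]]+403[[:space:]]+\\\[' "$root/.htaccess" 2>/dev/null; then
        printf '%s\n' "[!] .htaccess: no 'RedirectMatch 403 \[' rule"
        issues=$((issues + 1))
    fi

    printf '%s\n' "$issues issue(s) found"
    return "$issues"
}
```

Run it as `wp_hardening_check /var/www/html` (path is an example); a non-zero exit status is the number of items still open.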
13. Clean out Old Unneeded Core Files
Clean out old unneeded core files with help from this free WordPress plugin:
14. Activate Akismet Plugin
Block comment spam automatically using Akismet, which is a WordPress plugin.
15. Monitoring Your WordPress
16. Hide Your Login Page
17. Content Security
18. Check for Exploits
19. Select Email Address as Your Login Key
20. Change Database Prefix Plugin
22. Outstanding Security Plugin
23. Website Defender Plugin
24. Maintenance Mode Plugin