How to make wordpress more safe - Slap The Wizard

Friday, 31 October 2014

How to make wordpress more safe

If you run a blog on the WordPress CMS, give some thought to the security of your website, because you are on your own: WordPress itself does not secure your site for you.
These tips do not make a site 100% secure and do not guarantee that it will not be compromised; they only strengthen its security. There is no perfect security, and none that lasts forever. Security is not a one-time job that you set up and then leave alone: what is considered secure today may turn out to be buggy tomorrow as technology moves on.

These steps were written for Apache hosting; on other hosting environments the settings or techniques may differ:

1. Before you do anything, first back up the database and the files. The database can be exported via phpMyAdmin, and the files can be compressed and downloaded.

2. Always update the WordPress engine, plugins and themes to the latest versions.

3. Delete files, themes and plugins that are not in use.

4. Avoid using the default username 'admin' to log in; replace it with another username and use a strong password made of a combination of numbers, upper- and lower-case letters and symbol characters.

5. Install the wp-security scan plugin and run it.

6. Change the database table prefix to something unique. The default is 'wp_'; change it to 'in_', 'we_', 'po_' or similar. The wp-security scan plugin can do this for you. (Before doing this step, do the backup from step 1.) If you install WordPress through Softaculous, there is also an option at install time to choose which table prefix to use.

7. Block crawler bots from specific folders, because many attackers who deface WordPress sites start by scanning Google dork results for certain keywords to find a bug.

Add the following to robots.txt:

User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

8. Protect the wp-config.php file by adding the following rule to .htaccess:

<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>

9. Protect the .htaccess file itself by adding the following rule to .htaccess:

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

10. Prevent directory listing: add the following to .htaccess, or create an index.php file in each folder.

# Disable directory browsing 
Options All -Indexes 

11. Block some script injection attempts by adding the following to .htaccess:

# Protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

12. Secure the include folders by adding the following to .htaccess:

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

14. If necessary, you can also password-protect the wp-admin directory through cPanel's "Password Protect Directories" feature.

15. Install a captcha plugin and Akismet to protect against comment spam.

16. Disable editing of themes and plugins through the dashboard by adding the following line to your wp-config.php:

define('DISALLOW_FILE_EDIT', true);

With this line added, the theme/plugin editor menu is removed from the dashboard; as we know, attackers usually plant their backdoor in a theme or plugin file.

17. CHMOD wp-config.php to 400 or 600.

18. The following can be set via php.ini (if your host allows it) or .htaccess:

Disable register_globals 
Disable allow_url_fopen 
Disable display_errors
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open 

Disabling the potentially dangerous functions above may cause one of your scripts to stop running, if that script needs one of those functions.

19. Perform periodic backups of your hosting account or website.

20. If your WordPress site gets hacked or defaced and you cannot fix it on your own, please contact us; hopefully we can help or provide your backup.
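As an added example (not part of the original post), a small Python audit script that checks a WordPress root directory against steps 6, 8, 10, 16 and 17 of the checklist above. The sample wp-config.php and .htaccess contents it writes into a temporary directory are constructed for the demo only.

```python
import os
import re
import tempfile

# Sample wp-config.php and .htaccess contents, constructed for this demo only.
WEAK_CONFIG = "<?php\n$table_prefix = 'wp_';\n"
HARD_CONFIG = "<?php\n$table_prefix = 'po_';\ndefine('DISALLOW_FILE_EDIT', true);\n"
HARD_HTACCESS = "Options All -Indexes\n<Files wp-config.php>\nOrder Deny,Allow\nDeny from all\n</Files>\n"

def check_wp_config(text):
    """Findings for wp-config.php contents (steps 6 and 16 of the checklist)."""
    findings = []
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if m is None or m.group(1) == "wp_":
        findings.append("step 6: table prefix is still the default 'wp_'")
    if not re.search(r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", text):
        findings.append("step 16: DISALLOW_FILE_EDIT is not set to true")
    return findings

def check_htaccess(text):
    """Findings for .htaccess contents (steps 8 and 10)."""
    findings = []
    if not re.search(r"<Files\s+wp-config\.php>", text, re.I):
        findings.append("step 8: no <Files wp-config.php> deny block")
    if not re.search(r"^\s*Options\b.*-Indexes", text, re.M | re.I):
        findings.append("step 10: directory listing (Indexes) is not disabled")
    return findings

def audit(wp_root):
    """Audit a WordPress root directory; an empty list means every check passed."""
    cfg, ht = os.path.join(wp_root, "wp-config.php"), os.path.join(wp_root, ".htaccess")
    with open(cfg) as f:
        findings = check_wp_config(f.read())
    mode = os.stat(cfg).st_mode & 0o777
    if mode not in (0o400, 0o600):  # step 17 wants 400 or 600
        findings.append("step 17: wp-config.php mode is %o, want 400 or 600" % mode)
    ht_text = open(ht).read() if os.path.exists(ht) else ""  # missing file protects nothing
    return findings + check_htaccess(ht_text)

def demo(hardened):
    """Write a constructed sample site into a temp dir and audit it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write(HARD_CONFIG if hardened else WEAK_CONFIG)
    os.chmod(f.name, 0o600 if hardened else 0o644)
    if hardened:
        with open(os.path.join(root, ".htaccess"), "w") as f:
            f.write(HARD_HTACCESS)
    return audit(root)
```

Point audit() at the real site root instead of the temporary directory built by demo(); each returned string names the checklist step that still needs attention.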