How to Protect Your WordPress from Being Exploited

You might be wondering how to protect your WP installation, so here are some helpful tips and plugins. Use them at your own discretion:

1. Plugin CHAP Secure Login: It uses the CHAP challenge-response scheme (http://en.wikipedia.org/wiki/Challenge-handshake_authentication_protocol) so that your password is not sent in clear text at login; the browser hashes it against a one-time challenge instead. Note that this only protects the password itself, not the rest of the session, so it is not a substitute for serving the login page over HTTPS. It needs no extra configuration: install it and activate it.
URL: http://wordpress.org/extend/plugins/chap-secure-login/

2. Plugin Login Lockdown: It temporarily blocks an IP address after a number of failed login attempts from it, which slows down password-guessing (brute-force) attacks against wp-login.php.
URL: http://wordpress.org/extend/plugins/login-lockdown/

3. Plugin WP-DB-Backup: Allows you to easily back up your core WordPress database tables. You can also back up other tables in the same database.
URL: http://wordpress.org/extend/plugins/wp-db-backup/

4. Plugin WP-Security-Scan: Checks your WordPress website/blog for common security weaknesses.
URL: http://wordpress.org/extend/plugins/wp-security-scan/

5. Protect your wp-config.php: it holds your database credentials, so deny all web access to it by adding the following to the .htaccess file in your WordPress root directory:
<FilesMatch "^wp-config\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>
(On Apache 2.4 the two inner lines become Require all denied.) Also make sure the file is not world-readable on the server: the web server user needs to read it, nobody else does.

6. Change your WordPress passwords and the database password periodically.

7. Remove the WordPress version number from your pages. In older themes it is printed from the header.php file of your THEME (a generator meta tag); comment that line out rather than deleting it. Current WordPress versions add the same generator tag through wp_head() instead, which a theme can switch off with remove_action('wp_head', 'wp_generator') in its functions.php, and the readme.html in the web root also states the version. Hiding the version only makes fingerprinting harder; keeping WordPress updated (item 10) is what actually protects you.

8. Hide the contents of the wp-content directory: either create a blank index.html file in that directory, or create a .htaccess file in the same directory and add the following line:
Options All -Indexes
This only stops directory listings; files under wp-content are still reachable by their direct URL.

9. Keep search engines out of the WordPress directories through your robots.txt file, by adding this line:
Disallow: /wp-*
Note that robots.txt is advisory: honest crawlers obey it, attackers read it as a map, and it does not block access to anything. Disallow matches by prefix, so /wp- alone already covers /wp-admin, /wp-content and /wp-includes; the trailing * is a search-engine extension rather than part of the original standard.

10. Keep your WordPress installation updated, always to the latest version, and update your plugins and themes as well.

11. Review your plugins: make sure they come from the official plugin directory and are well reviewed. People often offer plugins to the community, and others download them without realizing that the plugin contains hacking or spamming tools.

12. Use SFTP: replace your FTP connection with SFTP, which encrypts the files and credentials you send to the server in transit (plain FTP sends both in clear text).
Note: you need to change the port to 22 and have shell (SSH) access enabled on your hosting account.
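The list above is easier to keep honest with a script that checks a document root for items 5, 7, 8 and 9. The following is an added example, not code from the original post or from any of the plugins it mentions: a POSIX shell audit that builds a small constructed WordPress-like tree (not real WordPress files), reports which checks fail, applies the fixes from items 5, 7 and 8, and audits again. It goes beyond the post in one place: it also treats a readme.html in the web root as a version leak, because that file states the installed version. The function names and the sample directory layout are this example's own assumptions.

```shell
#!/bin/sh
# Offline audit for several of the checks in the list above (wp-config.php
# exposure, directory listing, version leak, robots.txt). Added example, not
# code from the original post; the sample site it builds is constructed here.
# Usage against a real install: audit_site /var/www/html
set -u

# Core version string from wp-includes/version.php (empty if not found).
wp_version() {
    grep '^\$wp_version' "$1/wp-includes/version.php" 2>/dev/null | cut -d"'" -f2
}

# Item 5: wp-config.php exists, is not world-readable (the web server user
# still needs it, hence 640 rather than 600), and the root .htaccess denies it.
check_wpconfig() {
    f="$1/wp-config.php"
    [ -f "$f" ] || return 1
    [ -z "$(find "$f" -perm -004)" ] || return 1
    grep -qi 'wp-config' "$1/.htaccess" 2>/dev/null || return 1
    grep -qiE 'deny from all|require all denied' "$1/.htaccess"
}

# Item 8: listing of wp-content is disabled, or a blank index.html masks it.
check_no_listing() {
    d="$1/wp-content"
    grep -qi '^[[:space:]]*Options .*-Indexes' "$d/.htaccess" 2>/dev/null && return 0
    [ -f "$d/index.html" ]
}

# Item 7: no theme header.php prints bloginfo('version') outside an HTML
# comment. Beyond the post: readme.html in the web root states the version too.
check_no_version_leak() {
    for h in "$1"/wp-content/themes/*/header.php; do
        [ -f "$h" ] || continue
        grep "bloginfo( *'version' *)" "$h" | grep -v '^[[:space:]]*<!--' \
            | grep -q . && return 1
    done
    [ ! -f "$1/readme.html" ]
}

# Item 9: robots.txt keeps crawlers out of wp-* (advisory only, see the post).
check_robots() {
    grep -q '^Disallow: */wp-' "$1/robots.txt" 2>/dev/null
}

# Run every check; the exit status is the number of failures.
audit_site() {
    fails=0
    for c in check_wpconfig check_no_listing check_no_version_leak check_robots; do
        if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    echo "core version: $(wp_version "$1")"
    return "$fails"
}

# Constructed sample install (not real WordPress files) with three weaknesses.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/themes/mytheme"
    cat > "$d/wp-includes/version.php" <<'EOF'
<?php
$wp_version = '3.1.4';
EOF
    echo "<?php define('DB_PASSWORD', 'sample-only');" > "$d/wp-config.php"
    chmod 644 "$d/wp-config.php"            # world-readable: fails check_wpconfig
    : > "$d/.htaccess"                       # no FilesMatch rule yet
    cat > "$d/wp-content/themes/mytheme/header.php" <<'EOF'
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
EOF
    printf 'User-agent: *\nDisallow: /wp-\n' > "$d/robots.txt"
    echo "$d"
}

# Apply the fixes from items 5, 7 and 8 to the sample site.
harden_sample_site() {
    d="$1"
    chmod 640 "$d/wp-config.php"
    cat >> "$d/.htaccess" <<'EOF'
<FilesMatch "^wp-config\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
    echo 'Options All -Indexes' > "$d/wp-content/.htaccess"
    : > "$d/wp-content/index.html"
    h="$d/wp-content/themes/mytheme/header.php"   # comment the line out, keep it
    sed 's/^\(.*bloginfo(.version.).*\)$/<!-- \1 -->/' "$h" > "$h.tmp" && mv "$h.tmp" "$h"
}

# Before/after demonstration; returns 0 when the hardened site passes cleanly.
demo() {
    site=$(make_sample_site)
    before=0; audit_site "$site" || before=$?
    harden_sample_site "$site"
    after=0; audit_site "$site" || after=$?
    rm -rf "$site"
    echo "failures before: $before, after: $after"
    [ "$after" -eq 0 ]
}

demo
```

Run it as-is to see the before/after output, or source it and call audit_site with the path of a real document root. The checks are heuristics: they look for the directives, not for whether Apache actually honours .htaccess on your host, so confirm from outside with a request to /wp-config.php, which should come back as 403.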

Additional information/plugins to secure your WP installation:

a- http://codex.wordpress.org/Hardening_WordPress

b- http://wordpress.org/extend/plugins/wordpress-firewall-2/
This WordPress plugin investigates web requests with simple WordPress-specific heuristics to identify and stop most obvious attacks.

c- http://www.village-idiot.org/archives/2008/04/16/postlogger-for-wordpress/
This plugin will seem useless until or unless your WordPress install is exploited. If you are using this plugin and actively logging all $_POST variables when your WordPress install is exploited, you will be able to go back and see where and how the exploit occurred.
Armed with that information, you can take the data to the WordPress devs. Bear in mind that logging every $_POST variable also records the passwords submitted through your login form, so protect the log file accordingly.

d- http://wordpress.org/extend/plugins/bulletproof-security/
WordPress Website Security Protection: BulletProof Security protects your WordPress website
against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts.

Hope it helps to protect your WP installation :)


Posted under Security/Vulnerability, WordPress
