How to Secure WordPress From Being Hacked

I A̅m new to wordpress . Pls I want U to explain tip 2 very well for me cos I dont want my blog to get hacked..

Ahmad much needed article. One question for you is that I have two .httaccess files one in root folder and other is in my blog folder. In which file should i add the code.

Ahmad, Thanks to the brief and wonderful post and hope it is very useful for me to implement some security measures.

Great walk through thanks, I’m sure we can all use the help at better securing our sites.

Recently my website was hacked, They redirect it to porn site for 4 day, I call hosting office and make their class :) ,I think it may drop down my rankings :(

Hai Ahmad
Nice Article, I followed all steps except 2nd one
i have small question regarding first tip
I add the code above “end of wordpress” is it right? or should i add that code below “end of wordpress” in .htaccess file
Looking forward from you
Thanks

Hi,

Seems like hackers can reach anywhere and everywhere and to combat that intellectuals are toiling to come up with sophisticated tools. All the 6 security tips have been jotted down for my benefit. Thanks Ahmad

Amit from ItechCode.

I thought I knew it all till I read more tips here. Thanks for sharing this valuable information, Ahmad! You rock.

Thank you. I’ve had a real problem with hackers hitting my htacess file and I’ve been able to delete the malicious code but your post finally gave me some tools to actually stop them coming back in. Thank you so much.

My friends blog hacked more than 10 times. I will recommend all this tips to him. Hope it will get fine. Thanks for share..

i also downloaded the nulled script and now after 3-4 days it started giving ads on my site .. plz help bro how to remove those ads..

Ahmad,

Could you please give me information on How to restriction access to wp-content/uploads.

I want to secure that folder from Public viewing & want to display a custom Page for that

Security was not a concern for me. But now after reading this, I am worried about the foolishness I was doing. Thanks for sharing by.

Hello Ahmad,

Don’t you think these instructions would be a bit confusing for some readers out there. I would like to mention what I have written on my blog. There is a plugin which secures our blog from many security vulnerabilities like Brute force attacks and etc in just one click.

Thanks to the brief and wonderful post and hope it is very useful for me to implement some security measures…..

All things you should do to completed to protect your website is one thing: install wp security plugin. This plugin will help you do all above tasks.

am new to wordpress and am finding it much easier than drupal which i used to use
thank you so much for these valuable tips

Thanks for the tips, I’ll have to spend some time this weekend locking down my wordpress installs.

will use these tips thanx i am new helped me alott. :)

Really That Helped me alot in saving my blog from hackers. Thanks!

Thank you Ahmed Bhai, this article will help to resolve security concerns for my site. keep it up.

Till now I have been just using captcha during login and comments but I think few of the tips mentioned above must be used else things can go worse any given day..
BTW you have an awesome blog would surely bookmark it.. Thanks for sharing such a valuable piece of information..

So you write this great article and not a lot of people answered the “your turn” section :)

So here goes!
1. Sites in general are being hacked for: data theft, defacing, a place to store code or just to troll. There are probably far more reasons but these onces came to mind.

WordPress sites – not so much. Maybe except from the storing code part. The uploads folder is a great target. With all the flexibility of WP the uploads folder is mostly overlooked.

The fact is WP is open source; great for rapid development but the downside is the code is available for bad people. I believe by now the WP core files are hammered shut but like you mentioned the third part plugins are not. Ok I know how to code and i am not the prime audience for WP. Because you can set up WP without knowing anything about coding. But when you need a plugin to do something you can only choose from what is out there. I rarely use third party plugins myself because they rarely never do precisely what i want. So I end up writing them myself. But I understand that that is not for everybody. And why on earth would somebody who want to make a blog about their cats think about hacking.

Ignorance is bliss they say(I don’t mean that to offend people) but that is where hackers are hoping for. A side note – never ever use the same password for more than 1 website.

Just know what you are working with! And know how a webserver works. Ok not a webserver but in which layers i can be dissected. Hacks by bots(clever scripts running from (maybe another WP)hacked site) are most common. These bots target the broswer view part. So login forms and included libraries. There are more levels but I don’t wanna explain these here. Not relevant and all. Because if a webserver is hacked you can do nothing about that(without the knowledge). Or even if a website is hacked on the shared server you are working of.

But lets set a little scenario!
Your not WP site is hacked by a brute force attack via a login form. They can enter and do something with the single account the forced entry.

WP scenario!
The same as above. But WP is all about user experience. So you don’t need a FTP client to alter scripts if the write permissions are set for the editor files. And with this a lot is possible. drop database tables, insert bad code or redirect traffic.

BTW about brute force. If you use a plugin which counter it. Make sure it is random and not just adds a second for the login. A bot can learn and will and has more time than you!

2. Yup and more.
My suggestions
– Protect more files – complete wp-admin folder, uploads folder( you can make a custom one but that is still visible in HTML source code)
– Don’t use admin as username(mentioned above)
– If the name of the blogger is visible don’t use the admin user for the blogging. Create another account for that with less authorities.
– maybe not in the scope but don’t blog on an insecure network from the coffeeshop.
– WP doesn’t have restrictions on the length of passwords. Use a MD5 + salt generator to encrypt your password. I do the same for the wp_ prefix. ( I know md5 isn’t secure anymore with rainbow tables and all but for this it is perfectly oke)
– Delete all unnecessary files, themes and plugins. If you don’t use them they have no business being on your server.
– DuckduckGo is your friend, maybe yours is google :) Use it. Coding isn’t a black magic. Do you want to alter your look with a functions.php file search for the functions you want to use and always look for recent posts!

Hope this makes any sense :) had to wait on a security scan for a WP website so i searched and came here. Yes I try to hack them but with consent and even get payed for it :) So really bored and wanted to share my thoughts on this. I go further but for people who just want to have a place on the internet this is all I can think of.

English is not my native language so bare with me for the grammar mistakes

Name please those plugins ?

Ahmad first of all am really impressed with your blog template and secondly the way you deliver the content :)
This post provides some tips which a newbie as well as experts need to implement to protect their sites.

Im googling and it brings me to the right blog. I have wordpress websites and this is very useful for me. Im following you now on twitter. keep up the good works. thanks

Sir you did simply a great Job. Your work should be appreciated at every forum. I have a suggestion, if you mention the step by step PrintScreen images in the post, this will put more clarity in your writing. Any How Excellent :o) Thumbs Always Up !!!

The tips are nice Ahmad. My question was that I’m using a WordPress plugins called Better WP Security. So the plugin must be doing all the things mentioned above automatically yah?

was editing the wp-config file i changed the first four keys but what abt the other 4 i.e
define(‘AUTH_SALT’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);
define(‘LOGGED_IN_SALT’, ‘put your unique phrase here’);
define(‘NONCE_SALT’, ‘put your unique phrase here’);

waiting for ur help

Very Awesome post.. lots of wp sites are being hacked daily but now i think we can make it secure

What about WordPress bullet proof plugin that can help also or not?

Hello Ahmed awais, very nice and informative post specially for newbie,thanks for the nice information

Smart and intelligent tips to keep a blog secured. Well done to finding those secret keys and prefixes.

i m already using premium theme for my blog and your post is really Good and helpful for me one more thing where i m not using premiums themes there i will use soon for my blog safety

One more question. Now WP-Security Admin tools showing me every point in green color, does it mean my wp blog is now secure ?