Hello Guys, Today I'm going to tell you the most important steps to do to have a more secured Wordpress blog.
I think wordpress is the most used Webapps on cyber now; however, it's almost the easiest to be hacked and defaced!
But, on the other hand, securing your wordpress is so easy. specially on linux servers.
Note:- This tut will be based on linux commands, if you're a windows server user this tutorial is not completely for you!
1. Harder & Longer Password
Wordpress Hashes are so hard to crack (hardest for me xD) so making you password harder than "123456" , "admin" , "password" could help you ALOT!
The first thing a hacker would do is guess your password, if he failed he'll brute force it!
Hard password can save you from almost 50% of the attacks ! (In My Point of view )
When we say "hard password" it means using special characters like (@, () , [] , {} , ^ , % ,$ ,#,!,) and so on..
A longer password would not only secure you from Brute forcing, but even if you have a vulnerability like SQL injection for example and the attacker got a hash of your password (which is a Long and Full of special characters password) it would be hard as hell to crack it! and it will take them forever to crack it!
2. Securing From Symlink
Symlink is the most common way of hacking nowadays, and securing your website from it is will help you much!
For those who don't know what symlinking is can read my Symlink tutorial here.
now to secure your blog from this kind of attack, you just have to change the permissions of you configuration file. You can do that though FTP, Cpanel, a shell, etc.
just change the configuration file (wp-config.php in your case =) ) to 400
you can do that in a shell by running this command:
chmod 400 wp-config.php
and other ways are easy, just press on the option and change (in FTP and cpanel)
and always remember to remove your shell as soon as you finish working on it! xD
Chmoding this file to 400, will not allow the attack to read your configuration file from another user! and that's about it :P
3. Securing From Defacing
If a hacker managed to get in your admin panel (somehow o.O) maybe through a Trojan on your PC or something you should close all the ways that let him upload a shell or deface your website!
What you can do it change the permission of all the pages (index.php, 404.php, footer.php, etc etc) in the theme to 400 (Example: chmod 400 page.php) or through your ftp or cpanel because if those files are writable there is a big change that the attacker change their source to a shell source code and deface you.
4. Vulnerability Discovering & Finding And Removing
Scan it every month just to check if any plugin have any vulnerability or something. that will make you faster than the hacker by discovering the vulnerability and patching it before someone else exploit it.
and second thing you want to do is being up-to-date with 133day.com and Wordpress forums they post any discovered vulnerability and sometimes its patches. This will help you to be less exploitable (I guess xD)
5. Some Quick Tips
# NEVER EVER use the same password in two different things related to your website for example your Database's password and Cpanel's password, website's password and Database's password.
Always use different passwords
# Disable FTP when there is no use of it
# Don't use "admin" or "administrator" as your username
# Change Admin's Panel password every two weeks or so
# Read this article on Wordpress official website (Click Here) For more security
Following the above steps can prevent almost 98% of the attacks on your wordpress blog :)
Hope you liked it!
thanks for reading.