WordPress Security Guide:
WordPress is an amazing program but because of it’s popularity, hackers love to target it. Protecting your site should be a high priority. This guide will help get you started in protecting your assets. There’s a lot here, and some of it is quite technical but take your time, do one step at a time and test it before going on to the next step.
Step 1
Backup your files: You’re going to be editing some text files that if done wrong, will cause your site to fail. Before you edit, you should make a backup of them before editing them every time.
Backup your site. We’ve got you covered. This step is to back up your website. At TLCWebHosting.com, we backup your site each night, then the next night we shuttle your backup to an off site disaster recovery server; As a safe guard, we also back up your site weekly and monthly, just in case. Note that when we restore an account, everything is restored including email (any new email since the backup was made will be gone). If you want us to try to manually preserve your email, you can request this but there may be a fee applied to your account.
We do not recommend plug ins like “Backup Buddy” unless you are aware of how to manage the backups to prevent them from consuming all this disk space on your account.
Step 2
Update WordPress, your plug-ins, and themes. TLCWebHosting.com recommends that you check and keep these up to date daily or weekly. This is by far the most important thing you can do.
Step 3
Change Your Login Name and Password. By default many user use the default user name of Admin. Hackers know this and use this name most often when trying to hack an account. Change the name to something unique and not something simple like “admin1” or “admin123”. Instead use something like RedRock4x.
Suggestion: Add that new user, make it an admin then delete the original login of “admin”.
Set all user passwords to use UPPER and lower case letters, numbers, and symbols. Do not use the same password you use for any other account. Some good examples are “U#kS59$ZMM” or “NomEX4%3”. This prevents hackers from brute forcing the password using automated script. Our server logs are full of hacking bots attempting to hack into client accounts all day long.
Step 4
Install the WordFence Plug-in. Most of the default settings are fine, but set the plug in to scan your themes and plug-ins. TLCWebHosting.com recommends you start out with the free version and upgrade if you see the need.
Step 5
Prevent search engines from spidering sections of your site that hackers will be interested in. There’s no guarantee that search engines will obey your request, but at least the well known spiders will respect your wishes. Simple add or create a text file called robots.txt in the /public_html folder of your site. Inside the file, add the following:
# Prevent search engines from spidering sections of your site User-agent: * Disallow: /cgi-bin Disallow: /wp-admin Disallow: /wp-includes Disallow: /wp-content/plugins/ Disallow: /wp-content/cache/ Disallow: /wp-content/themes/ Disallow: */trackback/ Disallow: */feed/ Disallow: /*/feed/rss/$ Disallow: /category/*
Step 6
Use the text file /public_html/.htaccess to protect different aspects of your site. By default files that begin with a period can’t been seen. you’ll need to allow hidden files in the File Manager tool in your control panel to see the file so you can edit.
Add the following lines to ALL your .htaccess files throughout you site directories.
# STRONG HTACCESS PROTECTION <Files ~ "^.htaccess"> order allow,deny deny from all satisfy all </Files>
Add this to your /public_html/.htaccess
# LETS SECURE config.php <Files ~ "^config.php"> Order deny,allow Deny from all </Files>
#prevent the Hacker from browsing your directory tree by adding: Options All -Indexes
#PREVENT SOME SQL SCRIPT INJECTIONS: Options +FollowSymLinks RewriteEngine On RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) RewriteRule ^(.*)$ index.php [F,L]
Add this to your /public_htm/wp-content/.htaccess
#LIMIT ACCESS TO THE /wp-content DIRECTORY <Files ~ "^"> Order allow,deny Deny from all Satisfy all </Files>
Deny Access to Your Dashboard Back End
This one is optional* but is highly recommended. There are two version for this. You only need to use one of them. It prevents everyone except systems with YOUR IP ADDRESS from getting into the adminisrative site of WordPress. *The drawback is that IP Addresses change and thus, you will be locked out unless you determine in advance a method for updating this file. You’ll need to know your IP Address which you can get from HereIsYourInfo.com
Option 1) Place the following lines in your /public_html/wp-admin/.htaccess file but change IP.ADD.RE.SS to your actual IP ADDRESS.
# deny access to wp admin order deny,allow allow from xx.xx.xx.xx deny from all
Option 2) Place the following lines in your /public_html/.htaccess file but change !^IP.ADD.RE.SS$ to include your actual IP ADDRESS. For example, if your IP Address is 123.45.768.9 you’d use !^123.45.678.9$
# DENY EVERYONE FROM WP-LOGIN EXCEPT THOSE WITH APPROVED IP ADDRESS <IfModule mod_rewrite.c> RewriteEngine on RewriteCond %{REQUEST_URI} ^(.*)?wp-login.php(.*)$ [OR] RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ RewriteCond %{REMOTE_ADDR} !^IP.ADD.RE.SS$ RewriteRule ^(.*)$ - [R=403,L] </IfModule>
Note, if you want to add more than one IP Address, you just repeat the line with the IP address in below the existing one.