Making your WordPress hack proof

Securing wp-includes
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

Place it outside the # BEGIN WordPress and # END WordPress markers in the .htaccess file, so that WordPress does not overwrite it when it regenerates that block.
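As an added check that is not part of the original post, the Python snippet below replays the rule set above with mod_rewrite's ordering semantics (paths matched relative to RewriteBase /, [F] ends processing with a 403, [S=3] skips the next three rules when the negated pattern matches), so you can confirm what is blocked and what still passes before deploying it. The sample request paths are constructed for the demonstration.

```python
import re

# The five RewriteRule lines from the post, transcribed as
# (negated, pattern, flags). "F" forbids (HTTP 403); "S" skips n rules.
RULES = [
    (False, r"^wp-admin/includes/",                   {"F": True}),
    (True,  r"^wp-includes/",                         {"S": 3}),
    (False, r"^wp-includes/[^/]+\.php$",              {"F": True}),
    (False, r"^wp-includes/js/tinymce/langs/.+\.php", {"F": True}),
    (False, r"^wp-includes/theme-compat/",            {"F": True}),
]


def evaluate(request_path):
    """Return 'forbidden' or 'allowed' for one request path.

    Mirrors mod_rewrite's per-directory behaviour for an .htaccess in the
    document root with RewriteBase /: the leading slash is stripped before
    matching, rules run top to bottom, [F] ends processing with a 403, and
    [S=n] skips the next n rules when its (negated) pattern matches.
    """
    path = request_path.lstrip("/")
    i = 0
    while i < len(RULES):
        negated, pattern, flags = RULES[i]
        matched = re.search(pattern, path) is not None
        if negated:
            matched = not matched
        i += 1
        if not matched:
            continue
        if flags.get("F"):
            return "forbidden"
        i += flags.get("S", 0)
    return "allowed"


def audit(paths):
    """Map each sample path to the verdict the rule set gives it."""
    return {p: evaluate(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests: direct hits on include-only PHP files
    # should be refused, while static assets and normal plugin code pass.
    for path, verdict in audit([
        "/wp-includes/load.php",
        "/wp-includes/js/tinymce/langs/en.php",
        "/wp-includes/theme-compat/header.php",
        "/wp-admin/includes/file.php",
        "/wp-includes/js/jquery/jquery.js",
        "/wp-includes/css/buttons.css",
        "/wp-content/plugins/akismet/akismet.php",
    ]).items():
        print(f"{verdict:9} {path}")
```

Note that the third rule also forbids wp-includes/ms-files.php, which a Multisite installation uses to serve uploaded files, so Multisite sites need an exception for it.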

Rename the administrative account
On a new install you can simply create a new administrator account and delete the default admin account.
On an existing WordPress install you can rename the existing account from the
MySQL command-line client with a command like UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin'; (adjust the wp_ table prefix if your install uses a different one).

Monitoring your logs
If you are on a private server (where you have admin access), you have to watch your logs to detect password-guessing
attempts, web attacks, etc. A good open source solution to monitor your logs in real time and block the attacker is OSSEC.

Adding salt key to wp-config

Don’t Let Search Engines Index your WordPress Folders – Create a “robots.txt” file and include the following line: Disallow: /wp-*

Changing database prefix wp_
steps to follow

How to hide the WordPress Version
1. Open the functions.php file from your Dashboard (Appearance -> Editor -> functions.php).
Paste the code below at the top of the file (functions.php already opens with a <?php tag, so add only the lines after it).
<?php
function hide_version() {
    return '';
}
add_filter('the_generator', 'hide_version');
Now SAVE the file. You are done. Check the page source: the WordPress version is gone, from the RSS feeds as well.
2. Simply DELETE the readme.html file from the WordPress root directory after every upgrade.

These are some of the many steps which can help you keep your WordPress website secure.
