Making your WordPress hack-proof

Securing wp-includes
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

Place this block in the .htaccess file in your site root, outside the # BEGIN WordPress and # END WordPress markers, since WordPress rewrites everything between those markers on its own.
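To see exactly which requests the rule set above refuses, here is an added Python model of it (example code, not from this page or from WordPress); it assumes the patterns with escaped dots and the .htaccess in the site root, and reproduces the S=3 skip that keeps the three wp-includes rules from running on other paths.

```python
import re

# Added model of the .htaccess rules from this page (not WordPress code).
# Each rule: (negated, regex, flags). Flags used by the rule set:
#   F   = answer 403 Forbidden,  L = stop processing,
#   S=n = if this rule matches, skip the next n rules.
RULES = [
    (False, r"^wp-admin/includes/", {"F", "L"}),
    (True, r"^wp-includes/", {"S=3"}),  # not under wp-includes: skip the 3 rules below
    (False, r"^wp-includes/[^/]+\.php$", {"F", "L"}),
    (False, r"^wp-includes/js/tinymce/langs/.+\.php", {"F", "L"}),
    (False, r"^wp-includes/theme-compat/", {"F", "L"}),
]


def is_blocked(path: str) -> bool:
    """True if mod_rewrite would refuse `path` with 403.

    `path` is the request URI relative to RewriteBase / with no leading
    slash, which is how a per-directory .htaccess in the site root sees it.
    """
    i = 0
    while i < len(RULES):
        negated, pattern, flags = RULES[i]
        matched = re.search(pattern, path) is not None
        if negated:
            matched = not matched
        if matched:
            if "F" in flags:
                return True
            # S=n: jump over the next n rules
            for flag in flags:
                if flag.startswith("S="):
                    i += int(flag[2:])
        i += 1
    return False


def classify(paths):
    """Map each sample path to 'blocked' or 'allowed' (handy for a quick audit)."""
    return {p: ("blocked" if is_blocked(p) else "allowed") for p in paths}


if __name__ == "__main__":
    # Constructed sample requests: static assets stay reachable, direct PHP does not.
    for p, verdict in classify([
        "wp-includes/pluggable.php",
        "wp-includes/js/jquery/jquery.js",
        "wp-admin/includes/file.php",
        "wp-login.php",
    ]).items():
        print(f"{verdict:8} {p}")
```

Running it also shows that wp-includes/ms-files.php is refused, which matters on older Multisite installs that serve uploads through that file.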

Rename the administrative account
On a new install you can simply create a new administrator account and delete the default admin account.
On an existing WordPress install you can rename the existing account from the MySQL command-line client with a command like:
UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';

Monitoring your logs
If you are on a private server (where you have admin access), you have to watch your logs to detect password guessing
attempts, web attacks, etc. A good open source solution to monitor your logs in real time and block the attacker is OSSEC.

Adding salt key to wp-config

Don’t Let Search Engines Index your WordPress Folders – Create a “robots.txt” file and include the following line: Disallow: /wp-*

Changing database prefix wp_
steps to follow

How to hide the WordPress Version
1. Open your theme's functions.php file from the Dashboard (Appearance —> Editor —> functions.php) and paste the code below at the top of the file.
<?php
// Omit the opening tag above if functions.php already starts with one.
// Returning an empty string replaces the generator output (the
// <meta name="generator"> tag and the <generator> element in feeds),
// so the WordPress version is no longer printed.
function hide_version() {
    return '';
}
add_filter('the_generator', 'hide_version');
Now save the file. You are done. Check the page source: the WordPress version is gone, from the RSS feeds as well.
2. Simply delete the readme.html file from the WordPress root directory after every upgrade.

These are some of the many steps which can help you keep your WordPress website secure.
