Tuesday, February 22, 2011

How to protect your WordPress blog from hackers


Last week my blog suffered a hacker attack. Hackers injected a malicious script into my WordPress code and my blog theme’s code files. Because of this, that script was redirecting my visitors to another website. I was very afraid of this issue and contacted my hosting provider about this attack. They said that I have to make my WordPress more secure.
I researched WordPress and found the following ways to protect our WordPress blog from hacker attacks:
1. Remove the ‘Incorrect Password’ message from the WordPress login page
Hackers want a clue as to whether the password they are trying is right or wrong. If your blog displays ‘Incorrect Password’ on a failed login, you are giving hackers a clear signal that the password they tried was wrong, so they can simply try another one. This is exactly how a brute-force attack with a script works: whenever the script gets an indication that a password was wrong, it tries to log in with a different one.
To remove login error messages, open your theme’s functions.php file and paste the following code:


// Return an empty login error so a failed attempt reveals nothing about why it failed.
// An anonymous function is used because create_function() was removed in PHP 8.
add_filter('login_errors', function ($error) { return ''; });

Save the file and see for yourself: no more messages are displayed if you fail to log in. Please note that there are several functions.php files. Be sure to edit the one in your theme’s folder under wp-content.
2. Force the use of SSL
If your web server can handle SSL, you can force WordPress to use SSL. Only a few web hosts, such as HostGator, let you use SSL. Once you have checked that your web server can handle SSL, open your wp-config.php file (located at the root of your WordPress installation) and paste the following:


// Force the login page and the whole admin area to be served over HTTPS
define('FORCE_SSL_ADMIN', true);

Save the file, and you’re done!
3. Protect your wp-config.php file using .htaccess
wp-config.php is very important since it contains all the details of your WordPress configuration: your database username and password, the database table name, the server name, etc. If anyone is able to view or access your wp-config.php file, he can delete all your articles. Use your .htaccess file to protect wp-config.php.
The .htaccess file is located at the root of your WordPress installation. After creating a back-up of it (it is such a critical file that we should always have a safe copy), open it up and paste the following code:

# Deny every HTTP request for wp-config.php; PHP still reads the file from disk as normal
<files wp-config.php>
order allow,deny
deny from all
</files>

4. Protect your WordPress blog from script injections
The PHP GLOBALS and _REQUEST variables must be protected against script injection. The following rules block script injections and any attempt to modify the PHP GLOBALS and _REQUEST variables through the query string. Paste them into your .htaccess file (located in the root of your WordPress installation). Always back up the .htaccess file before modifying it.

Options +FollowSymLinks
RewriteEngine On
# Block query strings that carry a <script> tag, plain or URL-encoded, case-insensitively
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block attempts to set the PHP GLOBALS or _REQUEST variables through the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Answer 403 Forbidden for any matching request; the target is ignored when [F] is set
RewriteRule ^(.*)$ index.php [F,L]
5. Create your own plugin to protect your blog from malicious URL requests
Create a PHP file, name it BlockMaliciousRequests.php, copy the code below into it and save it. Upload this plugin to the wp-content/plugins/ directory and activate it.

<?php
/*
Plugin Name: BlockMaliciousRequests.php
Plugin URI: http://mazakaro.com
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/

// Plugins are loaded before WordPress has identified the visitor, so the check is
// hooked on 'init'; testing the user at file load time would see every request as
// anonymous and skip the check entirely.
add_action('init', 'bmr_block_malicious_requests');

function bmr_block_malicious_requests() {
    // Administrators are exempt (they may legitimately send long or unusual URLs).
    if (current_user_can('level_10')) {
        return;
    }
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    // Fragments that do not belong in a normal blog URL: PHP eval(), SQL CONCAT /
    // UNION SELECT, and base64-encoded payloads.
    $needles = array('eval(', 'CONCAT', 'UNION+SELECT', 'base64');
    $malicious = strlen($uri) > 255;
    foreach ($needles as $needle) {
        // strpos() returns 0 for a match at offset 0, so compare with false explicitly
        if (strpos($uri, $needle) !== false) {
            $malicious = true;
            break;
        }
    }
    if ($malicious) {
        @header("HTTP/1.1 414 Request-URI Too Long");
        @header("Status: 414 Request-URI Too Long");
        @header("Connection: Close");
        exit;
    }
}
What this code does is pretty simple. It checks for excessively long request strings (more than 255 characters) and for the presence of the PHP functions eval( and base64 or the SQL fragments CONCAT and UNION+SELECT in the URI. If one of these conditions is met, the plugin sends a 414 error to the client’s browser. Administrators are exempt from the check.
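To see which requests the two layers above actually stop, here is an added example (not code from the original post) that re-implements the .htaccess RewriteCond patterns of step 4 and the plugin's length and substring checks of step 5 in Python and runs them over constructed sample request URIs. It assumes the .htaccess rules see only the query string (as %{QUERY_STRING} does) while the plugin sees the whole REQUEST_URI; the final sample shows the plugin rejecting a legitimate permalink that merely contains the word base64.

```python
import re
from urllib.parse import urlsplit

# Step 4: the three RewriteCond patterns as Python regexes. Only the first
# carries [NC], so only it is case-insensitive; in PCRE "\%" is a literal "%".
REWRITE_CONDS = [
    re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
]

# Step 5: the plugin's length limit and the substrings it looks for.
MAX_URI_LEN = 255
PLUGIN_NEEDLES = ("eval(", "CONCAT", "UNION+SELECT", "base64")


def htaccess_blocks(query_string):
    """True when any RewriteCond matches, i.e. mod_rewrite answers 403 ([F])."""
    return any(cond.search(query_string) for cond in REWRITE_CONDS)


def plugin_blocks(request_uri):
    """True when the plugin would answer 414: URI too long or a needle present."""
    if len(request_uri) > MAX_URI_LEN:
        return True
    return any(needle in request_uri for needle in PLUGIN_NEEDLES)


def classify(request_uri):
    """Apply both layers to one REQUEST_URI (path plus query string).

    The .htaccess rules only ever see the query string; the plugin sees the whole URI.
    """
    query = urlsplit(request_uri).query
    return {"htaccess": htaccess_blocks(query), "plugin": plugin_blocks(request_uri)}


# Constructed sample requests (not taken from the original post).
SAMPLES = [
    "/?s=wordpress+security",                 # ordinary search: both layers allow it
    "/?s=%3Cscript%3Ealert(1)%3C/script%3E",  # encoded script tag: .htaccess only
    "/?GLOBALS[x]=1",                         # GLOBALS probe: .htaccess only
    "/index.php?id=1+UNION+SELECT+1,2",       # SQL fragment: plugin only
    "/?q=" + "a" * 300,                       # over 255 characters: plugin only
    "/2011/02/base64-encoding-explained/",    # legitimate slug: plugin false positive
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(classify(uri), uri[:48])
```

The last sample is the practical caveat of substring matching: any post whose permalink contains base64 or CONCAT becomes unreachable for non-administrators, so check your own slugs before activating the plugin.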
6. Remove the WordPress version number
Open any WordPress blog and view its source code; in the page head you will find a line like this (the version number varies):

<meta name="generator" content="WordPress [version]" />

If your blog is not up to date and runs an old version of WordPress, a hacker will learn from this line that you are using an old version, and there is a good chance that your blog is not up to date from a security point of view. Paste the following code into your theme’s functions.php file to stop the WordPress version number from being displayed.

// Stop WordPress from printing the generator meta tag in the page head
remove_action('wp_head', 'wp_generator');
To remove the WordPress version from your feeds as well, copy the function below into functions.php:
// remove version info from head and feeds
function complete_version_removal() {
    return '';
}
add_filter('the_generator', 'complete_version_removal');
7. Change the default ‘admin’ username
WordPress’s default administrator username is ‘admin’. Hackers know this too, and by keeping ‘admin’ as the username you are saving them half the effort. Change the default administrator name from ‘admin’ to some other name of your choice. To change the default admin name you have to edit your database entry with the following SQL query, using phpMyAdmin.

-- Replace wp_ with your own table prefix if you changed it at install time
UPDATE wp_users SET user_login = 'Your New Username' WHERE user_login = 'admin';
Conclusion
If you have installed WordPress, installed a lot of plugins and started posting articles, do not think that all your work to become a successful blogger is over. Security is the most important thing, so do not forget to learn about security threats. You must follow various steps to make your blog more secure. I hope you will benefit from this article. Please share more tips about security.
