How to Secure Your WordPress Site from Hackers


Several of my websites were hacked today. All of my sites are hosted on a Hostgator VPS server, and they were hacked by “Prishtina Hackers Group”.

Thanks to this group, who made me think seriously about the security of my sites. That my sites were hacked does not mean that this hacker group is extraordinary; actually, as a developer I was careless about the security of my sites. This is the main fault and security gap on my end.

I want to share this experience with you so that you can protect your sites from this kind of hack, and in this post I am going to fill all the security holes in a site.

First I have to run a scan. What do I normally do with my sites?

  1. Most of my sites run on the WordPress CMS.
  2. For all my sites the user name is admin.
  3. I mostly used common passwords for my sites, so that I could recall them easily.
  4. I installed those sites using Fantastico Deluxe through my hosting control panel.

OK, now I am going to explore the problems with these steps, and the important things I had not done with my websites.

Using WordPress CMS

It is easier for a hacker to attack your site if you are using a common CMS, but building your site on a CMS cuts your development time, which is why it is so popular. WordPress itself provides strong security to its users. The catch is that with a well-known CMS the hacker already knows your site architecture. For example, with WordPress an attacker knows that your config file (wp-config.php) sits at the root, and that this file contains your database user name and password.

Secure your wp- folders

A WordPress install consists of the wp-content, wp-admin and wp-includes folders. Search engines might index those paths and expose them to everyone. You don't need to show these folders to search engines; they are essentially the system files of the CMS.
Solution
You can keep well-behaved crawlers out of the wp- folders with a robots.txt file, which lives in the root folder of your web server. Add the following lines to your robots.txt file (Disallow matches by prefix, so no wildcard is needed and non-Google crawlers would read a literal * anyway):

[php]User-agent: *
Disallow: /wp-[/php]

Keep in mind that robots.txt is advice to crawlers, not access control: anyone can still request these paths directly, and the file itself is public, so it also tells an attacker exactly where your system folders are. Treat it as search-engine hygiene, not as a security control.

Do not allow public browsing of directories

If someone can browse your plugin or theme folder, they can easily see which plugins you are using on your WordPress site. If one of those plugins has a security hole, the hacker can use it to compromise your site too.
Solution
The simplest way to stop this public browsing is to place an empty index.html (or index.php) file in each of these folders. Alternatively, add this line to the .htaccess file in your server's root folder; it disables directory listing for the whole site (the server configuration must permit AllowOverride Options for it to take effect). Note that Apache rejects the mixed form Options All -Indexes, so use the relative form only:

Options -Indexes
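The index-file approach above, as an added example that is not code from the original post: a small PHP command-line script that walks a WordPress install and drops a placeholder index.php into every directory that has neither index.php nor index.html, so that a server which still lists directories shows a blank page instead of your plugin list. The install path is passed as an argument; the path and the script name are assumptions for the illustration.

```php
<?php
// Added example, not code from the original post.
// Usage (assumed): php add-index-files.php /path/to/wordpress
// Creates an index.php placeholder in every directory under the given root
// that lacks one, using the same "Silence is golden" stub WordPress ships
// in its own directories.

function add_index_files(string $root): array {
    $added = [];

    // Collect the root and every directory below it.
    $dirs = [$root];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $entry) {
        if ($entry->isDir()) {
            $dirs[] = $entry->getPathname();
        }
    }

    foreach ($dirs as $dir) {
        // Idempotent: never overwrite an index file that is already there,
        // whichever of the two names it uses.
        if (file_exists("$dir/index.php") || file_exists("$dir/index.html")) {
            continue;
        }
        file_put_contents("$dir/index.php", "<?php\n// Silence is golden.\n");
        $added[] = "$dir/index.php";
    }
    return $added;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (add_index_files(rtrim($argv[1], '/')) as $path) {
        echo "created $path\n";
    }
}
```

Run it once after installing or updating plugins; because it skips directories that already have an index file, running it again is harmless. It complements rather than replaces the Options -Indexes line, since the placeholder keeps working even on a host that ignores .htaccess.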

Always update your WordPress CMS to its latest version

It is natural that earlier WordPress versions have bugs and security holes. The WordPress developers continuously update the code to close these gaps: when the community learns that a version has become a target and attackers have found holes in it, they fix those issues in the next release.
Solution
Always upgrade your site to the latest WordPress version; that alone gives your site a baseline of security. The same applies to the plugins and themes you have installed: an outdated plugin is an open hole even when WordPress core is current.

Hide your current WordPress version

As I said, older WordPress versions have security gaps and bugs. If a hacker knows which WordPress version your site runs, and is aware of the holes in that version, your site becomes an easy target. By default WordPress prints the version in the head of every page: the wp_head call in your theme's header.php runs the wp_generator handler, which outputs a "generator" meta tag containing your current version.

Solution
Add this simple line of code to the functions.php file inside your theme folder. It stops the version from being shown publicly in the page head:

remove_action('wp_head', 'wp_generator');
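The line above only covers the page head. WordPress also prints the version in the generator element of your RSS and Atom feeds and appends it as a ?ver= query string to its own scripts and stylesheets, and it ships a readme.html at the site root that states the version. As an added example, not code from the original post, the following functions.php snippet removes the first three (the prefix example_ on the helper is an assumption; use your theme's own prefix). The readme.html file simply has to be deleted after each upgrade.

```php
<?php
// Added example, not from the original post: strip the WordPress version
// from the places WordPress prints it. Goes in the theme's functions.php.

// 1. <meta name="generator"> in the <head> (the line from the post).
remove_action('wp_head', 'wp_generator');

// 2. <generator> element in RSS/Atom feeds.
add_filter('the_generator', '__return_empty_string');

// 3. ?ver=X.Y.Z on scripts and styles enqueued by WordPress core.
//    Only the core version string is removed; plugins that set their own
//    version on an asset keep it, so browser caching for them is unaffected.
function example_strip_core_version(string $src): string {
    $core = get_bloginfo('version');
    if ($core !== '' && strpos($src, 'ver=' . $core) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'example_strip_core_version', 9999);
add_filter('script_loader_src', 'example_strip_core_version', 9999);
```

Remember that hiding the version is only obscurity: a scanner can still fingerprint a release from the files in wp-includes. Keeping WordPress updated, as in the previous section, is the real protection; this just stops you from advertising an outdated install.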

Securing your wp-admin folder

Your site's wp-admin folder should only be reachable by administrators, and you will have only a limited number of administrators for your site. You can therefore restrict access to it to the IP addresses of your admin users.
Solution
See my post on restricting access to your wp-admin folder.
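An added illustration of the IP restriction described above (not the post referred to, and not code from this page): an .htaccess file placed inside the wp-admin folder. The address 203.0.113.10 is a placeholder from the documentation range; replace it with your administrators' real addresses.

```apache
# wp-admin/.htaccess (added example; 203.0.113.10 is a placeholder address)
order deny,allow
deny from all
allow from 203.0.113.10

# admin-ajax.php lives in wp-admin but is called by plugins on the public
# front end, so it must stay reachable for everyone.
<Files admin-ajax.php>
order allow,deny
allow from all
</Files>
```

On Apache 2.4 and later write Require ip 203.0.113.10 and Require all granted in place of the order/deny/allow lines. Two caveats: the login form, wp-login.php, sits at the site root and is not covered by this file, so it does not stop password guessing; and the restriction only works if your administrators have fixed addresses, otherwise it locks you out as readily as it locks out attackers.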

Protecting your wp-config.php and .htaccess files

Tampering with .htaccess is one of the most common techniques used to compromise a site, so securing this file is your first priority. Add the block below to your .htaccess file; it tells Apache never to serve the file itself:


<Files .htaccess>
order allow,deny
deny from all
</Files>

Your wp-config.php file contains your database access details, which are just as valuable. To protect it, add the following block to your .htaccess file:


<Files wp-config.php>
order allow,deny
deny from all
</Files>

On Apache 2.4 and later the two order/deny lines can be replaced by a single Require all denied. The default Apache configuration already refuses to serve any file whose name starts with .ht, but the explicit block keeps that protection in place even if the host has changed the default. Note that these blocks stop the files from being served over HTTP; they do not stop a script already running on the server from reading or rewriting them, which is why file permissions (below) matter too.

Keep your blog safe from script injection

Validating GET and POST input in your own code is sometimes not enough on a dynamic website, especially when a plugin you did not write handles the request. As a crude safety net you can add the rules below to your .htaccess file. They return 403 Forbidden for any request whose query string contains a script tag, or which tries to set the GLOBALS or _REQUEST arrays (an old trick against PHP installs running with register_globals on):

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* - [F,L]

Be aware that this is a blacklist: it only matches the exact patterns listed, and an attacker can usually get around them with a different encoding, a payload that uses no script tag at all, or by sending the payload in a POST body, which these rules never inspect. It buys a little time; the real fix is code that validates its input and escapes its output.

Please always take a backup of your .htaccess file before editing it.
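To make the limits of the rewrite rules concrete, here is an added example (not code from the original post) in plain PHP: a theme-style snippet that echoes a search term back into the page, first vulnerable and then fixed by escaping on output, run against two constructed payloads. It also re-implements the first RewriteCond as a PHP regex to show which payload the .htaccess rule would catch. Inside WordPress you would call esc_html() or esc_attr() rather than htmlspecialchars() directly; they wrap the same escaping. The function names and payloads are the example's own.

```php
<?php
// Added example, not from the original post. Runs stand-alone: php xss-demo.php

// Vulnerable: the search term goes straight into the HTML.
function render_search_vulnerable(string $term): string {
    return "<h2>Search results for: $term</h2>";
}

// Fixed: escape on output, for the HTML context the value lands in.
// (WordPress: esc_html($term) does the same.)
function render_search_fixed(string $term): string {
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Search results for: $safe</h2>";
}

// The first RewriteCond from the .htaccess rules, as PHP. mod_rewrite sees
// the raw (URL-encoded) query string, and NC makes the match case-insensitive.
function caught_by_htaccess_rule(string $raw_query): bool {
    return (bool) preg_match('/(<|%3C).*script.*(>|%3E)/i', $raw_query);
}

// Constructed payloads: the first is what the rule is written for; the
// second contains no "script" at all and walks straight past it.
$payloads = [
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
];

foreach ($payloads as $p) {
    $raw = 's=' . urlencode($p);   // what the browser actually sends
    echo "query string : $raw\n";
    echo "blocked by rule: " . (caught_by_htaccess_rule($raw) ? 'yes' : 'no') . "\n";
    echo "vulnerable    : " . render_search_vulnerable($p) . "\n";
    echo "fixed         : " . render_search_fixed($p) . "\n\n";
}
```

The second payload reaches the vulnerable function untouched by the rewrite rule, while the fixed function renders both payloads as inert text. That is the point of escaping at output time rather than filtering at the web server: it does not depend on guessing what the attacker will send.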

Protect your WordPress site from content scrapers

Scrapers that copy your posts often hotlink your images, serving them straight from your server. You can add this code to your .htaccess file so that any image requested from another site is replaced by a "don't hotlink" image:
[php classname="apache"]
RewriteEngine On
# Replace mysite\.com with your blog's domain
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Never rewrite the replacement image itself, or the rule loops on it
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
# Replace /images/nohotlink.jpg with your "don't hotlink" image URL
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
[/php]

The empty-referer condition (!^$) lets through requests that carry no Referer header, so visitors behind privacy proxies still see your images; it also lets through any scraper that simply omits the header. This stops casual hotlinking, not determined copying, and it protects your bandwidth rather than your text.

Secure file and Folder Permissions

Sorry, I am going to stop writing this post right now; it is not a one-day job. I will start writing it again :-), keep watching this page.

