10 Things You Must Apply to Secure Your WordPress Blog


WordPress is the most used blogging platform in the world. The world's top blogs, such as TechCrunch and Mashable, use WordPress as their platform. The main reason is that WordPress provides a well structured and secure blogging interface. But hackers are not on holiday: they keep trying to break into WordPress blogs. They constantly search for security holes in your WordPress blog, and if they succeed, you lose.

So why not protect your blog against such attacks? Let me tell you some useful things that you must apply to your WordPress blog for its security.

1. Move the WordPress core files to a different location. Do not keep them in the root directory. Read more about how to move the WordPress core files to a different location.

2. Do not keep your user name as “admin”. Choose a user name that nobody can guess. If your user name is currently admin, create another administrator account with a secure user name, log in to WordPress with that account and delete the admin account. When deleting it, make sure to assign all of admin's posts to the new user.

3. Remove the WordPress version number. Open functions.php in your wp-include directory with a text editor and add the following code:

// Stop wp_head() from printing the <meta name="generator"> tag that reveals the WordPress version.
// Placing this in the active theme's functions.php keeps it from being overwritten by a core update.
remove_action('wp_head', 'wp_generator');

4. Prevent indexing of your WordPress core files through robots.txt. Add the following to robots.txt:

User-agent: *
Disallow: /wp-*

5. Protect your .htaccess file. Paste the following lines into the .htaccess file in the root directory (always keep a backup of the .htaccess file before editing it).

# STRONG HTACCESS PROTECTION
<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>

6. Protect the wp-config.php file so that nobody can view it. Add the following to your .htaccess:

# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

7. To disable directory browsing, add the following to the .htaccess file:

# disable directory browsing (mixing "All" with "-Indexes" is rejected by Apache, so only the minus form is used)
Options -Indexes
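Items 5, 6 and 7 combined into one .htaccess fragment, as an added example that is not part of the original post. It keeps the Apache 2.2 order/deny form the post uses and adds the Apache 2.4 Require form, because a 2.4 server without mod_access_compat rejects order/deny in .htaccess with a 500 error; the IfModule split lets one file work on both.

```apache
# Added example (not from the original post): items 5, 6 and 7 in one
# fragment that works on Apache 2.2 and 2.4.

# 5. Nobody may fetch .htaccess or .htpasswd over HTTP
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
        Satisfy all
    </IfModule>
</FilesMatch>

# 6. wp-config.php holds the database credentials and the secret keys
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# 7. No directory listings (needs AllowOverride Options, or put it in the vhost)
Options -Indexes
```

After saving, request /.htaccess and /wp-config.php in a browser; both must return 403, and a directory without an index file must not list its contents.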

8. Protect against spammers by adding the following to the .htaccess file:

# block comment POSTs that carry no referer, a foreign referer or an empty user agent
# (replace yourblog.com with your own domain)
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# send the request back to the sender's own address
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

9. Prevent hackers from injecting scripts into your WordPress blog. Adding the following code protects your blog from script injection and from attempts to modify PHP GLOBALS and _REQUEST variables through the query string:

Options +FollowSymLinks
RewriteEngine On
# <script ...> in the query string, raw or URL-encoded
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# attempts to set GLOBALS or _REQUEST via the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# F returns 403 Forbidden
RewriteRule ^(.*)$ index.php [F,L]

10. Block suspicious users from visiting your site. Learn about how to block a user.
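Item 10 done at the web-server level, as an added example that is not part of the original post; it also goes one step further and restricts wp-login.php to a single network. All addresses are constructed placeholders from the RFC 5737 documentation ranges; replace them with the addresses you actually see abusing the site in your access log.

```apache
# Added example (not from the original post). Addresses are constructed
# placeholders; put in the ones you want to block or allow.

# Site-wide: everyone may visit except the listed addresses and ranges
<IfModule mod_authz_core.c>
    # Apache 2.4
    <RequireAll>
        Require all granted
        Require not ip 203.0.113.45
        Require not ip 198.51.100.0/24
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order allow,deny
    Allow from all
    Deny from 203.0.113.45
    Deny from 198.51.100.0/24
</IfModule>

# Tighter variant for the login page: only the administrator's own
# network may reach wp-login.php. Drop this part if you log in from
# changing addresses, or you will lock yourself out.
<Files wp-login.php>
    <IfModule mod_authz_core.c>
        Require ip 192.0.2.0/24
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24
    </IfModule>
</Files>
```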

Apart from all of the above, you must keep WordPress and your plug-ins updated to stay secure.

This post was written by Tanmay

Reader Comments

  1. Useful tips :) First things to do when you install your WP blog.

  2. Jayanta

    @Shabnam: Yes, you can install WordPress keeping the core files in a different location. But if you have already installed it in the root dir, you can still move them. Follow the given link.

  3. Hey bro… great tips… yeah, security matters a lot… it really hurts a lot if one loses something into which a lot of hard work was put, because of security vulnerabilities.
    Thanks for sharing… :)

  4. One more basic thing one should always do: download WordPress themes from a reliable source. Very useful share :)

  5. Tanmay

    Thanks Harsh. Very happy for your compliment. Thanks again for your valuable advice. Hope our readers will benefit.

  6. Using the code you provided to prevent hackers from script injection caused my site to have server errors and it would not load the site! So I had to block it out — why did this happen?
    #Options +FollowSymLinks
    #RewriteEngine On
    #RewriteCond %{QUERY_STRING} (|%3E) [NC,OR]
    #RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
    #RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
    #RewriteRule ^(.*)$ index.php [F,L]

    FYI: I have also come across this strong htaccess protection code; do you think it makes sense to include this in the htaccess file as well?

    # STRONG HTACCESS PROTECTION

    order allow,deny
    deny from all
    satisfy all

    order allow,deny
    deny from all

    Order Allow,Deny
    Deny from all

    # end STRONG HTACCESS PROTECTION

    thanks

  7. Note: all the brackets and other code marks were removed from my post, so I hope no one else tries to copy it as is, since it's incomplete.

    Will try wrapping code/code around it below…

    [code]
    # STRONG HTACCESS PROTECTION

    order allow,deny
    deny from all
    satisfy all

    order allow,deny
    deny from all

    Order Allow,Deny
    Deny from all

    # end STRONG HTACCESS PROTECTION
    [/code]

    [code]

    #Prevent hackers from script injection
    #Options +FollowSymLinks
    #RewriteEngine On
    #RewriteCond %{QUERY_STRING} (|%3E) [NC,OR]
    #RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
    #RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
    #RewriteRule ^(.*)$ index.php [F,L]
    [/code]

  8. Will the code in “8. Protect the spammers” prevent regular users from commenting if they directly accessed a page?

  9. Tanmay

    No…