HOW CAN WE PROTECT WORDPRESS FROM HACKERS

Once, after I published my article about the iThemes Security plugin, someone replied to my claim that, with the plugin set up properly, you could rest easy, by telling me that in this field you can never rest easy. Experience has shown me how true that comment was. Even if you install a plugin dedicated to WordPress security, it is always wise to monitor the site, keep the core and plugins updated, and take the other small actions that raise the level of security.

THE FIRST LEVEL OF SECURITY IS SET AT THE BEGINNING

The first measures for the security of our WordPress site are taken during installation: choose an administrator user name other than the default (admin); set a strong password that is long enough and contains uppercase letters, lowercase letters, numbers and special characters; choose a database table prefix that is far from the usual wp_ (e.g. xy_12); and enter in the wp-config.php file the encryption keys that we can copy and paste from this link.

If we did not do all this at the beginning, below we explain how to do it on a site that is already in production.

ELIMINATE THE ADMIN USER

By default WordPress assigns the administrator the username “admin”. It is a good idea to replace this user with one whose name we choose ourselves. Leaving the administrator with the username “admin” gives another small advantage to attackers and to the automated tools used to run brute-force attacks against the site. Changing the admin user requires no code: just work in the Users section of the WordPress dashboard.

USE A STRONG PASSWORD

Every time we raise the complexity of a password, we increase the time needed to break it. Use a password that is long enough and contains uppercase letters, lowercase letters, numbers and special characters.

CHANGE THE TABLE PREFIX

WordPress needs a MySQL database to work. The database tables are created automatically during the WordPress installation and carry the wp_ prefix. Changing this prefix for security reasons is a wise choice. But how do you change the prefix of the WordPress MySQL tables? First make a backup of the database. Then open the wp-config.php file and correct the table prefix, changing

$table_prefix = 'wp_';

to

$table_prefix = 'xy_12';

(instead of xy_12 you can use any prefix you like). Then go into phpMyAdmin and follow this simple guide. Keep in mind that the prefix also appears in some row names inside the options and usermeta tables (the user_roles option and the capabilities and user_level meta keys), so those rows must be renamed as well or the administrator loses access. That's it.

INSERT ENCRYPTION KEYS

At this point take the wp-config.php file and open it. Using the link mentioned in the paragraph “The first level of security is set at the beginning”, copy the encryption keys and paste them over those in the default file (which are empty placeholders at the start, as you see below):

define('AUTH_KEY', 'the key here');
define('SECURE_AUTH_KEY', 'the key here');
define('LOGGED_IN_KEY', 'the key here');
define('NONCE_KEY', 'the key here');
define('AUTH_SALT', 'the key here');
define('SECURE_AUTH_SALT', 'the key here');
define('LOGGED_IN_SALT', 'the key here');
define('NONCE_SALT', 'the key here');

DISABLE THE EDITOR FROM THE DASHBOARD

If an attacker managed to get into your dashboard, they would find the chance to edit the code of your key files. You can remedy this by disabling the editing of these files from the dashboard, adding the following line to your wp-config.php:

define('DISALLOW_FILE_EDIT', true);

Do not worry. If you want to work on the WordPress files that are now hidden from the dashboard, you can use your FTP client to download and edit them.

HIDE THE VERSION OF WORDPRESS

An attacker can save time and deploy actions specific to a certain WordPress version if they know which one you run. The WP version is visible when viewing the site’s source code with any browser. To hide the WordPress version in use, write the following line in header.php (before the call to wp_head(), otherwise it has no effect):

<?php remove_action('wp_head', 'wp_generator'); ?>

Note that this only removes the generator meta tag from the HTML head; the version also shows up in the ?ver= query string of enqueued scripts and styles and in the RSS feed, so it cannot be hidden completely this way.

ELIMINATE THE DISPLAY OF ERRORS

When there is a problem with a theme or plugin on our site, error messages appear. These messages help to figure out where the problem lies in order to solve it, but attackers could exploit them to find entry points into the site, since they contain server paths. So it is a good idea to disable the display of error messages. To do this, add the following code to the wp-config.php file:

error_reporting(0);
@ini_set('display_errors', 0);
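The settings from the last four sections (table prefix, encryption keys, DISALLOW_FILE_EDIT, error display) can be checked in one pass. The following is an added example, not code from the original article: a small Python audit of a wp-config.php text that reports which of those items is still at its default. The two config fragments are constructed for the demo, and the 32-character minimum key length is my own assumption.

```python
import re

# Constructed sample wp-config.php fragments (hypothetical, not from a real site).
# The first still carries the defaults the article tells you to change; the
# second has every item from the article applied.
RANDOM64 = "".join(chr(97 + i % 26) for i in range(64))  # stand-in for a real random key
WEAK_WP_CONFIG = f"""<?php
$table_prefix = 'wp_';
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'the key here');
define('NONCE_KEY',       '{RANDOM64}');
"""
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
HARDENED_WP_CONFIG = ("<?php\n$table_prefix = 'xy_12';\n"
                      + "".join(f"define('{n}', '{RANDOM64}');\n" for n in KEY_NAMES)
                      + "define('DISALLOW_FILE_EDIT', true);\n"
                        "error_reporting(0);\n@ini_set('display_errors', 0);\n")

PLACEHOLDERS = {"", "put your unique phrase here", "the key here"}
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
NO_DISPLAY_RE = re.compile(r"""ini_set\s*\(\s*['"]display_errors['"]\s*,\s*(?:0|['"]0['"]|false)\s*\)""")

def parse_defines(text):
    """Map every define('NAME', value) in the file to its value with quotes stripped."""
    return {m.group(1): m.group(2).strip("'\"") for m in DEFINE_RE.finditer(text)}

def audit_wp_config(text):
    """Return one finding per hardening item from the article that is not applied."""
    findings = []
    defs = parse_defines(text)
    prefix = PREFIX_RE.search(text)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table prefix is still the default wp_")
    for name in KEY_NAMES:
        value = defs.get(name, "")
        if value in PLACEHOLDERS or len(value) < 32:  # 32 is an assumed minimum
            findings.append(f"{name} is missing, a placeholder, or shorter than 32 characters")
    if defs.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: the dashboard file editor is enabled")
    if not re.search(r"error_reporting\s*\(\s*0\s*\)", text) or not NO_DISPLAY_RE.search(text):
        findings.append("error display is not switched off (error_reporting(0) / display_errors)")
    return findings

if __name__ == "__main__":
    for line in audit_wp_config(WEAK_WP_CONFIG):
        print("WEAK:", line)
    print("hardened findings:", audit_wp_config(HARDENED_WP_CONFIG))
```

Run it against your own file with audit_wp_config(open("wp-config.php").read()); an empty list means every item from the article is in place.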

CHANGE OF URL LOGIN

Everyone knows that access to a WordPress site starts from the login page at the URL miosito.xx/wp-admin. To remove this convenience we can change the last part of the URL, /wp-admin, to a word of our choice and make it something like miosito.xx/miaparola. To do so we must act on 3 different files, as follows:

In wp-config.php enter:

define('WP_ADMIN_DIR', 'miaparola');
define('ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR);

then edit the theme's functions.php by adding these lines:

// Rewrite /wp-admin/ to the custom directory in every URL WordPress builds
add_filter('site_url', 'wpadmin_filter', 10, 3);
function wpadmin_filter($url, $path, $orig_scheme) {
    $old = array('/(wp-admin)/');
    $admin_dir = WP_ADMIN_DIR;
    $new = array($admin_dir);
    return preg_replace($old, $new, $url, 1);
}

And finally write in the .htaccess file:

RewriteRule ^miaparola/(.*) wp-admin/$1?%{QUERY_STRING} [L]

Keep in mind that this only changes the address: wp-login.php is still served at its usual path, so the change hides the login page from casual scans rather than preventing login attempts.

HIDE FILE WP-CONFIG

The wp-config.php file is perhaps the most important file in all of WordPress. It contains the database address and the credentials to access it. In short, if an attacker learned the contents of this file it would be a disaster. Fortunately, we can hide it by inserting a few simple instructions in the .htaccess file. Outside the space between # BEGIN WordPress and # END WordPress insert:

<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

On Apache 2.4 the Order and Deny lines are replaced by the single directive Require all denied inside the same <Files> block.

MAKE wp-config.php AND .htaccess READ-ONLY

As mentioned, the most important WordPress files are wp-config.php and .htaccess. Protecting them from changes is a necessary step from a security point of view. How? It can be done directly in FileZilla: right-click on the file and click “File permissions”, then set them to 644, which means that the files are read-only for everyone except the owner, who can also write to them. (The WordPress hardening guide suggests the even stricter 440 or 400 for wp-config.php where the hosting setup allows it.)

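The same check can be scripted instead of done by eye in FileZilla. This is an added example, not code from the article: a Python function that reports whether wp-config.php and .htaccess are missing, writable by group or others, or set to a mode other than the 644 described above (the stricter owner-only modes it also accepts are my assumption). The demo builds the scenario in a temporary directory.

```python
import os
import stat
import tempfile

# Modes accepted here: the 644 the article asks for, plus stricter owner-only
# variants (my assumption, not something the article lists). Anything with a
# group or world write bit is flagged regardless.
ALLOWED_MODES = {
    "wp-config.php": {0o644, 0o640, 0o600, 0o440, 0o400},
    ".htaccess": {0o644, 0o640, 0o600, 0o444},
}

def mode_of(path):
    """Permission bits of a file as an int such as 0o644 (file-type bits stripped)."""
    return stat.S_IMODE(os.stat(path).st_mode)

def check_permissions(root):
    """Return one finding per file under root that is missing, writable by
    group/others, or outside the accepted modes; an empty list means all good."""
    findings = []
    for name, allowed in ALLOWED_MODES.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            findings.append(f"{name}: missing")
            continue
        mode = mode_of(path)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{name}: writable by group/others ({oct(mode)})")
        elif mode not in allowed:
            findings.append(f"{name}: unexpected mode {oct(mode)}")
    return findings

def demo():
    """Constructed scenario in a temp dir: wp-config.php left world-writable,
    .htaccess already at 644. Returns the findings before and after the fix."""
    root = tempfile.mkdtemp()
    cfg = os.path.join(root, "wp-config.php")
    ht = os.path.join(root, ".htaccess")
    for path in (cfg, ht):
        open(path, "w").close()
    os.chmod(cfg, 0o666)
    os.chmod(ht, 0o644)
    before = check_permissions(root)
    os.chmod(cfg, 0o644)  # the setting the article recommends
    after = check_permissions(root)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Point check_permissions at your WordPress root on a POSIX host to run the same check on the live files.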
BACKUP, BACKUP, BACKUP

You never know: even if we put into practice every precaution in the world, our WordPress website may still be compromised. In that case a backup of files and database will be vital. A backup is also handy if a plugin happens to conflict with another plugin or with WordPress itself and the site returns only a blank screen. A great help for all this is the plugin UpdraftPlus – Backup and Restore. This plugin lets you back up both the files and the database and store them in a specific location on our site or in a service such as Dropbox and the like. Just set it up at the beginning and launch your first backup. Then we can also decide whether to run backups automatically on a daily, weekly, biweekly or monthly basis. The plugin also lets you decide how many backups to keep. I usually keep two: when the third backup is made, the oldest is deleted. Once backed up, you can restore the site simply with the restore button. In addition to backup and restore, this plugin can also clone the site. The plugin can be downloaded from the WordPress plugin repository and it’s free.
For my own safety, I usually also make a local copy of files and folders and export the database locally via phpMyAdmin.
