How to secure WordPress

Written by on Friday, September 17, 2010 20:07

We all know how secure WordPress is out of the box, and if you miss a patch, well, you are just asking for big trouble. Keeping WordPress on the latest release will keep out the great majority of the bots and opportunistic attackers scouring the web for insecure WordPress sites (and believe me, there are a lot of them), because what they are looking for is known, already-fixed holes. Beyond patching, there are a few plugins I use to help secure WordPress. There are more out there, so this is not the be-all and end-all, but it will help.

Secure WordPress: A great plugin, although some of its features don't work (the scan feature, for one). It hardens several parts of your install: it removes the WordPress version string that tells a scanner exactly which release, and therefore which known bugs, you are running; it puts index files into directories so the web server cannot list their contents; and it blocks malicious query strings. Basically a must-have for WordPress installs.

Admin Protector: This plugin puts an .htaccess-style login box (HTTP Basic authentication) in front of wp-admin, so an attacker has to get past a second password before ever reaching the WordPress login form. If you don't have other users or multiple authors, this plugin is very useful; with many people logging in it gets in the way, and anything that calls wp-admin/admin-ajax.php from the public side of the site will break unless that file is exempted from the protection. Keep in mind that Basic authentication sends the credentials with every request, only Base64-encoded rather than encrypted, so pair it with the SSL plugin below or the extra password is readable to anyone on the network path.

Admin SSL: This plugin redirects wp-admin to https://, so your password and login cookie are not sent in the clear. It is only worthwhile if you have an SSL certificate on the host; without one this plugin won't help you. (WordPress itself can do the same thing since 2.6 if you set the FORCE_SSL_ADMIN constant in wp-config.php.)

WordPress File Monitor: This tool is really great for watching which files in your WordPress tree are changing. A file changing that you didn't change yourself is one of the best indicators that you have been compromised, because an attacker who gets in will almost always add a backdoor or modify an existing PHP file. You can schedule a scan of the files hourly, daily, etc. The settings I like to use are: scan every 3 hours, detection mode Hash (a content hash catches an edit that preserves the file size and timestamp, which a modification-time check misses), and exclude the directories wp-content/cache and wp-content/uploads, since those change legitimately all the time. Two caveats: whatever you exclude is invisible to the monitor, and uploads is a favourite place to drop a PHP shell, so make sure the web server is not executing PHP from there; and the plugin and its stored hashes live inside the same tree the attacker controls once they are in, so treat its alerts as an early warning rather than as proof of integrity.
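As an added example (my own code, not the WordPress File Monitor plugin's), here is the hash-mode check the plugin performs, written as a stand-alone Python script: it takes a SHA-256 baseline of the tree, skips wp-content/cache and wp-content/uploads as in the settings above, and then diffs a later snapshot to report added, removed and modified files. It goes one step beyond the text in one place: PHP files are hashed even inside the excluded directories, so a shell dropped into uploads is still reported (the extension list is my assumption, not something the plugin does). The demo() function runs the whole thing over a tiny WordPress-shaped tree that it builds in a temporary directory; the file names and contents there are made up for the example.

```python
"""Hash-based file integrity check for a WordPress install (added example)."""
import hashlib
import json
import os
import shutil
import tempfile

# Directories excluded from the scan, relative to the WordPress root (from the text).
EXCLUDED_DIRS = ("wp-content/cache", "wp-content/uploads")
# Assumption for this example: files with these extensions are hashed even inside
# excluded directories, because a webshell dropped into uploads must not be missed.
ALWAYS_WATCH = (".php", ".phtml", ".php5", ".phar")


def _in_excluded_dir(rel_path):
    return any(rel_path.startswith(d + "/") for d in EXCLUDED_DIRS)


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_posix_path: sha256_hex} for every watched file under root."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in sorted(filenames):
            rel = name if rel_dir == "." else rel_dir + "/" + name
            if _in_excluded_dir(rel) and not rel.lower().endswith(ALWAYS_WATCH):
                continue  # legitimate churn (cache pages, uploaded images)
            digests[rel] = _sha256_file(os.path.join(dirpath, name))
    return digests


def compare(baseline, current):
    """Diff two snapshots; returns sorted lists of added, removed and modified paths."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(digests, path):
    """Write the baseline as JSON. Keep it OUTSIDE the web root: a baseline the
    attacker can rewrite after planting a file tells you nothing."""
    with open(path, "w") as f:
        json.dump(digests, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Run the monitor over a constructed miniature WordPress tree (sample input
    made up for this example) and return the changes it detects."""
    root = tempfile.mkdtemp(prefix="wp-")
    state = tempfile.mkdtemp(prefix="wp-baseline-")  # stands in for a dir outside the web root
    try:
        _write(root, "wp-config.php", b"<?php define('DB_NAME', 'wp');\n")
        _write(root, "wp-includes/functions.php", b"<?php function wp_x() {}\n")
        _write(root, "wp-content/cache/page.html", b"<html>cached</html>\n")
        _write(root, "wp-content/uploads/2010/09/photo.jpg", b"\xff\xd8\xff\xe0")
        save_baseline(snapshot(root), os.path.join(state, "baseline.json"))

        # Normal churn that must NOT raise an alert:
        _write(root, "wp-content/cache/page.html", b"<html>regenerated</html>\n")
        _write(root, "wp-content/uploads/2010/09/photo2.jpg", b"\xff\xd8\xff\xe0")
        # Changes that look like a compromise:
        _write(root, "wp-includes/functions.php", b"<?php function wp_x() {} /* injected */\n")
        _write(root, "wp-content/uploads/2010/09/shell.php", b"<?php /* webshell stand-in */\n")
        os.remove(os.path.join(root, "wp-config.php"))

        return compare(load_baseline(os.path.join(state, "baseline.json")), snapshot(root))
    finally:
        shutil.rmtree(root)
        shutil.rmtree(state)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

In real use you would take the baseline right after a clean install or upgrade, store it (and the script) somewhere the web server user cannot write, and run the comparison from cron at the same three-hour interval the plugin uses, mailing yourself any non-empty result.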

WP-DB Manager: OK, so this plugin doesn't necessarily help you not get hacked, but in the case that you do and your website goes to hell or your database gets wiped out, this little tool will serve you wonders. The secret to this one is the automatic database backup feature: schedule it to email you the database backup once a day (don't forget to use the Gzip compression!). Remember that the dump contains everything in the database, every user's password hash and email address included, so the mailbox it lands in needs to be protected as well as the site itself, and restore from one of the backups now and then to make sure they are actually usable.

Put this in your wp-admin folder as .htaccess (taken from BulletProof Security). Every RewriteCond below is an unanchored, case-insensitive substring match against the query string, so the rules will also refuse a legitimate admin request whose query string happens to contain one of the words (request, select, drop, tag=, http: and so on). Test the admin screens you actually use after adding it, and if something breaks, drop the one offending line rather than the whole file; the blocked request shows up as a 403 in the Apache access log, which is how you find the false positive.

# The Most Common Apache Directives to force PHP5 to be used instead of PHP4
# Some web hosts have very specific directives - check with your web host first
# Remove the pound sign in front of AddType x-mapp-php5 .php for 1&1 web hosting
# AddType x-mapp-php5 .php
# Other common possibilities depending on your web host - check with your web host first
# AddHandler application/x-httpd-php5 .php
# AddHandler cgi-php5 .php
# mod_rewrite is off by default in a directory's own .htaccess, so turn it on here
RewriteEngine On
# Each condition is a case-insensitive (NC) match on the query string, chained
# with OR; the single RewriteRule at the end returns 403 if any of them matched.
# Do not put the RewriteRule above the conditions: a rule with no conditions
# in front of it matches unconditionally and would forbid everything in wp-admin.
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|"|;|\?|\*).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
RewriteRule ^(.*)$ - [F,L]
