WordPress Security Hacks Part One.. | Tutorial Freak – Online Tutorials


Part one: tweaks 1 to 5

Security has always been a hot topic. Offline, people buy wired homes, car alarms and gadgets to bring their security to the max. Online, security is important too, especially for people who make a living from websites and blogs. In this article, we’ll show you some useful tweaks to protect your WordPress-powered blog.

1. Prevent Unnecessary Info From Being Displayed

The problem
When you fail to log into a WordPress blog, the CMS displays some info telling you what went wrong. This is good if you’ve forgotten your password, but it might also be good for people who want to hack your blog. So, why not prevent WordPress from displaying error messages on failed log-ins?

The solution
To remove log-in error messages, simply open your theme’s functions.php file, and paste the following code:

add_filter( 'login_errors', function ( $a ) { return null; } ); // closure instead of create_function(), which was removed in PHP 8

Save the file and see for yourself: no more messages are displayed if you fail to log in.

Please note that there are several functions.php files in a WordPress installation. Be sure to change the one belonging to your active theme, under the wp-content/themes directory.

Code explanation

With this code we’ve added a simple filter on the login_errors hook. Because the callback we created returns only null, the message displayed will be a blank string.

2. Force SSL Usage

The problem
If you worry about your data being intercepted, then you could definitely use SSL. In case you don’t know what it is, SSL is a cryptographic protocol that secures communications over networks such as the Internet.

Forcing WordPress to use SSL is possible, but not all hosting services allow you to use SSL, so check with your host first.

The solution

Once you’ve checked that your Web server can handle SSL, simply open your wp-config.php file (located at the root of your WordPress installation), and paste the following:

define('FORCE_SSL_ADMIN', true);

Save the file, and you’re done!

Code explanation

Nothing hard here. WordPress uses a lot of constants to configure the software. In this case we have simply defined the FORCE_SSL_ADMIN constant and set its value to true. This results in WordPress using SSL for the log-in and administration pages.

3. Use .htaccess To Protect The wp-config File

The problem

As a WordPress user, you probably know how important the wp-config.php file is. This file contains all of the information required to access your precious database: username, password, server name and so on. Protecting the wp-config.php file is critical, so how about exploiting the power of Apache to this end?

The solution

The .htaccess file is located at the root of your WordPress installation. After creating a back-up of it (it’s such a critical file that we should always have a safe copy), open it up, and paste the following code:

<files wp-config.php>
order allow,deny
deny from all
</files>

Code explanation

.htaccess files are powerful and one of the best tools to prevent unwanted access to your files. In this code, we have simply created a rule that prevents any HTTP access to the wp-config.php file, thus ensuring that no evil bots can fetch it.

4. Blacklist Undesired Users And Bots

The problem

This is as true online as it is in real life: someone who pesters you today will probably pester you again tomorrow. Have you noticed how many spam bots return to your blog 10 times a day to post their annoying comments? The solution to this problem is quite simple: forbid them access to your blog.

The solution

Paste the following code in your .htaccess file, located at the root of your WordPress installation. As I said, always back up the .htaccess file before editing it. Also, don’t forget to change 123.456.789 to the IP address you want to ban.


order allow,deny
allow from all
deny from 123.456.789

Code explanation

Apache is powerful and can easily be used to ban undesirable people and bots from your website. With this code, we’re telling Apache that everyone is allowed to visit our blog except the person with the IP address 123.456.789.

To ban more people, simply repeat the "deny from" line on a new line for each additional IP address, as shown below:


order allow,deny
allow from all
deny from 123.456.789
deny from 93.121.788
deny from 223.956.789
deny from 128.456.780

5. Protect Your WordPress Blog From Script Injections

The problem

Protecting dynamic websites is especially important. Most developers always protect their GET and POST requests but sometimes this is not enough. We should also protect our blog against script injections and any attempt to modify the PHP GLOBALS and _REQUEST variables.

The solution

The following code blocks script injections and any attempts to modify the PHP GLOBALS and _REQUEST variables. Paste it in your .htaccess file (located in the root of your WordPress installation). Make sure to always back up the .htaccess file before modifying it.

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Code explanation

Using the power of the .htaccess file, we can check requests. What we’ve done here is check whether the request contains a
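As an added example (not part of the original article), the following Python transcribes the three RewriteCond patterns from the snippet above and runs them over constructed query strings, so you can see exactly what the rule would answer 403 to, including a harmless search string that it also catches.

```python
import re

# The three RewriteCond patterns from the .htaccess snippet, transcribed as
# Python regexes. mod_rewrite tests the *raw* (still percent-encoded) query
# string, which is why the patterns match both "<" and "%3C".
SCRIPT_TAG = re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)  # [NC] flag
GLOBALS_OVERRIDE = re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")          # case-sensitive
REQUEST_OVERRIDE = re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")         # case-sensitive


def is_blocked(query_string: str) -> bool:
    """Return True if the RewriteRule would answer 403 Forbidden ([F]).

    The conditions are chained with [OR], so a single match is enough.
    """
    return bool(
        SCRIPT_TAG.search(query_string)
        or GLOBALS_OVERRIDE.search(query_string)
        or REQUEST_OVERRIDE.search(query_string)
    )


def classify(query_strings):
    """Map each query string to 'blocked' or 'allowed'."""
    return {qs: ("blocked" if is_blocked(qs) else "allowed") for qs in query_strings}


# Constructed sample query strings (not captured traffic).
SAMPLES = [
    "p=42",                                  # ordinary post lookup
    "s=%3Cscript%3Ealert(1)%3C/script%3E",   # percent-encoded script tag
    "s=<SCRIPT>x</SCRIPT>",                  # [NC] makes the match case-insensitive
    "GLOBALS[admin]=1",                      # attempt to inject into $GLOBALS
    "_REQUEST%5Bid%5D=1",                    # encoded "[" right after _REQUEST
    "globals=1",                             # lower-case: not matched (no [NC])
    "s=<b>my script</b>",                    # benign search text, still blocked
]

if __name__ == "__main__":
    for qs, verdict in classify(SAMPLES).items():
        print(f"{verdict:8} {qs}")
```

The last sample shows the cost of this kind of pattern matching: any query string containing an angle bracket, the word "script" and a closing bracket is rejected, whether or not it is an attack.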
