When you live off an online business or blog, web security is crucial to you, mainly because any breach in security can hinder your business processes. This article shows you 10 useful WordPress tweaks that will help you protect your blog or website against hackers or evil bots:
1. Usually, when you mistype your password and fail to log in to your WordPress blog, WordPress displays a message telling you what went wrong. This information is useful to you, but it is just as useful to hackers eyeing your blog, because the message differs depending on whether the username exists or only the password was wrong. The ideal solution is to prevent WordPress from displaying any information about failed log-ins.
Log-in error messages can be removed by pasting the following code in your WordPress theme's functions.php file (wp-content directory):
// Hook the login_errors filter and return nothing (a closure replaces create_function(), which was removed in PHP 8)
add_filter('login_errors', function ($message) { return null; });
This code hooks the login_errors filter and replaces the error text with nothing, so no message is displayed on the log-in form.
2. SSL, a cryptographic protocol that secures communications over networks, prevents your data (including your admin password) from being intercepted in transit. SSL usage can be forced on WordPress, especially if you are hosted on HostGator or Wp WebHost, by pasting the following code in your wp-config.php file at the root of the WordPress installation:
define('FORCE_SSL_ADMIN', true);
By defining the FORCE_SSL_ADMIN constant and setting its value to true, WordPress is made to serve the log-in page and the whole admin area (wp-admin) over SSL only. The front of the site is not affected, and your host must already have an SSL certificate configured for your domain, otherwise you will lock yourself out of the admin area.
3. The wp-config.php file holds the keys to your database. Hence, protecting the wp-config.php file should be your primary concern. By using the .htaccess file located at the root of the WordPress installation, it is possible to protect your wp-config.php file. Make a copy of the .htaccess file first, and then paste the following code in the original file:
# Refuse every HTTP request for wp-config.php (PHP itself still reads the file from disk)
<files wp-config.php>
order allow,deny
deny from all
</files>
Any unwanted access to your files can be prevented using .htaccess files. The above code prevents evil bots from fetching the wp-config.php file over the web; WordPress continues to read it locally. The order/deny syntax is for Apache 2.2; on Apache 2.4 the equivalent inside the same <files> block is Require all denied.
4. Spam bots are regular visitors that pollute your blog with annoying comments. Blocking them from visiting your blog is the only sure way to stop receiving spam comments from a given source. By using the .htaccess file, you can block spam bots from accessing your blog.
Make a copy of your .htaccess file and edit the main file by adding this code:
<Limit GET POST PUT>
order allow,deny
allow from all
# one "deny from" line per address to block; 123.456.789 is a placeholder, replace it with a real IPv4 address
deny from 123.456.789
</Limit>
The placeholder IP address above should be replaced with the IP address you want to forbid access. Repeat the deny from line as many times as you want, each time inserting a new IP address you want to block.
This code essentially tells Apache that everyone is allowed on your blog except posters with the IP address 123.456.789. Note that it only covers GET, POST and PUT requests, as listed in the <Limit> line.
5. Your blog is a dynamic website. Hence, protecting it is especially important. It is not enough to protect your 'get' and 'post' requests; you should also forbid script injections and attempts to tamper with the PHP GLOBALS and _REQUEST variables through the URL. Create a back-up of your .htaccess file and paste the following code in the original:
Options +FollowSymLinks
RewriteEngine On
# Match a <script> tag (plain or URL-encoded) in the query string, case-insensitively ([NC])
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Match attempts to set the GLOBALS or _REQUEST arrays via the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Any request matching one of the conditions above is refused ([F]) and no further rules run ([L])
RewriteRule ^(.*)$ index.php [F,L]
The above rules check whether the query string of a request contains a <script> tag or an attempt to modify the PHP GLOBALS or _REQUEST variables. If it does, the request is refused and a 403 Forbidden error is shown in the client's browser. Because the patterns are simple substring matches, a legitimate search for a term such as GLOBALS can also be blocked, so test them against your own URLs.
6. If you have just started a blog, chances are your blog is not popular yet. Sometimes, despite being around for a while, some blogs are still not well known. In both cases, there will be people who want to use your content on their websites without your permission. In particular, if someone hot-links to your images, every visitor to their site uses up your server's bandwidth.
The .htaccess file comes to the rescue yet again. Make a copy of the .htaccess file and paste the following code in the original document:
RewriteEngine On
#Replace ?mysite\.com/ with your blog url
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
#Replace /images/nohotlink.jpg with your "don't hotlink" image url
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
The above code bars anyone except your own website from linking to your images. Instead of your picture, a hot-linking site will display your nohotlink.jpg image. If you point the rule at a non-existent image, websites that hot-link to your images will show blank spaces instead.
The code works by checking the Referer header: if it is not empty and does not match your blog's URL, any request for a file with a gif, jpg, jpeg, png or bmp extension is served the nohotlink image instead. Requests with an empty Referer are allowed through so that visitors typing an image URL directly, and browsers configured not to send a Referer, are not blocked.
7. A weak spot in your blog is susceptible to attacks from malicious hackers. WordPress' default protection can be enhanced to fight evil queries by pasting the following code in a text file and saving it as blockbadqueries.php:
<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/
global $user_ID;
if ($user_ID) {
    // Administrators (level_10) are never blocked by this check
    if (!current_user_can('level_10')) {
        // Reject request URIs longer than 255 characters or containing the listed substrings.
        // strpos() is case-sensitive; REQUEST_URI always starts with "/", so a match can
        // never sit at offset 0 and the plain truthiness test is safe here.
        if (strlen($_SERVER['REQUEST_URI']) > 255 ||
            strpos($_SERVER['REQUEST_URI'], "eval(") ||
            strpos($_SERVER['REQUEST_URI'], "CONCAT") ||
            strpos($_SERVER['REQUEST_URI'], "UNION+SELECT") ||
            strpos($_SERVER['REQUEST_URI'], "base64")) {
            @header("HTTP/1.1 414 Request-URI Too Long");
            @header("Status: 414 Request-URI Too Long");
            @header("Connection: Close");
            @exit;
        }
    }
}
?>
Upload blockbadqueries.php to your wp-content/plugins directory and activate it like any other plug-in to protect against harmful queries.
The above code checks for request URIs that are longer than 255 characters, or that contain the strings eval(, base64, CONCAT or UNION+SELECT. The plug-in returns a 414 error to the client's browser if any of these conditions is met.
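To see what the rules from tweaks 5 and 7 actually block before you deploy them, here is a small Python harness (added here, not code from the article or from the Block Bad Queries plugin) that re-expresses the three RewriteCond patterns and the plugin's substring checks and runs them over constructed sample request URIs, including one benign search that the rewrite rules block as a false positive:

```python
import re
from urllib.parse import urlsplit

# Added example, not part of the article: the RewriteCond patterns from tweak 5.
# Apache's %{QUERY_STRING} is still percent-encoded, so the raw query is matched,
# exactly as mod_rewrite does. Only the first condition carries [NC] (case-insensitive).
REWRITE_CONDS = [
    re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
]
# Substrings tested by the tweak-7 plugin; strpos() is case-sensitive, so these are too.
BBQ_NEEDLES = ("eval(", "CONCAT", "UNION+SELECT", "base64")
BBQ_MAX_URI_LEN = 255


def htaccess_verdict(request_uri):
    """403 if any tweak-5 condition matches the query string, else None."""
    query = urlsplit(request_uri).query
    return 403 if any(p.search(query) for p in REWRITE_CONDS) else None


def bbq_verdict(request_uri):
    """414 if the tweak-7 plugin would reject the full REQUEST_URI, else None."""
    too_long = len(request_uri) > BBQ_MAX_URI_LEN
    return 414 if too_long or any(n in request_uri for n in BBQ_NEEDLES) else None


def classify(request_uri):
    """mod_rewrite runs before PHP, so the .htaccess verdict takes precedence."""
    return htaccess_verdict(request_uri) or bbq_verdict(request_uri) or 200


# Constructed sample URIs (not captured traffic) with the status each should receive.
SAMPLES = {
    "/?s=wordpress+security": 200,
    "/?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E": 403,  # URL-encoded <script> in the query
    "/?GLOBALS[foo]=bar": 403,                       # PHP GLOBALS tampering
    "/?p=1&_REQUEST=x": 403,
    "/?id=1+UNION+SELECT+1": 414,                    # caught by the plugin, not by .htaccess
    "/?x=eval(1)": 414,
    "/?q=" + "a" * 300: 414,                         # over 255 characters
    "/?s=my_request_form": 200,                      # lowercase: the _REQUEST condition is case-sensitive
    "/?s=what+is+GLOBALS%3F": 403,                   # false positive: benign search, "GLOBALS%3F" matches
}


def check_samples():
    """Map each sample URI to the status the combined rules actually produce."""
    return {uri: classify(uri) for uri in SAMPLES}


if __name__ == "__main__":
    for uri, status in check_samples().items():
        print(status, uri[:60], "" if status == SAMPLES[uri] else "<-- unexpected")
```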
8. The head of your blog's pages automatically displays the WordPress version you are using. If your blog is always kept up to date, this information is harmless. However, if your blog is not updated regularly to the latest version while WordPress continues to announce which version you run, hackers will find it only too easy to pick the attacks that work against it.
Adding the following code to your WordPress theme's functions.php file and refreshing your blog will get rid of the WordPress version number:
remove_action('wp_head', 'wp_generator');
WordPress' "hooks" mechanism allows one function to be attached to another. The version tag is produced by the wp_generator function, which is hooked to the wp_head action. The above code removes that hook so the WordPress version is no longer printed in the page head.
9. Breaking passwords may be difficult, but it is achievable. People who want to break passwords by the brute-force method use dictionaries of password combinations. Of course, prior knowledge of your username halves their work, since they only have to guess the password. Hence, the default "admin" username should always be changed to something not easily guessable.
If you are using WordPress 3.0, you can choose the admin username during installation. If you are using one of the older versions, run the following SQL query against your database to change the username to the one you specify:
-- wp_ is the default table prefix; adjust it if your wp-config.php sets a different $table_prefix
UPDATE wp_users SET user_login = 'Your New Username' WHERE user_login = 'admin';
The UPDATE query is enough to change the log-in name in the database. However, the display name and author slug shown on posts that were made by "admin" are separate columns and are not changed by this query.
10. Directory listing is allowed by most hosts. In fact, it is a default feature. By simply typing www.yourblog.com/wp- in your browser's address bar, you will be able to see all files in that directory. This certainly makes it easy for hackers to know when files were last modified, and also to access them.
You can prevent this by adding the following to your .htaccess file or Apache configuration:
Options -Indexes
Simply adding Disallow: /wp* to your blog's robots.txt file is not enough: it only asks search engines not to index the directory and does not bar users from viewing it.