WordPress is the most popular self-hosted content management system (CMS) on the Internet and therefore, like Microsoft Windows, it is also the most popular target of attacks. The software is open source, hosted on GitHub, and attackers are constantly looking for bugs and vulnerabilities that can be exploited to gain access to WordPress sites.
The least you can do to keep your WordPress installation secure is to ensure that it is always running the latest version of the WordPress.org software and that your themes and plugins are kept updated as well. Here are a few other things you can do to improve the security of your WordPress blogs:
When you install a WordPress blog, the first user is called “admin” by default. You should create a different user to manage your WordPress blog and either remove the “admin” user or change the role from “administrator” to “subscriber.”
You can either create a completely random (hard to guess) username or, better, enable single sign-on with Jetpack and use your WordPress.com account to log into your self-hosted WordPress blog.
By default, WordPress publishes its version number on every page (in a generator meta tag in the page head and in the RSS feeds), making it easy for anyone to determine whether you are running an outdated, unpatched version of WordPress.
It is easy to remove the WordPress version from the page head (most security plugins do it, or a theme can remove the wp_generator action from wp_head), but you need to make one more change: delete the readme.html file from your WordPress installation directory, as it also advertises your WordPress version to the world. Core updates put this file back, so repeat the deletion after every update.
Log in to your WordPress server's Linux shell and run the following command from the WordPress root to list all “open” directories that any other user on the system can write to:
find . -type d -perm -o=w
You may also want to run the following two commands in your shell to set the right permissions for all your WordPress files and folders:
find /your/wordpress/folder/ -type d -exec chmod 755 {} \;
find /your/wordpress/folder/ -type f -exec chmod 644 {} \;
For directories, 755 (rwxr-xr-x) means that only the owner has write permission while others have read and execute permissions. For files, 644 (rw-r--r--) means that file owners have read and write permissions while others can only read the files. wp-config.php holds your database password, so tighten it further: 600 if PHP runs as the file owner (PHP-FPM pools, suPHP), or 640 with the web server's group if PHP runs as a separate user such as www-data.
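The audit and the fix above, combined into two shell functions. This is an added example, not code from the original post; it assumes the WordPress files are owned by the account that deploys them and that PHP runs as that account (so wp-config.php can be 600), and it skips the case where the web server needs a group-writable wp-content/uploads.

```shell
#!/bin/sh
# Added example (not from the original post): audit and fix permissions on a
# WordPress tree. Assumption: files are owned by the deploying account and PHP
# runs as that account; otherwise use 640 plus the web server's group for
# wp-config.php instead of 600.

# wp_perm_audit DIR: print every world-writable file or directory under DIR,
# one per line. Returns 1 if any were found, 0 if the tree is clean.
wp_perm_audit() {
    found=$(find "$1" \( -type d -o -type f \) -perm -o=w -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# wp_perm_fix DIR: directories 755, files 644, and wp-config.php 600 because
# it contains the database credentials and only the PHP process needs to read it.
wp_perm_fix() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 600 "$1/wp-config.php"
    fi
}

# wp_perm_mode PATH: print the octal mode of PATH (GNU stat first, BSD fallback).
wp_perm_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}
```

Run wp_perm_audit first and read its output before calling wp_perm_fix: a world-writable wp-content/uploads on a host where PHP runs as a different user may be there on purpose, and blindly resetting it to 755 will break media uploads rather than secure them.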
If you have installed WordPress using the default options, your WordPress tables have names like wp_posts or wp_users. It is thus a good idea to change the table prefix (wp_) to some random value. The Change DB Prefix plugin lets you rename your table prefix to any other string with a click. Note that a prefix change involves more than renaming the tables: $table_prefix in wp-config.php must be updated, and the option and meta keys that carry the prefix (wp_user_roles in wp_options, wp_capabilities and wp_user_level in wp_usermeta) must be renamed too, or every user, including you, loses their capabilities. This is defence in depth at best; an attacker who already has SQL injection can usually discover the prefix, so do not rely on it.
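What the plugin does behind the click, spelled out as SQL generated by a shell function. This is an added example and not the plugin's own code; it assumes the table list is piped in (for instance from mysql -N -e "SHOW TABLES LIKE 'wp\_%'" yourdb), that you take a backup first, and that you update $table_prefix in wp-config.php yourself.

```shell
#!/bin/sh
# Added example (not from the original post or the plugin): print the SQL that
# a WordPress table-prefix change requires. Assumptions: the list of table
# names arrives on stdin, one per line; you back up the database first and
# change $table_prefix in wp-config.php to match.

# gen_prefix_sql OLD NEW < table-list  ->  SQL statements on stdout
gen_prefix_sql() {
    old="$1"; new="$2"
    while IFS= read -r table; do
        case "$table" in
            "$old"*) ;;        # only rename tables that carry the old prefix
            *) continue ;;
        esac
        printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "${table#"$old"}"
    done
    # The prefix is also baked into option and meta keys (wp_user_roles,
    # wp_capabilities, wp_user_level). Left alone, every account loses its
    # capabilities and you are locked out of wp-admin. SUBSTRING is 1-based,
    # so the unprefixed part starts at length(old)+1. In a LIKE pattern "_"
    # is a single-character wildcard, hence the backslash escape.
    pos=$(( ${#old} + 1 ))
    like=$(printf '%s' "$old" | sed 's/_/\\_/g')
    for spec in "options:option_name" "usermeta:meta_key"; do
        tbl=${spec%%:*}; col=${spec#*:}
        cat <<EOF
UPDATE \`${new}${tbl}\` SET ${col} = CONCAT('${new}', SUBSTRING(${col}, ${pos})) WHERE ${col} LIKE '${like}%';
EOF
    done
}
```

The RENAME statements come first and the UPDATE statements target the new table names, so the output can be fed to the mysql client in one go; run it inside a transaction or with a fresh dump at hand, because half-applied renames are exactly the state that locks you out.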
This is important. Open the .htaccess file in your WordPress root directory and add the following line at the top.
Options -Indexes
It will prevent the outside world from seeing a listing of the files in your directories in case the default index.html or index.php files are absent from those directories. This is an Apache directive and needs AllowOverride to permit it; on nginx, directory listing is off unless autoindex has been switched on.
Use the WordPress.org secret-key generator at https://api.wordpress.org/secret-key/1.1/salt/ to generate the eight security keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their four matching salts). Open the wp-config.php file inside the WordPress directory and overwrite the default placeholder values with the new ones.
These random keys and salts are mixed into the authentication cookies and nonces, so changing them invalidates every existing session: if someone is logged into WordPress without your knowledge, they are logged out immediately because their cookies no longer validate. They do not affect how stored passwords are hashed; WordPress salts each password hash separately.
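Rotating the keys without leaving the shell, as an added example that is not part of the original post: the function below generates each value locally from /dev/urandom and rewrites the eight define() lines in place, leaving every other line of wp-config.php untouched. It assumes the standard one-define-per-line layout of wp-config-sample.php and the POSIX tools tr, head and sed.

```shell
#!/bin/sh
# Added example (not from the original post): rotate the eight wp-config.php
# keys and salts locally. Assumptions: /dev/urandom is available, the config
# path is passed as the first argument, and each key sits on its own
# define('NAME', '...'); line as in wp-config-sample.php.

# wp_salt: print one 64-character value drawn from /dev/urandom. The character
# class mirrors the WordPress.org generator but leaves out quotes and
# backslashes so the value can sit inside a single-quoted PHP string as-is.
wp_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_=+{}<>?~-' < /dev/urandom | head -c 64
    printf '\n'
}

# wp_rotate_salts CONFIG: replace the value of every key/salt define with a
# fresh wp_salt; all other lines are copied through unchanged.
wp_rotate_salts() {
    cfg="$1"
    tmp="$cfg.new"
    : > "$tmp"
    while IFS= read -r line; do
        case "$line" in
            define*"'AUTH_KEY'"*|define*"'SECURE_AUTH_KEY'"*|define*"'LOGGED_IN_KEY'"*|define*"'NONCE_KEY'"*|define*"'AUTH_SALT'"*|define*"'SECURE_AUTH_SALT'"*|define*"'LOGGED_IN_SALT'"*|define*"'NONCE_SALT'"*)
                # pull the constant name out of define('NAME', ...) or define( 'NAME', ...)
                name=$(printf '%s' "$line" | sed "s/^define( *'\([A-Z_]*\)'.*/\1/")
                printf "define('%s', '%s');\n" "$name" "$(wp_salt)" >> "$tmp"
                ;;
            *) printf '%s\n' "$line" >> "$tmp" ;;
        esac
    done < "$cfg"
    mv "$tmp" "$cfg"
}
```

Because every session is invalidated the moment the file is saved, run this from the shell rather than from a browser session you still need, and expect to log in again afterwards.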
The error logs can offer strong hints about the kind of invalid database queries and file requests that are hitting your WordPress installation. I prefer the Error Log Monitor plugin, as it periodically sends the error logs by email and also displays them as a widget inside your WordPress dashboard.
To enable error logging in WordPress, add the following code to your wp-config.php file and remember to replace /path/to/error.log with the actual path of your log file. The error.log file should be placed in a folder that is not accessible from the browser, since it will contain file paths and query fragments you do not want to hand to an attacker.
define('WP_DEBUG', true);
if (WP_DEBUG) {
    define('WP_DEBUG_DISPLAY', false);
    @ini_set('log_errors', 'On');
    @ini_set('display_errors', 'Off');
    @ini_set('error_log', '/path/to/error.log');
}
It is always a good idea to password protect the wp-admin folder of your WordPress site (HTTP basic authentication via .htaccess and .htpasswd on Apache), since none of the files in this area are intended for visitors to your public website. Once protected, even authorized users will have to enter two passwords to log in to their WordPress admin dashboard. One exception is required: wp-admin/admin-ajax.php is called by many themes and plugins on behalf of logged-out visitors, so exempt that file from the password prompt or front-end features will break.
You can use the “last -i” command in Linux to list the users who have logged in to your server's shell, along with their IP addresses (this covers SSH and console logins, not WordPress logins). If you find an unknown IP address in this list, it is definitely time to change your password and to work out how the account was used.
/var/log/wtmp.1 is the previous, rotated login log, so the following command shows login activity over a longer period, grouped by IP address (replace USERNAME with your shell user name).
last -if /var/log/wtmp.1 | grep USERNAME | awk '{print $3}' | sort | uniq -c
The WordPress.org repository contains quite a few good security related plugins that will continuously monitor your WordPress site for intrusions and other suspicious activity. Here are the essential ones that I would recommend.
Tip: You can also use the following Linux command to list all files that have been modified in the last 3 days (change -mtime to -mmin to see files modified in the last n minutes). Bear in mind that an attacker can reset timestamps with touch, so an empty result is not proof that nothing changed.
find . -type f -mtime -3 | grep -v "/Maildir/" | grep -v "/logs/"
Your WordPress login page is accessible to the world, but if you wish to prevent non-authorized users from logging into WordPress, you have three choices.
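A check that does not depend on timestamps, as an added example that is not part of the original post: take a SHA-256 baseline of the tree right after a clean install or update, keep it outside the web root, and compare against it later. A file whose mtime was reset with touch still shows up as changed because its digest differs. It assumes coreutils sha256sum (use shasum -a 256 on BSD/macOS) and skips wp-content/uploads and wp-content/cache, which change legitimately all the time.

```shell
#!/bin/sh
# Added example (not from the original post): content-hash baseline for a
# WordPress tree. Assumptions: sha256sum from coreutils is available and the
# baseline file lives somewhere the web server cannot serve.

# wp_baseline DIR BASELINE: write "<sha256>  <path>" for every file under DIR
# except uploads and caches, sorted by path, into BASELINE.
wp_baseline() {
    ( cd "$1" && find . -type f \
        ! -path './wp-content/uploads/*' ! -path './wp-content/cache/*' \
        -exec sha256sum {} + | sort -k2 ) > "$2"
}

# wp_verify DIR BASELINE: print "changed <path>", "added <path>" or
# "removed <path>" for every difference; return 1 if any, 0 when clean.
wp_verify() {
    cur=$(mktemp)
    wp_baseline "$1" "$cur"
    # sha256sum prints 64 hex digits, two spaces, then the path, so the path
    # starts at column 67; taking it with substr keeps paths with spaces intact.
    # The NR == FNR idiom reads the baseline first; it would misbehave on an
    # empty baseline, which a real WordPress tree never produces.
    awk 'BEGIN { bad = 0 }
         NR == FNR { base[substr($0, 67)] = $1; next }
         {
             p = substr($0, 67)
             seen[p] = 1
             if (!(p in base))       { print "added " p;   bad = 1 }
             else if (base[p] != $1) { print "changed " p; bad = 1 }
         }
         END {
             for (p in base) if (!(p in seen)) { print "removed " p; bad = 1 }
             exit bad
         }' "$2" "$cur"
    rc=$?
    rm -f "$cur"
    return $rc
}
```

Re-run wp_baseline after every core, theme or plugin update, otherwise the next wp_verify reports the update itself; anything reported between updates deserves a look at the file, not just at its timestamp.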
Also see: Must-have WordPress Plugins
Amit Agarwal is a Google Developer Expert in Google Workspace and Google Apps Script. He holds an engineering degree in Computer Science (I.I.T.) and is the first professional blogger in India.
© 2004 — 2022 Digital Inspiration® All rights reserved.
