Helping companies succeed online - Web Design, SEO and Content Marketing www.telezent.com

WordPress Security

How do WordPress websites get hacked? Here are the four main reasons:

Hosting + Computer Malware = 41%
Themes = 29%
Plugins = 22%
Passwords = 8%

1 Hosting

Where you host your website is very important. Most WordPress installations are hosted on shared hosting plans.

Shared hosting is high risk. Shared hosting providers host hundreds of websites on a single server, so the risk increases a hundredfold. If, due to budget or business reasons, you have to go with shared hosting, make sure you tighten up all areas of security and monitor regularly.

VPS hosting is less risky than shared hosting, because far fewer other websites share the server.

Dedicated hosting is the most secure, as the entire web server is dedicated to your website. You still have to do the right housekeeping, choose the right themes/plugins and tighten up all permissions.

WordPress managed hosting: these hosting providers offer specialized WordPress hosting. The hosting servers are optimized for WordPress from a security and performance standpoint. Managed hosting is expensive when compared to shared hosting. Here are a few of them.

2 Remove the Admin WordPress Account

This is the most important and easiest thing you could do. Hackers are well aware of the Admin account and can crack it if the password is not strong. The best option is to delete the Admin account, create another account with the same privileges, and give it a very complex user id and password.

3 Keep WordPress Updated

WordPress updates are released to fix bugs, introduce new features, patch security holes, etc. Therefore it is important to always keep WordPress updated. When patches are available for major security holes, it is important to upgrade. I have had a few clients come to us when their website got attacked.
We discovered that their WP version was years old, and that is the reason it may have got hacked.

4 Brute Force Attacks

A Brute Force Attack tries various usernames and passwords, over and over again, until it gets in. Due to the repeated nature of these attacks, you may find your website slowing down. Apart from deleting the admin account and using complex passwords, you can limit the number of logins and block the IP which is repeatedly requesting access. There are 2 plugins which are helpful:
- Limit Login Attempts
- BruteProtect

5 Hide WordPress Version

If your WordPress version is outdated, then knowing the version gives hackers clues on how to hack your website. It is a good practice to hide the WordPress version of your website. Editing the functions.php file and adding this line of code will do it:

    <?php remove_action('wp_head', 'wp_generator'); ?>

6 Secure FTP Connections and Cached Passwords

When connecting, use SFTP encryption if your hosting provider provides it. All information (passwords, user names, file data) is then encrypted as it travels between your local computer and your website. Also clear the cache of your FTP programs so that they do not store connection strings and passwords.

7 WP-CONTENT - Lock It

The wp-content folder stores all website related files such as images, themes, plugins, etc. This directory needs to be locked down, so that hackers cannot intrude and execute harmful code. Add an .htaccess file within the wp-content directory and lock it:

    Order deny,allow
    Deny from all
    <Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
    Allow from all
    </Files>

8 WP-ADMIN - Deny ACCESS

The wp-admin folder contains all the admin related code. In most cases WordPress admins and users will be the ones logging into the WordPress dashboard to post content. So you can block everyone except your admins/users. Limit who can access this directory based on their IP.
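For the brute-force attacks described in section 4, the following is an added example (not part of the original document) that scans Apache access-log lines for repeated failed logins to wp-login.php, the same pattern a login-limiting plugin reacts to. The log lines, IP addresses and threshold are constructed for illustration; it relies on WordPress answering a wrong password with the login form (HTTP 200) and a successful login with a redirect (HTTP 302).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format lines (not real traffic): 198.51.100.7 keeps
# POSTing to wp-login.php and getting the form back (200); 203.0.113.5 logs in once (302).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2014:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:09:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:09:00:07 +0000] "GET /wp-admin/ HTTP/1.1" 200 52100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def failed_logins(lines):
    """Yield (ip, timestamp) for every POST to wp-login.php answered with HTTP 200.
    WordPress re-serves the login form (200) after a wrong password and redirects (302)
    after a successful one, so a 200 response to a POST marks a failed attempt."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


def brute_force_sources(lines, max_failures=3, window=timedelta(minutes=10)):
    """Return {ip: total_failures} for IPs with more than max_failures failed logins
    inside any sliding window; these are the IPs a login-limiting plugin would block."""
    per_ip = defaultdict(list)
    for ip, ts in failed_logins(lines):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0  # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > max_failures:
                flagged[ip] = len(stamps)
                break
    return flagged
```

Running brute_force_sources(SAMPLE_LOG.splitlines()) flags only the hammering address; the single successful login is not counted.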
Create a .htaccess file in the wp-admin folder and modify it as below:

    order deny,allow
    allow from [enter your ip here]
    deny from all

You can ask your users to send you their IPs by using this tool: WhatsMyIP.org

9 Protect WP-CONFIG File in WordPress

As the name suggests, the wp-config file stores configuration related information. It stores the database name and all access information. Enter the following in the .htaccess file:

    <Files wp-config.php>
    order Allow,Deny
    Deny from all
    </Files>

Then also make sure to set both wp-config.php and .htaccess file permissions to read only.

10 Prevent all directory browsing

The WordPress file structure is well documented. It can be browsed and can reveal vulnerabilities in your website. It is a good idea to prevent all directory browsing. Add this to your .htaccess file:

    # directory browsing
    Options All -Indexes

11 Choose the right WordPress theme for your website

Be very careful about the WordPress theme you choose, and doubly careful if you are going with a free theme. Free themes can be difficult to enhance and customize, and may even have security loopholes. The best strategy is to buy them from a reputed company which has been around for many years and provides fanatical support. Free themes can place unwanted or malicious code/links on your website. Also verify your WordPress theme using the Theme Authenticity Checker plugin. It will scan your code and bring to light any malicious code or hidden links in it.

12 Check if a WordPress Plugin is Safe

The first step is to check the reliability and support of the plugin.

Evaluating a Plugin: Go to the WordPress page of that plugin and look for reviews, ratings and support options. Check when it was last updated and the number of downloads. A trustworthy plugin will have recent updates and a lot of downloads.

Check for Malicious Code: Using the Exploit Scanner plugin, check for unwanted code.
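Picking up the .htaccess and wp-config.php hardening from sections 9 and 10 (and the DISALLOW_FILE_EDIT setting recommended in section 18), here is an added audit script, not part of the original document, that checks a WordPress root for those settings and for read-only permissions on both files. The sample files it writes to a temporary directory are constructed stand-ins; point audit_wordpress_root() at a real install path to use it.

```python
import os
import re
import tempfile

# Constructed stand-ins for a site's files (not taken from any real WordPress install).
HARDENED_HTACCESS = """Options All -Indexes
<Files wp-config.php>
order Allow,Deny
Deny from all
</Files>
"""
HARDENED_WP_CONFIG = "<?php\ndefine('DB_NAME', 'example_db');\ndefine('DISALLOW_FILE_EDIT', true);\n"


def _read(path):
    with open(path, encoding="utf-8") as fh:  # callers check existence first
        return fh.read()


def is_read_only(path):
    # True when the file exists and no owner/group/other write bit is set
    return os.path.isfile(path) and os.stat(path).st_mode & 0o222 == 0


def audit_wordpress_root(root):
    """Check the hardening steps from sections 9, 10 and 18; returns {check_name: passed}."""
    htaccess, wp_config = os.path.join(root, ".htaccess"), os.path.join(root, "wp-config.php")
    ht = _read(htaccess) if os.path.isfile(htaccess) else ""
    cfg = _read(wp_config) if os.path.isfile(wp_config) else ""
    files_block = re.search(r"<Files\s+wp-config\.php>(.*?)</Files>", ht, re.S | re.I)
    return {
        "directory_listing_disabled": bool(re.search(r"^\s*Options\b.*-Indexes", ht, re.M | re.I)),
        "wp_config_denied_over_http": bool(files_block and re.search(r"\bdeny\s+from\s+all\b", files_block.group(1), re.I)),
        "file_edit_disabled": bool(re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", cfg, re.I)),
        "htaccess_read_only": is_read_only(htaccess),
        "wp_config_read_only": is_read_only(wp_config),
    }


def demo(hardened=True):
    """Write a sample root (hardened, or default-install style) to a temp dir and audit it."""
    ht = HARDENED_HTACCESS if hardened else "RewriteEngine On\n"
    cfg = HARDENED_WP_CONFIG if hardened else "<?php\ndefine('DB_NAME', 'example_db');\n"
    with tempfile.TemporaryDirectory() as root:
        for name, body in ((".htaccess", ht), ("wp-config.php", cfg)):
            path = os.path.join(root, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, 0o444 if hardened else 0o644)  # read-only as sections 9 and 10 advise
        return audit_wordpress_root(root)
```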
It will scan all your plugins and report any red flags.

13 Backup Your WordPress Website

Regularly back up your code. Backup should be in your DNA. We advise a manual backup using FTP and MySQL. This makes sure you are in complete control and nothing is missed out. Also, for quick backups you can use any of the below backup plugins. Some of them will directly back up your code to a cloud storage provider like Dropbox, AWS or Google.
- VaultPress
- BackWPup
- WP-DB-Backup

You can restore your website from backup files, should the need arise. So taking a backup of your WP codebase and database is very important.

14 Security Plugins

We advise you to install the All In One WP Security plugin. It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.

15 Increase your security features with Content Delivery Network (CDN) services

Website download speed is important; CDN services help by storing copies of your content on servers in different locations. Apart from speed, CDNs also offer security services. Below are 2 you may want to try:
- Incapsula
- CloudFlare

16 Two factor authentication

Also known as multi-factor authentication, it helps protect your WordPress site from login attacks. Even if your password gets compromised, a verification code will be required to get into your database. You can use the below plugins to establish multi-factor authentication on your site:
- Rublon (WordPress plugin)
- Google Authenticator

17 Change your admin URL

To protect the WordPress website from being hacked, we can customize the default admin URL to any name we want. This prevents hackers from reaching your admin login page.
Your default admin login page is “http://yourdomain.com/wp-admin/” and “http://yourdomain.com/wp-login.php”; you can change it to “http://yourdomain.com/abc” or “http://yourdomain.com/xyz”. There are 2 plugins which are helpful:
- HC Custom WP-Admin URL
- Better WP Security

18 Disable Theme and Plugin Editors

By default the WordPress dashboard allows administrators/users to edit themes and plugins through the admin panel. For security purposes it is necessary to disable the theme and plugin editors. You just need to add the below code to the 'wp-config.php' file:

    define('DISALLOW_FILE_EDIT', true);

About the Author

Sandeep Arora has extensive business experience in helping companies succeed online. Sandeep has helped clients create advanced websites and portals. He has helped companies grow online through effective websites and advanced digital strategies. Sandeep's dedication and passion have made Telezent a digital partner for over 150 clients. A self-motivated entrepreneur, Sandeep is never satisfied with the status quo and constantly pushes Telezent to excel in all areas.

Sandeep worked 12 years in the USA before returning to India in 2007 and starting Telezent. Below are some areas of technology he is passionate about and worked in extensively in the USA:
(a) Enterprise application integration
(b) Search engine crawler design and programming
(c) Mission critical BPM and SOA systems over the internet

In the USA he worked with Fortune 500 companies like FM Global, Lockheed Martin, AMS, Pitney Bowes, Swiss Bank (now UBS) and Avon Products over this period of time. He received his Bachelor of Technology from IIT (Indian Institute of Technology, Kharagpur) in 1993.

About Telezent

Telezent is a Global Internet Strategy and Development company. Founded in 2007, we are currently helping firms succeed online.
We provide complete internet related services:
- Website, Blog, Ecommerce and CMS development
- Mobile Website Development
- Search Engine Optimization, Social Media Marketing, Content Syndication and PPC
- Reputation Management
- Internet Research
- Graphic Design, Flash Development, Infographics and more