1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
  2. Hey Guest Last month we upgraded BlackHatWorld.com to a new platform - . If you notice anything that requires attention please start a new thread here.
    Dismiss Notice

Securing your wordpress site.

Discussion in 'Blogging' started by naweed, Apr 18, 2013.

  1. naweed

    naweed Junior Member

    Joined:
    Dec 25, 2011
    Messages:
    186
    Likes Received:
    37
    Hi, following the recent brute force hacking I decided to include a few simple steps that can be taken to secure your wordpress site from threat. These are simple steps that will reduce the risk that your website is hack but it won't eliminate that risk completely. You can skip some of these steps if you want.

    1. Password protect your wp-admin directory.
    I don't mean the default login of wordpress but add another one with .htpasswd. To create one go here then enter your username and password. Next copy the content in the text area and paste it in a new file name .htpasswd(note: it should not end with .txt) and upload it to your wp-admin file.

    2. Limit the ips that can access your wp-admin folder.
    This is will allow only specific ips to access your wp-admin file. Just add the following line to your .htaccess found in your wp-admin folder
    Code:
    <Limit GET POST> 
    order deny,allow
    deny from all
    allow from XXX.XXX.XXX.XXX
    
    
     </Limit>
    where xxx.xxx.xxx.xxx is your ip. if your want to add another ip just add another allow "from line"
    You can also allow a range of ip. e.g "allow from 123." will allow all ips starting by 123.
    This is the same for "allow from 123.113." it will allow any ips starting by 123.113.

    3. Install google authenticator plugin
    Just search for it in the wp plugins repository. Next download wordpress autheticator on your smartphone or tablet. Each time you login to your wp dashboard, you will need to enter your username and password as usual but also a 6 digit code that you will found in the google autheticator apps install on your smartphone. Note, your smartphone is not required to be connected to the internet but you should set your time zone and time correctly on your smartphone. Once the plugin install in wp. follow these steps:
    1. In wp dashboard user>all users>edit your profile
    2. You ill see the google authenticator settings
    3. Check the active checkbox, not the relax checkbox
    4. Do not enable app pasword as this will decrease your login security
    5. choose a description
    6. Go to google authenticator and scan the qr code or enter the secret text manually

    Ok your are done. you have just enable two way verification for your wp site. Even if someone has your password he will still be unable to login.

    4. Install login limit attempt
    This one is self explanatory. It should be enough alone to protect you site from bruteforce login attempts like the one that occur recently

    5. Do not use nulled themes or plugins
    Well you can use but only if you trust the one nulling it or if know php and html then you can check if it contains backdoors or hidden links

    6. Install a security plugin
    I don't use one personally, so I can't tell you which one to use

    These is just a short list there other task that can be done to secure your site. If you know any other tips, post it below.
     
    • Thanks Thanks x 1
  2. Ville

    Ville Newbie

    Joined:
    Sep 9, 2012
    Messages:
    32
    Likes Received:
    8
    Nice! Thank you.