
Ultimate Guide to Securing your WORDPRESS website

Discussion in 'Black Hat SEO' started by seocrab, Aug 8, 2013.

  1. seocrab

    seocrab Senior Member

    Here's my guide to making your wordpress websites ultra-secure, using some common sense and tried-and-tested methods to prevent and secure against hacking attempts:

    1. Do not use "admin" as your username! Pick something unique and not related to your niche, e.g. jason647

    2. Configure your robots.txt to stop search engines indexing hidden files:

    Code:
    #
    User-agent: *
    Disallow: /cgi-bin
    Disallow: /wp-admin
    Disallow: /wp-includes
    Disallow: /wp-content/plugins/
    Disallow: /wp-content/themes/
    
    3. Delete the readme.html and license.txt files to hide your wordpress version number.

    4. Delete the word "wordpress" from your site. Open footer.php, index.php and other site files and manually search and remove "wordpress" references (this can be done using a free text editor or the "Editor" panel in wordpress). Note: the Hide My WP plugin linked below also performs this function.

    5. Configure your .htaccess file to:

    Protect wp-config.php:

    Code:
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>
    
    Block access to plugins:

    Code:
    # directory browsing
    Options All -Indexes
    
    
    Block access to .htaccess:

    Code:
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </Files>
    6. Rename your wordpress database table prefix. Change the code in wp-config.php:
    Code:
    $table_prefix  = 'wp_';
    to:

    Code:
    $table_prefix  = 'UNIQUENAME_';
    Use numbers, letters, underscores, and upper- and lowercase combinations.

    Then login to your phpMyAdmin page through your hosting cpanel and change all table names. Tutorial with screenshots here:
    Code:
    http://www.wpbeginner.com/wp-tutorials/how-to-change-the-wordpress-database-prefix-to-improve-security/
    
    TIP: it is easier to create a unique table prefix BEFORE installing wordpress. The above instructions are for existing installations.

    If you don't like making manual changes or want additional protection, use a security plugin, such as:

    Better WP Security
    (free)
    Code:
    http://wordpress.org/plugins/better-wp-security/
    Hide My WP
    Code:
    http://www.blackhatworld.com/blackhat-seo/blogging/548823-get-hide-my-wp-no-one-can-know-you-use-wordpress-3.html
    
    Login Lockdown (free)
    Code:
    http://wordpress.org/plugins/login-lockdown/
    WP Security Scan (free)
    Code:
    http://wordpress.org/plugins/wp-security-scan/
    TIP: If you use pirated plugins/themes, check code manually, only download from a trusted source/sharer, and run security scans before activating.
     
    • Thanks Thanks x 26
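    As an added example (my own script, not code from the guide or from any plugin it links), here is an audit that checks a WordPress document root against the file-level items above (items 2, 3, 5 and 6) and then applies the fixes that are pure file edits. The function names, the sample install it builds, and the PASS/FAIL report format are my own constructions; the rules it writes into robots.txt and .htaccess are the ones from the post.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: audit a WordPress document root for
# the file-level items in the guide above (robots.txt, readme/license files,
# .htaccess rules, table prefix) and apply the fixes that are pure file edits.
# The function names and the sample install below are my own constructions.
set -u

# Constructed sample install that fails every check, for demonstration only.
make_sample() {
  local root="$1"
  mkdir -p "$root/wp-admin" "$root/wp-includes"
  printf '%s\n' '<?php' "\$table_prefix  = 'wp_';" > "$root/wp-config.php"
  printf '%s\n' 'WordPress readme' > "$root/readme.html"
  printf '%s\n' 'GPL' > "$root/license.txt"
  printf '%s\n' 'User-agent: *' 'Disallow: /wp-admin' > "$root/robots.txt"
  printf '%s\n' '# nothing hardened yet' > "$root/.htaccess"
}

# Item 6: wp-config.php must not use the default 'wp_' table prefix.
check_table_prefix() {
  ! grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*'wp_'" "$1/wp-config.php"
}

# Item 3: readme.html and license.txt (they reveal the version) must be gone.
check_version_files() {
  [ ! -e "$1/readme.html" ] && [ ! -e "$1/license.txt" ]
}

# Item 2: robots.txt must carry every Disallow line from the guide.
check_robots() {
  local p
  for p in /wp-admin /wp-includes /wp-content/plugins/ /wp-content/themes/; do
    grep -Fqx "Disallow: $p" "$1/robots.txt" || return 1
  done
}

# Item 5: .htaccess must protect wp-config.php, disable indexes and hide .hta* files.
check_htaccess() {
  local f="$1/.htaccess"
  grep -Fq '<Files wp-config.php>' "$f" && grep -Fq 'Options All -Indexes' "$f" \
    && grep -Fq '[Hh][Tt][Aa]' "$f"
}

# Run all checks: one PASS/FAIL line per check on stderr, failure count on stdout.
audit_wp() {
  local root="$1" fails=0 c
  for c in check_table_prefix check_version_files check_robots check_htaccess; do
    if "$c" "$root"; then
      echo "PASS $c" >&2
    else
      echo "FAIL $c" >&2
      fails=$((fails + 1))
    fi
  done
  echo "$fails"
}

# Fixes that are safe as plain file edits. The table prefix is deliberately left
# alone: per item 6 it also requires renaming every table in the database.
apply_file_fixes() {
  local root="$1"
  rm -f "$root/readme.html" "$root/license.txt"
  cat > "$root/robots.txt" <<'EOF'
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/
EOF
  cat > "$root/.htaccess" <<'EOF'
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# directory browsing
Options All -Indexes
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
EOF
}

# Demo on the constructed sample: 4 failures before, 1 (table prefix) after.
root="$(mktemp -d)"
make_sample "$root"
echo "before: $(audit_wp "$root") failing check(s)"
apply_file_fixes "$root"
echo "after:  $(audit_wp "$root") failing check(s)"
rm -rf "$root"
```

    Point `make_sample`'s replacement at a real document root (or call `audit_wp /path/to/site` directly) to get the report for an existing install. The one check that stays red after `apply_file_fixes` is the table prefix, which is intentional: editing wp-config.php alone would break the site until the database tables are renamed as the tutorial in item 6 describes.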
  2. Kevhart

    Kevhart Registered Member

    Great info, cheers!
     
    • Thanks Thanks x 1
  3. kingbrend

    kingbrend Regular Member Premium Member

    Those plugins are useful.. I use Login Lockdown, Better WP Security, along with Wordpress Firewall 2.

    They work really well together.
     
    • Thanks Thanks x 1
  4. swords12

    swords12 Jr. VIP Jr. VIP Premium Member

    Awesome stuff, thanks!
     
    • Thanks Thanks x 1
  5. nichelinks

    nichelinks Junior Member

    Sounds interesting, but I couldn't find the "Hide My WP" plugin; it seems the file has been deleted by the OP. I have only one doubt: everyone knows Google loves WordPress sites. If we hide WordPress, is there any chance that it will affect the SEO benefits?
     
    • Thanks Thanks x 1
    Last edited: Aug 8, 2013
  6. seocrab

    seocrab Senior Member

    Here's a link to another Hide My WP thread on here:

    Code:
    http://www.blackhatworld.com/blackhat-seo/member-downloads/545999-get-wordpress-hide-my-wp-no-one-can-know-you-use-wordpress-anymore-plugin.html
    Google "likes" Wordpress because, amongst other things, it functions well: it's got a great structure and integrates with social applications - Google doesn't overtly promote Wordpress as a platform so hiding references to "Wordpress" will not affect your rankings (in my experience). Other platforms will perform just as well, provided the user knows what they're doing. For beginners, I think Wordpress is the best choice for quick ranking, hence the need to understand its security flaws... ;)
     
  7. seocrab

    seocrab Senior Member

    Thanks for the feedback - is Wordpress Firewall 2 working with recent versions of WP? Noticed it hasn't been updated in a while:

    Code:
    http://wordpress.org/plugins/wordpress-firewall-2/
     
  8. HighTechOcean

    HighTechOcean Jr. VIP Jr. VIP

    Awesome stuff on security.

    Is there any other way of security?
     
  9. abhi007

    abhi007 Jr. VIP Jr. VIP

    apply this then no need of other...
     
  10. K.H.R

    K.H.R Jr. VIP Jr. VIP Premium Member

    Awesome share. It's really helpful for WP site owners. Thank you.
     
  11. webSPELL

    webSPELL Newbie

    Thanks for the guide.
     
  12. Zevoltai

    Zevoltai Jr. VIP Jr. VIP Premium Member

    Do you guys think wordfence is enough for general purposes?
     
  13. ch8878

    ch8878 Elite Member

    Bookmarked to read later tonight.
     
  14. 3tails

    3tails Newbie

    I'd like to add Sweetcaptcha to the list of plugins/services to add to your wordpress to lock it down. It's free, it's easy to use, and it kills bots that try to post to your site or break your password.

    Also, as a common sense rule, back everything up frequently. Weekly backups are your friend just in case something goes horribly wrong and you have to reload your stuff.
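    An added example for the backup advice above (my own script, not something the poster or any plugin provides): a file-level backup routine with a restore check and retention pruning. The names backup_wp, verify_backup and prune_backups are mine, and the docroot it backs up in the demo is a constructed sample. It does not dump the database; that is a separate step (e.g. mysqldump) whose output belongs next to the archive.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: a file-level weekly backup routine for
# the backup habit recommended above, with a restore check and retention pruning.
# backup_wp, verify_backup and prune_backups are names I chose. The database is
# not covered here; dump it separately and store the dump beside the archive.
set -u

# backup_wp <docroot> <backup_dir> <label>: archive the docroot, print the path.
backup_wp() {
  local root="$1" dest="$2" label="$3"
  local archive="$dest/wp-$label.tar.gz"
  mkdir -p "$dest"
  # An archive that fails to build or cannot be listed is worthless: discard it.
  if ! tar -czf "$archive" -C "$(dirname "$root")" "$(basename "$root")" 2>/dev/null \
     || ! tar -tzf "$archive" >/dev/null 2>&1; then
    rm -f "$archive"
    return 1
  fi
  echo "$archive"
}

# verify_backup <archive> <docroot>: restore into a scratch dir and diff against live.
# A backup that has never been restored is only a hope, so this runs after each one.
verify_backup() {
  local archive="$1" root="$2" scratch status
  scratch="$(mktemp -d)"
  tar -xzf "$archive" -C "$scratch"
  diff -r "$scratch/$(basename "$root")" "$root" >/dev/null
  status=$?
  rm -rf "$scratch"
  return "$status"
}

# prune_backups <backup_dir> <keep>: delete all but the newest <keep> archives.
prune_backups() {
  local dest="$1" keep="$2" f
  ls -1t "$dest"/wp-*.tar.gz 2>/dev/null | tail -n +"$((keep + 1))" |
    while read -r f; do rm -f "$f"; done
}

# Demo on a constructed docroot (sample content, not a real site).
site="$(mktemp -d)"; store="$(mktemp -d)"
printf '%s\n' 'deny from all' > "$site/.htaccess"
mkdir -p "$site/wp-content/uploads"
printf '%s\n' '<?php // sample' > "$site/index.php"
for week in 01 02 03; do backup_wp "$site" "$store" "2014-w$week" >/dev/null; done
verify_backup "$store/wp-2014-w03.tar.gz" "$site" && echo "restore check passed"
prune_backups "$store" 2
ls "$store"
rm -rf "$site" "$store"
```

    Run it weekly from cron with the live docroot, a backup directory outside the web root, and a date label; keep the retention count high enough that a compromise noticed late still has a clean archive behind it.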
     
  15. Matt707

    Matt707 Regular Member

    Wow! Amazing stuff here. I'll be sure to refer to your post when ever this question pops up somewhere.
     
  16. aavinash

    aavinash Newbie

    Thanks for posting
     
  17. ch8878

    ch8878 Elite Member

    Code:
    User-agent: *
    Disallow: /cgi-bin
    Disallow: /wp-content/cache/
    Disallow: /wp-content/themes/
    Disallow: /wp-content/plugins/
    Disallow: /wp-admin/
    Disallow: /wp-includes/
    Disallow: /wp-login.php
    Disallow: /wp-register.php
    Disallow: /tag/
    Disallow: /author/
    Disallow: /about/
    Disallow: /contact/
    Disallow: /privacy-statement/
    Disallow: /comments/
    Disallow: /archives/
    Disallow: /20*
    Disallow: /trackback/
    Disallow: /xmlrpc.php
    Disallow: /out/
    Disallow: /bugs/
    Disallow: /suggest/
    Disallow: /search/
     
    Last edited: Sep 24, 2014
  18. sysco32

    sysco32 Jr. VIP Jr. VIP Premium Member

    Still, even with the changes, if somebody wants to get into your WP... they will. I was under attack for 3 days, and on the 3rd day the Wordfence security system gave up. The result was 2 new admin users; I have no idea what else they changed in the system or the posts, but I deleted everything and put in a new WP, posts, etc.
     
  19. ch8878

    ch8878 Elite Member

    Ever try "Limit Login Attempts" ?
     
  20. erturu

    erturu Newbie

    Thanks for the guide.