
Friday, January 27, 2012

How to Protect WordPress Website From Hackers

Posted by wildrank on Friday, January 27, 2012
After several website hacking articles, I am adding one more article to this category, this time on WordPress website security. Nowadays WordPress is one of the most popular platforms among bloggers, and thousands of new people start using it every day. WordPress also provides a powerful Content Management System (CMS). Because of this popularity, more hackers are targeting WordPress and looking for vulnerabilities within the software.

In this article I am going to share some important tips for securing a WordPress website against hackers, so you can keep your focus on blogging instead of worrying about your website being hacked.

There is no software, like an anti-virus, available to secure a website. Most people consider the job done once they set up the website. It definitely is not. You can protect a website or web server only through continued effort.


How to Protect WordPress Blog/Website From Hackers


Follow these steps to protect a WordPress website or blog.

1) Use Open Source Scripts :


Unless you know what you are doing or have a well-versed development team on your payroll, it is a great idea to use open source scripts. Open source scripts like WordPress, Drupal, Joomla, Magento etc. are feature rich, powerful and backed by thousands of coders for updates & support.

This keeps websites from falling prey to hackers & spammers because of poorly written code. Instead of building from scratch, you can use the existing scripts and modify them to your liking. Commercial scripts from reputable companies can also be deployed if they issue updates & patches regularly.

2) Use Strong Passwords :


Passwords like “wildlove0123” or “unwildlover” are definitely not good. Your password does not have to reflect your “inner persona”; it is supposed to keep things safe.

Use a combination of numbers, special characters and letters, and make sure the password is at least 10 characters long. Apps like KeePass, LastPass etc. can help you generate strong passwords and store them as well.

3) Update Constantly :


Upgrade to newer versions of scripts or add new features as soon as they are released. The main intention of these updates is to fix bugs in the script, and they are as important as a full version upgrade.

5) Secure Admin Email Address :


Keep the admin email address used to log in to your webserver, CMS, database etc. away from the public eye; don't share that email address on your website or in a forum / social networking site. Use a totally different address on your contact page. This will help you avoid being scammed by a phishing email disguised to look as if it was sent by your hosting company or domain registrar.

6) Add a Database Table Prefix :


If you are using a CMS, blog or forum script, change the default database table prefix. For example, in the case of WordPress, the default database table prefix is “wp”. So if a brilliant hacker finds a way to extract data from a database, default table prefixes will leave you a sitting duck.

7) Password protect the Database :


A lot of scripts do not require you to enter a database password, and leaving it empty will still get the script installed. An empty password is a criminal waste of an additional layer of security. A database password does not slow down the website when querying the database, so there is absolutely no reason not to have one.
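A quick check for steps 6 and 7, as an added example that is not part of the original article: it assumes a standard WordPress `wp-config.php`, where the prefix is set in `$table_prefix` (shipped value `wp_`) and the password in the `DB_PASSWORD` constant. The two sample files and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a default table prefix or an empty database password
# in a WordPress wp-config.php. The sample files below are constructed.

# Extract the value assigned to $table_prefix (commented-out lines are ignored).
get_table_prefix() {
    sed -n "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Print one finding per line; print nothing if both checks pass.
audit_wp_config() {
    prefix=$(get_table_prefix "$1")
    case "$prefix" in
        ''|wp_) echo "table prefix is default or unset: '$prefix'" ;;
    esac
    if grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DB_PASSWORD['\"][[:space:]]*,[[:space:]]*(''|\"\")[[:space:]]*\)" "$1"; then
        echo "DB_PASSWORD is empty"
    fi
}

# Build two constructed configs and report the number of findings for each.
demo_wp_config() {
    dir=$(mktemp -d)
    cat > "$dir/weak.php" <<'EOF'
<?php
define( 'DB_NAME', 'blog' );
define( 'DB_PASSWORD', '' );
$table_prefix = 'wp_';
EOF
    cat > "$dir/hardened.php" <<'EOF'
<?php
define( 'DB_NAME', 'blog' );
define( 'DB_PASSWORD', 'constructed-Example-Passw0rd!' );
// $table_prefix = 'wp_';
$table_prefix = 'k7q2_';
EOF
    weak=$(audit_wp_config "$dir/weak.php" | wc -l | tr -d ' ')
    hard=$(audit_wp_config "$dir/hardened.php" | wc -l | tr -d ' ')
    rm -rf "$dir"
    echo "$weak $hard"
}
demo_wp_config
```

Run `audit_wp_config /path/to/wp-config.php` against a real installation; no output means both checks passed.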

8) Delete the Installation Folder :


Once the installation is done, there is no use for the installer folder in the day-to-day operations of a website. It is very much possible for a hacker to run the installer once again, empty the database and take control of the website & its content. Ideally, delete the folder once the installation is complete, but if you know your way around the web server, you can also opt to rename the folder.

9) Change File & Folder Permissions :


Some scripts require full read & write access during installation. This can be achieved by using the 777 code on vital folders like config, admin etc. Afterwards, revert the file permissions back to their original code, say 755 or 644. A file or folder with full read/write permissions gives easy access to inject malicious code into your website.
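One way to find and revert permissions left at 777 after an install, as an added example that is not part of the original article: it lists world-writable entries under a web root, then resets directories to 755 and regular files to 644. The function names and the throwaway directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and reset permissions left at 777 after an install.
# The directory tree used in the demo is constructed, not taken from the article.

# Print every regular file or directory under $1 that is world-writable.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Count them (0 means nothing under $1 is world-writable).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset directories to 755 and regular files to 644, the values the article names.
# Symlinks are not followed, so targets outside the web root are left alone.
reset_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a throwaway tree with 777 on "vital" folders, then report the
# number of world-writable entries before and after the reset.
demo_perms() {
    root=$(mktemp -d)
    mkdir -p "$root/config" "$root/admin"
    echo '<?php // constructed sample file' > "$root/config/settings.php"
    chmod 777 "$root/config" "$root/admin" "$root/config/settings.php"
    before=$(count_world_writable "$root")
    reset_perms "$root"
    after=$(count_world_writable "$root")
    rm -rf "$root"
    echo "$before $after"
}
demo_perms
```

Run `list_world_writable` on its own first to review what would change before calling `reset_perms` on a live site.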

10) Use Secured FTP Access :


If your webserver or ISP supports SFTP access, jump at the opportunity and upload files to your server in fully encrypted glory. Nobody can sniff what you are uploading or downloading to & from the webserver.

11) Restrict Root Access :


Be it FTP or database, never give root access to everyone willy-nilly. For FTP uploads by people other than the system administrator, restrict access to certain non-system folders.

12) Ensure the presence of .htaccess file :


.htaccess files are often used to specify the security restrictions for a particular directory, so make sure the file is there in the first place and that you have not deleted it by accident.

13) Add robots.txt file :


robots.txt gives special instructions to search engine spiders as to which folders are to be indexed and which ones are not. Folders with documents, images etc can be kept under wraps from being indexed and displayed in public web searches.

14) Use security plugins :


Mature platforms always have plugins to extend the core functionality of the script. Look for plugins that add an extra layer of security and install them. For example, WP Security Scan plugin checks if most of the steps I have mentioned above have been implemented properly in a WordPress installation.

15) Read leading Tech Blogs :


Keep yourself updated on the latest vulnerabilities, bugs and attacks on the Internet. There will be a time delay before the patches are issued and this information will help you protect your website or temporarily take it offline if there is a very serious threat. Wired’s Threat Level and Krebs on Security are good places to begin.

16) Stay away from Nulled Scripts & Themes :


Piracy of commercial scripts and paid themes is the easiest among all other forms of piracy. Smaller file sizes, absence of version specific keygen, cumbersome Daemons, DLL patches & cracks make it a cake walk to pirate a script rather than a software or PC Game.

However, unlike pirated desktop software where a hidden malware is removed by the Anti Virus software, there is no way you can escape the backdoor added to the codebase. Even for a seasoned programmer, it is impossible to go through thousands of lines of code to check if the script is free of backdoors.

A nulled script or theme with a backdoor ensures that the hacker peddling it in the first place has gotten himself a free server to spam people with mails promising to enhance things that cannot be enhanced. If you are lucky, your website might not be used for anti government propaganda or for distributing child pornography. Unless you so love orange jumpsuits or better yet, would love to go on an all expenses paid trip to a certain facility in Cuba, stay away from nulled scripts. Nulled scripts hurt the pirate worse than the developer. Enough said.

When it comes to security online, there is always an infinite number of ways to protect a website. Share with us the tips & tricks you use to protect your website by leaving a comment.

Credits go to Justin Stravarius.

Happy hacking.........

