How To Secure Your WordPress Blog

Starting with plugins, here is a widely used security plugin and what it is for:

Wordfence (the ultimate WordPress security plugin):

About it:

http://markmaunder.com/2012/04/23/introducing-wordfence-the-ultimate-wordpress-security-plugin/

Sign Up:

http://www.wordfence.com/choose-a-wordfence-membership-type/

Always stay upgraded to the latest version of WordPress, and don't forget to upgrade all your themes and plugins to their newest versions as well. Known vulnerabilities in outdated versions are the easiest way into a site.

Never use a username like "Admin", "admin", "user" or your own name, and never use passwords like "12345" or "admin123"; such passwords make a hacker's job trivial. Always choose something strong: at least 12 to 16 characters mixing letters, digits and special symbols. A password manager or a reputable offline generator will create one for you; don't type a password you intend to use into random web sites.

Only install trusted plugins and third-party software on your forums and blogs. Untrusted or abandoned code may contain vulnerabilities that let an attacker upload a web shell or inject XSS into your site.

Make sure all other public services running on your web server are secure

Your site looks secure so I’m going to fight dirty. I will use a tool called ‘nmap’ to scan for open ports on the machine that runs your WordPress installation. Ah, I see you have an email server running IMAP along with an FTP server. I’ll try to log in to your email server and FTP server by guessing your passwords. I’ll also check to see if the server software or the operating system is an old version that has known security holes I can exploit.
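The attacker above starts from an inventory of what is listening on your server, so do that inventory yourself first. Below is an added example (my own illustration, not from the original post or from any tool it mentions): a shell function that reads the output of `ss -tuln` and reports every socket bound to a public address whose port is not on your allow-list. Loopback-only services such as MySQL on 127.0.0.1 are not reported because they are not reachable from outside. The `ss` output and the allow-list of 22, 80 and 443 are constructed for the demo.

```shell
#!/usr/bin/env bash
# Audit listening sockets against an allow-list of ports that are meant to be public.
# Added example, not from the original post. Reads the output of `ss -tuln` on stdin.

# Loopback-bound services (MySQL on 127.0.0.1, for instance) are not reachable from
# the internet, so they are not reported.
is_loopback() {
    case "$1" in
        127.*|'[::1]'|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_listeners "22,80,443"  <  ss_output
# Prints "<proto> <bind-address> <port>" for every public listener whose port is
# not in the comma-separated allow-list. Returns 1 if anything was reported, else 0.
audit_listeners() {
    local allowed=",$1," found=0
    local netid state recvq sendq local_addr peer rest host port
    while read -r netid state recvq sendq local_addr peer rest; do
        # Skip the header line and anything that is not a listening socket
        # (ss shows TCP listeners as LISTEN and bound UDP sockets as UNCONN).
        case "$state" in LISTEN|UNCONN) ;; *) continue ;; esac
        port="${local_addr##*:}"      # "0.0.0.0:143" -> 143,     "[::]:21" -> 21
        host="${local_addr%:*}"       # "0.0.0.0:143" -> 0.0.0.0, "[::]:21" -> [::]
        if is_loopback "$host"; then continue; fi
        case "$allowed" in
            *",$port,"*) continue ;;  # an expected public service
        esac
        printf '%s %s %s\n' "$netid" "$host" "$port"
        found=1
    done
    return "$found"
}

# Constructed sample of `ss -tuln` output for the demo: SSH and HTTP are expected,
# but IMAP (143), FTP (21) and DNS (53) are also exposed; MySQL is loopback-only.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    *:80              *:*
tcp   LISTEN 0      100    0.0.0.0:143       0.0.0.0:*
tcp   LISTEN 0      32     [::]:21           [::]:*
tcp   LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*'

# Demo run on the sample. On a real server use:  ss -tuln | audit_listeners "22,80,443"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners "22,80,443" \
    || echo "unexpected public listeners above: stop them, or firewall them off"
```

Anything the function prints is either a service you forgot about or one that should be bound to 127.0.0.1 or closed off with a firewall; the non-zero exit status makes it easy to run from cron and get alerted.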

How to check server security ?

A great question: how do I check whether the server I am hosted on is safe? You have every right to ask your hosting provider: what software versions do their servers run, how up to date is their kernel, do they keep backups, do they actually apply security patches promptly, and do they use firewalls and similar protections?

If you get satisfactory answers to all of these, you are in reasonably good shape; if you do not, you are taking a risk.

Never forget that web server security and vulnerabilities can be the main reason your site ends up hacked!

Add extra protection to cPanel and directories!

Never keep your cPanel password weak! It is the easiest way for a hacker to gain access.

Always keep the admin directory extra secure by adding directory password protection (cPanel's directory password protection feature, or an .htaccess/.htpasswd pair if you manage Apache yourself).
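Here is an added example of what that directory protection looks like when done by hand with Apache .htaccess files (my own illustration, not part of the original post or of cPanel's feature; the paths and the user name are assumptions). It also handles the one thing people usually forget: admin-ajax.php inside wp-admin/ is called by themes and plugins for anonymous visitors too, so it has to stay reachable or parts of the site break. The .htpasswd itself is created beforehand with Apache's own `htpasswd` tool, outside the web root.

```shell
#!/usr/bin/env bash
# Put the WordPress admin area behind HTTP Basic auth with .htaccess (Apache 2.4 syntax).
# Added example, not part of the original post. Assumes Apache 2.4 with AllowOverride
# enabled for the site and an .htpasswd created OUTSIDE the web root beforehand, e.g.:
#   htpasswd -B -c /etc/apache2/wp-admin.htpasswd yourname
# (path and user name are placeholders)

# protect_wp_admin WP_ROOT HTPASSWD_FILE
protect_wp_admin() {
    local root="$1" htpasswd="$2"
    [ -d "$root/wp-admin" ] || { echo "no wp-admin/ under $root" >&2; return 1; }
    # The credentials file must never be downloadable: refuse any path inside the site.
    case "$htpasswd" in
        "$root"/*) echo "refusing: $htpasswd is inside the web root" >&2; return 1 ;;
    esac

    # wp-admin/: everything needs a valid user, except admin-ajax.php, which themes and
    # plugins call for anonymous visitors as well and which would otherwise break.
    cat > "$root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile $htpasswd
Require valid-user

<Files admin-ajax.php>
    Require all granted
</Files>
EOF

    # wp-login.php sits in the site root, so it needs its own <Files> block there.
    # Append it once only (the marker makes re-runs idempotent) and leave WordPress's
    # own rewrite rules in that file untouched.
    if ! grep -q '^# BEGIN wp-login protection' "$root/.htaccess" 2>/dev/null; then
        cat >> "$root/.htaccess" <<EOF
# BEGIN wp-login protection
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted admin area"
    AuthUserFile $htpasswd
    Require valid-user
</Files>
# END wp-login protection
EOF
    fi
}

# Demo on a throwaway directory standing in for the site (constructed, not a real install).
demo=$(mktemp -d)
mkdir -p "$demo/site/wp-admin"
printf 'RewriteEngine On\n' > "$demo/site/.htaccess"      # stand-in for WordPress's rules
protect_wp_admin "$demo/site" "$demo/wp-admin.htpasswd"
cat "$demo/site/wp-admin/.htaccess" "$demo/site/.htaccess"
rm -rf "$demo"
```

After applying this, check that wp-login.php and wp-admin/ prompt for the extra credentials while the front page still loads without one; if a theme feature stops working for logged-out visitors, the admin-ajax.php exception is the first thing to verify.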

Never save any password for your website or blog in plain text on your PC (notes files, browser autofill, FTP client profiles); a keylogger or password stealer will grab it.

Always keep your antivirus active, but don't use obscure or untrusted AV products: some of them behave like spyware themselves and send your keystrokes home.

Learn about cPanel file permissions and keep cPanel up to date.

FTP Security -

When connecting to your server you should use SFTP if your web host provides it; plain FTP sends your username and password in clear text. If you are unsure whether your web host provides SFTP, just ask them.

Using SFTP works the same as FTP, except that your password and other data are encrypted as they travel between your computer and your website. This means your password is never sent in the clear and cannot be read by anyone sniffing the connection. Do check the server's host key fingerprint with your host the first time you connect; blindly accepting it leaves room for a man-in-the-middle.

Some more on file permissions and database security -

The best I can share on this is the following.

File Permissions:

Some neat features of WordPress come from allowing various files to be writable by the web server. However, allowing write access to your files is potentially dangerous, particularly in a shared hosting environment.

It is best to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create specific folders with less restrictions for the purpose of doing things like uploading files.

Here is one possible permission scheme.

All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be group-owned by the user account used by the web server.

/

The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.

/wp-admin/

The WordPress administration area: all files should be writable only by your user account.

/wp-includes/

The bulk of WordPress application logic: all files should be writable only by your user account.


/wp-content/

User-supplied content: this directory is often described as "completely writable by all users (owner, group, and public)", but world-writable is exactly what you do not want on a shared host. Make it writable by your account and the web server's group only, and limit even that to the parts that really need it (typically the uploads area).

Within /wp-content/ you will find:


/wp-content/themes/

Theme files. If you want to use the built-in theme editor, all files need to be group writable. If you do not want to use the built-in theme editor (the safer choice: a stolen admin login then cannot edit PHP on your server), all files can be writable only by your user account.


/wp-content/plugins/

Plugin files: all files should be writable only by your user account.

Other directories that may be present within /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary.

Changing file permissions:

If you have shell access to your server, you can change file permissions recursively with the following commands:

For Directories:

Code:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For Files:

Code:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

Regarding Automatic Updates:

When you tell WordPress to perform an automatic update, all file operations are performed as the user that owns the files, not as the web server's user. All files are set to 0644 and all directories are set to 0755, and writable by only the user and readable by everyone else, including the web server.
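The two find commands above set the baseline, but the scheme described in this section also needs the right owner and group, a tighter wp-config.php, and a way to check that nothing was left writable. Below is an added example that does all of that (my own script, not from the original post or from WordPress): `harden_wp_perms` applies the scheme to an install, `audit_wp_perms` lists anything outside the uploads area that is group- or world-writable, and the demo runs both against a constructed throwaway tree with deliberately sloppy 777 permissions. It assumes GNU find/stat/chmod and that you run it as root or as a member of the web server's group.

```shell
#!/usr/bin/env bash
# Apply the ownership/permission scheme described above and audit for anything writable.
# Added example, not from the original post. Assumes GNU find/stat/chmod and that the
# caller may chgrp to WEB_GROUP (root, or a member of that group).

# harden_wp_perms WP_ROOT OWNER WEB_GROUP
#   OWNER     your (s)ftp / shell account, which should own every file
#   WEB_GROUP the group the web server runs as (www-data, apache, nobody ...)
harden_wp_perms() {
    local root="$1" owner="$2" webgroup="$3"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }

    # Baseline from the section above: you own everything, 755 directories, 644 files,
    # so the web server can read but not modify core, wp-admin/, wp-includes/, plugins/.
    chown -R "$owner" "$root"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +

    # wp-config.php carries the database credentials: readable by you and the web
    # server's group only, never world-readable on a shared host.
    if [ -f "$root/wp-config.php" ]; then
        chgrp "$webgroup" "$root/wp-config.php"
        chmod 640 "$root/wp-config.php"
    fi

    # Only the upload area needs write access from the web server. Group-writable
    # (not world-writable), with the setgid bit so new files inherit the web group.
    if [ -d "$root/wp-content/uploads" ]; then
        chgrp -R "$webgroup" "$root/wp-content/uploads"
        find "$root/wp-content/uploads" -type d -exec chmod 2775 {} +
        find "$root/wp-content/uploads" -type f -exec chmod 664 {} +
    fi
}

# audit_wp_perms WP_ROOT
# Lists every path outside wp-content/uploads that is writable by group or others.
# Empty output means the scheme is intact; anything printed deserves a look.
audit_wp_perms() {
    local root="$1"
    find "$root" -path "$root/wp-content/uploads" -prune -o -perm /022 -print
}

# mode_of PATH : octal mode such as 644 or 2775 (GNU stat)
mode_of() { stat -c %a "$1"; }

# Constructed throwaway tree with the "chmod 777 until it works" mistake this section
# warns about. Prints the directory it created.
demo_tree() {
    local t
    t=$(mktemp -d)
    mkdir -p "$t/wp-admin" "$t/wp-includes" "$t/wp-content/plugins/p" "$t/wp-content/uploads/2012"
    printf '<?php // constructed sample config\n' > "$t/wp-config.php"
    : > "$t/wp-admin/index.php"
    : > "$t/wp-content/plugins/p/p.php"
    : > "$t/wp-content/uploads/2012/a.jpg"
    chmod -R 777 "$t"
    printf '%s\n' "$t"
}

# Demo. On a real host the last two arguments would be e.g. yourname www-data.
tree=$(demo_tree)
echo "before: $(audit_wp_perms "$tree" | wc -l) writable paths"
harden_wp_perms "$tree" "$(id -u)" "$(id -g)"
echo "after:  $(audit_wp_perms "$tree" | wc -l) writable paths"
rm -rf "$tree"
```

Run the audit again after every plugin install or manual upload; plugins that "helpfully" chmod their own directories to 777 are a common way the scheme silently decays.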

Database Security:

If you run multiple blogs on the same server, it is wise to consider keeping them in separate databases, each managed by a different user. This is best accomplished when performing the initial WordPress installation. This is a containment strategy: if an intruder successfully cracks one WordPress installation, this makes it that much harder to alter your other blogs.

If you administer MySQL yourself, ensure that you understand your MySQL configuration and that unneeded features (such as accepting remote TCP connections) are disabled. See Secure MySQL Database Design for a nice introduction.
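Both points above, one database and one user per blog and no remote TCP access, are easy to get wrong with a quick `GRANT ALL ON *.* TO 'wp'@'%'`. Here is an added example (mine, not from the original post or from WordPress) that generates the SQL for a single isolated blog database with only the privileges WordPress needs, and a small check that a my.cnf-style file keeps MySQL on loopback. The blog name, password and config fragments are constructed for the demo; the SQL assumes MySQL 5.7+ or MariaDB 10.1+ for `CREATE USER IF NOT EXISTS`.

```shell
#!/usr/bin/env bash
# One database and one least-privilege user per blog, plus a check that MySQL is not
# listening on the network. Added example, not from the original post. Assumes MySQL 5.7+
# or MariaDB 10.1+ (CREATE USER IF NOT EXISTS) and a my.cnf-style config file.

# wp_db_isolation_sql BLOG PASSWORD
# Prints the SQL to run as the MySQL root user for one blog. Database and user are both
# named wp_<BLOG>; the user may connect only from localhost and only touch that one
# database: no global privileges, no GRANT OPTION, no 'user'@'%'.
wp_db_isolation_sql() {
    local blog="$1" pass="$2" db user
    # Refuse anything that would break out of the identifiers or string literals below.
    case "$blog" in
        ''|*[!A-Za-z0-9_]*) echo "blog name must be [A-Za-z0-9_]+" >&2; return 1 ;;
    esac
    case "$pass" in
        ''|*\'*|*\\*) echo "password must be non-empty and contain no ' or \\" >&2; return 1 ;;
    esac
    db="wp_$blog"; user="wp_$blog"
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER IF NOT EXISTS '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX,
      CREATE TEMPORARY TABLES, LOCK TABLES, REFERENCES
  ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# mysql_local_only CONFIG_FILE
# Returns 0 when the config binds MySQL to loopback only (or disables TCP entirely with
# skip-networking), 1 when it would accept remote TCP connections (including the default
# of no bind-address line at all).
mysql_local_only() {
    local cfg="$1"
    if grep -Eq '^[[:space:]]*skip[-_]networking' "$cfg"; then return 0; fi
    grep -Eq '^[[:space:]]*bind[-_]address[[:space:]]*=[[:space:]]*(127\.0\.0\.1|::1|localhost)[[:space:]]*$' "$cfg"
}

# write_sample_cnfs DIR : constructed my.cnf fragments for the demo
write_sample_cnfs() {
    local d="$1"
    printf '[mysqld]\nbind-address = 0.0.0.0\n' > "$d/exposed.cnf"
    printf '[mysqld]\nbind-address = 127.0.0.1\n' > "$d/local.cnf"
    printf '[mysqld]\n# bind-address = 127.0.0.1\nskip-networking\n' > "$d/nonet.cnf"
}

# Demo. On a real host: wp_db_isolation_sql blog1 'S0me-Strong-Pass' | mysql -u root -p
wp_db_isolation_sql blog1 'CorrectHorse-Battery-42'
d=$(mktemp -d)
write_sample_cnfs "$d"
for f in "$d"/*.cnf; do
    if mysql_local_only "$f"; then echo "$f: local only"; else echo "$f: accepts remote connections"; fi
done
rm -rf "$d"
```

Put the generated database name, user and password into that blog's wp-config.php and nothing else should ever log in as that user; if a plugin later demands more privileges, grant exactly those on that one database rather than reaching for GRANT ALL.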
