Security has always been a hot topic.people buy wired homes, car alarms and gadgets to bringtheir security to the max ! Online security is important too ! Especially for people who makea living from websites and blogs
In this post i would like to give you some tweaks to improve your wordpress blog/ website’s security
1. Use .htaccess To Protect The wp-config File
The problem
As a WordPress user, you probably know how important the wp-config.php file is. This filecontains all of the information required to access your precious database: username, password,server name and so on. Protecting the wp-config.php file is critical, so how about exploitingthe power of Apache to this end?
The solution
The .htaccess file is located at the root your WordPress installation. After creating a back-upof it (it’s such a critical file that we should always have a safe copy), open it up, and pastethe following code:
Code explanation
.htaccess files are powerful and one of the best tools to prevent unwanted access to your files.In this code, we have simply created a rule that prevents any access to the wp-admin.php file,thus ensuring that no evil bots can access it.
2. Prevent Unnecessary Info From Being Displayed
The problem
When you fail to log into a WordPress blog, the CMS displays some info telling you what wentwrong. This is good if you’ve forgotten your password, but it might also be good for people whowant to hack your blog. So, why not prevent WordPress from displaying error messages on failedlog-ins?
The solution
To remove log-in error messages, simply open your theme’s functions.php file, and paste thefollowing code:
Save the file, and see for yourself: no more messages are displayed if you fail to log in.
Please note that there are several functions.php files. Be sure to change the one in yourwp-content directory.
Code explanation
With this code, we’ve added a simple hook to overwrite the login_errors() function. Because thecustom function that we created returns only null, the message displayed will be a blank string.
3. Protect Your WordPress Blog From Script Injections
The problem
Protecting dynamic websites is especially important. Most developers always protect their GETand POST requests, but sometimes this is not enough. We should also protect our blog againstscript injections and any attempt to modify the PHP GLOBALS and _REQUEST variables.
The solution
The following code blocks script injections and any attempts to modify the PHP GLOBALS and _REQUEST variables. Paste it in your .htaccess file (located in the root of your WordPressinstallation). Make sure to always back up the .htaccess file before modifying it.
Code explanation
Using the power of the .htaccess file, we can check requests. What we’ve done here is check whether the request contains a <script> and whether it has tried to modify the value of the PHP GLOBALS or _REQUEST variables. If any of these conditions are met, the request is blocked and a 403 error is returned to the client’s browser.
4. Create A Plug-In To Protect Your Blog From Malicious URL Requests
The problem
Hackers and evil-doers often use malicious queries to find and attack a blog’s weak spots.WordPress has good default protection, but enhancing it is possible.
The solution
Paste the following code in a text file, and save it as blockbadqueries.php. Once you’ve done that, upload it to your wp-content/plugins directory and activate it as you would any other plug-in. Now your blog is protected against malicious queries.
Code explanation
What this code does is pretty simple. It checks for excessively long request strings (more than 255 characters) and for the presence of either the eval or base64 PHP functions in the URI. If one of these conditions is met, then the plug-in sends a 414 error to the client’s browser.
5. Remove Your WordPress Version Number… Seriously!
The problem
As you may know, WordPress automatically displays the version you are using in the head of your blog files. This is pretty harmless if your blog is always up to date with the latest version (which is certainly what you should be doing anyway). But if for some reason your blog isn’t up to date, WordPress still displays it, and hackers will learn this vital piece of information.
The solution
Paste the following line of code in the functions.php file of your theme. Save it, refresh your blog, and voila: no more WordPress version number in the header.
Code explanation
To execute certain actions, WordPress uses a mechanism called “hooks,” which allow you to hook one function to another. The wp_generator function, which displays the WordPress version, is hooked. We can remove this hook and prevent it from executing by using the remove_action() function.
In this post i would like to give you some tweaks to improve your wordpress blog/ website’s security
1. Use .htaccess To Protect The wp-config File
The problem
As a WordPress user, you probably know how important the wp-config.php file is. This filecontains all of the information required to access your precious database: username, password,server name and so on. Protecting the wp-config.php file is critical, so how about exploitingthe power of Apache to this end?
The solution
The .htaccess file is located at the root your WordPress installation. After creating a back-upof it (it’s such a critical file that we should always have a safe copy), open it up, and pastethe following code:
Code explanation
.htaccess files are powerful and one of the best tools to prevent unwanted access to your files.In this code, we have simply created a rule that prevents any access to the wp-admin.php file,thus ensuring that no evil bots can access it.
2. Prevent Unnecessary Info From Being Displayed
The problem
When you fail to log into a WordPress blog, the CMS displays some info telling you what wentwrong. This is good if you’ve forgotten your password, but it might also be good for people whowant to hack your blog. So, why not prevent WordPress from displaying error messages on failedlog-ins?
The solution
To remove log-in error messages, simply open your theme’s functions.php file, and paste thefollowing code:
Save the file, and see for yourself: no more messages are displayed if you fail to log in.
Please note that there are several functions.php files. Be sure to change the one in yourwp-content directory.
Code explanation
With this code, we’ve added a simple hook to overwrite the login_errors() function. Because thecustom function that we created returns only null, the message displayed will be a blank string.
3. Protect Your WordPress Blog From Script Injections
The problem
Protecting dynamic websites is especially important. Most developers always protect their GETand POST requests, but sometimes this is not enough. We should also protect our blog againstscript injections and any attempt to modify the PHP GLOBALS and _REQUEST variables.
The solution
The following code blocks script injections and any attempts to modify the PHP GLOBALS and _REQUEST variables. Paste it in your .htaccess file (located in the root of your WordPressinstallation). Make sure to always back up the .htaccess file before modifying it.
Code explanation
Using the power of the .htaccess file, we can check requests. What we’ve done here is check whether the request contains a <script> and whether it has tried to modify the value of the PHP GLOBALS or _REQUEST variables. If any of these conditions are met, the request is blocked and a 403 error is returned to the client’s browser.
4. Create A Plug-In To Protect Your Blog From Malicious URL Requests
The problem
Hackers and evil-doers often use malicious queries to find and attack a blog’s weak spots.WordPress has good default protection, but enhancing it is possible.
The solution
Paste the following code in a text file, and save it as blockbadqueries.php. Once you’ve done that, upload it to your wp-content/plugins directory and activate it as you would any other plug-in. Now your blog is protected against malicious queries.
Code explanation
What this code does is pretty simple. It checks for excessively long request strings (more than 255 characters) and for the presence of either the eval or base64 PHP functions in the URI. If one of these conditions is met, then the plug-in sends a 414 error to the client’s browser.
5. Remove Your WordPress Version Number… Seriously!
The problem
As you may know, WordPress automatically displays the version you are using in the head of your blog files. This is pretty harmless if your blog is always up to date with the latest version (which is certainly what you should be doing anyway). But if for some reason your blog isn’t up to date, WordPress still displays it, and hackers will learn this vital piece of information.
The solution
Paste the following line of code in the functions.php file of your theme. Save it, refresh your blog, and voila: no more WordPress version number in the header.
Code explanation
To execute certain actions, WordPress uses a mechanism called “hooks,” which allow you to hook one function to another. The wp_generator function, which displays the WordPress version, is hooked. We can remove this hook and prevent it from executing by using the remove_action() function.
Last edited:
