11-02-2016, 02:20 PM
Below are some points which I wish to add
1. Do not keep the default WordPress admin user name
Create a new user, give them the same privileges and then delete the admin account.
2. Keep WordPress up to date and try to use the auto update feature
3. Try to use some difficult password which is not based on your name or dictionary based.
I will suggest you to use some nickname which is written in your local language, which is not easily detectable, and add some numbers and special characters to it.
4. Try to use Wordpress Two Step verification process for admin user.
5. Remove all unwanted plugins and themes which are not used or not monitored. Also you should remove default themes installed if not in use.
6. Install security plugins like "Captcha on Login", "Wordfence" or "iThemes Security Pro" and follow the instructions and recommendations.
7. Change “wp_” Database Table Prefix.
8. Change Default Login URL
By default, the WordPress admin login URL is wp-admin and everyone can access it, and if someone manages to crack your password then he knows what to do next :p In that case, we can change the URL to whatever we want and trick them. You don't have to do this manually because there are some paid and free plugins for this job.
9. Remove Login Error Message
By doing this you can easily prevent the Username Disclosure Vulnerability. What actually happens is when someone enters a wrong username and tries to log in, the form will come up with an error message saying "Wrong username", and this thing can help him identify the correct username; on a correct username it will come up with "The password you entered for “username” is wrong". Navigate to => Appearance => Editor and open the functions.php file and add this code:
// Replace the login error text with nothing so neither message is shown
add_filter('login_errors', function ($error) { return null; });
10. Disable Directory Listings
This is also important: one can easily access your plugin files and wp-includes folder or theme files. Disabling directory listings can help you prevent the FPD (Full Path Disclosure) vulnerability. You can do this by adding this one line of code in your .htaccess file.
Options -Indexes
11. Disable PHP Execution
By doing this you can disable all already uploaded PHP backdoors or shells, and this can really help you in many ways.
Most of the backdoors and shells are coded in PHP; that's why it's very useful.
Do this by creating a new file, naming it .htaccess and uploading it to the wp-content, plugins / themes / upload folders and the wp-includes folder, and add the below code.
<Files *.php>
deny from all
</Files>
12. Protect Wp-config.php
This is very important: as I explained above, if one website is vulnerable, so are you. You can prevent the Symlink attack by just securing the config. We have to secure it so no one can see what's inside wp-config.php and we can protect our database credentials. Add this code into your .htaccess file.
<files wp-config.php>
order allow,deny
deny from all
</files>
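The .htaccess rules from points 10, 11 and 12 above, put together as an added example that is not part of the original post. It is a POSIX shell script that writes the rules into a WordPress tree and then checks that they are in place; `harden_wp`, `check_wp_hardening`, `append_once`, `deny_files_block` and the `wp-hardening-*` markers are names chosen here, and the script assumes the standard WordPress layout (wp-config.php, wp-content/uploads, wp-includes) and Apache with `AllowOverride` permitting `Options` and access-control directives in .htaccess.

```shell
#!/bin/sh
# Added example (not the original post's code): apply the .htaccess
# hardening from points 10-12 to a WordPress install and verify it.
# Assumptions: $1 is a WordPress root in the standard layout; Apache honours
# .htaccess there. "Order allow,deny / Deny from all" as written in the post
# is Apache 2.2 syntax and only works on 2.4 with mod_access_compat, so
# both forms are emitted behind <IfModule> guards.

# Emit a <Files> block that denies web access to files matching $1,
# in Apache 2.4 (Require) and Apache 2.2 (Order/Deny) syntax.
deny_files_block() {
  cat <<EOF
<Files $1>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF
}

# Append a marked rule block (produced by the command in "$@") to $1 unless
# the marker $2 is already present. Appending rather than overwriting keeps
# WordPress's own "# BEGIN WordPress" rewrite block, and the marker check
# makes re-runs idempotent.
append_once() {
  file=$1; marker=$2; shift 2
  if [ -f "$file" ] && grep -q -- "$marker" "$file"; then
    return 0
  fi
  {
    printf '# BEGIN %s\n' "$marker"
    "$@"
    printf '# END %s\n' "$marker"
  } >> "$file"
}

# $1 = WordPress root; $2 = optional space-separated extra directories
# (relative to the root) that should also refuse to execute PHP.
harden_wp() {
  root=$1
  [ -f "$root/wp-config.php" ] || { echo "not a WordPress root: $root" >&2; return 1; }

  # Point 10: no directory listings anywhere under the web root.
  append_once "$root/.htaccess" wp-hardening-indexes printf 'Options -Indexes\n'
  # Point 12: wp-config.php must never be served by the web server.
  append_once "$root/.htaccess" wp-hardening-config deny_files_block wp-config.php
  # Point 11: no PHP execution in uploads. The post also lists plugins,
  # themes and wp-includes; those can break plugins or themes that are
  # requested directly, so they are opt-in through $2 (unquoted on purpose
  # so it splits into several directory names).
  for d in wp-content/uploads ${2:-}; do
    [ -d "$root/$d" ] || continue
    append_once "$root/$d/.htaccess" wp-hardening-nophp deny_files_block '*.php'
  done
}

# Post-check: exit 0 only when all three rules are present.
check_wp_hardening() {
  root=$1
  grep -q 'Options -Indexes' "$root/.htaccess" &&
  grep -q '<Files wp-config.php>' "$root/.htaccess" &&
  grep -q '<Files \*.php>' "$root/wp-content/uploads/.htaccess"
}

# Stand-alone usage: ./harden_wp.sh /var/www/html [ "wp-includes wp-content/plugins" ]
if [ "$#" -gt 0 ]; then
  harden_wp "$1" "${2:-}" && check_wp_hardening "$1" && echo "hardening applied"
fi
```

After running it, confirm from outside with `curl -I https://example.invalid/wp-config.php` (a placeholder host) that the server answers 403 rather than 200; if it still serves the file, `AllowOverride` is not enabled for that directory and the rules belong in the vhost configuration instead.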