How to Prevent Wordpress Hacking

These are 10 tips to increase WordPress security.


In recent years there has been a proliferation of great tools and services in the web development space. Content Management Systems (CMS) like WordPress, Joomla, Drupal and many others allow business owners to build their online presence quickly and efficiently. Their highly extensible architectures and rich ecosystems of plugins, modules and extensions have made it easier than ever to get a website up and running without years of learning. But the same ease that lets you build a site in a few minutes also makes it vulnerable to attackers anywhere in the world. This article will guide you in preventing these inconveniences.

The following factors can improve your website's security:

1. Update with the latest patches:

The most common reason for a website being compromised is an outdated CMS. Some users hesitate to update their CMS; once an update is available, you should apply it immediately. Nowadays hacking is almost entirely automated, with bots constantly scanning every site they can reach for exploitation opportunities. Updating once a month, or even once a week, is not good enough, because bots are very likely to find the vulnerability before you patch it. You need to update as soon as updates are released.

2. Passwords:

The second most common reason is your password. Your password must be strong in order to protect your website from unauthorized users. Some people use generic passwords, which gets their site compromised. The following is a list of commonly used passwords:
• admin/admin
• 123456
• password
• 12345
• qwerty
• letmein
• your name

If you have a habit of using such passwords, we suggest that you change them. Another technique used to break into your admin panel is a dictionary attack, in which most of the words in a dictionary are tried as the password. So we advise using the following strategies for your password:

• Complex (use letters, numbers and special characters)
• Long (try to make your password 12+ characters)
• Unique (never, ever reuse a password)

If you find it difficult to memorize such complex passwords, you can use the LastPass extension in your browser.
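As an added example (not part of the original article), here is a small shell check for the three rules above: it rejects the common passwords the article lists, a password equal to the user's own name, anything shorter than 12 characters, and anything missing letters, digits or special characters. The function name and the exact rule order are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes POSIX sh with grep and tr.

# Constructed list of the common passwords named in the article, one per line.
COMMON_PASSWORDS='admin
123456
password
12345
qwerty
letmein'

# check_password PASSWORD [USERNAME]
# Prints the first rule the password fails ("common", "name", "short",
# "no-letter", "no-digit", "no-special") or "ok"; returns 0 only on "ok".
check_password() {
    pw=$1
    name=${2:-}
    # Rule: not one of the well-known passwords (exact line, case-insensitive).
    if printf '%s\n' "$COMMON_PASSWORDS" | grep -qixF -- "$pw"; then
        echo "common"; return 1
    fi
    # Rule: not simply the user's own name.
    if [ -n "$name" ] &&
       [ "$(printf '%s' "$pw" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$name" | tr 'A-Z' 'a-z')" ]; then
        echo "name"; return 1
    fi
    # Rule: length of 12 or more.
    if [ "${#pw}" -lt 12 ]; then
        echo "short"; return 1
    fi
    # Rule: complexity, i.e. letters, digits and special characters all present.
    case $pw in *[A-Za-z]*) ;; *) echo "no-letter"; return 1 ;; esac
    case $pw in *[0-9]*) ;; *) echo "no-digit"; return 1 ;; esac
    case $pw in *[!A-Za-z0-9]*) ;; *) echo "no-special"; return 1 ;; esac
    echo "ok"
}
```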

3. One Site – One Container:

We know unlimited hosting has many attractions for subscribers, but these attractions invite many threats as well. Consider a plan in which you can host unlimited domains. This also means you can install many plugins and themes under it. If one of your plugins or themes is compromised and an attacker somehow finds an exploit for it, not only can this result in all your sites being hacked at the same time, it also makes the cleanup process much more time consuming and difficult: the infected sites can keep re-infecting one another in an endless loop. If you are already a victim of such an attack, change all of your passwords immediately, including the hosting panel, admin panel, FTP and databases.

4. Sensible User Access:

If you have more than one user working on your site, you have to assign them privileges according to their tasks. This also reduces the risk of your site being compromised: if one of your users is hacked or compromised, the damage will be restricted to their domain of control. Carefully defined access limits the mistakes that can be made, reduces the fallout of compromised accounts, and protects against the damage done by ‘rogue’ users. This is a frequently overlooked part of user management, accountability and monitoring. If people share a user account and an unwanted change is made by that user, how do you find out which person on your team was responsible? With separate accounts you can also monitor each user's activity in the logs.

5. Change Default CMS Settings:

Today’s CMS applications, although easy to use, are horrible from a security perspective for end users. By far the most common attacks against websites are entirely automated, and many of these attacks rely on the default settings being in use. This means that you can avoid a large number of attacks simply by changing the default settings when installing your CMS of choice.
For example, some CMS applications are writeable by the user, allowing a user to install whatever extensions they want. There are settings you may want to adjust to control comments, users, and the visibility of your user information. File permissions, which we discuss later, are another example of a default setting that can be hardened.
It is usually easiest to change these defaults when installing your CMS, but they can be changed later.

6. Extension Selection (Plugins & Themes):

One of the beautiful things about today’s CMS applications is their extensibility. What most don’t realize, however, is that the same extensibility is their biggest weakness. There is a massive number of plugins, add-ons and extensions providing virtually any functionality you can imagine. The reality is that this massive number of extensions can at times be a double-edged sword.

Keep the following points in mind before using such extensions.

• When the extension was last updated.
If the last update is a year old, you should look for an alternative plugin. This also shows how active the plugin developer is.
• Age of the extension and number of installs.
It is good practice to check the developer’s profile and confirm how professional they are. If the number of installs is in the order of 100 or 1000, the developer has earned the trust of many users. This also helps you avoid first-timers who have no CMS security knowledge.
• Legitimate sources.
Installing themes and plugins from legitimate sources will increase your server's security as well. Most free themes and plugins obtained from elsewhere are infected with malware.

7. Backups:

Making backups of your website is very important, but storing these backups on your web server is a major security risk. These backups invariably contain unpatched versions of your CMS and extensions, and if they are publicly accessible they give hackers easy access to your server.

8. CMS configuration files:

One of the most important files in your CMS is its configuration file, such as wp-config in WordPress and configuration.php in Joomla. You also need to know about the core server configuration files, such as .htaccess for the Apache web server, nginx.conf for Nginx and web.config for Microsoft IIS. These files also play a very important role in your site's security: you can enable hotlink protection, block certain file extensions such as .xap and .gif, and password-protect directories so that unauthorized use is prevented. There are many more rules and options you can look into for your web server configuration file. You can search for the name of your CMS, your web server and “security”, but make sure to confirm your findings are legitimate before implementing anything; some people post bad information online with malicious intent.

9. SSL Installation:

SSL (Secure Sockets Layer) encrypts the connection between point A and point B. If you are running an online store or any similar site, installing an SSL certificate on your account is a good option.

10. File Permissions:

File permissions define who can do what to a file.

Each file has 3 permissions available and each permission is represented by a number:

• ‘Read’ (4): View the file contents.
• ‘Write’ (2): Change the file contents.
• ‘Execute’ (1): Run the program file or script.

If you want to allow multiple permissions you just need to add the numbers together, e.g. to allow read (4) and write (2) you set the user permission to 6. If you want to allow a user to read (4), write (2) and execute (1) then you set the user permission to 7.

There are also 3 user types:

• Owner – Usually the creator of the file, but this can be changed. Only one user can be the owner.
• Group – Each file is assigned a group, and any user who is part of that group will get these permissions.
• Public – Everyone else.

So, if you want the owner to have read & write access, the group to have only read access, and public to have no access, the file’s permissions settings should be:

          Write    Read    Execute
Owner       2        4        0
Group       0        4        0
Public      0        0        0

When you view the file permissions this will be shown as 640.

Folders also have the same permission structure, the only difference being that the ‘execute’ flag allows you to enter the directory and make it your working directory (so you usually want it on).
Most CMS installs have all permissions correctly configured by default, so why did I just spend so much time explaining how permissions work? When searching for solutions to permissions errors, all over the web you will find people advising you to change file permissions to 666 or folder permissions to 777. This advice will usually fix the permissions error, but it is terrible advice from a security perspective: if you set a file permission to 666 or a folder permission to 777 you have just allowed *anyone* to insert malicious code or delete your files!
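As an added example (not part of the original article), the following script finds every file or folder under a site directory that carries the public ‘Write’ bit (the 666/777 advice warned about above) and removes only that bit, so 666 becomes 664 and 777 becomes 775 instead of guessing a blanket mode. The function names and the demo tree it builds are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes POSIX sh with
# find, chmod, mktemp and wc; the site path is whatever you pass in.

# Files whose mode includes the public "Write" bit (2 in the last digit).
# -perm -002 matches any entry that has at least that bit set.
find_world_writable() {
    find "$1" -type f -perm -002 -print
}

# Same check for directories (the 777 "fix" for folders).
find_world_writable_dirs() {
    find "$1" -type d -perm -002 -print
}

# Total number of offenders, handy for a cron job that alerts when it is not 0.
count_offenders() {
    n1=$(find_world_writable "$1" | wc -l | tr -d ' ')
    n2=$(find_world_writable_dirs "$1" | wc -l | tr -d ' ')
    echo $((n1 + n2))
}

# Remediation: drop only the public write bit (o-w); owner and group are untouched.
harden() {
    find "$1" -perm -002 -exec chmod o-w {} +
}

# Constructed demo tree so the script runs stand-alone: one correctly set
# config file, plus one file and one folder set the way the bad advice suggests.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '<?php // constructed placeholder\n' > "$d/wp-config.php"
    printf 'x' > "$d/wp-content/uploads/photo.jpg"
    chmod 755 "$d" "$d/wp-content"
    chmod 640 "$d/wp-config.php"                  # owner rw, group r, public nothing
    chmod 666 "$d/wp-content/uploads/photo.jpg"   # the bad advice for files
    chmod 777 "$d/wp-content/uploads"             # the bad advice for folders
    echo "$d"
}

# Stand-alone run: report, fix, report again, clean up.
root=$(make_demo_tree)
echo "offenders before: $(count_offenders "$root")"   # 2
harden "$root"
echo "offenders after:  $(count_offenders "$root")"   # 0
rm -rf "$root"
```

Point the functions at your real document root to audit a live install; only the public write bit is changed, so a correct 644/755 layout is left as it is.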


We hope it helps you.


Technical Support Team,
WebSouls

 
