Protect your WordPress Site from Getting Hacked

by Lena Shore · 2 comments

It happens all the time. Websites get hacked. Especially websites that use common software packages. Hackers want the most bang for their buck, and WordPress sites are a great target because so many people utilize them.

How Hackers Do it

Most hackers use a script that crawls your server looking for “holes” they can use to do their dirty work. Some generous hackers will even write scripts and post them on the internet for anyone to download and use. They don’t need your login or your password — just an entry point into your code. One common script finds a susceptible site, and replaces your front page with a custom page that says “you’ve been hacked”. There is usually a fair amount of bragging as well.

A hacker runs the scripts and everything happens quickly and automatically on entire servers full of websites. Most likely the “drive by” hacker doesn’t even know who they’ve hit. They just “hit and run” and go on to the next target.

This kind of hack isn’t too hard to fix, but it is still a pain to deal with and would be better if it never happened at all.

General Maintenance

  • Keep your WordPress version up-to-date. Whenever WordPress finds an exploit they are quick to fix it and issue a new version. Don’t fall behind with your updates.
  • Keep your plugins up-to-date for the same reasons.
  • Don’t have a login/user with the name “admin”. Change “admin” to a person’s name or something else meaningful for you. Admin is common and easy to guess.
  • Make your password a good one.
  • Don’t download themes and plugins from suspicious sites. They could have malicious code in them.

A note about WordPress Security Plugins

If you aren’t a programmer and everything after this section reads like pure geek-foreign-language gobbledygook, you might want to be aware that there are a lot of WordPress plugins that are specifically for security on your website. They won’t do everything, but check out what is available to see if it will help you!

Just stick to the plugins you find on WordPress.org or other reputable sources.

Does your website scream “WordPress”?

The first thing you should do is prevent the average Joe from being able to recognize your site as a WordPress site. This means removing all the WordPress tags and versions. If a WordPress hacker can’t tell you have a WordPress site, he won’t bother to case your virtual joint.

  • Remove the “Powered by WordPress” link at the bottom of your site.
  • Remove the WordPress login location (wp-login.php) at the foot of your page or change it to another location.
  • Remove the HTML tags that identify the WordPress version.
  • Remove the generator tag in the RSS feed by removing (or commenting out) the function in the general-template.php file.

Permissions, permissions, permissions

Set your permissions to these:

  • 755 = ./
  • 755 = wp-admin
  • 755 = wp-content
  • 555 = wp-includes

Katey bar the door (let’s make some serious changes)

  • Disable your indexes so that when someone navigates to your site they can’t see a list of files and folders. You can do this by adding “Options -Indexes” to your .htaccess file on your Apache server.
  • Block server-side directories like your wp-includes directory. Add this line to your .htaccess file:
    RewriteRule ^(wp-includes)\/.*$ ./ [NC,R=301,L]
    If you want to block multiple directories, add a pipe between the directory names like this:
    RewriteRule ^(wp-includes|other-directory-name)\/.*$ ./ [NC,R=301,L]
  • Rename your configuration file. Take your config.php file and give it another name, then require it from its new location, a directory that is blocked from outside access.
  • Use UTF-8 database encoding, as other character sets are vulnerable to SQL injection.
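A self-check for the permissions list and the .htaccess items above, added here as an example and not taken from the original post: point it at the WordPress root (assumed to be the directory Apache reads the .htaccess from) and it lists whatever still deviates from the checklist.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree against
# the checklist above: four directory modes plus two .htaccess directives.
# Assumes $1 is the WordPress root and that Apache reads the .htaccess there.

wp_check_mode() {
    # $1 = directory, $2 = expected octal mode; a bare octal to -perm is an exact match
    if [ ! -d "$1" ]; then
        echo "MISSING  $1"
        return 1
    fi
    if [ -z "$(find "$1" -maxdepth 0 -perm "$2")" ]; then
        echo "MODE     $1 should be $2"
        return 1
    fi
    return 0
}

wp_check_htaccess() {
    # $1 = .htaccess path; returns the number of missing directives
    _n=0
    if [ ! -f "$1" ]; then
        echo "MISSING  $1"
        return 1
    fi
    grep -q 'Options[[:space:]]*-Indexes' "$1" \
        || { echo "HTACCESS $1 lacks 'Options -Indexes'"; _n=$((_n + 1)); }
    grep -q '^RewriteRule.*wp-includes' "$1" \
        || { echo "HTACCESS $1 lacks a RewriteRule blocking wp-includes"; _n=$((_n + 1)); }
    return "$_n"
}

wp_audit() {
    # $1 = WordPress root; prints each finding and returns their count (0 = clean)
    _total=0
    wp_check_mode "$1"             755 || _total=$((_total + 1))
    wp_check_mode "$1/wp-admin"    755 || _total=$((_total + 1))
    wp_check_mode "$1/wp-content"  755 || _total=$((_total + 1))
    wp_check_mode "$1/wp-includes" 555 || _total=$((_total + 1))
    wp_check_htaccess "$1/.htaccess"  || _total=$((_total + $?))
    return "$_total"
}

# Usage: sh wp_audit.sh /var/www/html   (the path is a placeholder, not from the post)
if [ -n "${1:-}" ]; then
    if wp_audit "$1"; then echo "findings: 0"; else echo "findings: $?"; fi
fi
```

The exit status of wp_audit is the number of findings, so it can gate a deploy script or a cron job that re-checks after every WordPress or plugin update.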

Notes about screwing around with your .htaccess file

After you implement changes to your site, especially to the .htaccess file, you may find you need to clear your cache and restart your browser if things are acting funny.


Lesley May 4, 2010 at 10:21 am

Oh yea, “Admin” is a very common username. I’ll keep that in mind. Thanks for the great tip as usual!


louis vuitton bag May 22, 2010 at 3:31 am

Thanks for making my morning a little bit better with this great article!!
