If you run a blog on the WordPress CMS, think about the security of your site, because you are on your own: WordPress does not secure your site for you.
The tips in this tutorial are not 100% secure and do not guarantee that your site will never be compromised; they only strengthen its security. There is no perfect or permanent security, and security is not a one-time job that you set up once and then leave alone: what counts as secure today may be exploitable tomorrow as technology moves on.
The steps below are what I applied on Apache-based hosting; in a different environment or on another host there may be different ways or techniques to set this up:
1. Before you do anything, back up the database and the files first. The database can be exported via phpMyAdmin, then compressed and downloaded.
2. Always update the WordPress core, plugins and themes to the latest versions.
3. Delete files, themes and plugins that are not in use.
4. Avoid using the default 'admin' username to log in; replace it with another username and use a strong password made of numbers, upper- and lower-case letters and symbol characters.
5. Install the WP Security Scan plugin and run it.
6. Change the database table prefix to something unique: the default is 'wp_', so change it to something like 'in_', 'we_' or 'po_'. You can do this with the WP Security Scan plugin (complete step 1, the backup, first). If you installed WordPress through Softaculous, the installer also lets you choose the table prefix at install time.
7. Block crawler bots from specific folders, because many attackers who deface WordPress sites find their targets by scanning Google dork results for certain keywords that reveal the bug. Note that robots.txt is only advisory: it keeps well-behaved crawlers from indexing these paths but does not restrict access to them.
Add the following to robots.txt:
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
8. Protect the wp-config.php file by adding the following rule to .htaccess:
<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>
9. Protect the .htaccess file itself by adding the following rule to .htaccess:
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order Allow,Deny
Deny from all
Satisfy all
</Files>
10. Prevent directory listing: add the following to .htaccess, or create an index.php file in each folder.
# Disable directory browsing
Options All -Indexes
11. Block some script-injection attempts via the query string (these rules reject any request whose query string contains a <script> tag or tries to set GLOBALS or _REQUEST):
# Block script tags and GLOBALS/_REQUEST injection in the query string
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
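To see exactly what the three RewriteCond lines above accept and reject, here is an added Python port of them (example code, not part of the original post). Apache evaluates these conditions against the raw, still percent-encoded QUERY_STRING, and only the first condition carries the [NC] flag; the sample query strings are constructed for this example.

```python
import re

# Python port of the three RewriteCond patterns from the .htaccess snippet above.
# Apache tests them against the raw, still percent-encoded QUERY_STRING, which is
# why each pattern looks for both the literal character and its %XX form.
# Only the first condition carries the [NC] (case-insensitive) flag.
RULES = [
    ("script-tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("globals", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_request", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]


def blocked_by(query_string):
    """Name of the first rule that matches the raw query string, or None if the
    request would pass through to WordPress (same OR-chain as the .htaccess)."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


# Constructed sample query strings (not taken from the original post), paired
# with the verdict the .htaccess rules give.
SAMPLES = [
    ("p=123", None),                                          # ordinary permalink query
    ("s=<script>alert(1)</script>", "script-tag"),
    ("s=%3Cscript%3Ealert(1)%3C%2Fscript%3E", "script-tag"),  # percent-encoded form
    ("s=%3cSCRIPT%3e", "script-tag"),                         # [NC] makes case irrelevant
    ("q=<b>description</b>", "script-tag"),                   # false positive: 'script' inside 'description'
    ("GLOBALS[foo]=1", "globals"),
    ("globals=1", None),                                      # no [NC] here, so lower-case passes
    ("_REQUEST=1", "_request"),
]


def run_samples(samples=SAMPLES):
    """Return the samples whose actual verdict differs from the expected one;
    an empty list means the port behaves exactly as the comments describe."""
    return [(qs, expected, blocked_by(qs))
            for qs, expected in samples
            if blocked_by(qs) != expected]


if __name__ == "__main__":
    for qs, expected in SAMPLES:
        print(f"{qs!r:45} -> {blocked_by(qs)}")
    assert run_samples() == []
```

Two things worth knowing before copying the rules: the greedy `.*script.*` between the angle brackets also rejects harmless search terms such as `<b>description</b>`, and because the GLOBALS and _REQUEST conditions have no [NC], a lower-case `globals=` is not caught.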
12. Secure the includes folders by adding the following to .htaccess:
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
14. If necessary, you can also password-protect the wp-admin directory through cPanel's "Password Protect Directories" feature: set a password on the wp-admin folder.
15. Install the Akismet plugin (or a CAPTCHA plugin) to protect against comment spam.
16. Disable editing of themes and plugins from the dashboard by adding the following line to your wp-config.php:
define('DISALLOW_FILE_EDIT', true);
With this constant in place, the theme/plugin editor menu disappears from the dashboard; as we know, attackers usually plant their backdoors in theme or plugin files.
17. CHMOD wp-config.php to 400 or 600.
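Steps 6, 10, 16 and 17 are all things you can verify from the filesystem. The following Python is an added example, not code from the original post: it builds a constructed miniature WordPress tree in a temporary directory (the layout is an assumption that mirrors a stock install) and audits the table prefix, the DISALLOW_FILE_EDIT constant, the wp-config.php permissions and index.php coverage in every folder.

```python
import os
import re
import stat
import tempfile


def make_sample_site(hardened=False):
    """Constructed miniature WordPress document root (not a real install) so the
    checks below run offline. hardened=True applies steps 6, 10, 16 and 17."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for d in ("wp-content/uploads", "wp-content/plugins/hello-dolly", "wp-includes"):
        os.makedirs(os.path.join(root, d))
    prefix = "in_" if hardened else "wp_"                      # step 6
    lines = ["<?php", f"$table_prefix = '{prefix}';"]
    if hardened:
        lines.append("define('DISALLOW_FILE_EDIT', true);")   # step 16
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(cfg, 0o600 if hardened else 0o644)                # step 17
    # Step 10: an index.php in every folder stops directory listings.
    dirs = ["wp-content/plugins/hello-dolly"]
    if hardened:
        dirs += ["wp-content", "wp-content/uploads", "wp-content/plugins", "wp-includes"]
    for d in dirs:
        with open(os.path.join(root, d, "index.php"), "w") as fh:
            fh.write("<?php\n// Silence is golden.\n")
    return root


def wpconfig_mode_ok(path):
    """Step 17: wp-config.php should be mode 400 or 600 (owner-only access)."""
    return stat.S_IMODE(os.stat(path).st_mode) in (0o400, 0o600)


def table_prefix(path):
    """Step 6: read $table_prefix from wp-config.php (None if not found)."""
    with open(path) as fh:
        m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]+)['\"]", fh.read())
    return m.group(1) if m else None


def file_edit_disabled(path):
    """Step 16: DISALLOW_FILE_EDIT must be defined as true in wp-config.php."""
    with open(path) as fh:
        return re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)",
                         fh.read()) is not None


def dirs_without_index(root):
    """Step 10: directories (relative to root) that have no index.php."""
    missing = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if dirpath != root and "index.php" not in filenames:
            missing.append(os.path.relpath(dirpath, root))
    return sorted(missing)


def audit(root):
    """Return a list of findings; an empty list means every check passed."""
    cfg = os.path.join(root, "wp-config.php")
    findings = []
    if not wpconfig_mode_ok(cfg):
        findings.append("wp-config.php is not mode 400/600")
    if table_prefix(cfg) == "wp_":
        findings.append("table prefix is still the default wp_")
    if not file_edit_disabled(cfg):
        findings.append("DISALLOW_FILE_EDIT is not set")
    for d in dirs_without_index(root):
        findings.append(f"directory listing possible: {d}/ has no index.php")
    return findings


if __name__ == "__main__":
    for label, site in (("default", make_sample_site()),
                        ("hardened", make_sample_site(hardened=True))):
        print(label, audit(site) or "OK")
```

Point `audit()` at a real document root instead of the constructed one to get the same findings for your own site; the mode check is only meaningful on a Unix-style filesystem.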
18. Harden PHP. You can set these in php.ini (if your host allows it) or in .htaccess:
register_globals = Off
allow_url_fopen = Off
display_errors = Off
disable_functions = show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open
Disabling the potentially dangerous functions above may stop one of your scripts from running if it depends on one of them.
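A quick way to check whether a php.ini actually carries the step 18 settings is to parse it and compare. The following Python is an added example, not from the original post; WEAK_INI and HARDENED_INI are constructed samples, and the audit treats a directive that is absent from the file as having PHP's built-in default (allow_url_fopen and display_errors default to On, so leaving them out is not the same as turning them off).

```python
# Settings from step 18 that must be Off, and functions that must be disabled.
REQUIRED_OFF = ("register_globals", "allow_url_fopen", "display_errors")
REQUIRED_DISABLED = {"show_source", "system", "shell_exec", "passthru",
                     "exec", "phpinfo", "popen", "proc_open"}
# PHP's built-in value when the directive is absent from php.ini entirely.
BUILTIN_DEFAULT = {"register_globals": "Off", "allow_url_fopen": "On", "display_errors": "On"}


def parse_php_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections] ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_off(value):
    """php.ini accepts several spellings of 'off'."""
    return value.strip().lower() in ("off", "0", "false", "no", "none", "")


def audit_php_ini(text):
    """Return findings for step 18; an empty list means every setting is hardened."""
    s = parse_php_ini(text)
    findings = []
    for key in REQUIRED_OFF:
        if not is_off(s.get(key, BUILTIN_DEFAULT[key])):
            findings.append(f"{key} is enabled")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    for fn in sorted(REQUIRED_DISABLED - disabled):
        findings.append(f"{fn}() is not in disable_functions")
    return findings


# Constructed sample: a permissive php.ini (allow_url_fopen is simply missing).
WEAK_INI = """
; constructed sample of a permissive php.ini
display_errors = On
register_globals = Off
disable_functions = phpinfo
"""

# Constructed sample applying step 18.
HARDENED_INI = """
register_globals = Off
allow_url_fopen = Off
display_errors = Off
disable_functions = show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open
"""

if __name__ == "__main__":
    print("weak:", audit_php_ini(WEAK_INI))
    print("hardened:", audit_php_ini(HARDENED_INI) or "OK")
```

Feed it the output of `php --ini` (the loaded php.ini path) on your own host to see which of the four settings still need attention.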
19. Make periodic backups of your hosting account or website.
20. If your WordPress site gets hacked or defaced and you cannot fix it on your own, try contacting us; hopefully we can help or provide your backup.
Thank you.