WordPress is a very popular CMS and that’s why it is highly targeted by hackers.
Although latest updates have made it one of the most used tools for e-commerce website, news portals or a business blog. There are a many ways to protect your WordPress Blog from being hacked.
We have collected some of the best practices which will help you to Secure your WordPress Website :
Disable File Editing:
Using the below code we can disable the File editor of admin side so hacker will not able to open the files if he/she want to do any change in file. By default WordPress allows user to edit the file using the editor through the admin panel.
define(‘DISALLOW_FILE_EDIT’,true);
Protect your .htaccess file
.htaccess is a important file of WordPress. .htaccess file is
mostly use for rewriting URL’s. .htaccess file will found in root
directory of WordPress.
Why .htaccess file is not visible directly in folder ?
This is because of dot extension. If you will add dot after any
file that file will not visible directly so the same concept is
applied on .htaccess file.
Using the below code we can protect the .htaccess file.
#Protect .htaccess
<files ~ “^.*\.([Hh][Tt][Aa])”>
order allow,deny
deny from all
satisfy all
</files>
Protect your wp-config.php file
Config file is most important file of WordPress. This file
contains our configuration details so it’s a important to safe
database details from hackers. Using the below code we can easily
protect the config file.
# Protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
In config file, we insert below details of site. To get the file
contain hacker will easily get the details of database like
database name, db username and db password.
// ** MySQL settings – You can get this info from your web host ** //
/** The name of the database for WordPress */
define( ‘DB_NAME’, ‘database_name_here’ );
/** MySQL database username */
define( ‘DB_USER’, ‘username_here’ );
/** MySQL database password */
define( ‘DB_PASSWORD’, ‘password_here’ );
/** MySQL hostname */
define( ‘DB_HOST’, ‘localhost’ );
Protect your error_log file
It’s important to protect the broken code of file. Hacker can
easily access the PHP value using the error log so it a important
to hide the error log of site.
Need to add the below code in .htaccess file:
#Protect error_log
<files error_log>
order allow,deny
deny from all
</files>
Also we can hide the error log using config.php file. To hide the error log need to put the below code in config file:
define( ‘WP_DEBUG_DISPLAY’, false );
Protect your WordPress Website from SQL Injection
This is widely used technique to change(manipulate) in database. Hacker can easily manipulate input field data by inserting malicious code. Also hacker can insert, update and delete the data in the database.
Protect from SQL Injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (< |%3C).script.(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Restrict Direct Access to Plugin and Theme PHP files
Using the below code so hacker will get 404 page when hacker will try to access the file of plugin and theme.
Restrict Direct Access to Plugin and Theme PHP files
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(..php)$ – [R=404,L] RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude.php RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/ RewriteRule wp-content/themes/(..php)$ – [R=404,L]
Secure the wp-includes Directory
Using the below code we can easily protect the wp-includes folder.
Protect Include-Only files
RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ – [F,L] RewriteRule !^wp-includes/ – [S=3] RewriteRule ^wp-includes/[^/]+.php$ – [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+.php – [F,L] RewriteRule ^wp-includes/theme-compat/ – [F,L]