WordPress Solutions for Your Business | Ahex Technologies
https://ahex.co/category/wordpress/
Ahex Technologies focuses on offshore outsourcing, by providing innovative and quality services and value creation for our clients.
Feed last updated: Fri, 13 Oct 2023 06:14:05 +0000

WP Security essential part 2
https://ahex.co/wp-security-essential-part-2/
Published: Wed, 22 Jul 2015 12:39:08 +0000

The post WP Security essential part 2 appeared first on Welcome to Ahex Technologies.
6. Hide Your WordPress Version

Another good idea is to remove the generator meta tag that WordPress adds to every page. This tag reveals the exact version of WordPress your site runs. If the version is visible, hackers know which known weaknesses of that release your website carries. If you absolutely cannot update your WordPress version (tip #1), this is a good failsafe that at least hides the fact that you're not on the most current version.
To do this, add the following line to the functions.php file of your active theme:

    remove_action( 'wp_head', 'wp_generator' );

You can go one step further and additionally remove it from RSS feeds using this:

    // Return an empty string in place of the generator tag in feeds.
    function wpt_remove_version() {
        return '';
    }
    add_filter( 'the_generator', 'wpt_remove_version' );

7. Update all the things

Every new release of WordPress contains patches and fixes that address real or potential vulnerabilities.
If you don’t keep your website updated with the latest version of WordPress, you could be leaving yourself open to attacks.
Many hackers will intentionally target older versions of WordPress with known security issues, so keep an eye on your Dashboard notification area and don’t ignore those ‘Please update now’ messages.
Don’t ignore this!
The same applies to themes and plugins. Make sure you update to the latest versions as they are released. If you keep everything up to date, your site is much less likely to get hacked.
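One way to stop relying on someone noticing the Dashboard notices is to let WordPress's built-in background updater do the work. The must-use plugin below is an added example, not code from the original post: the filter and action names are WordPress's own hooks, while the pinned-plugin list and the log file path are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not from the original post)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * It turns on WordPress's background updater for core, plugins and themes,
 * with an opt-out list for plugins you deliberately update by hand, and
 * writes what the updater did to a log file you control.
 */

// Plugins intentionally kept on a pinned version (assumed list; edit to taste).
// Entries are plugin file paths relative to wp-content/plugins/.
const AHEX_EXAMPLE_PINNED_PLUGINS = array(
    'some-payment-gateway/some-payment-gateway.php',
);

// Core: allow both minor (security/maintenance) and major releases to install
// themselves. WP_AUTO_UPDATE_CORE in wp-config.php can also control this.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins: update everything except the pinned list.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, AHEX_EXAMPLE_PINNED_PLUGINS, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Themes: update all of them.
add_filter( 'auto_update_theme', '__return_true' );

// Keep the e-mail WordPress sends after a core update so a human sees it.
add_filter( 'auto_core_update_send_email', '__return_true' );

// Record every background update, success or failure, in a log file
// (path is an assumption; it must be writable by the PHP process).
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results as $type => $updates ) {
        foreach ( $updates as $update ) {
            $name   = isset( $update->name ) ? $update->name : 'unknown';
            $status = ( true === $update->result ) ? 'ok' : 'failed';
            error_log(
                sprintf( '[auto-update] %s %s: %s', $type, $name, $status ) . PHP_EOL,
                3,
                WP_CONTENT_DIR . '/auto-update.log'
            );
        }
    }
} );
```

Background updates run from WP-Cron, so they only happen when the site receives traffic (or when you trigger wp-cron.php from a real cron job); the log line is what tells you whether the updater actually ran.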

8. Strengthen up those passwords

According to this infographic, around 8% of hacked WordPress websites are down to weak passwords.
If your WordPress administrator password is anything like 'letmein', 'abc123', 'admin' or 'password' (all way more common than you might think!), you need to change it to something secure as soon as possible.
For a password that's easy to remember but very hard to crack, I recommend coming up with a good password recipe.
If you’re feeling lazy, you can also use a password manager like LastPass to remember all your passwords for you. If you use this method, make sure your master password is nice and strong.
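Advice alone does not stop a colleague from choosing 'letmein' on their profile page. The must-use plugin below is an added example, not code from the original post: it enforces a minimum password policy on the profile form and the password-reset form using WordPress's own user_profile_update_errors and validate_password_reset hooks. The minimum length and the short deny list (seeded with the passwords named above) are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Minimum password policy (added example, not from the original post)
 *
 * Place in wp-content/mu-plugins/. Rejects weak passwords when a user sets
 * one on their profile page or through the "lost password" reset form.
 */

const AHEX_EXAMPLE_MIN_PASSWORD_LENGTH = 12;   // assumed policy value

// Passwords named in the post plus a few common variants (assumed list).
const AHEX_EXAMPLE_BANNED_PASSWORDS = array(
    'letmein', 'abc123', 'admin', 'password', 'password1', '123456', 'qwerty',
);

/**
 * Add an entry to $errors (a WP_Error) for each policy rule $password breaks.
 * $login is the account's username, so nobody can use it as their password.
 * Returns the number of problems found.
 */
function ahex_example_check_password( $password, $login, WP_Error $errors ) {
    $problems = 0;
    $lower    = strtolower( $password );

    if ( strlen( $password ) < AHEX_EXAMPLE_MIN_PASSWORD_LENGTH ) {
        $errors->add( 'pass_short', sprintf( 'Password must be at least %d characters.', AHEX_EXAMPLE_MIN_PASSWORD_LENGTH ) );
        $problems++;
    }
    if ( in_array( $lower, AHEX_EXAMPLE_BANNED_PASSWORDS, true ) ) {
        $errors->add( 'pass_common', 'That password is on the common-password list; choose another.' );
        $problems++;
    }
    if ( '' !== $login && false !== strpos( $lower, strtolower( $login ) ) ) {
        $errors->add( 'pass_login', 'Password must not contain your username.' );
        $problems++;
    }
    return $problems;
}

// Profile page (wp-admin/profile.php and user-edit.php). WordPress has already
// confirmed pass1 and pass2 match; we only look at pass1 when it was submitted.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( isset( $_POST['pass1'] ) && '' !== $_POST['pass1'] ) {
        $login = isset( $user->user_login ) ? $user->user_login : '';
        ahex_example_check_password( wp_unslash( $_POST['pass1'] ), $login, $errors );
    }
}, 10, 3 );

// Password-reset form. $user is a WP_Error when the reset key is invalid,
// and the hook also fires on the GET that displays the form, so guard both.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && '' !== $_POST['pass1'] ) {
        $login = ( $user instanceof WP_User ) ? $user->user_login : '';
        ahex_example_check_password( wp_unslash( $_POST['pass1'] ), $login, $errors );
    }
}, 10, 2 );
```

Because the errors are added to the WP_Error object WordPress already carries, the form is redisplayed with the reason and the old password stays in place; existing weak passwords are not touched until their owners next change them.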

9. Never use “admin” as your username

Earlier this year, there was a spate of brute-force attacks launched at WordPress websites across the web, consisting of repeated login attempts using the username ‘admin’, combined with a bunch of common passwords.
If you use “admin” as your username, and your password isn’t strong enough (see #3), then your site is very vulnerable to a malicious attack. It’s strongly recommended that you change your username to something less obvious.
Until version 3.0, installing WordPress automatically created a user with “admin” as the username. This was updated in version 3.0 so you can now choose your own username. Many people still use “admin” as it’s become the standard, and it’s easy to remember. Some web hosts also use auto-install scripts that still set up an ‘admin’ username by default.
Fixing this is simply a case of creating a new administrator account for yourself using a different username, logging in as that new user and deleting the original “admin” account.
If you have posts published by the "admin" account, when you delete it, you can assign all the existing posts to your new user account.

11. Hide your username from the author archive URL

Another way an attacker can potentially gain access to your username is via the author archive pages on your site.
By default WordPress displays your username in the URL of your author archive page. For example, if your username is joebloggs, your author archive page would be something like http://yoursite.com/author/joebloggs
This is less than ideal, for the same reasons explained above for the "admin" username, so it's a good idea to hide this by changing the user_nicename entry in your database, as described here.
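Both tip 9 (never use "admin") and tip 11 (keep the login out of the author URL) can be enforced automatically instead of relying on each person who creates an account. The must-use plugin below is an added example, not code from the original post: illegal_user_logins, user_register and wp_update_user() are WordPress's own APIs, while the reserved-name list and the slug format are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Username hygiene (added example, not from the original post)
 *
 * Place in wp-content/mu-plugins/. Two things:
 *  - refuse to create accounts with obvious admin-style logins;
 *  - give every new user a user_nicename (the /author/<slug>/ part) that
 *    does not simply repeat their login name.
 */

// Logins that may never be created on this site (assumed list).
add_filter( 'illegal_user_logins', function ( $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator', 'root', 'webmaster' ) );
} );

/**
 * Choose an author slug that does not contain the login. Prefer the display
 * name when it is genuinely different; otherwise fall back to a random slug.
 */
function ahex_example_author_slug( $login, $display_name ) {
    $login_slug   = sanitize_title( $login );
    $display_slug = sanitize_title( $display_name );
    if ( '' !== $display_slug && false === strpos( $display_slug, $login_slug ) ) {
        return $display_slug;
    }
    // "author-" plus 8 random lowercase letters/digits (format is an assumption).
    return 'author-' . substr( strtolower( wp_generate_password( 12, false ) ), 0, 8 );
}

// Fires once, right after WordPress inserts a new user row.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    // WordPress derives the default nicename from the login like this; if the
    // account already has a custom nicename, leave it alone.
    $default_nicename = sanitize_title( sanitize_user( $user->user_login, true ) );
    if ( $user->user_nicename !== $default_nicename ) {
        return;
    }
    // wp_update_user() fires profile_update, not user_register, so no recursion.
    wp_update_user( array(
        'ID'            => $user_id,
        'user_nicename' => ahex_example_author_slug( $user->user_login, $user->display_name ),
    ) );
} );
```

Existing accounts are not rewritten by this hook; for those, one call to wp_update_user() with a new user_nicename per user does the same job, and WordPress appends a numeric suffix itself if the slug is already taken.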

10. Limit login attempts

In the case of a hacker or a bot attempting a brute-force attack to crack your password, it can be useful to limit the number of failed login attempts from a single IP address.
Limit Login Attempts does just that, allowing you to specify how many retries will be allowed, and how long an IP will be locked out for after too many failed login attempts.
There are ways around this, as some attackers will use a large number of different IP addresses, but it’s still worth doing as an additional precaution.
Hackers use brute force attacks to try to gain access to your WordPress admin area, continually trying new random usernames and passwords.
One of the best ways to protect your website against this kind of attack is to install Login LockDown or Login Security Solution. These plugins allow you to limit the number of login attempts from a given IP range.
Once a user has failed a defined number of times, they will be locked out of your website for a defined period of time. The default lockout period can be increased to a more significant period of time if you wish.
You can manually unban any legitimate users that have been locked out, so you need not worry about frustrating your staff.
The great thing about these plugins is that they record the IP address of anyone who fails a login attempt. You can use this information to block those addresses from your website indefinitely using the .htaccess technique I discussed earlier.
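To show what such a plugin does underneath, here is a small login limiter as an added example, not the code of Limit Login Attempts, Login LockDown or Login Security Solution: it counts failed logins per client address in transients, refuses further attempts from that address once the limit is reached, and logs each failure so the addresses can be fed into the .htaccess block list mentioned above. The hook names are WordPress's own; the thresholds, transient prefixes and log path are assumptions.

```php
<?php
/**
 * Plugin Name: Failed-login limiter (added example, not from the original post)
 *
 * Place in wp-content/mu-plugins/. Thresholds below are assumed values.
 */

const AHEX_EXAMPLE_MAX_FAILURES   = 5;     // failures allowed per window
const AHEX_EXAMPLE_FAILURE_WINDOW = 900;   // seconds the failure counter lives
const AHEX_EXAMPLE_LOCKOUT_SECS   = 1800;  // how long the address stays locked out
const AHEX_EXAMPLE_LOCKOUT_ERROR  = 'ahex_example_too_many_failures';

/**
 * Client address. REMOTE_ADDR is what the web server itself saw; headers such
 * as X-Forwarded-For are client-controlled and deliberately not trusted here.
 * Behind a reverse proxy, have the web server rewrite REMOTE_ADDR instead.
 */
function ahex_example_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ahex_example_key( $prefix, $ip ) {
    return $prefix . md5( $ip );   // keeps transient names short and safe
}

function ahex_example_is_locked_out( $ip ) {
    return false !== get_transient( ahex_example_key( 'ahex_lock_', $ip ) );
}

/** Count one failure; lock the address out at the limit. Returns the new count. */
function ahex_example_record_failure( $ip, $username ) {
    $key   = ahex_example_key( 'ahex_fail_', $ip );
    $count = (int) get_transient( $key ) + 1;          // false (missing) counts as 0
    set_transient( $key, $count, AHEX_EXAMPLE_FAILURE_WINDOW );
    error_log(
        sprintf( '[login-limiter] failed login from %s for "%s" (%d/%d)', $ip, $username, $count, AHEX_EXAMPLE_MAX_FAILURES ) . PHP_EOL,
        3,
        WP_CONTENT_DIR . '/login-failures.log'        // assumed path; must be writable
    );
    if ( $count >= AHEX_EXAMPLE_MAX_FAILURES ) {
        set_transient( ahex_example_key( 'ahex_lock_', $ip ), time(), AHEX_EXAMPLE_LOCKOUT_SECS );
        delete_transient( $key );
    }
    return $count;
}

// 1. WordPress fires wp_login_failed after a wrong password or unknown user.
//    Attempts rejected by our own lockout are skipped, so a locked-out client
//    cannot keep extending its lockout simply by retrying.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    if ( $error instanceof WP_Error && AHEX_EXAMPLE_LOCKOUT_ERROR === $error->get_error_code() ) {
        return;
    }
    ahex_example_record_failure( ahex_example_client_ip(), (string) $username );
}, 10, 2 );

// 2. Priority 30 runs after WordPress's own username/password check (priority
//    20), so even a correct password from a locked-out address is rejected.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === (string) $username ) {
        return $user;   // cookie-based auth check, nothing to rate-limit
    }
    if ( ahex_example_is_locked_out( ahex_example_client_ip() ) ) {
        return new WP_Error( AHEX_EXAMPLE_LOCKOUT_ERROR, 'Too many failed logins from your address; try again later.' );
    }
    return $user;
}, 30, 3 );

// 3. A successful login clears the failure counter for that address.
add_action( 'wp_login', function () {
    delete_transient( ahex_example_key( 'ahex_fail_', ahex_example_client_ip() ) );
} );

/** Manual unblock for a legitimate user, e.g. via WP-CLI: wp eval 'ahex_example_unlock("203.0.113.7");' */
function ahex_example_unlock( $ip ) {
    delete_transient( ahex_example_key( 'ahex_lock_', $ip ) );
    delete_transient( ahex_example_key( 'ahex_fail_', $ip ) );
}
```

Transients live in the options table (or the object cache if one is configured), so the counters survive across requests and PHP workers; as the post says, an attacker spreading attempts across many addresses stays under a per-address limit, which is why the logged addresses and a web-server-level block list are still worth keeping.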

WP Security Essential Part 1
https://ahex.co/wp-security-essential-part-1/
Published: Thu, 23 Jul 2015 05:44:26 +0000
How Do Hackers Compromise Your Website?

It is important to understand how hackers gain entry into a WordPress website and have their wicked way. Although there are many different ways in which a hacker can break into a WordPress website, the main techniques can be grouped together into four categories. In an article last year, WP White Security reported the following statistics about hacked websites:

  • 41% were hacked through a security vulnerability on their hosting platform
  • 29% were hacked via a security issue in the WordPress Theme they were using
  • 22% were hacked via a security issue in the WordPress Plugins they were using
  • 8% were hacked because they had a weak password

As you can see, 41% of attacks are caused by security issues within your hosting platform. This covers a lot of techniques, such as using a URL parameter to perform an SQL injection. This technique lets the hacker run their own SQL statements against your database, which can allow them to change data (e.g. your password), retrieve it, or delete it (e.g. delete all your posts and pages).
A whopping 51% of attacks were made through a WordPress plugin or theme. Hackers can do things such as insert eval(base64_decode(...)) code, which lets them run arbitrary PHP from your website (e.g. to send spam). They may also leave a backdoor somewhere on your website. This is a technique they use to regain access to your website in the future, even when you believe you have deleted all malicious files.
Last on the list is a weak password. Hackers continue to gain access in this way by using automated scripts that continually guess passwords until they gain entry; a technique that is known as brute force.
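The "URL parameter to SQL injection" pattern mentioned above usually comes from plugin or theme code that pastes request input into a query string. The following is an added example, not code from the original post, showing the vulnerable shape next to the fixed one; $wpdb, $wpdb->prepare() and $wpdb->esc_like() are WordPress's real database API, while the products table, its columns and the request parameter names are assumptions.

```php
<?php
/**
 * Added example (not from the original post): the same lookup written the
 * injectable way and the parameterised way. Table and columns are assumed.
 */

// VULNERABLE: the value of ?product_id=... is concatenated into the SQL text,
// so whatever the visitor types becomes part of the statement.
function ahex_example_get_product_unsafe() {
    global $wpdb;
    $id = $_GET['product_id'];
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}products WHERE id = $id" );
}

// FIXED: coerce to the expected type first, then let prepare() bind the value.
// %d forces an integer; %s is quoted and escaped by WordPress.
function ahex_example_get_product_safe() {
    global $wpdb;
    $id = isset( $_GET['product_id'] ) ? absint( $_GET['product_id'] ) : 0;
    if ( 0 === $id ) {
        return null;   // missing or non-numeric id: no query at all
    }
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}products WHERE id = %d", $id )
    );
}

// The same rule for a string parameter, e.g. ?sku=ABC-123 (assumed column).
function ahex_example_get_product_by_sku( $sku ) {
    global $wpdb;
    $sku = sanitize_text_field( $sku );
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}products WHERE sku = %s", $sku )
    );
}

// LIKE searches need one more step: % and _ inside the user's term are
// wildcards, so escape them with esc_like() before adding your own wildcards.
function ahex_example_search_products( $term ) {
    global $wpdb;
    $pattern = '%' . $wpdb->esc_like( sanitize_text_field( $term ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, name FROM {$wpdb->prefix}products WHERE name LIKE %s", $pattern )
    );
}
```

The table name is the one thing prepare() cannot bind; it comes from $wpdb->prefix, which is configuration rather than request input, and is the reason tip 3 below treats the prefix as site-specific.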

WordPress Security Best Practices

Hackers are not looking for a long battle to gain access to a website. They specifically go after WordPress websites that are vulnerable because of security holes. You can therefore effectively block 99.99% of attacks on your website by simply addressing these security issues.
I would like to walk through techniques that you can apply to your website in order to make it more secure. It should not take you more than 20 to 30 minutes to apply all of these techniques. All you have to do is modify a few key files such as .htaccess and wp-config.php. I will also speak about security best practices and recommend WordPress plugins that will help you make your website more secure.
Remember that prevention is better than the cure. If you follow the advice given in this section, a hacker will find it very difficult to gain access to your website in the first instance.

Things to keep in mind related to security while developing the WordPress site:

1. Website Hosts

Often, a good place to start when it comes to website security is your hosting environment.
Today, there are a number of options available to you, and while hosts offer security to a certain level, it's important to understand where their responsibility ends and yours begins. Here is a good article explaining the complicated dynamic between web hosts and the security of your website. A secure server protects the privacy, integrity, and availability of the resources under the server administrator's control.
Qualities of a trusted web host might include:

  • Readily discusses your security concerns and which security features and processes they offer with their hosting.
  • Provides the most recent stable versions of all server software.
  • Provides reliable methods for backup and recovery.
  • Support for the latest versions of PHP and MySQL
  • Is optimized for running WordPress
  • Includes a WordPress-optimized firewall
  • Has malware scanning and intrusive file detection
  • Trains their staff on important WordPress security issues

Decide which security you need on your server by determining the software and data that needs to be secured. The rest of this guide will help you with this.

1. Try to avoid free themes

We’re confident in the quality and security of our free themes. As a general rule though, it’s better to avoid using free themes, if possible, especially if they aren’t built by a reputable developer.
The main reason for this is that free themes can often contain things like base64 encoding, which may be used to sneakily insert spam links into your site, or other malicious code that can cause all sorts of problems, as shown in this experiment, where 8 out of 10 sites reviewed offered free themes containing base64 code.
If you really need to use a free theme, you should only use those developed by trusted theme companies, or those available on the official WordPress.org theme repository.
Note: The same logic applies to plugins. Only use plugins that are listed on WordPress.org, or built by a well-established developer.
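Whether a theme or plugin came from a trusted source or not, the base64 trick described above is cheap to look for. The script below is an added example, not code from the original post or from any scanner product: run from the command line against a theme or plugin directory, it reports lines that combine eval() with base64_decode(), gzinflate() and similar decoders, or that contain a long base64 blob. The patterns and file extensions are this script's assumptions, and a hit is a reason to read the file, not proof of malice, since some legitimate code also decodes base64.

```php
<?php
/**
 * Added example (not from the original post): read-only scan for obfuscated
 * code in a theme or plugin tree.
 *   php scan-theme.php /path/to/wp-content/themes/some-theme
 * Exit status is 1 when anything was found, so cron or CI can notice.
 */

// PCRE patterns for constructs that injected code commonly combines (assumed list).
function ahex_example_suspicious_patterns() {
    return array(
        'eval + base64_decode' => '/\beval\s*\(\s*base64_decode\s*\(/i',
        'eval + decompressor'  => '/\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)\s*\(/i',
        'eval of a variable'   => '/\beval\s*\(\s*\$[A-Za-z_]\w*\s*\)/',
        'long base64 blob'     => '/[A-Za-z0-9+\/]{200,}={0,2}/',
    );
}

/** Scan one file; returns a list of [line_number, label, excerpt]. */
function ahex_example_scan_file( $path ) {
    $hits  = array();
    $lines = @file( $path, FILE_IGNORE_NEW_LINES );
    if ( false === $lines ) {
        return $hits;   // unreadable file: nothing to report
    }
    foreach ( $lines as $i => $line ) {
        foreach ( ahex_example_suspicious_patterns() as $label => $pattern ) {
            if ( preg_match( $pattern, $line ) ) {
                $hits[] = array( $i + 1, $label, substr( trim( $line ), 0, 80 ) );
            }
        }
    }
    return $hits;
}

/** Walk a directory tree; returns [relative path => hits] for files with hits. */
function ahex_example_scan_dir( $dir ) {
    $report = array();
    $iter   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        // PHP is where eval() lives; extend the list if a theme ships .inc files under other names.
        if ( ! in_array( strtolower( $file->getExtension() ), array( 'php', 'phtml', 'inc' ), true ) ) {
            continue;
        }
        $hits = ahex_example_scan_file( $file->getPathname() );
        if ( $hits ) {
            $report[ substr( $file->getPathname(), strlen( $dir ) + 1 ) ] = $hits;
        }
    }
    return $report;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $target = rtrim( $argv[1], '/' );
    $report = ahex_example_scan_dir( $target );
    foreach ( $report as $file => $hits ) {
        foreach ( $hits as list( $line, $label, $excerpt ) ) {
            printf( "%s:%d  %s  | %s\n", $file, $line, $label, $excerpt );
        }
    }
    exit( $report ? 1 : 0 );
}
```

The scan is line-based, so a one-line minified file produces one hit per pattern rather than one per occurrence; comparing a fresh download of the same theme version against the installed copy is the quicker way to spot code that was added after installation.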

2. Create Custom Secret Keys for Your wp-config.php File

WordPress Security Keys were first introduced in WordPress versions 2.5, 2.6, and 2.7. The keys improve encryption of the information that is stored in a visitor’s cookies. They will also make it harder to crack your password as it adds random elements to them. A salt key phrase is added to make it even more secure.
The keys can be changed in wp-config.php. This is an important configuration file that can be found in the root of your WordPress installation. If you have not added security keys to your wp-config.php file already, the code will look like this:
Eight keys and salts can be generated through the WordPress Salt Keys Generator. Once the code has been generated, you simply replace the code above with the uniquely generated phrases.
* Note that the above code is just an example. You should generate unique codes for your website.
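If you prefer not to fetch the phrases from the online generator (WordPress.org serves them at https://api.wordpress.org/secret-key/1.1/salt/), they can be produced locally from the operating system's random source. The script below is an added example, not code from the original post: the eight constant names are WordPress's own, while the 64-character length and the character set follow the style of the online generator but are otherwise this script's choice.

```php
<?php
/**
 * Added example (not from the original post): print eight define() lines for
 * the WordPress security keys and salts, ready to paste into wp-config.php.
 *   php make-salts.php
 */

function ahex_example_salt_names() {
    return array(
        'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
        'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
    );
}

/**
 * One random phrase from a CSPRNG. The single quote and the backslash are
 * left out of the alphabet so the value can sit inside a single-quoted PHP
 * string without escaping.
 */
function ahex_example_random_phrase( $length = 64 ) {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_=+[]{};:,.<>?/|~`';
    $max = strlen( $alphabet ) - 1;
    $out = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $out .= $alphabet[ random_int( 0, $max ) ];   // random_int(): PHP 7+, CSPRNG-backed
    }
    return $out;
}

/** The block of define() lines, one per key, each with its own phrase. */
function ahex_example_salt_block() {
    $lines = array();
    foreach ( ahex_example_salt_names() as $name ) {
        $lines[] = sprintf( "define( '%s', '%s' );", $name, ahex_example_random_phrase() );
    }
    return implode( PHP_EOL, $lines ) . PHP_EOL;
}

if ( PHP_SAPI === 'cli' ) {
    echo ahex_example_salt_block();
}
```

Replacing the eight values invalidates every existing login cookie, which is exactly what you want after a suspected compromise: all sessions, including any an intruder holds, are forced to log in again.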

3. Change the Database Prefix

A lot of the basic setup for WordPress is the same across many sites, especially if you use a one-step install wizard through your web host. This is super convenient, but as a result common setup values, such as your database prefix, are known to hackers. If you don't change the database prefix, the table names of your site's database are easily known to the person who is trying to hack your site.

4. Protect Your wp-config.php File

As mentioned earlier, the wp-config.php file contains all the confidential details of your site. So it’s pretty important that you protect it at all costs. An easy way to protect this file is to simply place the following code in your .htaccess file on your server.
    # The <Files> wrapper limits the rule to wp-config.php; "deny from all" on
    # its own in the site root would block the whole site.
    # This is Apache 2.2 syntax (Apache 2.4 accepts it only with
    # mod_access_compat loaded); the 2.4 equivalent of the two lines is
    # "Require all denied".
    <Files wp-config.php>
        order allow,deny
        deny from all
    </Files>

5. Protect Your .htaccess File

We can protect our wp-config.php file as mentioned above, but what about protecting the .htaccess file itself? Don’t worry, we can use the same .htaccess file to protect itself from being preyed upon. You just need to place below code in your .htaccess file.
    # Same Apache 2.2 syntax as above ("Require all denied" on Apache 2.4).
    # Most stock Apache configurations already deny files beginning with ".ht",
    # so this is a safety net for hosts that changed that default.
    <Files .htaccess>
        order allow,deny
        deny from all
    </Files>
