Archive for the ‘Security’ Category

Today i had a great talk with some wordpress developer’s who had a good site of e-commerce, and had seem that rentable site hacked…and all their valuable business ruined…

After that was impossible for me to stop thinking about the subject…And after a big trip of subway i remember some couple of things that answer why so many wordpress sites are hacked.

Sometimes technology create us a fake feeling that everything is easy and we don’t need to think out of the box…Great tools of advertisement and social are like that, but with great power comes great responsibility like spiderman said 😉 .

In this post i will present to you some good security prtaices about WordPress CMS, do your own checklist and when you have an installed wordpress server never forget to check this.

  • When manual installing the WordPress plataform in the wp-config.php file (in the installation named wp-config-sample.php), find the section that deal with the secret keys.  these keys will be added only once…remember this keys will  be the secret to hack your site. Use the link if you want to generate complex passwords. Put that passwords in the wp-config file.
  • Keep your WordPress up to date, is true that this makes you keep working, but enable you also to cover the bugs correction and security walls on.
  • Keep all your secret keys in the wp-config.php file.
  • Hide your WordPress version, this can give some valuable clues to your web presence enemies. Check the file header.php, and if the code “php add_action(‘wp_head’,’wp_generator’)” is there  remove it. This code line outputs the version of WordPress. This represents an additional risk to your site.
  • admin user is comfortable but not a good username. The first thing you should do after installing wordpress should be to create a new user with administration privileges and delete the admin user. This way you hide the administrator, by default the administrator of a wordpress backoffice is admin and every one know that.
  • The My SQL user you create to deal with wordpress should not have to have full writing capabilities in the database engine.
  • Keep your My SQL backups up to date.
  • Your MYSQL users should be aimed with strong passwords.
  • Grant that in every folder of your solution, you have a empty index.php file.
  • Force SSL encryption when logging to the WordPress admin dashboard, do that by adding to the wp-config.php file the following code: define(‘Force_SSL_ADMIN’,true); for this you need to grant also that SSL is supported by your Web Server HOST.
  • Don´t allow the directories of your wordpress core to be avaible for browsing, this is done at your webserver level (apache, internet explorer…).
  • WordPress administration files reside in wp-admin directoryuse .htaccess to restrict access and allow only specific IP address to this directory and file. If you have static IP address and you always blog from your computer, this can be an option. This is done in the .htaccess file in wp-admin with the following code:
    Order Deny,Allow
    Allow from ww.xx.yy.zz
    Deny from all
  • Restrict file access to the contents folder (wp-content directory) this is done on the  .htaccess file with the following instructions
    Order Allow,Deny
    Deny from all
    <files  ?\.(jpg|gif|png|js|css)$? ~>
    	Allow from all
  • There are also some plugin’s who can help you to add an extra layer of security agains sql injection and other atacks i use normally this that’s all for now, with this simple tricks you can add a lot of extra layers of security to your WordPress website and if your site is your life i would strong recommend you to do this. Hope this post can be helpfull.