Make sure WordPress and all its plugins and themes are up-to-date
Every new software release fixes vulnerabilities found in older versions, and most WordPress compromises come through an outdated WordPress core, plugin or theme, so keep everything up-to-date. If possible, subscribe to the WordPress Development feed ( https://wordpress.org/news/feed/ ); it will inform you whenever a new patch or fix is released.
Change Username and Password
The default WordPress user name is admin, which is very common and every attacker knows it. It is better to change it to something that would be difficult to guess.
Most hackers try to brute-force the password, so I recommend changing the WordPress admin password periodically and using complicated passwords.
Replace WordPress Keys
WordPress security keys are used by WordPress to better protect the information stored in a user's cookies while logged in to a WordPress website or blog. You can generate new keys from https://api.wordpress.org/secret-key/1.1/ , then open wp-config.php and replace the keys in the lines below:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
Install WP Security Scan
A security-scanner plugin automates this work: it scans your WordPress blog for vulnerabilities and informs you if it finds malicious code.
E.g. CWIS Antivirus Scanner, VIP Scanner …
Change Table Prefix
The default table prefix for WordPress is wp_, and every attacker targeting WordPress knows it. SQL injection attacks are more likely to succeed with the default table prefix because the table names do not have to be guessed. A good prefix is a complex name including letters and digits. Changing your database table prefix is highly recommended, and you can do this in two ways.
Change the table prefix via phpMyAdmin:
There are a total of 11 default WordPress tables, so renaming them manually would be a pain. To make things faster, here is a SQL query you can use. Replace "NewPrefix" with your desired table prefix.
RENAME TABLE `wp_commentmeta` TO `NewPrefix_commentmeta`;
RENAME TABLE `wp_comments` TO `NewPrefix_comments`;
RENAME TABLE `wp_links` TO `NewPrefix_links`;
RENAME TABLE `wp_options` TO `NewPrefix_options`;
RENAME TABLE `wp_postmeta` TO `NewPrefix_postmeta`;
RENAME TABLE `wp_posts` TO `NewPrefix_posts`;
RENAME TABLE `wp_terms` TO `NewPrefix_terms`;
RENAME TABLE `wp_termmeta` TO `NewPrefix_termmeta`;
RENAME TABLE `wp_term_relationships` TO `NewPrefix_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `NewPrefix_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `NewPrefix_usermeta`;
RENAME TABLE `wp_users` TO `NewPrefix_users`;
Search the options and usermeta tables for any other fields that use wp_ as a prefix, so we can replace them.
-- In a LIKE pattern "_" matches any single character, so it is escaped here to match the literal prefix.
SELECT * FROM `NewPrefix_options` WHERE `option_name` LIKE '%wp\_%';
SELECT * FROM `NewPrefix_usermeta` WHERE `meta_key` LIKE '%wp\_%';
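As an added example (not from the original post), the following Python script generates the whole prefix migration for a chosen prefix: the RENAME statements above plus UPDATEs for the options and usermeta rows that the two SELECTs locate (wp_user_roles, wp_capabilities, wp_user_level), which must be renamed too or every user loses their role. It assumes the prefix rule in validate_prefix (letters, digits and underscores, at least one digit) and that $table_prefix in wp-config.php is set to the same value afterwards.

```python
import re

# Default WordPress tables from the RENAME list above, without the wp_ prefix.
WP_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "termmeta", "term_relationships", "term_taxonomy",
    "usermeta", "users",
]

def validate_prefix(prefix):
    """Prefix rule assumed by this example: letters/digits/underscores only,
    ends in '_', contains at least one digit, and is not the default wp_."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*_", prefix):
        raise ValueError("prefix must be alphanumeric/underscore and end in '_'")
    if prefix == "wp_" or not any(ch.isdigit() for ch in prefix):
        raise ValueError("use a non-default prefix that includes a digit")
    return prefix

def rename_statements(old, new):
    """One RENAME TABLE per default table."""
    return [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in WP_TABLES]

def prefixed_row_statements(old, new):
    """Rows whose option_name / meta_key start with the old prefix
    (e.g. wp_user_roles, wp_capabilities) must be renamed as well.
    '_' is a LIKE wildcard, so it is escaped to match only the real prefix;
    SUBSTRING is 1-based, so the remainder starts at len(old) + 1."""
    like = old.replace("_", r"\_") + "%"
    rest = len(old) + 1
    return [
        f"UPDATE `{new}options` SET option_name = "
        f"CONCAT('{new}', SUBSTRING(option_name, {rest})) "
        f"WHERE option_name LIKE '{like}';",
        f"UPDATE `{new}usermeta` SET meta_key = "
        f"CONCAT('{new}', SUBSTRING(meta_key, {rest})) "
        f"WHERE meta_key LIKE '{like}';",
    ]

def migration_sql(new, old="wp_"):
    """Full statement list. Take a database backup first (RENAME TABLE is DDL
    and cannot be rolled back), then set $table_prefix in wp-config.php."""
    new = validate_prefix(new)
    return rename_statements(old, new) + prefixed_row_statements(old, new)

if __name__ == "__main__":
    print("\n".join(migration_sql("k9blog_")))
```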
Block Search Engine Spiders from Indexing Admin Section
Search engine spiders crawl the entire blog and index every page unless they are told not to. We do not want the admin section indexed, as it contains sensitive information. The easiest way to keep crawlers out of the admin directory is to create a robots.txt file in your root directory (note that robots.txt is only honoured by well-behaved crawlers; it does not block access). Then place the following in the file:
#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
Protect .htaccess
The rule below denies external access to any file whose name contains .hta, such as .htaccess itself. Simply place it in your domain's root .htaccess file.
# STRONG HTACCESS PROTECTION
# Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat or the equivalent "Require all denied"
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
Prevent Directory Browsing
It's not a good idea to let visitors browse through your entire directory tree. Directory listings reveal the directory structure and make it easier for attackers to look for security holes. To stop this, simply add these two lines to the .htaccess in the root directory of your WordPress blog.
# disable directory browsing
Options All -Indexes
Prevent script/SQL injection
The rules below reject any request whose query string contains a script tag or tries to set the PHP GLOBALS or _REQUEST variables; they are a coarse filter, not a replacement for keeping WordPress patched. Simply copy and paste them into the .htaccess in the root.
# block script tags and GLOBALS/_REQUEST overrides in the query string
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]