WordPress Security Tips
Tip 1: Secure Your Admin Directory

This is an old tip, but it is surprising how many WordPress blogs, even popular ones, do not secure their admin directory. Bear in mind that an unprotected admin directory is exposed to any form of public attack: brute-force login attempts, cross-site scripting, and any other vulnerability in the admin pages that attackers can discover. This is very important. If your admin directory is secured, it is protected. An attacker may find a SQL injection vulnerability in WordPress and use it to extract your admin username and password, but even then the attacker will not be able to log in to your admin directory if access to it is restricted.

The following are the steps you need to take to secure your admin directory:

1. Go to http://www.whatismyip.com/ and take note of your IP address.

2. Open a text editor (e.g. Notepad).

3. Copy and paste the following into the text editor:

       Order deny,allow
       Deny from all
       Allow from xxx.xxx.xxx.xxx

   The order of evaluation matters here: with Order deny,allow the Deny line is evaluated first and the Allow line last, so your address is allowed and every other address is denied. With Order allow,deny the Deny from all line would be evaluated last and reject every client, including you.

4. Replace xxx.xxx.xxx.xxx with your IP address.

5. Save the file as .htaccess. Note: the filename starts with a dot.

6. Upload the .htaccess file to the wp-admin directory.

7. Check that the wp-admin directory now returns a 403 Forbidden response when requested from an address other than yours, for example with http://gsitecrawler.com/tools/Server-Status.aspx. Enter your wp-admin URL, for example http://www.example.com/wp-admin

If your website has more than one contributor, you will need to ask for their IP addresses and add them to the Allow line above. For example:

    Order deny,allow
    Deny from all
    Allow from xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy zzz.zzz.zzz.zzz

where yyy.yyy.yyy.yyy and zzz.zzz.zzz.zzz are the IP addresses of the other admin panel users.

Tip 2: Never Edit the WordPress Core Files!

It is surprising that a lot of tips can still be found on the Internet suggesting that you tweak the WordPress core files. This is not recommended; it will only become a security risk in the long run. If you are new to WordPress and still do not know which files are the core files, the following list will tell you.

One of the biggest disadvantages of editing the WordPress core files is that your changes will not survive a WordPress update. Once you have updated, those "tweaks" are gone and you will need to make them again. Therefore, if you need to add some special functionality to your WordPress website, try one of the following three things instead.

First, see whether you can edit your theme files to produce that functionality without touching the WordPress core files.

Second, if the theme files cannot produce that functionality, research whether a WordPress plugin will produce the desired result. There are a lot of released and stable WordPress plugins, so it is smarter to search for the appropriate plugin and use it than to edit the core files. You can start researching plugins here: http://wordpress.org/extend/plugins/

Third, if you cannot find the plugin you need, it is time to ask for professional help from the WordPress community. Below are some good places online where you can ask for help:

WordPress support: http://wordpress.org/support/
WordPress ideas: http://wordpress.org/extend/ideas/

Tip 3: Use the SSH Protocol for Downloading and Uploading Files

To protect your hosting server username and password, you should use SSH. It operates much like FTP, but all communication between you and the server is encrypted, so it cannot be read by the eavesdropping techniques attackers use to capture credentials in transit. Most paid hosting accounts already include SSH as part of the package, so make sure you enable it in your hosting account; if you have problems enabling it, consult your hosting support. Once SSH is enabled, you can use an SSH client to connect to the server that hosts your WordPress website.

The most recommended client is FileZilla (http://filezilla-project.org/download.php), because it is GUI-based and works much like an FTP client. There are a couple of things to keep in mind when using FileZilla. First, do not set the logon type to "Normal", as this saves your hosting password in plain text on your computer's hard drive; use "Ask for password" instead. Second, under "Server Type", make sure it is set to "SFTP - SSH File Transfer Protocol".
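As an added example (not part of the original article), the following Python script generates the Tip 1 .htaccess allow-list for several contributors, validating every address first so that a typo cannot silently lock you out or leave the directory open. It goes beyond the tip by also emitting the Apache 2.4 Require ip form, since the Order/Deny/Allow directives are Apache 2.2 syntax; the IP addresses in it are constructed placeholders from the documentation ranges.

```python
import ipaddress


def build_wp_admin_htaccess(allowed):
    """Return .htaccess text restricting wp-admin to the given IPs or CIDR ranges.

    Each entry is validated with the ipaddress module; a malformed entry raises
    ValueError instead of producing a rule Apache would misread. Both the
    Apache 2.4 (mod_authz_core) and Apache 2.2 (mod_access_compat) forms are
    emitted, each inside an IfModule guard so the same file works on either.
    """
    nets = []
    for entry in allowed:
        net = ipaddress.ip_network(entry.strip(), strict=False)  # ValueError on junk
        if net not in nets:  # drop duplicates, e.g. a contributor listed twice
            nets.append(net)
    if not nets:
        raise ValueError("at least one address is required, or nobody can reach wp-admin")
    # Single hosts are written bare (203.0.113.7); ranges keep their prefix (198.51.100.0/24).
    addrs = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
             for n in nets]
    lines = [
        "# Restrict wp-admin to known contributor addresses",
        "<IfModule mod_authz_core.c>",
        "    Require ip " + " ".join(addrs),
        "</IfModule>",
        "<IfModule !mod_authz_core.c>",
        "    # Apache 2.2: deny,allow so the Allow line is evaluated last and wins",
        "    Order deny,allow",
        "    Deny from all",
        "    Allow from " + " ".join(addrs),
        "</IfModule>",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges), not real contributors.
    print(build_wp_admin_htaccess(["203.0.113.7", "198.51.100.0/24"]))
```

Upload the printed text as wp-admin/.htaccess exactly as in Tip 1; the 403 check in step 7 still applies.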