  1.     
    #1
    Member

    How to Stop Your WordPress Blog from Being Hacked

    When I was looking in Webmaster Discussion for someone I could help, I saw a thread about WordPress security, and I see similar threads here and in other forums, so I said to myself, why don't I make a post here containing some information about WordPress security, just for KWWHunction members' and guests' eyes.

    Note:
    I got all the information here by searching; I just did my homework.



    Why do hackers attack a website or blog?


    Hackers attack your blog for so many reasons but the main one is because they want to hijack your Google ranking in order to promote (and increase) their own Google ranking. And as you can imagine, there are many different types of hacks. One of the most popular hacks is a Pharma hack where the hackers insert spam content into your site that is related to different types of medications. Other hacks are more obvious because they use adult content and software sales.

    How do I know if my blog or website has been hacked?

    Although it’s usually obvious when a blog or website is hacked, there are times when you may suspect you’ve been hacked but just aren’t sure. Here are a few of the warning signs you’ve been hacked:

    • Your Google Page Rank starts to drop for no apparent reason.
    • Your blog loads more and more slowly (and you haven’t added a ton of plugins).
    • You notice strange links on your website.
    • Your Google webmaster tools show strange keywords to describe your site.
    • When you perform a Google search for your site, the results show titles and descriptions that do NOT describe your site, yet still have your URLs.
    • Your website or blog traffic starts decreasing for no logical reason.

    If you aren’t sure your site has been hacked (or just want to be sure), do a Google search for a spammy keyword like this keyword:yoursite.com. Try different spam keywords to make sure your site is clear.



    1- Keep Your WordPress and WordPress Plugins Updated to the Latest Version

    The latest version of WordPress always contains bug fixes for any security vulnerabilities; therefore, it is important to keep yourself updated at all times. The latest version is WP 3.2.1 (as of this post).
    You can download it here.



    2- Hide your WordPress version

    A large number of WordPress themes include the WordPress version info in the meta tag. Hackers can easily get hold of this information and plan a specific attack targeting the security vulnerability for that version.
    To remove the WordPress version info, log in to your WordPress dashboard. Go to Design->Theme Editor. On the right, click on the Header file. On the left, where you see a lot of code, look for a line that looks like this:
    Code: 
    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

    3- Change the WordPress admin username

    Most hackers know that ‘admin’ is the username and then they only have to guess the password. Make it twice as hard and change the admin username to something other than ‘admin’.

    4- Remove the Footer Credit

    Most WordPress templates will come with a link back to WordPress in the footer saying, "Powered by WordPress". If you don't want to get hacked, this absolutely has to go. It is used as a marker by hackers who query search engines to compile lists of WordPress sites. This is known as dorking; implying that people who leave such footprints on their sites are dorks. Removing this will probably stop you from getting hacked as your site will probably not be found once it is removed. If you would like to give credit to WordPress for making a free publishing platform in some other way, you could link to them on your about page. To remove the footer credit, open up

    wp-content/(name of the theme you are using)/footer.php

    and delete the link to WordPress.

    5- Remove the Meta Generator Tag

    Most WordPress templates will also come with an HTML tag in the head like this:
    Code: 
    <meta name="generator" content="WordPress 3.2.1" />
    This has to go too as it gives away what version of WordPress you are using. All a hacker would have to do is look up a hack for your version of WordPress and if you are vulnerable (some vulnerabilities require certain server settings or environments) they will take you down.
    To remove the meta generator, open up

    wp-content/{name of the theme you are using}/header.php
    and delete the meta generator tag.

    6- Remove the Generator Tag in the RSS Feed

    WordPress also gives away which version you are using in the RSS feed with a generator tag like this:
    Code: 
    <generator>http://wordpress.org/?v=3.2.1</generator>
    Again, this gives away the version you are using so is particularly dangerous. RSS feeds are another way in which hackers compile lists of sites which they might be able to attack.
    To remove the RSS generator, open up wp-includes/general-template.php and search for the function called the_generator (around line 1858). It will look like this:
    Code: 
    function the_generator( $type ) {
        echo apply_filters('the_generator', get_the_generator($type), $type) . "\n";
    }
    and place a hash (#) in front of the word echo, so it looks like this:
    Code: 
    function the_generator( $type ) {
        #echo apply_filters('the_generator', get_the_generator($type), $type) . "\n";
    }

    7- Avoid using free themes and plugins without checking them for malicious code

    You can run into serious trouble by installing plugins and using themes without checking them for malicious code. If you don't know PHP, I'd recommend only installing plugins and themes which are listed in the official WordPress directories.

    8-Encrypt your login

    Whenever you try to log in to your website, your password is sent unencrypted. If you are on a public network, a hacker can easily ‘sniff’ out your login credentials using a network sniffer. The best way is to encrypt your login with the Chap Secure Login plugin. This plugin adds a random hash to your password and authenticates your login with the CHAP protocol.

    9- Stop brute force attacks

    Hackers can easily crack your login password and credentials using a brute force attack. To prevent that from happening, you can install the login lockdown plugin. This plugin records the IP address and timestamp of every failed WordPress login attempt. Once a certain number of failed attempts are detected, it will disable the login function for all requests from that range.

    10- Use a strong password

    Make sure you use a strong password that is difficult for others to guess. Use a combination of digits, special characters and upper/lower case to form your password. You can also use the password checker on WordPress 2.5 and above to check the strength of your password.

    11- Protect your wp-admin folder

    Your wp-admin folder contains all the important information and it is the last place that you want to give access to others. Use AskApache Password Protect to password protect the directory and give access rights only to authorized personnel.

    12- Hide your plugins folder

    If you go to http://yourwebsite.com/wp-content/plugins, you can see a list of the plugins that you are using for your blog. You can easily hide this page by uploading an empty index.html to the plugin directory.
    Open your text editor. Save the blank document as index.html.
    Using an FTP program, upload the index.html to the /wp-content/plugins folder.

    13- Do a regular security scan

    Install the wp-security-scan plugin and perform a regular scan of your blog settings for any security loopholes. This plugin can also help you to change your database prefix from wp_ to a custom prefix.

    14- Define user privilege

    If there is more than one author for your blog, you can install the role-manager plugin to define the capabilities for each user group. This will give you, the blog owner, the ability to control what users can and cannot do in the blog.

    15- Back up your WordPress database

    No matter how secure your site is, you still want to prepare for the worst.
    Make sure you back up EVERYTHING, including your posts, comments, files, images, logos, template, links, and HTML coding. That way, even if your blog does get wiped out, you’ll have everything you need for quickly putting it back together.

    The best plugin to do this is: Backup Buddy.


    If you want a free plugin:

    Install the wp-database-backup plugin and schedule it to back up your database daily.

    But I must warn you, this plugin only backs up the database.

    Sorry for the long thread. I hope I covered everything, and I wish you happy blogging without worrying about your security.
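
    A way to confirm on your own site that the footer credit, the meta generator tag and the RSS generator tag from steps 4 to 6 are really gone, as an added example that is not part of the original post. The function name, the patterns and the sample documents are constructed for illustration; in practice you would feed it the saved HTML and feed of your own blog.

```python
import re

# The three disclosure points the post covers, as regular expressions.
CHECKS = {
    "meta generator tag": re.compile(
        r'<meta[^>]+name=["\']generator["\'][^>]*content=["\']WordPress\s*([\d.]*)',
        re.I),
    "RSS generator tag": re.compile(
        r'<generator>\s*https?://wordpress\.org/\?v=([\d.]+)\s*</generator>', re.I),
    "footer credit": re.compile(
        r'powered by\s*(?:<a[^>]*>)?\s*WordPress', re.I),
}

def find_disclosures(document):
    """Return (check name, disclosed version or None) for every leak in the text."""
    findings = []
    for name, pattern in CHECKS.items():
        for match in pattern.finditer(document):
            # Only the generator patterns capture a version number.
            version = match.group(1) if pattern.groups and match.group(1) else None
            findings.append((name, version))
    return findings

# Constructed samples: a theme page and a feed as the post describes them,
# then the same page after the tag and the footer link were deleted.
PAGE_BEFORE = """<html><head>
<meta name="generator" content="WordPress 3.2.1" />
</head><body><p>Hello</p>
<div id="footer">Proudly <a href="http://wordpress.org/">powered by WordPress</a></div>
</body></html>"""

FEED_BEFORE = """<rss version="2.0"><channel><title>Example Blog</title>
<generator>http://wordpress.org/?v=3.2.1</generator>
</channel></rss>"""

PAGE_AFTER = """<html><head><title>Example Blog</title></head>
<body><p>Hello</p><div id="footer">Example Blog</div></body></html>"""

if __name__ == "__main__":
    for label, text in [("page (before)", PAGE_BEFORE),
                        ("feed (before)", FEED_BEFORE),
                        ("page (after)", PAGE_AFTER)]:
        print(label, find_disclosures(text) or "no version disclosure found")
```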
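
    The lockout behaviour described in step 9 (record IP address and timestamp of each failed login, then refuse logins from the whole range once a threshold is reached), as an added example that is not part of the original post and not the plugin's own code. The class name, the /24 IPv4 range size, the thresholds and the sample events are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

class RangeLockout:
    def __init__(self, max_failures=3, window=300, lockout=3600, prefix=24):
        # Thresholds (seconds) and the /24 range size are assumed values.
        self.max_failures, self.window = max_failures, window
        self.lockout, self.prefix = lockout, prefix
        self.failures = defaultdict(deque)  # range -> timestamps of recent failures
        self.locked_until = {}              # range -> time the lock expires

    def _range(self, ip):
        return ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False)

    def is_locked(self, ip, now):
        return self.locked_until.get(self._range(ip), 0) > now

    def record_failure(self, ip, now):
        """Store one failed attempt; return True if it triggers a lock."""
        net = self._range(ip)
        recent = self.failures[net]
        recent.append(now)
        while recent and recent[0] <= now - self.window:  # outside the window
            recent.popleft()
        if len(recent) < self.max_failures:
            return False
        self.locked_until[net] = now + self.lockout
        recent.clear()
        return True

def replay(events, guard):
    """events: (timestamp, ip, password_ok). Returns the login handler's decisions."""
    outcome = []
    for ts, ip, ok in events:
        if guard.is_locked(ip, ts):
            outcome.append("blocked")
        elif ok:
            outcome.append("allowed")
        else:
            outcome.append("locked" if guard.record_failure(ip, ts) else "failed")
    return outcome

# Constructed events using documentation address ranges.
EVENTS = [
    (0, "203.0.113.10", False), (20, "203.0.113.11", False),
    (40, "203.0.113.12", False),   # third failure in the /24: range is locked
    (60, "203.0.113.50", True),    # valid password, same range: blocked anyway
    (70, "198.51.100.7", True),    # other range: unaffected
    (4000, "203.0.113.50", True),  # lock expired at 40 + 3600
]
```

    The fourth event shows the cost of locking a range rather than a single address: a user with the right password is refused because of failures from neighbouring addresses.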


  3.     
    #2
    Member
    Great article, + rep.

  4.     
    #3
    Member
    Great article, + rep.
    Thank you very much for the reply and the rep, but the reply more.
    I love when people reply to my threads; it makes me happy.

  5.     
    #4
    Member
    Website's:
    GFXWebHosting.com WarezJobs.com
    Excellent article. +1

  6.     
    #5
    Member
    Excellent article. +1
    Thank you very much, I love you people who encourage me.

  7.     
    #6
    Member
    Website's:
    zomgbbqpizza.com evilddl.com scenemarket.org
    Good article

  8.     
    #7
    Member
    Excellent. Very informative.

  9.     
    #8
    Banned
    Website's:
    HotWallpapers.me AustraliaFlood.net VirtualUpload.net
    Thanks +1

  10.     
    #9
    Member
    Quote Originally Posted by DEViANCE View Post
    Good article
    thank you for the reply

    Quote Originally Posted by Mitinew View Post
    Excellent. Very informative.
    Thank you very much for your reply, you people just made my day.

    Quote Originally Posted by ThumperTM View Post
    Thanks +1
    Thank you very much.

  11.     
    #10
    Member
    Many thanks !!!
