We are all trying hard to protect our blog with what we know and how we know. But believe me, many blogs out there still don’t know how to protect their blog and or don’t know what step to take to ensure the safety of their blog.
For example; many blogs today still use their username as their admin name or using their name as their admin name, many blogs still has the default table prefix “wp_”, many bloggers still use their name as password and also, 99% of bloggers fail to mask their admin login page “/wp-admin”. Should I still continue?
Have you ever had 3000+ login attempts in a day before? If yes, know that your blog is under attack and taking drastic measures is indeed the best choice for your blog or you might just get hacked someday.
Your Website Is Liable To Get Hacked Because…
On my today’s blog post, I am not going to be discussing the hard ways on how to protect your blog because I have discussed that on my previous blog post. But today, I am going to be discussing the simple and most effective ways to protect our blogs from getting hacked that we hardly pay attention to.
Note: This post might get technical as we proceed but I promise that I will make it as simple and understanding as possible. And if you find any part confusing, just drop a comment and we’ll figure it out together.
Protect your WP-Admin:
Sometime back I was getting serious login attempts. No plugin could have rescued me from the hack attempts I was receiving (I almost got my blog hacked), till my friend Adrienne from AdrienneSmith.net gave me an awesome way to protect my WP-admin from those jobless guys calling their selves hackers :).
Now I am using the style Adrienne gave me and also using the below code as well to maximize the security of my blog.
The truth is, protecting your blog goes beyond plugins. You need to implement some things (code) that will make it hard for those hackers to penetrate your defenses.
Now here is what you’ll do to protect your wordpress WP-Admin page from getting hacked.
Go to your C-panel >>> Click on “Legacy file manager” >>> Thick the “Show hidden files (dotfiles) >>> Click “Go”
Now go to where your “/wp-admin” folder is and create a new “.htaccess” file.
Have you done that, now place the below code in the new .htaccess file…
AuthUserFile/dev/null AuthGroupFile/dev/null AuthName "Access Control" AuthType Basic order deny,allow deny from all #whitelist home IP address allow from 188.8.131.520 #whitelist work IP adress allow from 184.108.40.2060
Remember to replace your IP with the 220.127.116.110
Please also note that if you are using a dynamic ip, this first tip is not suitable for you.
Now what this code does is, it only allows the IP you white list to access your wp-admin section. If you are using more than one ip, you can add it up by simply pressing your enter key in the “#whitelist home IP address” section and add “allow from 418.104.22.1680”. Hope you understand?
This trick was introduced by Matt Cutts and it is working 100%. How do I know? Because I am using it 🙂
For those using dynamic IP, Using the security plugin to change the address of your /WP-Admin/ is the best option for you to do.
Do you still have your readme.html file?
Do you know that your readme.html file can be your blogs deadly weapon? Yes, hackers can use it against you. Are you asking how? They can simply use it to know the version and info of your blog. Keeping the readme file is a dangerous choice and should be either deleted or renamed.
To delete or rename your readme.html file, simple go to your C-panel >>> Go to your WordPress directory and search for the Readme.html.
Now what you’ll do is either delete it or if you do not feel like deleting it, rename it to something else..
This one is simple right?
WordPress usernames enumeration?
Ok seriously, I too did not know what Username Enumeration means or how it can affect your blog till I was contacted by my security team (6scan) for that same issue.
Even if you change your username, even if your username is totally different from your admin name, those hackers that are good can still easily find out what admin name you’re using. As long as you’re using permalinks, it will only take quick seconds to find out your real user name.
There are two ways to fight this, either by using a plugin or you’re implementing the code directly.
If you’re not tech inclined, then going for the plug-in might be your best idea. You can download the plugin at WordPress directory here
This second is most advisable and do work wonder 🙂 .
Note: Please before you take this step, make sure you backup your blog so that you can always restore any time you make a mistake.
Go to your admin panel Where your WordPress installation is reside >>> Click “wp-admin” >>> Click “user-edit.php”. Click the edit button to edit the file or download the file for editing.
Inside the “user-edit.php” edit, search for: ‘wp_enqueue_script(‘user-profile’);”
Have you seen it? If yes, simply paste the below code right below the code.
if ( current_user_can('edit_user',$user_id ) == FALSE ) wp_die(__( 'Forbidden' ) );
Have you done that? Click the save button to save your work and you’re done with the edit. Now your blog has been saved from username injection 🙂
Seriously, I would have added more strong security measures for you to try out on your blog but the post might just be too long and boring 🙂 . So for now, this post will help you tighten up your security defense.
Do remember that securing your blog goes beyond just using plug-ins. Securing your blog is about using strategies and thinking like them…
Prevention is always better then cures, so be active and apply this step for a better secured blog.
Ha… Look like I have said so much about so much on how to secure our blog right? Now might just be the perfect time to pass the keyboard to you guys 🙂
How well do you secure your blog? Do you rely on plugins alone to protect your blog? Please do drop your answer by using the comment box below
Must Read: My Awesome Blogging Friends
Do you have questions, comments or thoughts you’d love to share with us today? Then please do use the comment box below. Remember that your comments, questions and thoughts are highly welcomed and much appreciated.
Do not forget to share this post on your social networks. To help your blogging friends help better protect their blogs :).
Oh… before I forget, do not forget to subscribe to our feed for your latest and most fresh update on the go.