10 Steps on How to Protect Your WP Blog Against Hijacking


Sometime towards the end of 2009, a Syrian hacking team hijacked my blog and changed the theme to always display their information. Finding their logo in poor taste and not appreciating their action in the least, I immediately decided to take the appropriate safety measures and make my blog more secure.

Here are the steps I took in order to accomplish that:

Step 1 – Always Backup your files
This is your very first line of defense. And it’s always a great idea to keep a fresh copy of your installation files and a backup of all your posts. Check with your hosting company to see if they offer automatic backup. Do this task on a weekly basis – it only takes minutes if not seconds (depending on the size of your blog).

It is also a good idea to store your files in 2 separate locations (see this article for good backup procedures).

Step 2 – Immediately Change the Admin Password
Make sure you know the email address you provided for the “admin” account. This is where you’ll receive the new password. Log in and change the password to something a bit more complicated than your pet’s name. Remember to use a combination of numbers, special characters, and lower and upper case letters. For instance – Fluffy is a very weak password while fLu55Y$ is much harder to guess.

Here’s a link on how to reset your password http://codex.wordpress.org/Resetting_Your_Password#Through_phpMyAdmin

Step 3 – Create another Administrator Account
Log in as the “admin” of the blog with the newly acquired password and create another account with Administrator privileges. Use the principles for choosing a strong password as described above.

Here you can find the step-by-step instructions on how to add a new user: http://codex.wordpress.org/Users_Add_New_SubPanel

Step 4 – Change/Delete the “Admin” Account
The most common method used to break into a blog/website is brute force: the hacker will try to guess the name of the admin account and, once that name is revealed, (s)he will use scripts to try thousands of password combinations against it.

In almost all cases the WP install files come “prepackaged” with the “admin” name as the default administrator account.

Fortunately changing this account name is very easy to do:

Log into your blog using the new user account created in Step 3 and delete the “admin” user. If you have posts published with “admin”, WordPress will ask you if you want to move those posts under a new user. I chose “yes” and indicated who the author should be.

As a side note – it’s a very good idea to keep the name and password of this new administrator account secured, but most important is to create another, less privileged user for everyday work (I chose “Editor” privileges for this account, under my name, so I can use it every time I create a new post).

In case your “admin” account does not have a “Delete” command right next to the “Edit” one (which happened to me), install the WP-Optimize plug-in and use it to rename or even delete the “admin” account.

Step 5 – Hide Your WordPress Version
Another “hole” hackers use to infiltrate is the publicly visible version of your WordPress blog. The fact of the matter is that it will be harder for the hacker to hijack your site if (s)he knows as little as possible about your blog.

By default WordPress broadcasts to the world the version that you are running, and this information can be used against you, because hackers know the security holes on each WordPress version.

Hiding that information is not difficult though. First of all you want to disable the “generator” meta tag. You can do that by adding the following code to the functions.php file of your theme:

// Return an empty string in place of the <meta name="generator"> tag
// that normally announces the WordPress version in your page source.
function hide_wp_vers()
{
    return '';
}
add_filter('the_generator', 'hide_wp_vers');

Step 6 – Delete the readme File
There is also another place where hackers can find the version of your WordPress – the readme.html file. Go ahead and FTP into your site, find the file and delete it.

Step 7 – Disable Folder Browsing
This is another item you should hide on your site – the content of your folders. If people can browse your folders, they will be able to collect lots of information (themes you are running, plug-ins, etc.). Again – the less they know, the better for you and the safety of your blog.

If your web hosting is based on Linux, you can easily disable folder browsing within the .htaccess file placed at the root of your server. You can create that file or open the existing one and add the following line:

Options -Indexes

If your hosting is not based on Linux, you can still protect the content of your folders by uploading a blank index.html page inside each folder.

Step 8 – Rename Your Table Names

I would not recommend any plug-in to accomplish this. You can find some, but they are known to cause problems. The best and safest way is to do it manually.

Here are step-by-step instructions on how to do it:

  • You need to locate “phpMyAdmin”, which for most people’s setup will be in your cPanel. Look for “MySQL Databases” and click it.

  • You should now see “phpMyAdmin” opened, with the logo at the top left. Click on the database title under the logo. NOT the one titled “information_schema” – THE OTHER ONE!! You are of course looking for the database that has all the tables with “wp_” prefixes.

  • Across the top of the screen there is now a menu. Locate “Operations” and click it.
  • Locate “Table options”, then “Rename table to”. This is where you rename the table prefix only – that’s the part before the underscore “_”. Once you’re done, click “Go” to save your change.
  • Click back on the database name on the left (it should now be BLUE) and repeat the previous renaming step for each table until you’ve changed all of them.
  • Click again on the database name on the left, then the “Structure” tab next to the table “yourprefix_options”. Click on the menu option “Browse” and use the arrow buttons to locate the page the option_name “wp_user_roles” is on. Click on the edit/pencil icon and again change the prefix. Then click “Go”.
  • Click back on the database name on the left, then the “Structure” tab next to the table “yourprefix_usermeta”. Click on the menu option “Browse” and use the edit/pencil icon on each “meta_key” that still uses the old “wp_” prefix, changing it to your new prefix. Click “Go” each time you’ve altered a prefix.
  • Click on the exit/logout icon at the top left of the screen.
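The same renaming, written out as the SQL statements phpMyAdmin runs behind those clicks (an added example, not from the original post). It assumes the standard single-site table set and a constructed new prefix “blg7x_”; plug-ins may have added further “wp_” tables, which the checks at the end will reveal.

```sql
-- Constructed example: move from the default 'wp_' prefix to 'blg7x_'.
-- Take a backup first (Step 1); there is no undo for a bad rename.

-- 1. Rename the tables themselves (standard single-site table set).
RENAME TABLE
  wp_commentmeta        TO blg7x_commentmeta,
  wp_comments           TO blg7x_comments,
  wp_links              TO blg7x_links,
  wp_options            TO blg7x_options,
  wp_postmeta           TO blg7x_postmeta,
  wp_posts              TO blg7x_posts,
  wp_term_relationships TO blg7x_term_relationships,
  wp_term_taxonomy      TO blg7x_term_taxonomy,
  wp_terms              TO blg7x_terms,
  wp_usermeta           TO blg7x_usermeta,
  wp_users              TO blg7x_users;

-- 2. The option holding the role definitions carries the prefix in its name.
UPDATE blg7x_options
   SET option_name = 'blg7x_user_roles'
 WHERE option_name = 'wp_user_roles';

-- 3. Per-user rows in usermeta (wp_capabilities, wp_user_level, ...) also
--    carry the prefix. In LIKE, '_' is a single-character wildcard, so it
--    is escaped here; otherwise a key such as 'wpx_foo' would match too.
--    SUBSTRING is 1-based, so position 4 is the first character after 'wp_'.
UPDATE blg7x_usermeta
   SET meta_key = CONCAT('blg7x_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- 4. Verify nothing with the old prefix is left before editing wp-config.php.
--    All three should return an empty result.
SHOW TABLES LIKE 'wp\_%';
SELECT option_name FROM blg7x_options  WHERE option_name LIKE 'wp\_%';
SELECT meta_key    FROM blg7x_usermeta WHERE meta_key    LIKE 'wp\_%';
```

If the first check still lists tables, a plug-in created them; rename those the same way before moving on to Step 9.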

Step 9 – Modify the “wp-config.php” File
FTP into your site and find the file called “wp-config.php”. Edit the line that says $table_prefix = 'wp_'; and change “wp_” to your new prefix. Save the file and upload it back.

Step 10 – Always Update Your WordPress Version
Every time a new WordPress version is released, hackers have to scramble to find new ways to break it so they can hit other blogs and deface them.

Sometimes they find them, but the WordPress community usually responds quickly and releases an updated version protected against the new threats.

That’s it! Happy blogging everyone!



Claudiu Geanta is a successful online business owner and founder of Design by Satori Inc. & ProIncome Marketing, LLC. He teaches businesses how to build an optimum online presence. He is also an accomplished web designer and photographer. You can follow him on Twitter.


  1. #1 by get tips on January 19, 2010 - 10:44 am

    At last, I could find your article once again. You have few useful tips for my school project. This time, I won’t forget to bookmark it. :)

  2. #2 by forex robot on January 23, 2010 - 2:34 am

    nice post. thanks.

  3. #3 by louis vuitton on February 6, 2010 - 2:49 pm

    This is a fond blog and I gain ground choice reading it every morning dinghy thanks you
    because sharing it!

  4. #4 by SatelliteTVforPC on February 10, 2010 - 2:55 am

    hey. Great Blog you’ve got here. I’ve been tooling around trying to find some new information and I think i found it! Thanks a lot!
    I have a website too.

  5. #5 by UGG Boots on February 11, 2010 - 11:40 am

    I found this article useful in a paper I am writing at university. Hopefully, I get an A+ now!

    Thanks

    Bernice Franklin

  6. #6 by discount amazon on February 15, 2010 - 5:47 pm

    quite interesting read. I would love to follow you on twitter.
