Bill Cooke is a Freelance Web Designer and Graphic Designer based out of Toronto, Canada.
Protecting your WordPress Site from Exploits and Hackers
WordPress itself is fairly secure in its more recent versions, but there are still some ways you can shore up your WordPress site a little to help avoid malicious scripts being injected by hackers, the admin account being hacked, and other bad things that could potentially happen.
Today I am going to mention a few extra steps you can take to secure your WordPress site a little more.
1) Add a directory password to your wp-admin directory
This is one of the best ways to ensure no hackers gain access to the back end of your WordPress site. Yes, it is a bit of a pain for you or your site admins to have to enter the login for the directory and then the WordPress admin login, but this simple step adds an extra layer of security. If your hosting runs cPanel, it’s very easy to do via cPanel:
http://www.siteground.com/tutorials/cpanel/pass_protected_directories.htm
2) Limit Admin Login Attempts
Another step I suggest is to install the Limit Login Attempts plug-in for WordPress. This plug-in sets a limit on the number of times a login to an admin account can be attempted, then blocks the person for a period of time. This is a great way to stop brute force attacks that try to get access to your WordPress admin.
http://devel.kostdoktorn.se/limit-login-attempts
3) Use a WordPress scanner and security checking plug-ins
There are several WordPress “exploit” and “security” scanners that can scan your site files for malicious code injected by a hacker, as well as give you security reports on your site’s problems and how to fix them.
Secure WordPress: http://bueltge.de/wordpress-login-sicherheit-plugin/652/ is one that I use and find very helpful in securing the site.
- Little help to secure your WordPress installation: Remove Error information on login page; adds index.html to plugin directory; removes the wp-version, except in admin area.
- removes error-information on login-page
- adds index.php plugin-directory (virtual)
- removes the wp-version, except in admin-area
- removes Really Simple Discovery
- removes Windows Live Writer
TimesToCome Security Plugin: http://herselfswebtools.com/2008/06/wordpress-security-plugin-block-scrapers-hackers-and-more.html – this one helps stop hackers from using injection scripts to hack into your WordPress site and put in iframes and other nasties.
Make sure to visit the author’s blog to update your list of blocked request types etc.
4) BACKUP BACKUP and then BACKUP Again!
Make sure to do backups of your site OFTEN (I do mine once a week) so that if disaster does strike, you have a backup you can restore. There are some good plug-ins to do a file and database backup of your site, but personally I prefer to do it manually (using my hosting control panel to create a zip file of the site and downloading it, and using phpMyAdmin to download the database).
So there you go, a few tips to help make sure your site is secure and you can also recover
2 Responses to “Protecting your WordPress Site from Exploits and Hackers”



I enjoyed the article and thanks recompense posting such valuable info as a substitute befitting for of all of us to conclude from, I come out it both useful and communicative and I drawing to dry singular’s wink from it as again as I can.
This article was helpful in a paper I am writing for my thesis.
Thanks
Bernice Franklin