Recently, wide-scale attacks on wp-login.php have been hitting servers that host WordPress sites. A temporary but effective fix for this is to put a .htaccess file in /home with the following entries:
<Files ~ "^wp-login.php">
Allow from all
</Files>
Then, for clients to get access, they can add the following to their WordPress .htaccess (uncommenting the lines and substituting their own address):
#Deny from all
#Allow from x.x.x.x
WordPress is open-source software used for building websites and blogs.
There is a false belief that WordPress is blogging software that can only be used to create blogs. That is not the case; it can be used to build many powerful, multipurpose websites.
The main advantage of WordPress is its simplicity and easy-to-use structure. Even a newbie can become familiar with all aspects of WordPress within a couple of minutes. About 40% of top blogs are built on WordPress.
With the increasing popularity of WordPress blogs, hackers have redirected their attention towards them. The WordPress core files are well designed and can't be accessed or altered in the normal way. The main way hackers gain access to WordPress files is through the third-party plugins and themes we install on our blogs, but not all of us can rely only on the default themes and plugins that ship with a fresh WordPress installation. We can't block the hacking attempts themselves; what we can do is make our WordPress blogs more secure and resistant to hacks.
Here are some easy and common practices to improve the security of your WordPress site:
1) Use the latest version:
Always use the latest version of WordPress available, as each release includes security fixes made in response to the reports the developers receive from users.
Before publishing a new version, the WordPress team performs basic testing, but we, the end users, are the real-world testers. Taking user opinions and suggestions into consideration, they develop the next version, and each version applies security patches to the existing code. So always update WordPress to the latest version when one is available.
This can easily be done from the wp-admin dashboard. The same applies to any plugins and themes you have installed: they too need to be updated.
2) Back up your site:
You should also take backups of your WordPress site periodically, as these backups are what you fall back on in the worst case.
You can back up your site yourself or opt for a paid service. If you prefer a plugin for WordPress backups, the best one for this is the BackupBuddy plugin.
3) Keep your local machine safe:
Before opening your WordPress sites from your local machine, make sure the machine is clean and free of viruses or any other potential threat.
For this you can use any of the leading antivirus products.
4) Use strong admin credentials:
Never use admin as the login user name for your WordPress dashboard. Also use a strong password (a combination of letters, numbers and special characters) for logins.
5) Delete unwanted plugins & themes:
Plugins and themes that are not in use should be removed rather than left deactivated. There is a chance that we leave deactivated plugins outdated, and outdated plugins become prone to attacks and hacks.
6) Change the database prefix:
It is also good practice to change the WordPress database prefix to an unconventional one rather than the traditional "wp_", as hackers know this is the default prefix. Hackers know that user details are stored in the wp_users table and try to exploit it. We can stop them from guessing the table name by changing the database prefix.
7) Use SFTP to transfer files:
Always use SFTP to transfer files rather than plain FTP. With plain FTP the login details are transferred in clear text and can be captured by anyone sniffing the connection with readily available programs. All major FTP clients now support SFTP, so all you need to do to enable it is change the protocol in your FTP client from "FTP" to "SFTP". You can ask your hosting provider for the SFTP port.
8) Move the wp-config.php file outside the WordPress installation directory:
Typically wp-config.php is located in the WordPress installation directory. This file contains all the important details such as the database name, server, database user and its password, so if a hacker gains access to it, it causes a heck of a problem. It is therefore good practice to move wp-config.php one directory level above the WordPress installation. Remember to move it only one directory level above the WordPress installation (WordPress looks for it exactly one level up and no further).
9) Enable password protection on wp-admin:
Another good practice is to password-protect the wp-admin folder. You can do this easily by setting up htpasswd for it.
If you have any difficulty in doing this, please get the help of your host.
10) Alter the keys in wp-config.php:
You must be aware that wp-config.php stores the confidential information of your WordPress installation. WordPress generates cookies to store the logged-in status of users, and those cookies are tied to the secret keys and salts defined in wp-config.php. It is highly recommended to change the keys if your site gets hacked. The WordPress API provides a tool that generates fresh keys here: https://api.wordpress.org/secret-key/1.1/salt/
Changing these keys forces all users who are currently logged in to log in to the site again.
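To see why rotating the keys logs everyone out, here is an added example that is not WordPress's own code: a simplified model in which a login cookie is signed with a secret key using HMAC-SHA256, and validation fails as soon as the key is replaced. WordPress's real cookie format and key derivation are more involved; the function names, cookie layout and the `editor` user below are assumptions for illustration only.

```python
"""Added example (not WordPress's own code): a simplified model of how a
secret key in wp-config.php binds login cookies, and why rotating it
invalidates every existing session. WordPress's real scheme is more
involved; the HMAC construction here is an illustration."""
import hashlib
import hmac
import secrets
import time


def generate_key():
    """Produce a random 64-byte hex key, the role the salt generator URL plays for wp-config.php."""
    return secrets.token_hex(64)


def issue_cookie(key, username, expires_at):
    """Build 'username|expiry|mac' where mac = HMAC-SHA256(key, 'username|expiry')."""
    payload = f"{username}|{expires_at}"
    mac = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def validate_cookie(key, cookie, now=None):
    """Return the username if the MAC matches the current key and the cookie
    is unexpired; otherwise return None."""
    now = time.time() if now is None else now
    try:
        username, expires_at, mac = cookie.split("|")
    except ValueError:
        return None  # malformed cookie
    expected = hmac.new(key.encode(), f"{username}|{expires_at}".encode(),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the MAC through timing differences.
    if not hmac.compare_digest(mac, expected):
        return None
    if float(expires_at) < now:
        return None
    return username


def rotate_and_check(old_key, cookie, now=None):
    """Simulate the post-incident step: swap in a fresh key and re-validate an
    existing cookie. Returns (new_key, validation_result)."""
    new_key = generate_key()
    assert new_key != old_key
    return new_key, validate_cookie(new_key, cookie, now)


if __name__ == "__main__":
    key = generate_key()
    cookie = issue_cookie(key, "editor", int(time.time()) + 3600)
    print("valid under current key:", validate_cookie(key, cookie))
    _, after = rotate_and_check(key, cookie)
    print("valid after key rotation:", after)  # None: the user must log in again
```

The point the model makes is that no session store needs to be wiped: every outstanding cookie was computed under the old key, so once the key in wp-config.php changes, none of them verify, including any an attacker may have captured.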
These are only some of the steps to increase WordPress security, and they can be implemented by basic bloggers without much technical knowledge. If you take care of these steps, you will have a secure blog.
When you try to use the Jetpack plugin on your WordPress site and get the following error message, follow the steps below to work around the issue:
“Error Details: The Jetpack server was unable to communicate with your site [HTTP 500]. Ask your web host if they allow connections from WordPress.com. If you need further assistance, contact Jetpack Support: http://jetpack.me/support/”
1 Disable all plugins except Jetpack via wp-admin, then try to activate Jetpack.
2 Re-enable all plugins.
When you are trying to edit or add posts via your admin panel and get the above message, you can try the following to recover from the issue:
1 Disable each plugin one by one; I prefer disabling the most recently installed one first.
2 Avoid the plugin that causes the issue.
Most WordPress sites are hacked through vulnerable themes and plugins. Plugins and themes are generally installed through the admin area, so first we need to secure the admin area: please use a strong admin password for your site.
You can also use WordPress firewall plugins to protect your sites.
Plugins and themes can modify the PHP files inside a WordPress site, so if someone hacks your site through a theme or plugin, they may insert malicious code into those PHP files.
So in my opinion you can protect your PHP files and admin area via the following steps.
Here we turn to our .htaccess file to protect us from the injection of backdoors. You'll want to create the .htaccess file inside the /wp-content/uploads directory:
# Stop mod_php from executing anything in the uploads directory.
# Note: php_flag is only understood when PHP runs as an Apache module; on a
# PHP-FPM/FastCGI host it produces a 500 error and must be left out.
php_flag engine off
# Refuse to serve .php files from uploads at all (images and other uploads stay reachable).
<Files *.php>
deny from all
</Files>
To prevent files from being accessed directly, I recommend blocking direct PHP access to /wp-content with the following additions to the .htaccess file in that directory:
# Block direct requests to any .php file under wp-content. Some plugins serve
# PHP files directly from here, so test the site after adding this.
<Files *.php>
deny from all
</Files>
The admin panel (wp-admin) runs on the same domain and with the same privileges as the rest of the application. In a perfect world it would be isolated, but to minimise the risk I recommend restricting wp-admin access to a couple of known addresses (via .htaccess in the wp-admin directory; IP1 and IP2 are placeholders for your own addresses):
# With "Order deny,allow" the Deny rules are evaluated first and the Allow rules
# last, so a client that matches an Allow line is admitted even though
# "deny from all" also matches it. ("Order allow,deny" with these same lines would
# lock everyone out, because "deny from all" would be evaluated last.)
# These are Apache 2.2 directives; Apache 2.4 needs mod_access_compat for them.
Order deny,allow
deny from all
allow from IP1
allow from IP2
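Apache's two-argument Order directive is easy to get backwards, and the result of a mistake is either an open wp-admin or a locked-out administrator. The following is an added example, not code from the original post: a small model of Apache 2.2 mod_access semantics (Order, Allow from, Deny from) that lets you check a rule set against sample client addresses before deploying it. The admin and stranger addresses are constructed placeholders.

```python
"""Added example (not from the original post): a model of Apache 2.2
mod_access semantics for "Order", "Allow from" and "Deny from", used to
check a wp-admin rule set before deployment. Addresses are constructed."""
import ipaddress


def _matches(pattern, client_ip):
    """'all' matches everything; otherwise accept an exact IP or a CIDR block."""
    if pattern == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)


def apache_access(order, rules, client_ip):
    """Return True if the client is admitted.

    rules: list of ("allow" | "deny", pattern) in .htaccess order.
    Order allow,deny: the client must match an Allow and must not match any
                      Deny; unmatched clients are denied.
    Order deny,allow: the client is admitted unless it matches a Deny and no
                      Allow; unmatched clients are allowed.
    """
    allowed = any(_matches(p, client_ip) for kind, p in rules if kind == "allow")
    denied = any(_matches(p, client_ip) for kind, p in rules if kind == "deny")
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unknown Order {order!r}")


# A wp-admin rule set: two admin sources (one host, one subnet) and a catch-all deny.
ADMIN_RULES = [("allow", "198.51.100.10"), ("allow", "203.0.113.0/24"), ("deny", "all")]


def check_lockout(order, rules, admin_ips, stranger_ip):
    """Report whether every admin address gets in and the stranger stays out."""
    return {
        "admins_admitted": all(apache_access(order, rules, ip) for ip in admin_ips),
        "stranger_blocked": not apache_access(order, rules, stranger_ip),
    }


if __name__ == "__main__":
    admins = ["198.51.100.10", "203.0.113.77"]
    for order in ("allow,deny", "deny,allow"):
        print(order, check_lockout(order, ADMIN_RULES, admins, "192.0.2.1"))
```

Run it and the "allow,deny" variant reports `admins_admitted: False`: with that order the `deny from all` line is evaluated last and overrides every Allow, which is the lock-out case. Only "deny,allow" admits the listed addresses while blocking the rest.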
Using the above steps you can protect your site from malicious attacks. 🙂
1 Log in to wp-admin
2 go to Settings > Update Permalinks
3 then Save Changes