WordPress is a free open source blogging tool and a content management system (CMS) based on PHP and MYSQL. It has features like plug-in architecture and a template system.
Every website have its own control panel (Cpanel).
So to Secure Website you have to open your Cpanel and login with your details.
Now Go to File Manager and click on <Show Hidden Files>.
Now A New Window Opens and there is file named as <.htaccess> File and open with Code Editor.
Append Following Lines in your <.htaccess> File.
<files .htaccess>
order allow,deny
deny from all
</files>
LimitRequestBody 10240000
SecFilterInheritance Off
<files wp-config.php> [For Wordpress Sites]
order allow,deny
deny from all
</files>
ErrorDocument 404 /notfound.php
ErrorDocument 403 /forbidden.php
ErrorDocument 500 /error.php
Options All –Indexes
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
#RewriteRule \.(gif|jpg|png)$ http://www.yourdomain.com/donnotsteal.gif [R,L]
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [R=301,L]
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{H
TTP_REFERER} !.*yourdomain.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
Protecting a website or web server is possible only by continued efforts.
Use Open Source Scripts
Update Constantly
Use Strong Passwords
Secure Admin Email Address
Add a Database Table Prefix
Password protect the Database
Delete the Installation Folder
Change File & Folder Permissions
Use Secured FTP Access
Restrict Root Access
Ensure the presence of .htaccess file
Add robots.txt file
Use security plugins
Read leading Tech Blogs
Stay away from Nulled Scripts & Themes
Securing Guestbooks - htmlspecialchars();
Htmlspecialchars(); function is a really useful function, you can use it to take the comment that the user has written, and filter all HTML coding in it, example.A guestbook without htmlspecialchars(); filteration could have HUGE TAGS LIKE THIS Or it could have tiny tags like so.
Javascript injections - How To Avoid Them?!
Javascript scripts can do various different things, a great example is send you a popup which forces you to either cancel, or press Okay. Believe it or not, the coding to make that happen is very easy, and my cousin who is 7 could do it.
<script>alert(‘This is a javascript Alert! ‘);</script>
That just makes a simple alert. Which you are forced take action upon it. Any person on our Planet could copy that code and paste it into a guestbook, but the tricky part is how to stop it! Well heres what you could do first. You could filter the code.
How To Avoid Cookie Hijacking and Cross Site Scripting (XSS)
Cross site scripting is basically, altering sessions on your site, or stealing cookies from other users, and using them for you to force your way into their account. A good video on this can be located here.
There are three easy ways to do this.
1) Stop Javascript Injections and Redirections
2) Do not save passwords and usernames as cookies on your site.
3) Encrypt Users Passwords
Secure your Wordpress Site
1. Regularly Update WordPress:Updating WordPress is possible from within the Dashboard, but always take a backup of your database before doing so.
2. Keep Regular Backups:An important procedure for all WordPress blog owners is to ensure that backups are made regularly and that they can easily be restored should the worse happen.
3. Install an Encrypted Login Plugin.
4. Hide “Powered by WordPress”:By default this information can be found in the footer.php file, reached by entering your blog’s Dashboard, selecting Appearance > Editor to edit within the browser window. Different themes will require different methods for removing this text, so you should check online to find the best approach (if plain text is used to display the legend, then delete this; if PHP code is used, tread carefully unless you know what you’re doing).
5. Change Admin Username:The administrator username in WordPress can be selected when the software is setup, but in the rush to get things done many users leave it at the default choice of “admin”. As obvious usernames go, this comes at the top of the list, which is why changing it is important.
Two ways exist for changing the admin username. First, you can create a second administrator account with a username which isn’t obvious, and then delete the original user. Note, however, that this might have an effect on any articles written under the administrator account (they’ll perhaps be unpublished until a new name is set, or display an error on the post page).
Probably the most effective way to do this is to access your site’s phpMyAdmin, select the WordPress database, find the wp_users table (“wp_”is a default prefix which may have been changed at installation) and use the Browse icon to find the “admin” username.
Find the user_login column, click the edit button on the appropriate row and then change “admin” to your preferred administrator account login name, clicking Go when you’re done.
6. Move the wp-config File:The wp-config.php file contains the admin login details as well as the username and password for the MySQL database.One thing you shouldn’t do, however, is delete wp-config – this would leave your site unusable.