Thursday, 2 May 2013

Wordpress Security

WordPress is a free, open source blogging tool and content management system (CMS) based on PHP and MySQL. It has features like a plug-in architecture and a template system.
Every hosted website has its own control panel (cPanel).
So to secure your website, first open your cPanel and log in with your details.

Now Go to File Manager and click on <Show Hidden Files>.

A new window opens; in it there is a file named <.htaccess>. Open it with the Code Editor.

Append the following lines to your <.htaccess> file (replace yourdomain.com with your own domain):
# Protect .htaccess itself (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead)
<files .htaccess>
order allow,deny
deny from all
</files>

# Cap request bodies at roughly 10 MB
LimitRequestBody 10240000

# mod_security 1.x directive; guarded so it does not cause a 500 error on servers without the module
<IfModule mod_security.c>
SecFilterInheritance Off
</IfModule>

# For WordPress sites: block direct web access to wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

ErrorDocument 404 /notfound.php
ErrorDocument 403 /forbidden.php
ErrorDocument 500 /error.php

# Disable directory listings (plain hyphen before Indexes, not a dash)
Options All -Indexes

RewriteEngine On

# Hotlink protection, left disabled as in the original. Uncomment all three lines together:
# RewriteCond lines only apply to the very next RewriteRule, so leaving the conditions
# active while the rule is commented out would wrongly attach them to the redirect below.
#RewriteCond %{HTTP_REFERER} !^$
#RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
#RewriteRule \.(gif|jpg|png)$ http://www.yourdomain.com/donnotsteal.gif [R,L]

# Redirect the bare domain to the www hostname
RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [R=301,L]

# Comment spam: bounce POSTs to wp-comments-post.php that carry no referer from your
# domain, or no user agent at all, back to the sender's own address
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_REFERER} !.*yourdomain\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]


Protecting a website or web server is possible only by continued effort:
Use Open Source Scripts
Update Constantly
Use Strong Passwords
Secure Admin Email Address
Add a Database Table Prefix
Password protect the Database
Delete the Installation Folder
Change File & Folder Permissions
Use Secured FTP Access
Restrict Root Access
Ensure the presence of .htaccess file
Add robots.txt file
Use security plugins
Read leading Tech Blogs
Stay away from Nulled Scripts & Themes

Securing Guestbooks - htmlspecialchars();
htmlspecialchars() is a really useful function: you can use it to take the comment the user has written and escape all the HTML in it before it is displayed. A guestbook without htmlspecialchars() filtering renders whatever markup the visitor typed, so a comment could show up as huge heading tags, or as tiny tags, or as anything else the visitor chose to put in.

Javascript injections - How To Avoid Them?!

JavaScript can do many different things; a great example is sending you a popup that forces you to either cancel or press OK. Believe it or not, the code to make that happen is very easy, and my cousin who is 7 could do it.
<script>alert('This is a javascript Alert!');</script>
That just makes a simple alert, which you are forced to take action upon. Anyone could copy that code and paste it into a guestbook; the tricky part is how to stop it. Here is what you should do first: filter the code, that is, escape it with htmlspecialchars() before it is displayed.
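The guestbook problem from the two sections above, as an added example that is not code from the original post: the same visitor comments rendered once verbatim and once through htmlspecialchars(). The comments, including the alert payload quoted above, are constructed sample input.

```php
<?php
// Added example (not from the original post): rendering guestbook comments
// with and without htmlspecialchars(). The sample comments are constructed.
declare(strict_types=1);

// Unsafe: the comment is echoed verbatim, so any tags the visitor typed
// become live HTML (and live scripts) in every other visitor's browser.
function render_comment_unsafe(string $comment): string
{
    return "<li>" . $comment . "</li>";
}

// Safe: htmlspecialchars() turns <, >, &, " and ' into entities, so the
// browser shows the text literally instead of parsing it as markup.
// ENT_QUOTES covers single quotes too; the charset must match the page's.
function render_comment_safe(string $comment): string
{
    $escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<li>" . $escaped . "</li>";
}

// Constructed sample comments: one harmless, one that would render as a
// huge heading, one that would run as a script.
$samples = [
    "Nice site!",
    "<h1>HUGE TAGS LIKE THIS</h1>",
    "<script>alert('This is a javascript Alert!');</script>",
];

foreach ($samples as $comment) {
    echo "unsafe: " . render_comment_unsafe($comment) . "\n";
    echo "safe:   " . render_comment_safe($comment) . "\n\n";
}
```

htmlspecialchars() is the right tool for text placed in the HTML body or inside a quoted attribute; a value placed into a URL, a CSS block or a script block needs that context's own encoding instead.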

How To Avoid Cookie Hijacking and Cross Site Scripting (XSS)

Cross site scripting is basically altering sessions on your site, or stealing cookies from other users and using them to force your way into their accounts. A good video on this can be located here.
There are three easy ways to reduce this risk.
1) Stop JavaScript injections and redirections
2) Do not save passwords and usernames as cookies on your site.
3) Encrypt users' passwords
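Points 2 and 3 above, as an added example that is not code from the original post. In place of "encrypting" passwords it uses PHP's password_hash()/password_verify(), a one-way salted hash, and it keeps only an opaque session id in the browser with cookie flags that stop scripts from reading it. The user store is a constructed in-memory array; the function names are this example's own.

```php
<?php
// Added example (not from the original post): never keep credentials in
// cookies, and never store a password in a form that can be read back.
// $users is a constructed in-memory stand-in for a database table.
declare(strict_types=1);

// Store only a salted, slow, one-way hash; password_hash() generates the
// salt itself and embeds it in the result.
function register(array &$users, string $name, string $password): void
{
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

// Check the submitted password against the stored hash. The plaintext is
// never persisted, and the stored value cannot be reversed if it leaks.
function login(array $users, string $name, string $password): bool
{
    return isset($users[$name]) && password_verify($password, $users[$name]);
}

// On success, record the user in the server-side session. The browser only
// receives an opaque session id, never the username or password, and the
// flags keep scripts (HttpOnly) and plain HTTP (Secure) away from it.
function start_authenticated_session(string $name): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
    session_regenerate_id(true);   // fresh id after login defeats fixation
    $_SESSION['user'] = $name;
}

$users = [];
register($users, 'alice', 'correct horse battery staple');

if (login($users, 'alice', 'correct horse battery staple')) {
    start_authenticated_session('alice');   // must run before any output
    echo "login accepted, session started for alice\n";
}
echo login($users, 'alice', 'wrong') ? "accepted\n" : "wrong password rejected\n";
```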

Secure your Wordpress Site

1. Regularly Update WordPress: Updating WordPress is possible from within the Dashboard, but always take a backup of your database before doing so.
2. Keep Regular Backups: An important procedure for all WordPress blog owners is to ensure that backups are made regularly and that they can easily be restored should the worst happen.
3. Install an Encrypted Login Plugin.
4. Hide “Powered by WordPress”: By default this information can be found in the footer.php file, reached by entering your blog’s Dashboard and selecting Appearance > Editor to edit within the browser window. Different themes will require different methods for removing this text, so you should check online to find the best approach (if plain text is used to display the legend, then delete this; if PHP code is used, tread carefully unless you know what you’re doing).
5. Change Admin Username: The administrator username in WordPress can be selected when the software is set up, but in the rush to get things done many users leave it at the default choice of “admin”. As obvious usernames go, this comes at the top of the list, which is why changing it is important.
Two ways exist for changing the admin username. First, you can create a second administrator account with a username which isn’t obvious, and then delete the original user. Note, however, that this might have an effect on any articles written under the administrator account (they’ll perhaps be unpublished until a new name is set, or display an error on the post page).
Probably the most effective way to do this is to access your site’s phpMyAdmin, select the WordPress database, find the wp_users table (“wp_” is a default prefix which may have been changed at installation) and use the Browse icon to find the “admin” username.

Find the user_login column, click the edit button on the appropriate row and then change “admin” to your preferred administrator account login name, clicking Go when you’re done.

6. Move the wp-config File: The wp-config.php file contains the admin login details as well as the username and password for the MySQL database. One thing you shouldn’t do, however, is delete wp-config, as this would leave your site unusable.

1 comment:

Thank you for providing the information. I would like to see some more blogs on this topic The WP Cerber