Protect and Secure your WordPress blog

Filed in: Make Money Online by admin on 06-03-09

WordPress Security is important

I have a particular blog that kept getting hacked.

Hacked in such a way that either the footer.php or the header.php template file ended up riddled with spam links.

I was clueless as to how the hacker was doing it, despite my best efforts to keep the blog secure, such as setting the file permissions to no access.

Nothing else was affected or defaced; only the spam links were added, for the obvious reason that this particular blog of mine was hacked numerous times due to its high PageRank and good search rankings.

So I did my own CSI, and I have a hunch the spam was added via SQL injection. I also noticed an extra admin user in my database which I did not add.

Plus, I found suspicious PHP files under my “uploads” folder, which might be the source of the spam link insertion.

Suffice to say, my WordPress was breached. So I went online to do more thorough research on making my blog more secure.
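
The two findings above (executable files under the uploads folder, and footer/header templates stuffed with hidden spam links) can be checked for with a script rather than by eye. The following Python is an added example, not code from this post or from WordPress; it builds a small constructed WordPress-like directory tree in a temp folder and runs two checks over it: any file with an executable PHP extension under wp-content/uploads, and any PHP file whose contents show an eval-of-decoded-payload or hidden-link construct. The signature list is a heuristic of my own, not an exhaustive set, and the sample files are constructed.

```python
import os
import re
import tempfile

# Extensions a typical PHP host will execute. Uploads should only hold media,
# so any of these under wp-content/uploads deserves a look.
EXECUTABLE_EXTS = {".php", ".php5", ".phtml", ".phar"}

# Heuristic signatures for injected code: eval() of a decoded payload, and a
# hidden block wrapping a link (the spam-link pattern the post describes).
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded_payload": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "hidden_link_block": re.compile(r"display\s*:\s*none[^<]*<a\s+href", re.I),
}


def _rel(root, path):
    return os.path.relpath(path, root).replace(os.sep, "/")


def find_php_in_uploads(root):
    """Relative paths of executable files anywhere under wp-content/uploads."""
    uploads = os.path.join(root, "wp-content", "uploads")
    hits = []
    for dirpath, _dirs, files in os.walk(uploads):
        for name in files:
            # Judge by the final extension: "avatar.jpg.php" still runs as PHP.
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                hits.append(_rel(root, os.path.join(dirpath, name)))
    return sorted(hits)


def scan_for_injection(root):
    """Map of relative path -> matched signature names, for every PHP file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                body = fh.read()
            matched = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(body)]
            if matched:
                findings[_rel(root, full)] = matched
    return findings


def build_sample_site():
    """Constructed WordPress-like tree: clean files plus three tampered ones."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-content/uploads/2009/06/photo.jpg": "sample bytes standing in for an image",
        "wp-content/uploads/2009/06/cache.php": "<?php eval(base64_decode('aGVsbG8=')); ?>",
        "wp-content/uploads/2009/06/avatar.jpg.php": "<?php echo 'looks like an image name'; ?>",
        "wp-content/themes/default/footer.php":
            '<div style="display:none"><a href="http://spam.invalid/">pills</a></div>',
        "wp-content/themes/mine/footer.php": "<?php wp_footer(); ?></body></html>",
        "wp-includes/functions.php": "<?php function tidy() { return true; }",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print("executable files under uploads:", find_php_in_uploads(site))
    for path, labels in scan_for_injection(site).items():
        print(f"{path}: {', '.join(labels)}")
```

Point it at the root of a real install and the uploads check alone is a quick tell: a media folder should contain no PHP at all, whatever the file is called. The content signatures will miss obfuscation they do not know about, so treat a clean result as "nothing obvious", not as proof the site is untouched.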

It took me the whole day, but I went through the process below to make my blogs more secure. I hope these security measures are enough, and I hope I don’t have to do this ‘upgrade’ again, as it’s a pain in the ass considering I have plenty of blogs!

Backup Database

Before making any changes or edits to your blog, this is the most important thing you should do first, so you can revert to the old database if any screw-ups happen.

You can back up your DB from your control panel; most, if not all, come with a database backup feature. Save the DB locally.

I used these security WordPress plugins

The WordPress plugins below work well on the latest version of WordPress with no problems. If I had known about them earlier, I would have used them.

  1. AntiVirus - AntiVirus for WordPress is a smart and effective solution to protect your blog against exploits and spam injections.
  2. Limit Login Attempts - Limit rate of login attempts, including by way of cookies, for each IP.
  3. Wordpress Firewall - Blocks suspicious-looking requests to WordPress.
  4. WP Security Scan - Perform security scan of WordPress installation.

Changed FTP password

I found that I had used a very generic password for my server, so I used the password generator provided by the ‘WP Security Scan’ plugin above.

I replaced the old password, which was easy to guess (perhaps by brute force), with a much stronger one. You can also use Google to find password generator sites.
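
Instead of a web-based generator, the password can be produced locally from the operating system's random source, which serves the FTP password here and the WordPress password changed later in the post equally well. The following Python is an added example, not code from this post or from the WP Security Scan plugin; it generates a password that contains every character class, reports how many bits of entropy the chosen length gives, and includes a small check for the kind of short, few-class password the post calls generic. The symbol set is an assumption; trim it if your FTP client or host rejects some characters.

```python
import math
import secrets
import string

# Symbol set assumed to be accepted by common FTP and WordPress login forms;
# trim it if your host rejects some characters.
SYMBOLS = "!@#$%^&*()-_=+[]{}:,.?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def _classes(candidate):
    """Number of character classes (lower, upper, digit, symbol) present."""
    return sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in SYMBOLS for c in candidate),
    ])


def generate_password(length=24, alphabet=ALPHABET):
    """Password drawn from the OS CSPRNG, resampled until all four classes appear."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    if _classes(alphabet) < 4:
        raise ValueError("alphabet must contain lower, upper, digit and symbol characters")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if _classes(candidate) == 4:
            return candidate


def entropy_bits(length=24, alphabet=ALPHABET):
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(set(alphabet)))


def looks_weak(candidate, min_length=12):
    """Flags the short, few-class 'generic' passwords the post warns about."""
    return len(candidate) < min_length or _classes(candidate) < 3


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.0f} bits)")
```

The `secrets` module is the right source here; `random` is seeded predictably and is not meant for credentials. Twenty-four characters over this 84-symbol alphabet is a little over 150 bits, far beyond what any online brute-force attempt against a login form can reach, so the limiting factor becomes where the password is stored, not how it was generated.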

Exclude folders in robots.txt

Ensure that your robots.txt excludes the folders that you don’t want indexed by search engines.

Hackers use such search-engine-indexed information to find blogs with vulnerabilities.

My robots.txt

User-agent: *
Disallow: /*?*
Disallow: /*?
Disallow: /?s=
Disallow: /tag/
Disallow: /rss/
Disallow: /feed/
Disallow: /category/
Disallow: /trackback/
Disallow: /comments/feed/
Disallow: /cgi-bin/
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/
Disallow: /wp-content/cache/
Allow: /wp-content/uploads/
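
To see what this robots.txt actually tells a crawler, here is an added Python evaluator (my example, not part of the post and not WordPress code) that parses the file above and decides per URL path using the longest-match rule Google documents for robots.txt: the most specific matching pattern wins, and Allow wins a tie. It supports the `*` wildcard and the `$` end anchor. The file is embedded as ROBOTS_TXT so the script runs offline; the sample paths are constructed.

```python
import re

# The robots.txt from the post, embedded as test input.
ROBOTS_TXT = """\
User-agent: *
Disallow: /*?*
Disallow: /*?
Disallow: /?s=
Disallow: /tag/
Disallow: /rss/
Disallow: /feed/
Disallow: /category/
Disallow: /trackback/
Disallow: /comments/feed/
Disallow: /cgi-bin/
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/
Disallow: /wp-content/cache/
Allow: /wp-content/uploads/
"""


def parse_rules(text, agent="*"):
    """[(allow, pattern), ...] from the group addressed to `agent`, in file order."""
    rules, in_group = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            in_group = value.lower() == agent.lower()
        elif key in ("allow", "disallow") and in_group and value:
            rules.append((key == "allow", value))
    return rules


def _pattern_matches(pattern, path):
    """robots.txt pattern -> prefix match with `*` wildcard and `$` end anchor."""
    anchored = pattern.endswith("$")
    core = pattern[:-1] if anchored else pattern
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in core)
    return re.match(regex + ("$" if anchored else ""), path) is not None


def is_allowed(rules, path):
    """Longest matching pattern wins; Allow beats Disallow on equal length."""
    best = None                                   # (pattern length, allow?)
    for allow, pattern in rules:
        if _pattern_matches(pattern, path):
            length = len(pattern)
            if best is None or length > best[0] or (length == best[0] and allow):
                best = (length, allow)
    return True if best is None else best[1]


def crawl_decisions(text, paths, agent="*"):
    rules = parse_rules(text, agent)
    return {p: is_allowed(rules, p) for p in paths}


if __name__ == "__main__":
    sample = ["/", "/wp-admin/", "/wp-content/uploads/2009/06/photo.jpg",
              "/wp-content/plugins/some-plugin/readme.txt", "/?s=wordpress",
              "/2009/06/my-post/?replytocom=5", "/2009/06/my-post/"]
    for path, ok in crawl_decisions(ROBOTS_TXT, sample).items():
        print(f"{'allow' if ok else 'block':5} {path}")
```

Running it confirms two things about the file: the `Allow: /wp-content/uploads/` line does override the broader `Disallow: /wp-content/` because it is the longer match, and `/*?*` catches every URL carrying a query string, including search and reply-to-comment links. Keep in mind that robots.txt is advisory and publicly readable: it steers cooperating crawlers away from these paths, but it does not stop anyone from requesting /wp-admin/ directly. That job belongs to the .htaccess rules further down the post.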

Edit .htaccess at root

I added the code below to my .htaccess at the blog root level. This means nothing and no one can tamper with your important wp-config.php file.

All IPs and users are denied access to it. Only those with FTP permission can access it.

# protect wpconfig.php
<files wp-config.php>
Order deny,allow
deny from all
</files>

Add .htaccess in wp-admin

I added a .htaccess file to the wp-admin folder, as this ensures only YOU have access to the administrative panel. Of course you’ll need to know your IP; you can check it online.

Then add your IP below, replacing xxx.xxx.xxx.xxx with yours. But if you’re like me and have a dynamic IP that changes, you can still use the method below.

Although my IP changes, the first two octets are always the same, so I used xxx.xxx only. This lessens the chances of outside tampering by whatever Russian or South American hacking bot there may be.

If the IP doesn’t match the ones you’ve set below, the user is redirected to a 404 page.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
allow from xxx.xxx.xxx.xxx
allow from xxx.xxx.xxx.xxx
</LIMIT>
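
The access decision those directives produce can be modelled in a few lines, which makes it easy to see exactly who a partial address lets in. This is an added Python example, not Apache code and not from the post; it emulates `deny from all` followed by `allow from` entries under `Order deny,allow`, including the partial-address form (`allow from 203.0`) the post uses for a dynamic IP, plus a CIDR form for comparison. The addresses are constructed from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.

```python
import ipaddress


def _rule_matches(client, rule):
    """True if IPv4 `client` falls inside one allow-from rule."""
    if "/" in rule:                                   # CIDR form, e.g. 203.0.113.0/24
        return client in ipaddress.ip_network(rule, strict=False)
    octets = rule.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address or dotted prefix: {rule!r}")
    if len(octets) == 4:                              # full address
        return client == ipaddress.ip_address(rule)
    # Partial address (1-3 leading octets), the form the post uses as xxx.xxx:
    # Apache's "allow from 203.0" admits every address starting with 203.0.
    return str(client).split(".")[:len(octets)] == octets


def ip_allowed(client_ip, allow_rules):
    """Decision for `deny from all` plus the allow-from list under Order deny,allow."""
    client = ipaddress.ip_address(client_ip)
    if client.version != 4:
        return False            # the post's rules are IPv4-only; IPv6 stays denied
    return any(_rule_matches(client, rule) for rule in allow_rules)


def addresses_covered(rule):
    """How many IPv4 addresses a dotted prefix admits (a 2-octet prefix is a /16)."""
    octets = rule.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"not a dotted prefix: {rule!r}")
    return 256 ** (4 - len(octets))


if __name__ == "__main__":
    rules = ["203.0"]                                 # constructed, RFC 5737 range
    for ip in ["203.0.113.5", "203.0.42.200", "198.51.100.7", "2001:db8::1"]:
        print(f"{ip:16} {'allowed' if ip_allowed(ip, rules) else 'denied'}")
    print("addresses admitted by 203.0:", addresses_covered("203.0"))
```

Two things are worth knowing when copying the directives above. `<Limit GET>` confines the rules to GET (and HEAD); other methods such as POST are not covered by that section, which is why the Apache documentation recommends placing access-control directives outside `<Limit>`. And on Apache 2.4 the Order/Deny/Allow directives are replaced by `Require ip 203.0`, which accepts the same partial-address syntax. The `addresses_covered` helper makes the trade-off of a two-octet prefix explicit: it admits 65,536 addresses, everyone in that /16, not just you. The function only returns the decision; what the server sends back on a denial is up to Apache, and by default that is a 403 Forbidden.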

Delete install.php

Most say this isn’t necessary, but it gives me peace of mind knowing the install file is deleted. You can do so by going to the wp-admin folder and deleting install.php.

Add a blank index.php

I did the following so my server folders won’t be listed when someone browses my WordPress directories. It is advised that you add a blank index.php to the following folder locations, so no directory listings can be produced.

  • wp-includes
  • wp-content
  • wp-content/plugins
  • wp-content/themes
  • wp-content/uploads
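
Creating those placeholder files by hand on every blog is tedious. The added Python below (my example, not from the post or WordPress) walks the list of directories above, reports which ones lack an index.php, and creates one only where it is missing, never overwriting a file that is already there. It builds a constructed sample tree in a temp directory so it runs stand-alone; the placeholder content is the comment WordPress itself ships in its own index.php files.

```python
import os
import tempfile

# Folders the post lists. With a placeholder index.php present, a request for the
# folder URL serves the (empty) page instead of an auto-generated file listing.
LISTING_DIRS = ["wp-includes", "wp-content", "wp-content/plugins",
                "wp-content/themes", "wp-content/uploads"]

# The comment WordPress itself puts in its placeholder index.php files.
BLANK_INDEX = "<?php\n// Silence is golden.\n"


def dirs_without_index(root, dirs=LISTING_DIRS):
    """Listed folders that exist under root but have no index.php."""
    return [d for d in dirs
            if os.path.isdir(os.path.join(root, d))
            and not os.path.isfile(os.path.join(root, d, "index.php"))]


def add_blank_indexes(root, dirs=LISTING_DIRS):
    """Create the missing placeholders; existing index.php files are left untouched."""
    created = []
    for d in dirs_without_index(root, dirs):
        # "x" mode fails rather than overwrites if a file appears in the meantime.
        with open(os.path.join(root, d, "index.php"), "x", encoding="utf-8") as fh:
            fh.write(BLANK_INDEX)
        created.append(d)
    return created


def build_listing_sample():
    """Constructed tree: all listed folders, one of which already has a placeholder."""
    root = tempfile.mkdtemp(prefix="wp-listing-")
    for d in LISTING_DIRS:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    with open(os.path.join(root, "wp-content", "plugins", "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php // pre-existing placeholder, must not be overwritten\n")
    return root


def read_index(root, d):
    with open(os.path.join(root, d, "index.php"), encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    site = build_listing_sample()
    print("missing before:", dirs_without_index(site))
    print("created:", add_blank_indexes(site))
    print("missing after:", dirs_without_index(site))
```

Run `dirs_without_index` on its own first to see what would change; `add_blank_indexes` then only touches those folders. The same goal can be reached server-wide with `Options -Indexes` in the root .htaccess, which disables directory listing for every folder at once; the placeholder files remain useful on hosts where that directive is not permitted, and the two measures do not conflict.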

Remove default theme

Since I create and use my own WordPress theme, I decided to delete the default theme folder.

When I checked the default theme folder, which had been left intact, I found it contained spam links and suspicious files.

It’s better to have just the current theme present on your WordPress server, to minimize spam link injection.

Changed WordPress password

As with the FTP password, I changed it to a much stronger one.

Remove admin username

By default, all WordPress blogs are installed with the admin username. If at all possible, change it, as it’s an easy target for hackers since they already know the username.

They then only need to find the right password to get access to your blog, which they can do by brute force.

I changed my username via phpMyAdmin; most server control panels have it. The steps are: go to “control panel > SQL database > phpMyAdmin > choose the wp database > choose wp_users > browse user_login > edit the admin username and change it to another”.
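
The phpMyAdmin steps above come down to one UPDATE on wp_users. The added Python example below (mine, not the post's and not WordPress code) uses an in-memory SQLite database as a stand-in for the MySQL tables so it runs offline; the sample rows, including a second administrator that the site owner never created (the situation described earlier in the post), are constructed. It lists which accounts hold the administrator capability by reading wp_usermeta, reports any that are not on your expected list, and renames a login while refusing to collide with an existing one.

```python
import re
import sqlite3

# Stand-in for the two WordPress tables involved. SQLite keeps the example
# offline; the statements are the same shape you would run in phpMyAdmin.
SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY,
    user_login TEXT NOT NULL UNIQUE,
    user_email TEXT
);
CREATE TABLE wp_usermeta (
    umeta_id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    meta_key TEXT,
    meta_value TEXT
);
"""


def _check_prefix(prefix):
    # The prefix is spliced into table names, so allow only identifier characters.
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError(f"bad table prefix: {prefix!r}")


def build_sample_db():
    """Constructed data: the owner's admin, an editor, and an admin nobody created."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO wp_users (ID, user_login, user_email) VALUES (?, ?, ?)",
        [(1, "admin", "owner@example.com"),
         (2, "editor1", "editor@example.com"),
         (3, "wpsupport", "nobody@example.com")])
    # WordPress stores roles as a PHP-serialized array in <prefix>capabilities.
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
        [(1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
         (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
         (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}')])
    conn.commit()
    return conn


def list_administrators(conn, prefix="wp_"):
    """Logins of every account whose capabilities include the administrator role."""
    _check_prefix(prefix)
    rows = conn.execute(
        f"SELECT u.user_login FROM {prefix}users u "
        f"JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? AND m.meta_value LIKE ? ORDER BY u.user_login",
        (prefix + "capabilities", '%"administrator"%')).fetchall()
    return [r[0] for r in rows]


def unexpected_administrators(conn, expected, prefix="wp_"):
    """Administrators not on the list of accounts you know you created."""
    return sorted(set(list_administrators(conn, prefix)) - set(expected))


def rename_user(conn, old_login, new_login, prefix="wp_"):
    """The UPDATE behind the phpMyAdmin steps; returns the number of rows changed."""
    _check_prefix(prefix)
    if conn.execute(f"SELECT 1 FROM {prefix}users WHERE user_login = ?",
                    (new_login,)).fetchone():
        raise ValueError(f"login {new_login!r} already exists")
    cur = conn.execute(f"UPDATE {prefix}users SET user_login = ? WHERE user_login = ?",
                       (new_login, old_login))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    print("administrators:", list_administrators(db))
    print("not created by me:", unexpected_administrators(db, ["admin"]))
    print("rows renamed:", rename_user(db, "admin", "site_owner_2009"))
    print("administrators now:", list_administrators(db))
```

Take the database backup from the top of the post before running the UPDATE for real. Renaming the login does not change user_nicename, the slug WordPress uses in author archive URLs, so check that column in the same table as well; and an administrator you did not create is worth more than deletion, since how it got there is the question the file checks earlier in the post help answer.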

Testing

Log out and log in again to test the new username.

Use a proxy site to test the .htaccess file in your wp-admin folder.

Post from: Sha Money Maker
