In previous articles , we looked at ways to eliminate the consequences of hacking sites on WordPress and general security issues, and in this article we’ll look at the real measures to protect your site from hacking:
1. Remove information about the CMS version
By default, in the header of the site WordPress displays information about the current version in the meta tag (on how to remove it, see our article on clearing the wp_head () ).
2. Add salts
The wp-config.php file contains a series of constants containing unique character sets that are added when the user registers and authenticates and complicates the possibility of hacking his account. Replace their value with unique ones, if you do not want to invent yourself, use the special service from the developers https://api.wordpress.org/secret-key/1.1/salt/
3. Specify a unique prefix for the tables
The prefix of the table is added before the table name in the database, do not use the standard wp _ , this will make it easier for the attacker to know the name of your tables in the database in advance. Make it unique, for example str345 _ . The easiest way to set a unique prefix when installing a site, if the database is already created, then you will need to manually change the table names in the database and register a new value in wp-config.php, the variable $ table_prefix.
You can also rename the tables by querying:
RENAME table `wp_commentmeta` TO `str345_commentmeta`; RENAME table `wp_comments` TO `str345_comments`; RENAME table `wp_links` TO `str345_links`; RENAME table `wp_options` TO `str345_options`; RENAME table `wp_postmeta` TO `str345_postmeta`; RENAME table `wp_posts` TO `str345_posts`; RENAME table `wp_terms` TO `str345_terms`; RENAME table `wp_term_relationships` TO `str345_term_relationships`; RENAME table `wp_term_taxonomy` TO `str345_term_taxonomy`; RENAME table `wp_usermeta` TO `str345_usermeta`; RENAME table `wp_users` TO `str345_users`; UPDATE `str345_options` SET `option_name` = 'str345_user_roles' WHERE `str345_options`.`option_id` =96; UPDATE `str345_usermeta` SET `meta_key` = 'str345_capabilities' WHERE `str345_usermeta`.`umeta_id` =5; UPDATE `str345_usermeta` SET `meta_key` = 'str345_user_level' WHERE `str345_usermeta`.`umeta_id` =7;
4. Hide the admin area
The standard path to the /pp-login.php login page is known to everyone. This is another trump card in the hands of the burglar. Open the wp-login.php file from the root directory of the site in the editor and change the name wp-login.php to a new name everywhere, for example adminka749.php or whatever. In version 3.4, you need to do this in 13 different places. Then, just rename the file. The main thing, do not forget the new address yourself :).
5. Protection measures in .htaccess
Below are some rules forbidding external access to wp-cohfig.php files and .htaccess itself, as well as a ban on viewing the contents of directories on the site, adding this rule to the .htaccess file in the root directory of the site:
# Prohibition of access to wp-config.php <files wp-config.php> order allow,deny deny from all </files> # Prohibition of access to .htaccess <files .htaccess=""> order allow,deny deny from all </files> # Empty index instead of directory Options All -Indexes
We really hope that these measures will help you protect your site, but remember, the main security measure is your own vigilance.