This article is a continuation of our Protecting WordPress article, and contains other more advanced steps.
Installing a plugin to rate-limit login attempts is a step in the right direction. However, a .htaccess rule that restricts who can reach wp-login.php at all is likely one of the best protections. Replace xx.xx.xx.xx with the IP address(es) you administer the site from:

<FilesMatch "wp-login\.php">
Order Allow,Deny
Allow from xx.xx.xx.xx
Deny from all
</FilesMatch>

Note that Order/Allow/Deny is Apache 2.2 syntax; on Apache 2.4 the equivalent is Require ip xx.xx.xx.xx (the older form still works only while mod_access_compat is loaded).
Removing the WordPress version (generator) information is done in two places. The first is the meta generator tag in your template, found in wp-content/{name of your WordPress theme}/header.php. Look for the generator meta tag in that file and remove it. The other element is in your RSS feed. Open wp-includes/general-template.php and look around line 1858 for:

function the_generator( $type ) {
    echo apply_filters('the_generator', get_the_generator($type), $type) . "\n";
}

Put a hash in front of the echo command so that the line is commented out and the function looks like this:

function the_generator( $type ) {
    #echo apply_filters('the_generator', get_the_generator($type), $type) . "\n";
}

Keep in mind that wp-includes/ is part of WordPress core, so this edit is overwritten by every WordPress update and has to be reapplied afterwards.
If posting unfiltered HTML is not necessary for the form and function of your site, disable it. Add the following to your wp-config.php file:

define( 'DISALLOW_UNFILTERED_HTML', true );
1. To disable directory listings, add the following to a .htaccess file:

Options -Indexes

2. Make sure PHP source code is never revealed:

a. Your site's wp-includes/ directory is the most important one to block. Find the .htaccess file there and insert (the RewriteEngine directive must be present, or the rule is ignored):

RewriteEngine On
RewriteRule ^(wp-includes)\/.*$ ./ [NC,R=301,L]

b. If there are or will be subdirectories of wp-includes/, add each one to the same rule in the same .htaccess configuration file:

RewriteRule ^(wp-includes|subdirectory-name-here)\/.*$ ./ [NC,R=301,L]
1. Remember to only install plugins offered through the WordPress control panel, since external plugins may not be secure. Most plugins offered from WordPress.org are regularly audited for the benefit of your security.
2. Guard against brute force attacks. Thousands of failed login attempts happen on servers every day. While we do provide firewall protection to help defend against attacks like this, there are steps you can take as well!
a. Plugins like Limit Login Attempts can help you defend your account from brute force attacks:
b. http://wordpress.org/extend/plugins/limit-login-attempts/
c. http://wordpress.org/extend/plugins/si-captcha-for-wordpress/
3. Exploit Scanner: http://wordpress.org/extend/plugins/exploit-scanner/
4. Install other useful plugins, such as Bad Behavior and User Spam Remover.
1. Monitor for malware every day. Services that can do this for you: http://www.sitelock.com/ and http://sucuri.net/introducing-server-side-scanning.html
2. Do something about it. The tools above will actually help you resolve the issues that come up. Make sure that you are proactive in taking care of possible infections immediately.
1. Just like you complete daily chores around the house, you should regularly clean up your site and files that you do not need.
2. Having old files on your account can leave you vulnerable, even if you've deactivated the old plugin or kept a backup of an old version in your web folder.
3. Stay clean and keep things organized - you should know all the files on your account well enough to identify when something is there that shouldn't be.
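The following script is an added example and is not part of the original article: it audits a WordPress document root for the settings described above (Options -Indexes, the wp-login.php FilesMatch block, DISALLOW_UNFILTERED_HTML, the wp-includes/ rewrite rule) and for leftover backup or archive files of the kind this section warns about. The regular expressions, the stale-file patterns and the sample site built by make_sample_site are constructed for illustration; point audit_site at a real docroot to use it.

```shell
#!/bin/sh
# Added example, not code from the original article: audit a WordPress docroot for the
# hardening steps described above. Regexes and the sample tree from make_sample_site
# are constructed for illustration; run audit_site against a real docroot to use it.

# has_setting FILE REGEX -> exit 0 when FILE exists and a line matches REGEX (case-insensitive)
has_setting() { [ -f "$1" ] && grep -Eiq "$2" "$1"; }

# no_stale_files DIR -> exit 0 when no leftover *.bak/*.old/*.zip files exist under DIR
no_stale_files() {
    [ -z "$(find "$1" -type f \( -name '*.bak' -o -name '*.old' -o -name '*.zip' \) | head -n 1)" ]
}

# check DESCRIPTION COMMAND... -> runs COMMAND, prints ok/FAIL, counts failures in $fails
check() {
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# audit_site DOCROOT -> prints one line per check, returns the number of failed checks
audit_site() {
    r=$1; fails=0
    check "directory listing disabled (Options -Indexes)" \
        has_setting "$r/.htaccess" '^[[:space:]]*Options[[:space:]]+-Indexes'
    check "wp-login.php access restricted by <FilesMatch>" \
        has_setting "$r/.htaccess" '<FilesMatch[^>]*wp-login'
    check "unfiltered HTML disabled in wp-config.php" \
        has_setting "$r/wp-config.php" "DISALLOW_UNFILTERED_HTML'?,[[:space:]]*true"
    check "direct requests to wp-includes/ redirected" \
        has_setting "$r/wp-includes/.htaccess" '^[[:space:]]*RewriteRule[[:space:]]+\^\(wp-includes'
    check "no stale backups or archives left in the docroot" no_stale_files "$r"
    return "$fails"
}

# make_sample_site hardened|weak -> builds a constructed docroot in a temp dir, prints its path
make_sample_site() {
    d=$(mktemp -d); mkdir -p "$d/wp-includes"
    if [ "$1" = hardened ]; then
        printf 'Options -Indexes\n<FilesMatch "wp-login\\.php">\nOrder Allow,Deny\n' > "$d/.htaccess"
        printf 'Allow from 203.0.113.10\nDeny from all\n</FilesMatch>\n' >> "$d/.htaccess"
        printf "<?php\ndefine( 'DISALLOW_UNFILTERED_HTML', true );\n" > "$d/wp-config.php"
        printf 'RewriteEngine On\nRewriteRule ^(wp-includes)\\/.*$ ./ [NC,R=301,L]\n' > "$d/wp-includes/.htaccess"
    else
        printf 'Options +Indexes\n' > "$d/.htaccess"
        printf '<?php\n' > "$d/wp-config.php"
        : > "$d/wp-config.php.bak"   # leftover copy of the kind the article warns about
    fi
    echo "$d"
}

if [ $# -gt 0 ]; then audit_site "$1"; fi   # usage: sh audit.sh /path/to/docroot
```

The exit status of audit_site is the number of failed checks, so it can be run from cron and alert only when something has drifted.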
1. A good plugin for database backups is WP-DBManager (note that it may consume excessive resources in a shared environment). It also warns about other problems it detects, such as its backup directory being publicly accessible. http://wordpress.org/extend/plugins/wp-dbmanager/
2. Remote backups are also a good option; if you haven't already, check out ComCure: https://www.comcure.com/