Hardening Wordpress to prevent from hacking and malicious activities.
1. Update WordPress, Regularly
You can check the version of wordpress blog under version.php file and update to latest version regularly.
2.Restrict the access for wordpress folder.
In order to restrict access to the /wp-admin/ section of your WordPress installation, simply create a file named .htaccess, with the following contents, where x is equal to your IP address:
Deny from all
Allow from x.x.x.x
ErrorDocument 403 http://127.0.0.1
Place this file (.htaccess) within the /wp-admin/ directory.
Use SSL Where Possible in WordPress for Added Security
If you have an SSL certificate installed, I strongly suggest using it for your administrative section.
Use SSL for administrative logins:
Use SSL for both login and wp-admin:
Disable Directory Browsing in WordPress
We don’t want users traversing through our site folders and viewing their contents, do we? Let’s disable directory browsing by creating (or modifying) a .htaccess file and placing it in your root WordPress directory, with the following contents:
3. Hide WordPress Reporting
A common method of a WordPress attack is to crawl sites that have a particular version number, with a slew of security exploits and vulnerabilities associated to them.
In order to remove WordPress version reporting (and secure your WordPress install) simply place the following line of code in your theme’s functions.php file:
Let’s hide any WordPress login errors by placing the following snippet of code in our theme’s functions.php file:
add_filter('login_errors',create_function('$a', "return null;"));
4. Blocking Devious Bots with .htaccess
A simple, however extremely effective method of restricting devious bots from scanning your site can be seen below, in the form of a .htaccess file. Place this file in your WordPress root directory, inside .htaccess.
SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent (pycurl|casper|cmsworldmap|diavol|dotbot) keep_out
SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder|planetwork) keep_out
Allow from all
Deny from env=keep_out
5.Create strong WordPress Login Credentials
Use a different username than ‘admin’
In using a different username, you decrease the chance of a succesfull brute force attack, as the username / password pairs are significantly lower.
Use a strong and complex password
A strong password is essential to maintaining your sites integrity, and it’s often overlooked. Generate strong, unique and complex passwords, whether it’s your database, plugin or wp-admin.
Never use the default wp_ prefix for your database
Don’t use the generic wp_ prefix for your database tables, this makes it easier for an attacker to perform search and select queries via an SQL injection
6.Backup the wordpress blog regularly.
7. Useful Security Plugins
“Search the files and database of your WordPress install for signs that may indicate that it has fallen victim to malicious hackers.” – Exploit Scanner Plugin
8. Check plugin vulnerabilities before installing
Before installing any WordPress plugins, always check to see if there are any associated exploits or vulnerabilities.
Using mentioned steps it will help to prevent wordpress blog from hacking attempts.