In the previous sections we took the main steps to secure WordPress: changing the admin account, hiding the version number and protecting the login page. With those settings in place, security is already much improved. The remaining settings are covered below.
Modify database prefix
By default WordPress prefixes every table in the database with wp_. Change it to any other value; this mainly defeats automated attacks that assume the default table names. The prefix can be chosen during installation. For a blog that is already installed, if you do not want to rename the tables and edit the configuration file by hand, the Change DB Prefix plug-in renames the table prefix to any string you choose with one click.
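For those who prefer the manual route, the shell function below is an added example (not from this article and not the Change DB Prefix plug-in's code). It generates the SQL a prefix change needs on a standard WordPress schema: one RENAME TABLE per table, plus the two UPDATE statements the rename alone does not cover, because WordPress stores the prefix inside row data as well (the wp_user_roles option and the wp_capabilities / wp_user_level user meta). The table list and the prefixes are constructed sample input; MySQL/MariaDB is assumed. Review the generated statements and take a backup before running them, then set $table_prefix in wp-config.php to the new value.

```shell
#!/bin/sh
# Added example, not from the original article or the Change DB Prefix plug-in.
# Emits the SQL needed for a manual prefix change on a standard WordPress schema
# (assumes MySQL/MariaDB). Review the output, back up, then run it; afterwards
# set $table_prefix in wp-config.php to the new value.

# usage: prefix_rename_sql OLD_PREFIX NEW_PREFIX   (table names on stdin, e.g.
#        from: mysql -N -e "SHOW TABLES" wordpress)
prefix_rename_sql() {
    old="$1"; new="$2"
    # '_' is a single-character wildcard in LIKE, so escape it in the pattern
    old_like=$(printf '%s' "$old" | sed 's/_/\\_/g')

    while IFS= read -r table; do
        case "$table" in
            "$old"*) ;;          # only tables that carry the old prefix
            *) continue ;;
        esac
        printf 'RENAME TABLE %s TO %s%s;\n' "$table" "$new" "${table#"$old"}"
    done

    # WordPress also stores the prefix *inside* rows: the wp_user_roles option
    # and the wp_capabilities / wp_user_level user meta. Without these two
    # updates every user loses their role after the rename.
    printf "UPDATE %soptions SET option_name = REPLACE(option_name, '%s', '%s') WHERE option_name LIKE '%s%%';\n" \
        "$new" "$old" "$new" "$old_like"
    printf "UPDATE %susermeta SET meta_key = REPLACE(meta_key, '%s', '%s') WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$old" "$new" "$old_like"
}

# Constructed sample table list (a real install has more tables)
SAMPLE_TABLES='wp_options
wp_posts
wp_usermeta
wp_users
not_wordpress_table'

# Stand-alone run: print the statements for a change from wp_ to s3cure_
printf '%s\n' "$SAMPLE_TABLES" | prefix_rename_sql wp_ s3cure_
```

Tables that do not carry the old prefix are left alone, and the LIKE patterns escape the underscore so that a prefix such as wp_ cannot accidentally match unrelated option or meta names.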
Prevent users from browsing the WordPress Directory
Some hosts allow directory listing by default. Try opening domain/wp-includes in your browser and see whether the files are listed. Exposing the directory structure this way is a security risk: it tells a visitor exactly which files, plug-ins and versions are present. Open the .htaccess file in the WordPress root directory and add the following line at the top:
Options All -Indexes
Protect files in the wp-content folder
The PHP files inside wp-content (themes, plug-ins, uploads) should not be reachable directly over HTTP, but the images, attachments, CSS and JS stored there must remain accessible. Create or edit the .htaccess file in the wp-content folder with the following code:
Order Allow,Deny
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
Two caveats: on Apache 2.4 the Order/Allow/Deny directives only work with mod_access_compat loaded (the native 2.4 equivalents are Require all denied and Require all granted), and a few plug-ins expose PHP files under wp-content that browsers request directly, so test the site after adding this.
Use SSL
If you are worried about data being leaked or intercepted, use an SSL connection. Make sure first that your host supports SSL; if it does not, skip this section.
Open the wp-config.php file (usually in the root directory) and add the following line, above the "stop editing" comment near the end of the file:
define('FORCE_SSL_ADMIN', true);
This defines the FORCE_SSL_ADMIN constant with the value true, which makes WordPress require SSL for logins and the whole admin area. The site must already be reachable over HTTPS with a working certificate, or you will lock yourself out of the dashboard.
Prevent Image leeching
Most virtual hosts and VPS plans limit traffic, and images usually account for most of it. Once your articles are widely read and shared, images hotlinked from other sites can generate a great deal of traffic. The following .htaccess code blocks hotlinking:
RewriteEngine On
# Replace mysite.com/ with your blog URL
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Never rewrite the "don't hotlink" image itself, or the rule loops
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
# Replace /images/nohotlink.jpg with your "don't hotlink" image URL
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
The second condition lets requests with an empty referer through (direct visits and some privacy-conscious browsers send none), and the referer pattern accepts both http and https so the rule keeps working after you enable SSL.
Tracking WordPress server login activities
You can use the last -i command on Linux to list every IP address that has logged in to the server (last reads /var/log/wtmp; -i shows IP addresses instead of host names). If you find an IP address you do not recognise in the list, change the password immediately.
You can also use the following command to show a user's login activity over a period, grouped by IP address (replace USERNAME with your shell user name; wtmp.1 is the previous, rotated log file):
last -if /var/log/wtmp.1 | grep USERNAME | awk '{print $3}' | sort | uniq -c
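To make that inspection repeatable, the following added example (not from this article) parses the output of last -i, reports per IP how often a user logged in, and lists the addresses that are not in a list of expected IPs you maintain. The last output is constructed sample data using documentation address ranges; the user names and the allow list are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Summarises `last -i` output per
# IP and flags addresses outside a known list. Sample data below is constructed.

# Constructed `last -i` output (column 3 is the IP because of -i)
SAMPLE_LAST='alice    pts/0        203.0.113.7      Mon Mar  4 09:12   still logged in
alice    pts/1        203.0.113.7      Sun Mar  3 21:40 - 22:05  (00:25)
alice    pts/0        198.51.100.23    Sat Mar  2 03:17 - 03:19  (00:02)
bob      pts/2        203.0.113.9      Sat Mar  2 11:00 - 11:30  (00:30)
reboot   system boot  0.0.0.0          Fri Mar  1 08:00   still running

wtmp.1 begins Fri Mar  1 08:00:00 2024'

# logins_by_ip USER  (last output on stdin): "COUNT IP" lines, busiest first
logins_by_ip() {
    awk -v user="$1" '$1 == user { print $3 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# unknown_ips USER "IP IP ..."  (last output on stdin): USER's IPs not in the list
unknown_ips() {
    known=" $2 "
    logins_by_ip "$1" | while read -r count ip; do
        case "$known" in
            *" $ip "*) ;;                # expected address
            *) echo "$ip" ;;             # never seen before: investigate
        esac
    done
}

# Stand-alone run; on a real server use:  last -i | unknown_ips alice "..."
printf '%s\n' "$SAMPLE_LAST" | unknown_ips alice "203.0.113.7 203.0.113.9"
```

Run it from cron against last -i and mail the output; an empty result means every login came from an address you expected, and any line that does appear is the IP the article says should trigger a password change.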
Back up Database
Backing up the database is essential. If you already have a regular backup routine, keep it; if not, the BackWPup plug-in can do it for you.
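If you would rather not depend on a plug-in, the script below is an added example (not from this article and not BackWPup's code) suitable for cron: it reads the database credentials from wp-config.php, dumps the database with mysqldump into a dated, gzipped file and prunes dumps older than two weeks. The wp-config.php excerpt is constructed; the paths, the retention period and the assumption that DB_HOST is a plain host name (no port suffix) are mine.

```shell
#!/bin/sh
# Added example, not from the original article or the BackWPup plug-in.
# Nightly database dump for cron, driven by the credentials in wp-config.php.
# Assumes mysqldump and gzip are installed and DB_HOST is a plain host name.

# wp_config_value KEY  (wp-config.php on stdin): the value of define('KEY', '...')
wp_config_value() {
    sed -n "s/^define( *'$1', *'\([^']*\)' *);.*/\1/p" | head -n 1
}

# backup_db WP_ROOT BACKUP_DIR : write BACKUP_DIR/DBNAME-YYYYmmdd-HHMMSS.sql.gz
backup_db() {
    cfg="$1/wp-config.php"; dest="$2"
    name=$(wp_config_value DB_NAME < "$cfg")
    user=$(wp_config_value DB_USER < "$cfg")
    pass=$(wp_config_value DB_PASSWORD < "$cfg")
    host=$(wp_config_value DB_HOST < "$cfg")
    [ -n "$name" ] && [ -n "$user" ] || { echo "could not read credentials from $cfg" >&2; return 1; }

    mkdir -p "$dest" && chmod 700 "$dest"      # dumps contain password hashes: keep them private
    out="$dest/$name-$(date +%Y%m%d-%H%M%S).sql.gz"
    # MYSQL_PWD keeps the password out of the process list; -p on the
    # command line would show it to every local user via ps
    MYSQL_PWD="$pass" mysqldump --single-transaction -h "$host" -u "$user" "$name" \
        | gzip > "$out" || return 1
    find "$dest" -name "$name-*.sql.gz" -mtime +14 -delete   # two weeks of history
    echo "$out"
}

# Constructed wp-config.php excerpt used for the stand-alone demonstration
SAMPLE_WP_CONFIG="define( 'DB_NAME', 'wordpress' );
define('DB_USER', 'wpuser');
define( 'DB_PASSWORD', 'example-only' );
define( 'DB_HOST', 'localhost' );"

printf '%s\n' "$SAMPLE_WP_CONFIG" | wp_config_value DB_NAME
```

Keep the backup directory outside the web root, otherwise the dumps (which include user password hashes) become downloadable just like the directory listings the article warns about above.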
Use Security plug-ins
There are many WordPress security plug-ins, and most of the measures described above can also be applied through them, so they are not covered in detail here.
Hide version number
Simple hide
Find the following tag in the theme's header.php template file and delete it (in many themes the tag is not written there but emitted by wp_head(), in which case use the complete method below):
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
Completely hidden
Add the following code to the theme's functions.php to hide the WordPress version number in every output area of the site:
function wpbeginner_remove_version() {
    return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');
Note: some tutorials only hide the version number in the page header. The version number is still visible in other output areas of the site, such as the RSS feed, so the complete method is the better choice.
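Once the filter is in place, verify it rather than assume it worked. The shell example below is an added check (not from this article): it scans a saved copy of the front page or the RSS feed for the generator meta tag, the RSS generator element, and the ?ver= query string that WordPress appends to its script and style URLs. That last one is a separate leak that the the_generator filter does not touch; it is removed with filters on script_loader_src and style_loader_src. The documents below are constructed samples, not captured from a real site.

```shell
#!/bin/sh
# Added example, not from the original article. Checks saved HTML / RSS output
# for WordPress version strings that the the_generator filter may leave behind.
# Sample documents are constructed, not fetched from a real site.

SAMPLE_HTML_BEFORE='<head>
<meta name="generator" content="WordPress 6.4.3" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.4.3" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head>'

SAMPLE_HTML_AFTER='<head>
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css" />
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head>'

SAMPLE_RSS='<rss><channel><generator>https://wordpress.org/?v=6.4.3</generator></channel></rss>'

# version_leaks  (document on stdin): prints each distinct leak, returns 1 if any.
# Every ?ver= value is reported: core assets carry the WordPress version, and
# library versions are a fingerprint in their own right.
version_leaks() {
    hits=$(grep -oE 'name="generator" content="[^"]*"|[?&]ver=[0-9]+(\.[0-9]+)*|wordpress\.org/\?v=[0-9]+(\.[0-9]+)*' | sort -u)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# On a live site:  curl -s https://example.com/      | version_leaks
#                  curl -s https://example.com/feed/ | version_leaks
printf '%s\n' "$SAMPLE_HTML_BEFORE" | version_leaks || echo "-> version strings still exposed"
```

The function returns 0 only when nothing matched, so it drops straight into a cron job or a deployment check that fails the build when a theme or plug-in update reintroduces the generator tag.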