As WordPress has grown from a blogging tool into a full CMS, with an almost unlimited choice of themes and plug-ins, more and more users are building blogs, CMS sites and even corporate sites on it. Building a site, however, is not as easy as it looks. Is yours backed up regularly and configured securely? To find out, go through the following checklist item by item.
1. Open your browser and enter http://your WordPress installation address/wp-admin/images/ in the address bar. What do you see: a directory listing, or nothing?
Solution: if the server shows a listing, put an empty index.html in that directory. Do the same for any directory you do not want others to browse, such as wp-content. Note that a placeholder file only hides the one directory you remembered; the reliable fix is to switch directory indexes off for the whole site in the web server configuration (Options -Indexes in the site's top-level .htaccess on Apache).
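As an added example (not from the original article), a small shell script that finds every directory under a WordPress root without an index file, which is exactly what a server with directory indexes enabled would list, applies the page's fix by dropping an empty index.html into each, and adds Options -Indexes to the site's top-level .htaccess so that directories you forget are covered too. The install path and the sample tree are assumptions; note that stock WordPress ships an index.php in wp-content/, plugins/ and themes/ but not in uploads/, which is where listings usually turn up.

```shell
#!/bin/sh
# Added example: audit and fix directory listings in a WordPress tree.

# Print every directory under ROOT that has neither index.php nor index.html.
unindexed_dirs() {
  find "$1" -type d | while read -r d; do
    [ -e "$d/index.php" ] || [ -e "$d/index.html" ] || printf '%s\n' "$d"
  done
}

# The page's fix: drop an empty index.html into each such directory.
add_index_placeholders() {
  unindexed_dirs "$1" | while read -r d; do : > "$d/index.html"; done
}

# The server-side fix: forbid auto-generated listings for the whole site (Apache).
# Idempotent, so it is safe to run on every deploy.
disable_indexes() {
  grep -qs '^Options -Indexes' "$1/.htaccess" || printf 'Options -Indexes\n' >> "$1/.htaccess"
}

# Demo on a constructed tree (assumed layout, not a real install).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-admin/images" "$demo_root/wp-content/uploads/2023"
: > "$demo_root/index.php"
: > "$demo_root/wp-admin/index.php"
: > "$demo_root/wp-content/index.php"
echo "exposed before:"; unindexed_dirs "$demo_root"
add_index_placeholders "$demo_root"
disable_indexes "$demo_root"
echo "exposed after: $(unindexed_dirs "$demo_root" | wc -l | tr -d ' ')"
rm -rf "$demo_root"
```

Run it as a cron job or a post-deploy hook; plug-in updates and new upload folders create index-less directories all the time.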
2. Open your browser, go to http://your WordPress installation address/wp-admin/ and type in any username and password. How many wrong attempts does your blog let you make before it stops you?
Solution: use the Login LockDown plug-in. It limits password guessing to some extent: when an IP range produces more than a set number of failed logins within a set period, the login function is locked and users from that range are refused for a while. The number of failures and the lock-out interval are configured in the admin area. Note: this raises the cost of online guessing from a single source but does nothing against an attacker who spreads attempts over many addresses, so a strong password remains the real control.
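Login LockDown counts failures as they happen; the same rule can be applied after the fact to the web server's access log, which is what you do when you suspect an attack is already under way or the plug-in was not yet installed. The following is an added example, not code from the article or the plug-in: a shell/awk script that counts failed wp-login.php attempts per source IP from constructed Apache combined-format log lines (documentation addresses, not real traffic) and prints an Apache 2.4 deny stanza for the offenders. It relies on the fact that WordPress answers a failed login POST with HTTP 200 (the form is redrawn with an error) and a successful one with a 302 redirect into the admin area; the threshold of five is an assumption.

```shell
#!/bin/sh
# Added example: find brute-force sources in an Apache access log and emit deny rules.

# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4532 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4532 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4532 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4532 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4532 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4532 "-" "python-requests/2.28"
198.51.100.20 - - [10/Oct/2023:14:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4532 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:14:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4532 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:30 +0000] "GET /?p=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'

# Read a log on stdin; print "<failed-count> <ip>", busiest first.
# Combined format: $1 ip, $6 "METHOD, $7 path, $9 status. A POST to wp-login.php that
# comes back 200 is a failed login; a success is a 302.
failed_logins_per_ip() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# IPs at or above the threshold (default 5): the Login LockDown rule applied retroactively.
offenders() {
  failed_logins_per_ip | awk -v t="${1:-5}" '$1 >= t { print $2 }'
}

# Apache 2.4 stanza denying the offenders (for wp-admin/.htaccess or a <Files wp-login.php>
# block). "Require not" only works inside <RequireAll>, hence the wrapper.
deny_rules() {
  ips=$(offenders "${1:-5}")
  [ -n "$ips" ] || return 0
  printf '<RequireAll>\n    Require all granted\n'
  printf '%s\n' "$ips" | sed 's/^/    Require not ip /'
  printf '</RequireAll>\n'
}

echo "failed logins per IP:"; printf '%s\n' "$SAMPLE_LOG" | failed_logins_per_ip
echo "deny stanza:";          printf '%s\n' "$SAMPLE_LOG" | deny_rules 5
# Live use: tail -n 5000 /var/log/apache2/access.log | deny_rules 10
```

The third host in the sample only fetched the form with GET and is correctly ignored; the second host failed once and then succeeded, which is what a legitimate typo looks like.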
3. Can anyone reach your WordPress admin login page?
Solution:
Method 1: allow only your own IP address (for users with a static IP)
If you run a single-user blog, you may want to restrict access to wp-admin to your own IP address. Make sure you really have a static IP first. The .htaccess file in wp-admin/ then looks like this (Apache 2.2 syntax; Apache does not allow comments on the same line as a directive, so they are on their own lines):
Order deny,allow
# That's your static IP
Allow from a.b.c.d
# A whole range can be allowed in CIDR notation (example range)
Allow from 203.0.113.0/24
Deny from all
Save the file, then try to reach the wp-admin directory through a proxy: the request should be refused. Connect again from your own IP; if everything is set correctly, wp-admin now accepts connections only from the address(es) you listed. Two caveats: the login form itself, wp-login.php, sits in the site root rather than in wp-admin/, so password guessing against it is not blocked unless you protect that file as well (a <Files wp-login.php> block with the same rules in the root .htaccess); and wp-admin/admin-ajax.php is called by the public front end of many themes and plug-ins, so it usually has to be exempted. On Apache 2.4 the Order/Allow/Deny form is only understood with mod_access_compat loaded; the native equivalent is Require ip a.b.c.d.
Method 2: password protection with .htpasswd (recommended)
The recommended option is password protection: you can still reach wp-admin from anywhere, but there is an extra line of defence in front of it against unauthorized use.
The .htaccess file in wp-admin/ is as follows:
# AuthUserFile must point to a file outside your web root.
AuthUserFile /srv/www/user1/.htpasswd
AuthType Basic
AuthName "Blog"
# Making this username hard to guess helps a little against brute force.
Require user youruser
The .htpasswd file should be kept outside the web directory; the directory just above the web root is a good choice. Create it with the htpasswd tool:
$ htpasswd -cm .htpasswd blog
New password:
Re-type new password:
Adding password for user blog
The .htpasswd file is created in the current directory; make sure its location matches the AuthUserFile path set in wp-admin/.htaccess. Note that -c creates the file and overwrites an existing one, so leave it out when adding further users; -m selects the MD5-based apr1 hash, and on Apache 2.4 -B (bcrypt) is the better choice.
Now test whether it works: when you go to the login page you should be prompted for the Basic auth username and password before you get through. If no prompt appears, or you get a server error, check that the AuthUserFile path is correct and that the web server can read the file.
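The following is an added example (not from the article): a shell script that writes the Apache 2.4 equivalents of Method 1 and Method 2 combined, so that a request must both come from an allowed address and carry a valid Basic-auth credential. It also covers the two gaps the methods above leave open: wp-login.php, which lives in the site root and not in wp-admin/ and is where password guessing actually happens, and wp-admin/admin-ajax.php, which the public front end of many themes and plug-ins calls and which therefore has to stay reachable. The paths, username and networks are placeholders; the htpasswd step prefers the htpasswd tool (bcrypt) and falls back to openssl's apr1 format, both of which Apache accepts.

```shell
#!/bin/sh
# Added example: generate wp-admin protection for Apache 2.4 (IP allowlist AND Basic auth).

# Authorization stanza shared by both files: a valid Basic-auth user AND one of the
# allowed networks. Apache accepts single addresses and CIDR ranges after "Require ip".
require_block() {
  auth_user="$1"; shift
  printf '<RequireAll>\n    Require user %s\n    <RequireAny>\n' "$auth_user"
  for net in "$@"; do printf '        Require ip %s\n' "$net"; done
  printf '    </RequireAny>\n</RequireAll>\n'
}

# wp-admin/.htaccess: everything in the admin directory is protected except admin-ajax.php,
# which the anonymous front end calls; "Require all granted" in a <Files> section replaces
# the directory-level rules for that one file.
gen_wp_admin_htaccess() {
  htpasswd_file="$1"; shift
  printf 'AuthType Basic\nAuthName "Blog"\nAuthUserFile %s\n' "$htpasswd_file"
  require_block "$@"
  printf '<Files admin-ajax.php>\n    Require all granted\n</Files>\n'
}

# Fragment for the site-root .htaccess: the same rules wrapped around wp-login.php.
gen_wp_login_htaccess() {
  htpasswd_file="$1"; shift
  printf '<Files wp-login.php>\nAuthType Basic\nAuthName "Blog"\nAuthUserFile %s\n' "$htpasswd_file"
  require_block "$@"
  printf '</Files>\n'
}

# Return 0 when FILE is not inside DOCROOT, so a misconfigured server can never serve the
# password hashes. Plain prefix check after trimming trailing slashes; symlinks not resolved.
outside_webroot() {
  file="${1%/}"; docroot="${2%/}"
  case "$file" in
    "$docroot"/*) return 1 ;;
    *) return 0 ;;
  esac
}

# "user:hash" line for .htpasswd: bcrypt via htpasswd if present, else apr1 via openssl.
make_htpasswd_entry() {
  if command -v htpasswd >/dev/null 2>&1; then
    htpasswd -nbB "$1" "$2"
  elif command -v openssl >/dev/null 2>&1; then
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
  else
    echo "neither htpasswd nor openssl available" >&2; return 1
  fi
}

# Demo with placeholder values (paths and networks are assumptions).
HTPASSWD=/srv/www/user1/.htpasswd          # one level above the assumed web root
DOCROOT=/srv/www/user1/public_html
outside_webroot "$HTPASSWD" "$DOCROOT" || echo "WARNING: $HTPASSWD is inside $DOCROOT" >&2
echo "# ---- wp-admin/.htaccess ----"
gen_wp_admin_htaccess "$HTPASSWD" blog 203.0.113.4 198.51.100.0/24
echo "# ---- append to the site-root .htaccess ----"
gen_wp_login_htaccess "$HTPASSWD" blog 203.0.113.4 198.51.100.0/24
# make_htpasswd_entry blog 'long random passphrase' >> "$HTPASSWD"
```

If you want Method 2 alone (Basic auth from anywhere), drop the <RequireAny> block and keep only Require user; the admin-ajax.php exemption is needed either way.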
4. WordPress admin users: does your user list contain admin?
Solution: delete the default administrator account, or replace it with a name that is harder to guess, because WordPress lets an attacker enumerate usernames and a known username leaves only the password to be guessed. WordPress has no rename option: create a second administrator, log in as it, delete admin and attribute its posts to the new account. You can see what your site gives away by requesting /?author=1, which redirects to /author/<login>/, and on current versions the REST endpoint /wp-json/wp/v2/users, which lists authors. Note: assume the attacker will learn your username anyway, so make the password strong.
5. Can your WordPress login name be found somewhere on the front end of your blog?
Solution: in the Users settings, set "Display name publicly as" to your nickname; posts and comment replies then show the nickname instead of the login name. Note that the author archive URL (/author/<slug>/) uses the user's "nicename", which defaults to the login name, so change that as well (or the login itself) if you want the name hidden.
6. In wp-config.php in the WordPress root, do the ** parts of the lines below hold random security keys, or still the default placeholder (put your unique phrase here)?
define('AUTH_KEY',         '**');
define('SECURE_AUTH_KEY',  '**');
define('LOGGED_IN_KEY',    '**');
define('NONCE_KEY',        '**');
Solution: use the WordPress.org secret-key service (https://api.wordpress.org/secret-key/1.1/salt/) to generate random values and paste them into wp-config.php. Newer versions define eight of these (the four keys plus AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT); replace all of them. Changing the keys invalidates every existing login cookie and logs all users out, which also makes this a quick emergency measure after a suspected compromise.
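As an added example (not from the article), a shell script that checks wp-config.php for keys and salts still set to the placeholder and, for a host that cannot reach the api.wordpress.org generator, replaces them with locally generated values from /dev/urandom (32 random bytes written as 64 hex characters, 256 bits, per key). The wp-config.php excerpt is constructed; a real file has the same define() lines. Re-running the check afterwards is the point: a fix you cannot verify is not a fix.

```shell
#!/bin/sh
# Added example: detect and replace placeholder keys/salts in wp-config.php.

KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Constructed wp-config.php excerpt still carrying the stock placeholder (not a real file).
SAMPLE_CONFIG="define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
define('DB_NAME', 'wordpress');"

# Number of key/salt defines in FILE that are still the placeholder or empty. 0 is the goal.
default_salt_count() {
  grep -cE "define\( *'(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)', *'(put your unique phrase here)?' *\)" "$1" || true
}

# 64 hex characters from 32 bytes of /dev/urandom: 256 bits of entropy and nothing that
# needs escaping inside a PHP single-quoted string.
random_salt() {
  od -An -tx1 -N 32 /dev/urandom | tr -d ' \n'
}

# Rewrite every placeholder define in FILE with a fresh value (a .bak copy is kept).
fix_salts() {
  cfg="$1"
  cp "$cfg" "$cfg.bak"
  for name in $KEY_NAMES; do
    salt=$(random_salt)
    awk -v n="$name" -v s="$salt" '
      $0 ~ ("^define\\( *\047" n "\047,") && /put your unique phrase here/ {
        print "define(\047" n "\047, \047" s "\047);"; next
      }
      { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  done
}

# Demo on the constructed excerpt.
tmpdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CONFIG" > "$tmpdir/wp-config.php"
echo "placeholders before: $(default_salt_count "$tmpdir/wp-config.php")"
fix_salts "$tmpdir/wp-config.php"
echo "placeholders after:  $(default_salt_count "$tmpdir/wp-config.php")"
rm -rf "$tmpdir"
# On a live site: default_salt_count /srv/www/user1/public_html/wp-config.php
```

The check counts empty values as well as the placeholder, because an empty key is just as bad; WordPress falls back to a database-stored salt in that case, which an attacker with a SQL injection can read.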
7. Is your blog backed up regularly, so that you can recover immediately after an accident?
Solution: the WordPress Database Backup plug-in can back up your blog database and e-mail it to you on a schedule, so that a dead server does not take the backups down with it. Remember: never keep the only copy of a backup on the server. Note that this plug-in covers the database only; wp-content (uploads, themes, plug-ins) has to be backed up separately, and an e-mailed backup travels unencrypted unless you encrypt it first.
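As an added example (not the plug-in's code), a shell backup script that covers what the plug-in does not: it dumps the database with mysqldump, bundles it with wp-content and wp-config.php, encrypts the archive with gpg before it leaves the box, keeps only the newest N copies locally and copies the new one off-site with scp. Paths, the scp target and the gpg recipient are placeholders; database credentials are read from wp-config.php rather than typed into the script, and the password is passed through MYSQL_PWD so it never shows in the process list. Only the helpers (config parsing and rotation) run in the demo; the full backup needs a real database.

```shell
#!/bin/sh
# Added example: encrypted, rotated, off-site WordPress backup.

WP_ROOT="${WP_ROOT:-/srv/www/user1/public_html}"       # assumed install path
BACKUP_DIR="${BACKUP_DIR:-/srv/backups/wordpress}"     # must be outside the web root
REMOTE="${REMOTE:-backup@offsite.example:wp-backups/}" # placeholder scp target
GPG_RECIPIENT="${GPG_RECIPIENT:-backup@blog.example}"  # placeholder key id
KEEP="${KEEP:-7}"

# Value of define('NAME', 'value') from wp-config.php (tolerates the spaced style too).
wp_config_get() {
  sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1" | head -n1
}

# Archive name; the timestamp makes names sort chronologically, which rotate() relies on.
backup_name() { printf 'backup-%s.tar.gz.gpg\n' "$(date +%Y%m%d-%H%M%S)"; }

# Delete all but the newest KEEP archives in DIR; other files in DIR are left alone.
rotate() {
  dir="$1"; keep="$2"
  ls -1 "$dir" | grep '^backup-.*\.tar\.gz\.gpg$' | sort -r | awk -v k="$keep" 'NR > k' |
    while read -r f; do rm -f "$dir/$f"; done
}

run_backup() {
  work=$(mktemp -d)
  cfg="$WP_ROOT/wp-config.php"
  db_host=$(wp_config_get "$cfg" DB_HOST)
  # --single-transaction: consistent InnoDB snapshot without locking the live site.
  MYSQL_PWD="$(wp_config_get "$cfg" DB_PASSWORD)" mysqldump --single-transaction \
    -h "${db_host:-localhost}" -u "$(wp_config_get "$cfg" DB_USER)" \
    "$(wp_config_get "$cfg" DB_NAME)" > "$work/db.sql"
  cp "$cfg" "$work/"
  mkdir -p "$BACKUP_DIR"
  out="$BACKUP_DIR/$(backup_name)"
  # Encrypt on the way out so the archive is useless if the backup host or mailbox leaks.
  tar -C "$WP_ROOT" -czf - wp-content -C "$work" db.sql wp-config.php |
    gpg --batch --yes --encrypt --recipient "$GPG_RECIPIENT" -o "$out"
  rm -rf "$work"
  rotate "$BACKUP_DIR" "$KEEP"
  scp -q "$out" "$REMOTE"
}

# Run the real backup only when asked; otherwise the file just defines the helpers.
if [ "${1:-}" = "--run" ]; then run_backup; fi
```

Schedule it from cron with --run, and test a restore once (decrypt, untar, mysql < db.sql) before you rely on it: an untested backup is a hope, not a backup.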
8. Can a visitor tell which plug-ins you use by viewing the page source?
Solution: this is hard to hide. Plug-in styles and scripts are loaded from /wp-content/plugins/<plug-in name>/, so the name is in every such URL, and suppressing that output means editing the plug-in's source, which you would have to redo after every update. Keeping plug-ins up to date (item 11) matters far more than hiding them.
9. Can your WordPress version be read from the page source?
Solution: many attackers and automated tools look up the software version before choosing an attack, and removing the version string makes attacks aimed at a specific version a little less attractive. The BlogSecurity WordPress Noversion plug-in (bs-wp-noversion) strips the version information; it is simple but very practical. Note that the generator meta tag is only one of several places the version shows: the ?ver= query string on script and style URLs, the <generator> element in the RSS feed and the readme.html file in the site root all reveal it too, and fingerprinting tools check all of them.
Note: this plug-in may interfere with plug-ins that depend on the WordPress version information.
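As an added example (not from the article or the plug-in), a shell script that reads a page's HTML the way a fingerprinting tool does: it pulls the core version from the generator tag, lists every ?ver= query string on scripts and styles, and extracts plug-in slugs from /wp-content/plugins/ asset URLs, answering both item 8 and item 9 in one pass. The HTML is constructed (hostname and version numbers are invented); on a live site feed it the output of curl -s for the front page. Whatever the script still prints after the generator tag is gone is what an attacker sees.

```shell
#!/bin/sh
# Added example: what a page leaks about WordPress core, plug-ins and their versions.

# Constructed front-page HTML (invented hostname and version numbers, not a real site).
SAMPLE_HTML='<html><head>
<meta name="generator" content="WordPress 6.2.2" />
<link rel="stylesheet" href="https://blog.example/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.7.7" />
<link rel="stylesheet" href="https://blog.example/wp-content/themes/twentytwentythree/style.css?ver=6.2.2" />
<script src="https://blog.example/wp-includes/js/jquery/jquery.min.js?ver=3.6.4"></script>
<script src="https://blog.example/wp-content/plugins/akismet/_inc/akismet.js?ver=5.1"></script>
</head><body>Powered By WordPress</body></html>'

# Core version as declared by the generator tag, or "unknown" if the tag was removed.
core_version() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*<meta name="generator" content="WordPress \([0-9.]*\)".*/\1/p' | head -n1)
  printf '%s\n' "${v:-unknown}"
}

# Every version string on the page: "generator <v>" plus "<asset file> <v>" for each ?ver=.
version_leaks() {
  printf '%s\n' "$1" | sed -n 's/.*<meta name="generator" content="WordPress \([0-9.]*\)".*/generator \1/p'
  printf '%s\n' "$1" | grep -o '[^"]*?ver=[0-9.]*' | sed 's|^.*/\([^/]*\)?ver=\(.*\)$|\1 \2|' | sort -u
}

# Plug-in slugs visible in asset URLs; each is a name to look up in a vulnerability database.
plugin_slugs() {
  printf '%s\n' "$1" | grep -o 'wp-content/plugins/[^/"]*' | sed 's|wp-content/plugins/||' | sort -u
}

echo "core: $(core_version "$SAMPLE_HTML")"
echo "version leaks:"; version_leaks "$SAMPLE_HTML"
echo "plug-ins:";      plugin_slugs "$SAMPLE_HTML"
# Live site: page=$(curl -s https://your.site/); version_leaks "$page"; plugin_slugs "$page"
```

In the sample the theme stylesheet carries ?ver=6.2.2, the same number as the generator tag: WordPress uses its own version as the default cache-buster for assets enqueued without one, so stripping the meta tag alone changes nothing.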
10. Do you monitor your blog so that you are notified immediately when it goes down?
Solution: use a third-party site monitoring service, or write a simple PHP script that checks whether your site is up; for details, see the article the original post links to.
11. Are WordPress and your plug-ins at the latest version?
Solution: if you downloaded the blog software and plug-ins directly from the developers' sites, you probably have the latest versions. The WordPress Plugin Tracker plug-in can check this for you: after installing and activating it, run it to see whether every plug-in is current.
If a plug-in is out of date, the tracker tells you. Click the plug-in title on the left to go straight to its page and decide whether to upgrade; keeping plug-ins up to date is easy. Note: the WordPress dashboard itself now shows pending core and plug-in updates, and automatic updates can be switched on for both.
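As an added example (not the Plugin Tracker plug-in's code), a shell script that builds the same inventory from the file system: it reads the Version: header of each plug-in's main file under wp-content/plugins/ and, when network access is available, asks the wordpress.org plugin information API for the current release. The install path and the demo plug-ins are constructed; plug-ins not hosted on wordpress.org (commercial ones) are not known to the API and are skipped, so they still need checking by hand.

```shell
#!/bin/sh
# Added example: inventory installed plug-in versions and compare with wordpress.org.

# "<slug> <installed-version>" for every directory under ROOT/wp-content/plugins.
# The main file is the one whose header comment contains "Plugin Name:".
installed_plugins() {
  for dir in "$1"/wp-content/plugins/*/; do
    [ -d "$dir" ] || continue
    slug=$(basename "$dir")
    main=$(grep -l '^[ *#]*Plugin Name:' "$dir"*.php 2>/dev/null | head -n1)
    [ -n "$main" ] || continue
    ver=$(sed -n 's/^[ *#]*Version:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$main" | head -n1)
    printf '%s %s\n' "$slug" "${ver:-unknown}"
  done
}

# Current release of SLUG on wordpress.org (network; empty for plug-ins not hosted there).
latest_version() {
  curl -fsS "https://api.wordpress.org/plugins/info/1.0/$1.json" 2>/dev/null |
    grep -o '"version":"[^"]*"' | head -n1 | cut -d'"' -f4
}

# Print plug-ins whose installed version differs from the published one.
outdated_plugins() {
  installed_plugins "$1" | while read -r slug ver; do
    latest=$(latest_version "$slug") || latest=""
    if [ -n "$latest" ] && [ "$latest" != "$ver" ]; then
      printf '%s installed=%s latest=%s\n' "$slug" "$ver" "$latest"
    fi
  done
}

# Demo on a constructed tree (two fake plug-ins, one empty directory).
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/plugins/demo-form" "$demo/wp-content/plugins/another" "$demo/wp-content/plugins/empty"
printf '<?php\n/*\nPlugin Name: Demo Form\nVersion: 1.2.3\n*/\n' > "$demo/wp-content/plugins/demo-form/demo-form.php"
printf '<?php\n/**\n * Plugin Name: Another\n * Version: 2.0\n */\n' > "$demo/wp-content/plugins/another/another.php"
installed_plugins "$demo"
rm -rf "$demo"
# On a real install: outdated_plugins /srv/www/user1/public_html
```

A plug-in directory that contains no file with a Plugin Name: header is a deactivated leftover or something dropped in by hand; both deserve a look, since a file under wp-content/plugins/ is still reachable over the web even when WordPress does not load it.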
12. Is your WordPress blog hosted on free web space?
Solution: free space can vanish overnight. Shared hosting is not expensive these days: 100 or 200 yuan a year buys your site a stable home. Readers looking for one can consider the provider the original article recommends (Red/Black Alliance).
13. Have you left a PHP probe (a server-information script such as a phpinfo() page) in your web space?
Solution: delete it, or restrict access to it. Such scripts reveal the PHP version, file system paths, loaded modules and environment variables to anyone who finds them.
14. Does your blog page show the line: Powered By: WordPress?
Solution: this text usually sits in the theme's footer.php; find the corresponding code and delete it. It only takes your site out of the laziest search-engine query, since scanners fingerprint the /wp-content/ and /wp-includes/ paths instead, but it costs nothing.
15. Is your luck good?
Solution: for that one... there is no solution.
Source: http://www.oome.org/wordpress-site-security-solutions-and-of-your-wordpress-site-safe.html