How to improve WordPress security

Source: Internet
Author: User
Keywords Safe WordPress
Tags .url access block blog code default directory error

Security is the eternal topic, especially on the Internet, this article will introduce 10 tips to improve the security of WordPress blog.

1. Remove the error message.

The error message is displayed when we log in to the WordPress background failure. If someone wants to attack your blog then they get a lot of useful information from the error message and all we need to do is not show any information.

Resolve: Open the functions.php file and add the following code:

Add_filter (' Login_errors ', create_function (' $a ', "return null;"));

This code can leave the returned error message blank.

2. Use SSL.

If you are concerned about data disclosure or interception, use the SSL connection method. However, before making sure that the blog host supports SSL, please skip this section if it is not supported.

Workaround: Open the wp-config.php file (typically in the root directory) to add the following code:

Define (' Force_ssl_admin ', true);

We defined the Force_ssl_admin constant with the value set to true. This opens the SSL in WordPress.

3. Protect the configuration file with the. htaccess.

WordPress users know the importance of wp-config.php files, it holds all the configuration information: User name, password, and so on. So controlling access to wp-config.php becomes particularly necessary.

Workaround: Back up the. htaccess file before you modify it, and then open and paste the following code:

<files wp-config.php>
Order Allow,deny
Deny from all

Any access to wp-config.php files will be rejected after modification.

4. Establish Access blacklist.

Are you often bothered by some spammers? If so, what you need to do is block their IP so they don't have access to your blog anymore.

Workaround: Modify the. htaccess file to add the following code, and do not forget to back up beforehand.

<limit Get POST put>
Order Allow,deny
Allow from all
Deny from 123.456.789
Deny from 93.121.788
Deny from 223.956.789
Deny from 128.456.780

The above IP will be restricted access after modification.

5. Prevent script injection.

Script injection is often used to steal user information, and if an attacker succeeds in most cases the damage is difficult to recover.

Solution: Still the. htaccess file adds the following code, backed up beforehand.

Options +followsymlinks
Rewriteengine on
Rewritecond%{query_string} (\<|%3c). *script.* (\>|%3e) [Nc,or]
Rewritecond%{query_string} GLOBALS (=|\[|\%[0-9a-z]{0,2}) [OR]
Rewritecond%{query_string} _request (=|\[|\%[0-9a-z]{0,2})
Rewriterule ^ (. *) $ index.php [f,l]

After the modification, all requests are checked for replacement script segments, and if included, the request is rejected with a 403 error.

6. Prevent picture hotlinking.

Most of the virtual host and VPS are limited traffic, and pictures tend to consume most of the traffic. We want our article to be more people to visit and spread at the same time we have to face the huge flow of picture links. So it is absolutely necessary to prevent the picture from being outside the chain.

Workaround: Modify the. htaccess file to add the following code before you must remember to back up.

Rewriteengine on
#Replace? Mysite\.com/with your blog URL
Rewritecond%{http_referer}!^http://(. +\.)? mysite\.com/[NC]
#Replace/images/nohotlink.jpg with your "don ' t hotlink" image URL
Rewriterule *\. (jpe?g|gif|bmp|png) $/images/nohotlink.jpg [L]

After the modification is complete, only your site can refer to the picture, and other external references will be replaced with the Nohotlink.jpg file. You can display the copyright information in the nohotlink.jpg. Of course you can also specify that you want to replace it with a nonexistent file.

7. Create a plugin to block malicious requests.

Hackers often use malicious queries to repair the weak points of the blog used to attack, although WordPress itself has a relatively perfect protection mechanism, but it is not no room for improvement.

Resolve: Create a text file to paste the following code and save it as blockbadqueries.php. Upload to your blog Wp-content/plugins folder, into the background to open the plugin.

Plugin Name:block Bad Queries
Plugin uri:
Description:protect WordPress against malicious URL Requests
Author uri:
Author:perishable Press

Global $user _id;

if ($user _id) {
if (!current_user_can (' level_10 ')) {
if (strlen ($_server[' Request_uri ')) > 255 | |
Strpos ($_server[' Request_uri '), "eval (") | |
Strpos ($_server[' Request_uri '), "CONCAT") | |
Strpos ($_server[' Request_uri '), "Union+select") | |
Strpos ($_server[' Request_uri ', "base64")) {
@header ("http/1.1 414 Request-uri Too Long");
@header ("status:414 request-uri Too Long");
@header ("Connection:close");

A 414 error is returned if there are too long requests (more than 255 characters) or if there is a PHP function in the URI.

8. Delete your WordPress version number, remember!

WordPress will display the version number in the header file. Tell an attacker that your version number often means they can take a lot less detours, so why not hide the version number in order not to let them in?

FIX: Paste the following code into the functions.php file, save and refresh your blog.

Remove_action (' Wp_head ', ' wp_generator ');

Now look, there is no version number.

9. Modify the default administrator name.

Brute force attack is one of the easiest ways to crack a password. The method is simple: Try as many different passwords as possible. If they know the username, they only need to crack the password. That's why you should change the default administrator username-"admin". Please note that the 3.0 version of WordPress will let you select the default username you want. But this method still fits the previous version of 3.0.

WORKAROUND: Open the database to execute the following SQL statement, "Your New Username" for the username you want to modify.

UPDATE wp_users SET user_login = ' Your New Username ' WHERE user_login = ' Admin ';

After modification, log in with the new administrator name.

10. Prevent directory browsing.

By default, most hosts allow directory listings. Therefore, if you type in the address bar of the browser, you will see all the files in that directory. This is undoubtedly a security risk because hackers can see the files that were modified last time and access them.

Workaround: Modify the. htaccess file to add the following code before you must remember to back up.


Note that the changes do not affect the user's normal access to these files.


Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.