Creating and maintaining a secure website is an ongoing process. There is no one single thing you need to
do,or even a definitive list of items, that will result in your site remaining secure from attack
If your site contains user data or other sensitive, or valuable data, then you must do more than if your site is merely a single user blog.
There arenumber of basic techniques that will harden your installation against the most common attacks and provide you with a fair degree of peace of mind.
There is the need to maintain a secure development environment and development process when you are building your site. Poor development practices often leave open avenues for later attacks. If you have inherited a site from another developer, you would do well to investigate whether you have inherited any potential problems as well.
backupof your database
your site contents, comments, and parameters are all stored in a MySQL database. The database is the heart of your site and you don’t want to run the risk that something might happen to it. Having backups of your database is not just important, it’s essential.
There is a plugin WP DB Backup to do automatic backup of the site.
Creating backups of your WordPress files
WordPress database is really important, but what about your files? Core files aren’t really a problem because you can download them when you want from www.wordpress.org. However, when you’re writing posts, you often upload pictures, and maybe even modify your theme; those files are not kept in the database, but rather in the directories on your server. Accordingly, we need to be able to make copies of those files as well in order to create a complete backup of your site.
Removing the WordPress version information from your theme files
By default, WordPress adds the Generator
metatagto the header of your site’s pages. The tag contains the WordPress version you’re site is using. The problem is that, since this data is available to anyone who views the site’s source, hackers who are looking for information about your site can learn what version of WordPress you’re running.
- Open the functions.php file from inside your theme. If that file doesn’t exist, then create it and save it inside your theme’s directory.
- Add the following code to the bottom of the functions.php file:
add_filter( 'the_generator', create_function('$a', "return null;"));
- Save the file.
If you reload your site’s home page and view the page source, you will find that the Generator
metatagis no longer displayed.
Getting rid of the Administrator account
By default, all WordPress sites have an Administrator account. This account is automatically created when you install WordPress. If you have not changed the default value, the username is
admin. The account has administrator rights, which means that someone logged in with the Administrator account can create other user accounts, change the WordPress password, and much more.
Hackers know that every WordPress site automatically creates an Administrator account, and if they want to try to break into a WordPress site, they will typically try to target the admin user account in an attempt to crack the password. A simple, but effective way to avoid being vulnerable to this sort of attack is to create a new administrator account to replace the default admin account and then delete the original account.
Log in to your WordPress Dashboard.
Go to the Users page.
Click on the Add new button.
Enter the details for your new account. Select the role to be Administrator.
After you have created your new account, log out.
Log in again, this time using the new account you just created.
Go to the Users page.
Find the original Admin account, and delete it.
his process is necessitated by the fact that usernames in WordPress cannot be changed. Therefore, we must use our existing Admin account to create another account, give it Administrator rights, and then delete the original account.
Will continue rest of the things in the next part of this blog.
Hope this will help you.