6 years ago (2015-05-09)  computer technology |   First to comment  12 
post score 0 times, average 0.0

This article is mainly to use the .htaccess to set the site, limit directory reading, strengthen the overall security of the WordPress site, but you do not forget to set a stronger password. The next step for the most important guests to introduce is to do a basic reinforcement of the site through .htaccess, protect the wp-admin directory, limit the read of wp-includes directories, prevent spam messages, prohibit directory indexes, and restrict wp-config.php access. Permissions, and so on, are very basic web site security protections. Regardless of whether or not your site is under attack, these are actually necessary security protections.Of course, the following website security protection does not mean that you will not be hacked, but will have a layer of protection and reduce the chance of being attacked. 12 Ways to Strengthen WordPress Website Security  

First, limit the wp-admin directory IP

If you manage a wordpress website, there are usually only a few IPs, and you are very concerned about your website security. For example, if you run a large-scale team website and you are often visited by hackers, and the team is often used by the running A fixed IP, in order to ensure the security of the site, the following method can restrict the IP or IP network segment read wp-admin directory, not the specified IP (or IP network segment) can not access the background, of course, this method is not only for wordpress website. Add a .htaccess file with NotePad++, add the following code in the htaccess file, and upload the file to the "wp-admin" directory. Replace the blue part with your IP. The grammar judgment process is simply to block IP, then open the allowed IP, so change the of "allow from" to yours. IP.If it is a network segment, you can enter "12.34.56."


Second, limit the access wp-includes directory

The "wp-includes" directory is some of the system's core directories, as well as "/wp-admin/wp-includes" and "/wp-includes". There is no page on our website page with a URL that points to these places. (Usually the files in this directory can only be modified by managers or called in code).Use the following syntax to limit access permissions. Add the following code to the root .htaccess file. This is the official proposal setting.

  If you do not add the above syntax, an error message will be displayed; if the above syntax is added, WordPress's default 404 page will be displayed: This tells you that the directory does not exist. This is a relatively safe safeguard.

Third, limit wp-login.php login IP

If your site is not open for registration, then you can implement this method, restricting access to wp-login.php to only the site's administrator. The method of setting is similar to the previous limitation of wp-admin accessing IP method. Please put "12.34 .56.78" changed to your allowed IP or network segment.


Fourth, limit the upload size

Avoid hackers through the Dos attack, use the transmission of large files to explode your traffic, so you can limit the size of the single file to prevent such a situation from happening, add the following syntax to the root directory .htaccess file can be The guest's default is 10MB.


Fifth, protect the wp-config.php configuration file

Used WordPress knows that the "wp-config.php" file is very important to the operation of the entire system. It is missing or misconfigured to connect to the database because this file contains the MySQL account and password. To protect this file, WordPress The official proposal is to first set the file authority to "400", which means that only human rights should be read.However, setting 400 may cause some plugins such as wp super cache to write an error. Therefore, please make an order. However, to protect wp-config.php is to set the. Htaccess directory, modify the root directory of the. Htaccess directory, add the following syntax, this syntax means: prohibit everyone browsing (the host program can be read normally). This is the official suggested setting method:


Anti-spam message attack

The following grammar is to protect your message from being attacked by the robot spam message. It mainly blocks requests without a referrer. However, after the extreme guests found that the effectiveness is limited, it is recommended to add Akismet and quiz protection.Please add the following code to the .htaccess file in the root directory. Replace "wangbaiyuan.cn" with your own website URL.


Seven, prohibit directory index

If your web host does not enable the directory indexing feature, please be sure to add this syntax to protect directories that do not have an index directory and prevent malicious individuals from downloading all content on the site.


Eight, change the data table prefix

The data table prefix word must be a corrective action at the beginning of the installation, avoid the use of the name of the default wp, modification must be careful, otherwise it may cause a website error, must make a backup before making any adjustments.

Nine, reasonably set directory permissions

The permissions set in the website must be adjusted according to requirements. For example, wp-config.php does not recommend setting 777.

 Ten, account security

WordPress system default installation is to use the admin account, but later versions allow users to choose their own webmaster account to avoid malicious users want to try admin login website.If you already use admin, please change your account quickly!Otherwise hackers can easily guess your account, then guess the password should be very fast.It is also recommended to use Login Login Attempts to enhance login security. Of course, you also need to set a password that is not easy to guess.

Eleven, turn off the background theme editing function

WordPress background theme can be directly edited in the background once the permissions are open, and can only be browsed if it is not open.Host suPHP by default if it is installed can be edited.If you feel that this feature is not available, it is recommended that you turn it off. After all, it is dangerous to directly expose it in the background and edit it. It may be due to hacking, or it may be caused by mistakes.Please add the following syntax to the appropriate location of wp-config.php to close the modified permissions.


X. Limiting .htaccess access

After adjusting the above things, don't forget to enforce your .htaccess directory permissions.Add the following syntax to the .htaccess directory to enable self-protection.The syntax is to prohibit everyone from directly browsing the directory, but the system is allowed to use the read.

  In the end, you still need to do a good job of protecting your personal account password. Also, don't go to the Internet or computer to log in to the website. This may cause the account secret to leak. In addition, remind you again that using the above method will only strengthen WordPress security. However, there is no guarantee that the virus will not invade and there will still be opportunities for hackers to invade. Usually, the situation may be due to leaks in your account, website plug-ins, loopholes in the subject, unclear vulnerabilities in the system, incorrect directory permissions, etc. You still have to pay more attention to the situation.


This article has been printed on copyright and is protected by copyright laws. It must not be reproduced without permission.If you need to reprint, please contact the author or visit the copyright to obtain the authorization. If you feel that this article is useful to you, you can click the "Sponsoring Author" below to call the author!

Reprinted Note Source: Baiyuan's Blog>>https://wangbaiyuan.cn/en/12-way-to-enhance-the-wordpress-web-site-security-2.html

Post comment


No Comment


Forget password?