Help [Collected] Ways to protect a WordPress blog

minandmax

Learning to run a site is hard enough. Making the site grow is even harder. Once the site has grown big, protecting it from hackers becomes extremely important.

Below are some ways to protect a WordPress site that I have collected:


Creating a Secure User Name

The default administrator account for WordPress installations is given the user name “admin.” Most hackers are aware of this, and as a result, have half of the information necessary to access a user's data. The only other piece of information hackers need is the user's password. To protect a user's account, this username should be changed to something unique. This can be accomplished in one of two ways depending on the user's familiarity with MySQL.

Those familiar with MySQL can use a frontend program like phpMyAdmin or the following command (the table name wp_users assumes the default wp_ table prefix):

UPDATE wp_users SET user_login = 'new user' WHERE user_login = 'admin';

For those that are unfamiliar with MySQL, the following steps should be taken:

1. Create a new user with a unique username
2. Assign the new account to the admin role
3. Log out and then log back in using the new user account
4. Delete the admin account


Recommended Security Plugins

There are several plugins available to WordPress users that can assist with blog security. The following are recommended security plugins for WordPress users:

1. Ultimate Security Check
This plugin helps you identify security problems with your WordPress installation. It scans your blog and gives a security grade based on the tests passed.

2. Better WP Security
Better WP Security takes the best WordPress security features and techniques and combines them in a single plugin thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.

Folder Permissions

Another method by which hacker attacks can be thwarted is to make sure the user's folder permissions are set properly. Many blog hosts allow folder permissions to be set through the control panel. If not, standalone FTP programs offer users the ability to change these permissions. A good rule of thumb for folder permissions is to set files at 644 and folders at 755. This should provide most plugins and themes the access they require. If the user finds that there are folder access problems, permissions may be increased as needed.

Change WordPress Table Prefix

The default installation of WordPress sets the database tables with the prefix wp_. This is another bit of information that hackers know well. Database files may be hidden by making the table prefix unique. This is accomplished by changing the wp-config.php file. Prior to installing WordPress on the user's server, the wp-config.php should be changed. Changing existing tables can be quite complicated if these adjustments do not occur before WordPress installation.

Move wp-config.php File

With the release of WordPress 2.6, users now have the option of moving the wp-config.php file. The ability to move the wp-config.php file prevents hackers from finding the file and making unwanted changes. The file can only be moved to the parent directory of the WordPress installation. For example, if the file is installed in:

public_html/wordpress/wp-config.php

it may be moved to:

public_html/wp-config.php

It must be noted, however, that WordPress is programmed to only search the parent directory. If the configuration file is moved anywhere else, an error message will result.

.htaccess Lockout

While this method of security can become somewhat tricky, it is very effective at preventing a hacker attack. The goal is to specify the IP address or range of IP addresses that can access the administration section of WordPress. To do this, create a .htaccess file in the wp-admin directory on the user's wordpress web hosting account. The file should contain the following information:

# Apache 2.2 access syntax; Apache 2.4 accepts it only with mod_access_compat
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from all
# IP address to whitelist
Allow from xxx.xxx.xxx.xxx

Users may specify as many IP addresses as they like, and change the IP addresses easily. There is a drawback to this type of security measure, however. If there are many computers accessing the administration portion of WordPress, there will be many IP addresses to coordinate. For some users, this could present a substantial difficulty.

Force SSL Encryption

WordPress users can force their installation to use SSL encryption at the login or administration pages. This can be accomplished by modifying the wp-config.php file. In the file, add the following lines:

For the login page – define('FORCE_SSL_LOGIN', true);
For the administration page – define('FORCE_SSL_ADMIN', true);

In order to use this security function, users must ensure that their server is set up and configured for SSL encryption.

Backup
Daily backup is important
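
For the Folder Permissions section above, a shell audit of a WordPress tree against the 644/755 rule of thumb, with a reset step. This is an added example, not part of the original post; the function names and the sample tree are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit a WordPress tree against
# the 644 (files) / 755 (directories) rule of thumb, then reset deviations.

# List every regular file whose mode is not exactly 644 and every directory
# whose mode is not exactly 755, one "kind<TAB>path" line per finding.
audit_wp_perms() {
    find "$1" -type f ! -perm 644 -exec printf 'file\t%s\n' {} \;
    find "$1" -type d ! -perm 755 -exec printf 'dir\t%s\n' {} \;
}

# Number of findings under a tree (0 means the tree matches the rule).
count_wp_perm_findings() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Reset the tree to 644/755. find does not follow symlinks by default,
# so nothing outside the tree is changed.
fix_wp_perms() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

# Constructed sample tree (hypothetical paths) with three deliberate mistakes.
build_sample_tree() {
    sample_root="$(mktemp -d)"
    mkdir -p "$sample_root/wp-content/uploads" "$sample_root/wp-admin"
    touch "$sample_root/index.php" "$sample_root/wp-config.php" \
          "$sample_root/wp-content/uploads/a.jpg"
    chmod 755 "$sample_root" "$sample_root/wp-content" "$sample_root/wp-admin"
    chmod 644 "$sample_root/index.php"
    chmod 777 "$sample_root/wp-content/uploads"        # world-writable directory
    chmod 666 "$sample_root/wp-config.php"             # world-writable config file
    chmod 755 "$sample_root/wp-content/uploads/a.jpg"  # executable upload
    echo "$sample_root"
}
```

Run audit_wp_perms on the real installation path before fix_wp_perms, because a plugin or theme may have been given wider permissions on purpose.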
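
For the table prefix, wp-config.php location and Force SSL sections above, a shell check that reports which of those settings are in effect for one WordPress directory. This is an added example, not part of the original post; the function names, the finding labels and the sample prefix k7q_ are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): report which wp-config.php
# measures described in this post are in effect for one WordPress directory.

# Prints the config location, then one line per setting still at its default.
check_wp_config() {
    wp_root="${1%/}"
    if [ -f "$wp_root/wp-config.php" ]; then
        cfg="$wp_root/wp-config.php"; echo "config-in-wordpress-dir"
    elif [ -f "$wp_root/../wp-config.php" ]; then
        cfg="$wp_root/../wp-config.php"; echo "config-in-parent-dir"
    else
        echo "config-not-found"; return 0
    fi
    # Default prefix line looks like: $table_prefix = 'wp_';
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "default-table-prefix"
    fi
    # FORCE_SSL_ADMIN must be defined as true on a line that is not commented out.
    if ! grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "force-ssl-admin-not-set"
    fi
}

# Constructed sample: config left in the WordPress directory, default settings.
make_default_site() {
    d="$(mktemp -d)"; mkdir "$d/wordpress"
    printf '%s\n' '<?php' "\$table_prefix = 'wp_';" > "$d/wordpress/wp-config.php"
    echo "$d/wordpress"
}

# Constructed sample: config moved to the parent directory, custom prefix
# (k7q_ is a made-up value), SSL forced for the administration pages.
make_hardened_site() {
    d="$(mktemp -d)"; mkdir "$d/wordpress"
    printf '%s\n' '<?php' "\$table_prefix = 'k7q_';" \
        "define('FORCE_SSL_ADMIN', true);" > "$d/wp-config.php"
    echo "$d/wordpress"
}
```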
 
