WordPress Hack Prevention Checklist

I have been working with a client (whose site/s I did NOT build) whose WordPress web site has been hacked. Here is the report I just sent him to show him what I have done to secure his site against further hacking attempts. How many of these things have YOU done to ensure your site won’t be hacked?

Use this WordPress Hack Prevention Checklist to determine how prepared YOUR site is for when the hacker tries to get access. At the bottom of this post, you will find links to other posts where you can find out how to do a lot of these things yourself.

Or, Contact Us for details on how we can do all this for you!

Your login area is protected from brute force attacks.
Malware scanning is enabled and running at scheduled intervals on your computer
Users’ nicknames are different from their display names.
Your site is protecting against bots looking for known vulnerabilities.
The user with id 1 has been removed.
Your site will detect changes to your files.
You are protecting common WordPress files from access.
Your WordPress site is blocking suspicious looking information in the URL.
Your WordPress installation is not telling every bot that you use WordPress.
Your WordPress installation is not allowing users without a user agent to post comments.
Users cannot execute PHP from the uploads folder.
User profiles for users without content are not publicly available.
Your database table prefix is not using wp_.
You are blocking known bad hosts and agents with the ban users tool.
You have successfully disabled directory browsing on your site.
You are blocking HTTP request methods you do not need.
Your WordPress site is blocking non-English characters in the URL.
Your installation does not accept long URLs.
Your wp-config.php and .htaccess files are not writable.
Your WordPress installation is not publishing the Windows Live Writer header.
Your WordPress installation is not publishing the Really Simple Discovery (RSD) header.
Version information is obscured to all non admin users.
Users cannot edit plugin and theme files directly from within the WordPress Dashboard.
Your login page is not giving out unnecessary information upon failed login.

No installed plugins have known vulnerabilities in the installed versions.

Only visitors from Australia and the USA can access the back end (admin login) page (using IQ Block Country).
Visitors from China have been blocked from the front end (using IQ Block Country).
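Several of the items above (table prefix, file editor, debug mode, keys and salts, file permissions, directory browsing, blocked HTTP methods, PHP execution in the uploads folder) can be verified against the files on disk without touching the site over HTTP. The script below is an added example, not code from the original post or from any of the plugins mentioned: it audits a WordPress directory for those settings and builds a constructed two-file stub install (one hardened, one with defaults) so it runs offline. The check names, the `make_sample_install` helper, the sample salt and prefix values, and the exact `.htaccess` rules it looks for are assumptions of this example; real installs may express the same protections with different directives.

```python
"""Offline audit of a local WordPress directory against the checklist above (added example)."""
import os
import re
import stat
import tempfile

# Text that wp-config-sample.php ships in place of real keys and salts.
PLACEHOLDER = "put your unique phrase here"
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")


def _read(path):
    """Return a file's text, or '' when it is missing."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def _not_writable(path):
    """True when no write bit is set for owner, group or world (mode-based, so root-safe)."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        return False
    return mode & 0o222 == 0


def _defined_true(config, name):
    """True when wp-config.php contains define('NAME', true)."""
    pattern = r"define\(\s*['\"]%s['\"]\s*,\s*true\s*\)" % name
    return re.search(pattern, config, re.I) is not None


def audit_install(root):
    """Return {check: passed} for the install rooted at `root`."""
    config = _read(os.path.join(root, "wp-config.php"))
    htaccess = _read(os.path.join(root, ".htaccess"))
    uploads_ht = _read(os.path.join(root, "wp-content", "uploads", ".htaccess"))

    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", config)
    keys = dict(re.findall(
        r"define\(\s*['\"](%s)['\"]\s*,\s*['\"]([^'\"]*)['\"]" % "|".join(KEY_NAMES), config))
    return {
        "table prefix is not wp_": bool(prefix) and prefix.group(1) != "wp_",
        "plugin/theme file editor disabled": _defined_true(config, "DISALLOW_FILE_EDIT"),
        "debug mode off": not _defined_true(config, "WP_DEBUG"),
        "keys and salts have real values": all(
            bool(keys.get(k)) and PLACEHOLDER not in keys[k] for k in KEY_NAMES),
        "wp-config.php not writable": _not_writable(os.path.join(root, "wp-config.php")),
        ".htaccess not writable": _not_writable(os.path.join(root, ".htaccess")),
        "directory browsing disabled": re.search(r"^\s*Options\b.*-Indexes", htaccess, re.M) is not None,
        "unneeded HTTP methods blocked": re.search(
            r"REQUEST_METHOD\}?\s+\^?\(?(TRACE|TRACK)", htaccess) is not None,
        "PHP execution blocked in uploads": (
            re.search(r"php", uploads_ht, re.I) is not None
            and re.search(r"deny from all|Require all denied", uploads_ht, re.I) is not None),
    }


def make_sample_install(hardened):
    """Write a constructed WordPress stub (not a real install) and return its path."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    salt = "Kq8#vR2!pL9mZx4nT7bW" if hardened else PLACEHOLDER  # constructed sample value
    config = "<?php\n$table_prefix = '%s';\n" % ("xk9_" if hardened else "wp_")
    config += "".join("define('%s', '%s');\n" % (k, salt) for k in KEY_NAMES)
    config += "define('WP_DEBUG', %s);\n" % ("false" if hardened else "true")
    if hardened:
        config += "define('DISALLOW_FILE_EDIT', true);\n"
    htaccess = "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n"
    if hardened:
        htaccess = ("Options -Indexes\n" + htaccess
                    + "RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)\nRewriteRule .* - [F]\n")
        with open(os.path.join(uploads, ".htaccess"), "w") as fh:
            fh.write('<FilesMatch "\\.(php|phtml|php5)$">\nRequire all denied\n</FilesMatch>\n')
    for name, body in (("wp-config.php", config), (".htaccess", htaccess)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o444 if hardened else 0o644)
    return root


if __name__ == "__main__":
    for label, flag in (("hardened", True), ("default", False)):
        print(label)
        for check, ok in audit_install(make_sample_install(flag)).items():
            print("  %s %s" % ("PASS" if ok else "FAIL", check))
```

Point `audit_install` at a real document root instead of the stub to run it against your own install; a FAIL only means the expected directive or setting was not found in the place this example looks, so confirm the protection is applied elsewhere before treating it as missing.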

Check if WordPress core is up to date.
Check if plugins are up to date.
Check if themes are up to date.
Check if the login form is protected by a CAPTCHA test.
Check if readme.html file is accessible via HTTP on the default location.
Check if “anyone can register” option is enabled.
Check if full WordPress version info is revealed in page’s meta data.
Check if EditURI link is present in pages’ header data.
Check for display of unnecessary information on failed login attempts.
Check if Windows Live Writer link is present in pages’ header data.
Check if plugins/themes file editor is enabled.
Check if general debug mode is enabled.
Check if install.php file is accessible via HTTP on the default location.
Check if upgrade.php file is accessible via HTTP on the default location.
Check if server response headers contain detailed PHP version info.
Check if expose_php PHP directive is turned off.
Check if user with username “admin” exists.
Check user’s password strength with a brute-force attack.
Check if database table prefix is the default one (wp_).
Check if security keys and salts have proper values.
Test the strength of the WordPress database password.
Check if database debug mode is enabled.
Check if JavaScript debug mode is enabled.
Check if display_errors PHP directive is turned off.
Check if register_globals PHP directive is turned off.
Check if PHP safe mode is disabled.
Check if allow_url_include PHP directive is turned off.
Check if uploads folder is browsable by browsers.
Test if user with ID “1” exists.
Check if MySQL server is connectable from outside with the WP user.
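Many of the checks in this list look at what the site hands out to any HTTP client: the generator meta tag with the full version, the EditURI (RSD) and Windows Live Writer links in the page header, PHP version details in response headers, and whether readme.html, install.php, upgrade.php and the uploads folder listing are reachable. The script below is an added example, not code from the original post or from the tool that produced the list: `audit_responses` evaluates those checks on a map of path to (status, headers, body), and `collect` fills that map from a site you administer using only the standard library. The two sample response sets, the probe paths, the version string and the hostname `example.test` are constructed for the example and are not real captures.

```python
"""Offline check of what a WordPress site discloses over HTTP (added example)."""
import re
import urllib.error
import urllib.request

# Paths the checks above look at; constructed list, extend as needed.
PROBE_PATHS = ("/", "/readme.html", "/wp-admin/install.php",
               "/wp-admin/upgrade.php", "/wp-content/uploads/")


def collect(base_url, paths=PROBE_PATHS, timeout=10):
    """Fetch each path from a site you administer: {path: (status, headers, body)}."""
    out = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "wp-self-audit"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                out[path] = (resp.status, dict(resp.headers),
                             resp.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as err:
            out[path] = (err.code, dict(err.headers), "")
    return out


def _header(headers, name):
    """Case-insensitive header lookup; '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def audit_responses(responses):
    """Return {check: passed} from a {path: (status, headers, body)} map."""
    _, headers, html = responses.get("/", (0, {}, ""))

    def status_of(path):
        return responses.get(path, (404, {}, ""))[0]

    generator = re.search(r"<meta[^>]*name=[\"']generator[\"'][^>]*>", html, re.I)
    versioned = (generator is not None
                 and re.search(r"WordPress\s+\d", generator.group(0)) is not None)
    server_ids = _header(headers, "Server") + " " + _header(headers, "X-Powered-By")
    uploads_body = responses.get("/wp-content/uploads/", (404, {}, ""))[2]
    return {
        "full version absent from generator meta": not versioned,
        "EditURI (RSD) link absent": re.search(r"rel=[\"']EditURI[\"']", html, re.I) is None,
        "Windows Live Writer link absent": re.search(r"wlwmanifest\.xml", html, re.I) is None,
        "PHP version absent from headers": re.search(r"PHP/?\s*\d", server_ids, re.I) is None,
        "readme.html not reachable": status_of("/readme.html") != 200,
        "install.php not reachable": status_of("/wp-admin/install.php") != 200,
        "upgrade.php not reachable": status_of("/wp-admin/upgrade.php") != 200,
        "uploads folder not browsable": not (status_of("/wp-content/uploads/") == 200
                                             and "Index of" in uploads_body),
    }


# Constructed responses standing in for a default and a hardened site (not real captures).
LEAKY_HOME = """<html><head>
<meta name="generator" content="WordPress 4.9.8" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.test/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://example.test/wp-includes/wlwmanifest.xml" />
</head><body></body></html>"""
HARDENED_HOME = "<html><head><title>Site</title></head><body></body></html>"
DIRLIST = "<html><head><title>Index of /wp-content/uploads</title></head></html>"

SAMPLE_LEAKY = {
    "/": (200, {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.19"}, LEAKY_HOME),
    "/readme.html": (200, {}, "<h1>WordPress</h1>"),
    "/wp-admin/install.php": (200, {}, ""),
    "/wp-admin/upgrade.php": (200, {}, ""),
    "/wp-content/uploads/": (200, {}, DIRLIST),
}
SAMPLE_HARDENED = {
    "/": (200, {"Server": "Apache"}, HARDENED_HOME),
    "/readme.html": (403, {}, ""),
    "/wp-admin/install.php": (403, {}, ""),
    "/wp-admin/upgrade.php": (403, {}, ""),
    "/wp-content/uploads/": (403, {}, ""),
}

if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_LEAKY), ("hardened", SAMPLE_HARDENED)):
        print(label)
        for check, ok in audit_responses(sample).items():
            print("  %s %s" % ("PASS" if ok else "FAIL", check))
```

To run it against your own site, call `audit_responses(collect("https://your-site.example"))`; the sample dictionaries let you confirm the logic first without network access. A redirect or a custom 404 page that returns 200 will show up as "reachable", so read the body before concluding the file is really exposed.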

See below for more details on how to do these yourself.

