Complete Guide to Total Security WordPress Plugin

A simple, easy yet a powerful WordPress plugin let’s you improve your WordPress blog security in just a few minutes. It checks the whole WordPress installations, provide the reports on time also tells you how about to fix those issues to make your site secure from hackers. This plugin monitors for your WordPress site as a security guard. In this complete Guide to Total Security WordPress Plugin, we’ll show you what are the main facts of being your WordPress site hacked, in your WordPress installations. Before we began just install and activate the plugin Total Security in your blog. Now, you can see a tab just below settings for about Total Security click on it. The Tab Total Security from WordPress Plugin

Step by Step Guide on setting up Total Security

1. Goto Total Security > Vulnerability Scan and the button on one click scan.  Total Security Plugin One Click Scan 2. Check out the results, which things are not correctly placed in your WordPress installation that can harm your website. There will be many things that may placed on default position, which is the most dangerous because most of the hackers try hacking WordPress sites on their default settings.

Guide to Total Security

Complete Solution Set for Total Security Errors

1. UP to date: WordPress core

First of all, it’s not an error. In my opinion you didn’t update your WordPress new version. You should keep your WordPress core updated, it is the most important aspect to make secure your site. It’s is said that the old versions more open to attacks, and this is one of the primary reasons, you should keep WordPress installations up to date. Go to Dashboard > Updates upgrade your WordPress Installations. Please Update New Version WordPress 3.5 Remember: always backup your database and media files before upgrading.

2. UP to date: Plugins

Same as WordPress core, you should keep your plugins up to date. Since most of the plugins are free, therefore the codes are available to anyone having the latest version, and you should keep WordPress plugins up to date to make secure your site. Go to Dashboard > Updates update your WordPress plugins those are not updated. Remember: always backup your database and media files before upgrading.

3. UP to date: Themes

Same as WordPress core, you should keep your WordPress themes up to date. Since most of the themes are free, therefore the codes are available to anyone having the latest version, and you should keep WordPress themes up to date to make secure your site. Also, having the latest version of the theme will ensure that it is compatible with the latest version of WordPress. Go to Dashboard > Themes update your WordPress Themes those are not updated. Remember: always backup your database and media files before upgrading.

4. Header: Reveal full WordPress version info

You should hide the meta data of your WordPress version info. If you did not hide the meta data info, then the hackers can easily use Google to target those site’s using specific version of WordPress. Place the following code in your theme’s functions.php file to remove the header meta version info:

function remove_version() {
  return '';
}
add_filter('the_generator', 'remove_version');

Remember: always backup your theme files before editing functions.php

5. readme.html file is accessible via HTTP on the default location

The readme.html file is the key of your WordPress installations which contains the whole info about your WordPress version. Keeping the file readme.html on the default position means the hackers can easily find your WordPress version info. You should change the default location of readme.html file from (WP root). This can be done by renaming the file to something more unique like “readme-786.html”, delete the file, or move it to another location or using chmod function which will unable to access via HTTP.

6. install.php file is accessible via HTTP on the default location

Same like readme.html, there are already some security issues regarding install.php in WordPress, but this file become useless just after installing WordPress then why it’s available in our root directory if we don’t need this file anymore. I guess, change the name of the file rather install.php, or delete the file or move it to another directory or using chmod function which will let your file to unable to access via HTTP. To access this file goto –> wp-admin > install.php

7. upgrade.php file is accessible via HTTP on the default location

Same like readme.html, there are already some security issues regarding upgrade.php. Without your knowledge, it’s not a better idea to let other people run this file. It’s a useful file but what make sense that it’s accessible for anyone being on the default location. I guess, change the name of the file rather upgrade.php, or move it to another directory or using chmod function which will let your file to unable to access via HTTP but don’t delete this file because you may need this file later. To access this file goto –> wp-admin > install.php

8. wp-config.php file has the writable

This file contains the sensitive information about your WordPress blog database (including username, password in plain text). This mean this file shouldn’t be accessible to anyone else except you and your server. There are some general guidelines to prevent others to access your wp-config.php file. If you’re hosting on a Windows based server ignore all of the following. Try chmod to 0400 or 0440 and if the site works normally that’s the best one to use. Try reading my article on: How to Secure wp-config.php and .htaccess files using chmod? Or directly use the following code in your .htaccess file:

# protect wp-config.php
<files wp-config.php>
    order allow,deny
    deny from all
</files>

9. .htaccess file has the writable

Same like wp-config.php, keep secure your .htaccess file using chmod to 644 and if the site works normally that’s the best one to use and recommended. Or directly use the following code in your .htaccess file:

# protect .htaccess
<files .htaccess>
    order allow,deny
    deny from all
</files>

Hint: don’t use 400 for your .htaccess file because your server will give Forbidden 403 error just after using 400 chmod.

10. Check if server response headers contain detailed PHP version info

This file the makes job easier of attacking your site. This issue isn’t directly related to your WordPress installations but it definitely affects your site. You’ll have to ask your hosting providing company to configure the HTTP server for not to show PHP version info but you also can try adding this code to the .htacces file or if you are using W3 Total Cache then you don’t need to add the following code because the plugin automatically adds this code to your .htaccess file:

<IfModule mod_headers.c>
  Header unset X-Powered-By
  Header unset Server
</IfModule>

11.  Check if WordPress installation address is the same as the site address

Moving your WordPress installation files into a root directory is one of the best way to secure your WordPress website/blog. WordPress makes it easier to move your WordPress core files into root directory by setting your blog address the same (www.yourdomain.com), while your WordPress files will be loaded from (www.yourdomain.com/anything/wp-admin). If you are worried about Moving your WP core files into a root directory, I must say don’t worry. I have wrote Complete Guide on Moving WordPress Core Files into Root Directory.

12. Check if salts security keys have proper values

The WordPress salts security keys basically used to make sure the better information that stored in user’s cookies and hashed passwords. We don’t need to remember these keys like passwords after all once they get set on the proper there will no excuse on not to set them properly. There are 8 eight salts keys that must be used in the wp-config.php file. This is an automated salts keys generation script which gives you new keys on regular pressing the button F5. Get your WordPress Salts Keys. Use the eight salts keys between 45 line to 52 line.

13. Check the Database Prefix (wp_)

Most of the hacker try hacking the WordPress sites from their default settings, the database prefix (wp_ ) is one of the best way for a hacker to get in to your blog database tables and fix some malicious in it and get the password of the database. This contains the sensitive information, I guess use database prefix more unique (786) unlike wp_. Remember: backup your database before changing the prefix (wp_). To to change the database tables prefix, read my article about changing database tables prefix here!

14. Unnecessary Information on failed Login Attempts

WordPress displays advanced information about the failed logins like username and password are incorrect, sometimes username is incorrect. And most of the times WordPress tell you whether username or password is wrong. This will tell the hackers exactly the about which usernames are active on your server and then he use a password hacker to hack the passwords. To set this issue, edit up your theme’s functions.php file, locate the following code in it to force the failed logins about both username and password is incorrect:

function wrong_login() {
  return 'Wrong username or password.';
}
add_filter('login_errors', 'wrong_login');

15. Disable if the plugins/themes file editor is enabled

The plugins/themes file editor is awesome and quickly yet easily edit your files directly from your WordPress admin panel. But a couple of security issues are rounding from time to time and it has become some what suspicious to disable the editor, in order to prevent your site from being hacked please disable this editor. To disable the editor just place the following code in your theme’s functions.php file:

define('DISALLOW_FILE_EDIT', true);

Similar Posts

9 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *