Some tips to protect your WordPress
- Secure your /wp-admin/ directory. What I've done is lock down /wp-admin/ so that only certain IP addresses can access that directory. I use an .htaccess file, which you can place directly at /wp-admin/.htaccess. This is what mine looks like:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
allow from 199.239.136.200
# IP while in Kentucky; delete when back
allow from 128.163.2.27

I've changed the IP addresses, but otherwise that's what I use. This file says that the IP address 64.233.169.99 (and the other IP addresses that I've whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access. Has this saved me from being hacked before? Yes.
- Make an empty wp-content/plugins/index.html file. Otherwise the web server may return a directory listing that leaks which plugins you run. If someone wanted to hack your blog, they might do it by discovering that you run an out-of-date plugin and then exploiting that.
- Subscribe to the WordPress Development blog at http://wordpress.org/development/feed/. When WordPress patches a security hole or releases a new version, they announce it on that blog. If you see a security patch released, you need to upgrade or apply the patch. You leave yourself open to being hacked if you don't upgrade.
Thanks to mattcutts
thanks for the info
Bro, what about M2 users? Their IP keeps changing.
Hehe.. yeah, that's cool, but if the site admin can only get access from an internet cafe like me.. that's tricky too.. hehehe.. 😀
thanks for the info.. 😀
@midori_s4n: you're welcome
@f4r1z: it's not really suitable if your IP keeps changing.
@andri: no problem, just add the internet cafe's IP 🙂
So you mean only the IPs listed above can log in?
What about restricting it so that only Speedy IPs can log in…
What do you think, bro?
@ArieL, FX: yeah, no problem
wew..
Is that all you have to say, bro? 😛
Hello!
Very Interesting post! Thank you for such interesting resource!
PS: Sorry for my bad English, I've just started to learn this language 😉
See you!
Yours, Raiul Baztepo
@Ariel
Use a wildcard*
For point 1:
IP locking can't really protect us from attacks like XSS, CSRF or clickjacking.
For point 2:
I'd rather use mod_rewrite.
Note: Pak Fl3xu5, your theme is really dark.. so much so that even to comment I have to type it in Notepad first ^^
@RaiulBaztepo: hello to you too, you're welcome 🙂
@zoiz: thanks for sharing, please go ahead and elaborate on the implementation and an example 🙂
@zoiz
hm..
is wildcard a plugin for WP?
*sorry, I don't know*
@Fl3xu5
As for mod_rewrite, you can do it by enabling permalinks in the WP settings.
Regarding IP locking, a WP administrator will find it hard to protect themselves when attacked with client-side techniques such as XSS and CSRF. For example, like the video bro fl3xu5 downloaded the other day 🙂
@Ariel
A wildcard looks roughly like this: 125.160.*.*
So for example, if you want to use the IP lock technique but your IP is dynamic, you could change the .htaccess to something like this:
# whitelist home IP address
# partial address: Apache's own form for the 125.160.*.* range
allow from 125.160
But by doing that you've already broken the rules of the game that bro fl3xu5 wants us to follow. So my advice is to request a static IP from Telkom.
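To make the allowlist semantics from the post and the wildcard range from the comment above concrete, here is an added example (not the post's or any commenter's code) that parses an Apache 2.2-style .htaccess and decides whether a client address would reach /wp-admin/. It applies mod_access's rules for `order deny,allow` (default allow, deny rules first, a matching allow overrides) and `order allow,deny` (default deny, a matching deny wins). The sample .htaccess and the client addresses are constructed; the `125.160.*.*` wildcard notation from the comment is normalised to the same /16 that Apache's partial-address form `125.160` means, which is an assumption made here for comparison only.

```python
"""Evaluate an Apache 2.2-style .htaccess IP allowlist (order / deny from /
allow from) against a client address, mirroring what mod_access does for
/wp-admin/.  Added example, not the blog post's own code.  All addresses and
the sample .htaccess below are constructed for illustration."""
import ipaddress

# Constructed sample: the post's /wp-admin/.htaccess plus the wildcard range
# suggested in the comments for a dynamic ISP address.
SAMPLE_HTACCESS = """\
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
allow from 199.239.136.200
# dynamic ISP range, written in the wildcard form used in the comments
allow from 125.160.*.*
"""


def to_network(spec):
    """Turn one `allow from` / `deny from` argument into an ip_network.

    Accepts `all`, a full address, CIDR (10.1.0.0/16), Apache's own partial
    address form (125.160 = the first one to three octets) and the wildcard
    form from the comments (125.160.*.*), which is normalised to the same /16.
    Hostnames and network/netmask forms are out of scope here.
    """
    spec = spec.strip()
    if spec == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    while octets and octets[-1] == "*":      # drop trailing wildcard octets
        octets.pop()
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"unsupported address spec: {spec!r}")
    prefix = 8 * len(octets)                  # one byte of prefix per given octet
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{prefix}", strict=False)


def parse_access_rules(htaccess_text):
    """Return (order, deny_networks, allow_networks); other directives are ignored."""
    order, deny, allow = "deny,allow", [], []   # Apache's default order is deny,allow
    for raw in htaccess_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif directive in ("deny", "allow") and len(parts) >= 3 and parts[1].lower() == "from":
            target = deny if directive == "deny" else allow
            target.extend(to_network(s) for s in parts[2:])
    return order, deny, allow


def is_allowed(client_ip, htaccess_text):
    """mod_access semantics: with `order deny,allow` the default is allow, deny
    rules are applied first and a matching allow overrides them; with
    `order allow,deny` the default is deny and a matching deny wins."""
    order, deny, allow = parse_access_rules(htaccess_text)
    ip = ipaddress.ip_address(client_ip)
    denied = any(ip in net for net in deny)
    allowed = any(ip in net for net in allow)
    if order == "deny,allow":
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        return allowed and not denied
    raise ValueError(f"unknown order: {order!r}")


if __name__ == "__main__":
    for client in ("64.233.169.99", "125.160.7.8", "125.161.0.1", "8.8.8.8"):
        verdict = "allowed" if is_allowed(client, SAMPLE_HTACCESS) else "denied"
        print(f"{client:>15}  -> {verdict}")
```

Two things worth checking before deploying a file like this. First, the `order` line matters: `order allow,deny` combined with `deny from all` locks out every address, including the ones you allow, because under that order a matching deny wins. Second, the rule only covers the /wp-admin/ directory: wp-login.php lives in the site root and is not protected by it, while /wp-admin/admin-ajax.php is inside the protected directory, so themes or plugins that call it on behalf of anonymous visitors will start receiving 403s for everyone not on the list. On Apache 2.4 the `order`/`deny`/`allow` directives come from mod_access_compat; the native equivalent is `Require ip 64.233.169.99` and, for the range, `Require ip 125.160.0.0/16`.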
Hi ! 😉
My name is Piter Kokoniz. Just want to tell, that I like your blog very much!
And want to ask you: will you continue to post in this blog in future?
Sorry for my bad English :)
Thank you!
Piter.