![\"blog_security_128_2\"](\"https:\/\/www.tipsandtricks-hq.com\/wp-content\/uploads\/2009\/03\/blog_security_128_2.jpg\" "\\"blog_security_128_2\\"")
<\/p>\n![\":)\"](\"https:\/\/www.tipsandtricks-hq.com\/wp-includes\/images\/smilies\/icon_smile.gif\"){kind=icon}
<\/p>\nHowever, if you are in the mood for some advanced tweaking then the following security tips should come in handy ![\";)\"](\"https:\/\/www.tipsandtricks-hq.com\/wp-includes\/images\/smilies\/icon_wink.gif\"){kind=icon}
<\/p>\n
NOTE and DISCLAIMER<\/span><\/h3>\nMost of these techniques require you to understand what you are doing.<\/p>\n
It is strongly recommended that you first test these techniques on a test or development site before applying them to your live site. Doing some of the tips suggested here can break your site if not performed correctly.<\/p>\n
We take no responsibility for any mishaps as a result of your efforts in applying the techniques discussed in this article.<\/p>\n
Also note that these techniques assume that your WordPress installation is running Apache and you have mod_alias<\/strong> and mod_rewrite<\/strong> installed.<\/p>\n1. Disable HTTP Trace Method<\/span><\/h2>\nThere is a security attack technique called Cross Site Tracing (XST)<\/strong> which can be used together with another attack mechanism called Cross Site Scripting (XSS) which exploits systems which have HTTP TRACE functionality. HTTP TRACE is a default functional feature on most webservers and is used for things like debugging. Hackers who use XST will usually steal cookie and other sensitive server information via header requests.<\/p>\nYou can disable the trace functionality either via your Apache configuration file or by putting the following in your .htaccess file:<\/p>\n
2. Remove header outputs from your WordPress installation<\/span><\/h2>\nWordPress can often add quite a lot of output in your header pertaining to various services. The following code shows how you can remove a lot of this output.<\/p>\n
Warning<\/strong>:<\/strong> This can break some functionality if you are not careful. Eg, if you\u2019re using RSS feeds then you may want to comment that line out.<\/strong><\/p>\nAdd the following code to your theme\u2019s functions.php file:<\/p>\n
3. Deny comment posting via proxy server<\/span><\/h2>\nYou can reduce spam and general proxy requests by attempting to prevent comments which are posted via a proxy server. Use the code below (compliments of perishablepress.com) in your .htaccess file:<\/p>\n
4. Change your default WordPress DB prefix<\/span><\/h2>\nYou may already be aware that WP uses a default prefix value of \u201cwp_\u201d for the DB tables. This can in turn be used by malicious bots and hackers to guess your DB table names.<\/p>\n
In general, changing your WP DB prefix value is much easier to do at installation time because you can set it in your wp-config.php file.<\/p>\n
Conversely if you already have a live WP site and you wish to change your DB prefix, then the procedure is a little more complicated.<\/p>\n
A basic guide for changing the DB prefix after an install for those who are curious is briefly outlined below:<\/p>\n
1) Do a full DB backup and save the backup somewhere offboard. Using something like BackupBuddy can useful.
\n2) Do a complete dump of your WP DB using PHPMyAdmin into a text file and save 2 copies \u2013 one for editing and the other as an original just in case.
\n3) Using a good code editor, replace all instances of \u201cwp_\u201d with your own prefix.
\n4) From your WP admin panel, deactivate all plugins
\n5) Using PHPMyAdmin, drop your old DB and import your new one using the file you edited in step 3.
\n6) Edit your wp-config.php file with the new DB prefix value.
\n7) Re-activate your WP plugins
\n8) Perform another save on your permalink settings by going to Settings->Permalinks in order to refresh your permalink structure.<\/p>\n
Caution<\/strong>:<\/p>\nSometimes plugins add their own prefix after the wordpress prefix where both are identical.<\/p>\n
example, you might have a table name from a certain plugin has a name like the following: wp_wp_abc_table_name.<\/p>\n
Be sure when replacing the \u201cwp_\u201d instances in step 2 above that you only replace the first \u201cwp_\u201d prefix and not the one following it.
\nFor instance if we take the example we just mentioned we would replace the first prefix with our new prefix which for this example might be called \u201ctrx_\u201d.<\/p>\n
The new name would look like:<\/p>\n
trx_<\/strong>wp_abc_tablename<\/p>\nNote that there are also WP plugins out there which can achieve the above steps for those who are not prepared to get their hands dirty.<\/p>\n
5. Deny Potentially Dangerous Query Strings<\/span><\/h2>\nYou can put the following code in your .htacces file to help prevent XSS attacks.<\/p>\n
BEWARE<\/strong>: Functionality of some plugins or themes could break if you are not careful to exclude strings which are used by them.<\/strong><\/p>\n6. Apply PHP hardening to your system<\/span><\/h2>\nYou can install and enable Suhosin <\/strong>which is a PHP hardening system on your server. This can further increase the security of your system by protecting against various vulnerabilities.<\/p>\nSuhosin typically installs on most PHP installations and is sometimes included by webhosting companies by default. (Check with your hosting provider)<\/p>\n
If you can read more about Suhosin here<\/a>.<\/p>\nFurther reading: http:\/\/codex.wordpress.org\/Hardening_WordPress<\/a><\/p>\nSource:<\/p>\n
1. Disable HTTP Trace Method<\/span><\/h2>\nThere is a security attack technique called Cross Site Tracing (XST)<\/strong> which can be used together with another attack mechanism called Cross Site Scripting (XSS) which exploits systems which have HTTP TRACE functionality. HTTP TRACE is a default functional feature on most webservers and is used for things like debugging. Hackers who use XST will usually steal cookie and other sensitive server information via header requests.<\/p>\nYou can disable the trace functionality either via your Apache configuration file or by putting the following in your .htaccess file:<\/p>\n
2. Remove header outputs from your WordPress installation<\/span><\/h2>\nWordPress can often add quite a lot of output in your header pertaining to various services. The following code shows how you can remove a lot of this output.<\/p>\n
Warning<\/strong>:<\/strong> This can break some functionality if you are not careful. Eg, if you\u2019re using RSS feeds then you may want to comment that line out.<\/strong><\/p>\nAdd the following code to your theme\u2019s functions.php file:<\/p>\n
3. Deny comment posting via proxy server<\/span><\/h2>\nYou can reduce spam and general proxy requests by attempting to prevent comments which are posted via a proxy server. Use the code below (compliments of perishablepress.com) in your .htaccess file:<\/p>\n
4. Change your default WordPress DB prefix<\/span><\/h2>\nYou may already be aware that WP uses a default prefix value of \u201cwp_\u201d for the DB tables. This can in turn be used by malicious bots and hackers to guess your DB table names.<\/p>\n
In general, changing your WP DB prefix value is much easier to do at installation time because you can set it in your wp-config.php file.<\/p>\n
Conversely if you already have a live WP site and you wish to change your DB prefix, then the procedure is a little more complicated.<\/p>\n
A basic guide for changing the DB prefix after an install for those who are curious is briefly outlined below:<\/p>\n
1) Do a full DB backup and save the backup somewhere offboard. Using something like BackupBuddy can useful.
\n2) Do a complete dump of your WP DB using PHPMyAdmin into a text file and save 2 copies \u2013 one for editing and the other as an original just in case.
\n3) Using a good code editor, replace all instances of \u201cwp_\u201d with your own prefix.
\n4) From your WP admin panel, deactivate all plugins
\n5) Using PHPMyAdmin, drop your old DB and import your new one using the file you edited in step 3.
\n6) Edit your wp-config.php file with the new DB prefix value.
\n7) Re-activate your WP plugins
\n8) Perform another save on your permalink settings by going to Settings->Permalinks in order to refresh your permalink structure.<\/p>\n
Caution<\/strong>:<\/p>\nSometimes plugins add their own prefix after the wordpress prefix where both are identical.<\/p>\n
example, you might have a table name from a certain plugin has a name like the following: wp_wp_abc_table_name.<\/p>\n
Be sure when replacing the \u201cwp_\u201d instances in step 2 above that you only replace the first \u201cwp_\u201d prefix and not the one following it.
\nFor instance if we take the example we just mentioned we would replace the first prefix with our new prefix which for this example might be called \u201ctrx_\u201d.<\/p>\n
The new name would look like:<\/p>\n
trx_<\/strong>wp_abc_tablename<\/p>\nNote that there are also WP plugins out there which can achieve the above steps for those who are not prepared to get their hands dirty.<\/p>\n
5. Deny Potentially Dangerous Query Strings<\/span><\/h2>\nYou can put the following code in your .htacces file to help prevent XSS attacks.<\/p>\n
BEWARE<\/strong>: Functionality of some plugins or themes could break if you are not careful to exclude strings which are used by them.<\/strong><\/p>\n6. Apply PHP hardening to your system<\/span><\/h2>\nYou can install and enable Suhosin <\/strong>which is a PHP hardening system on your server. This can further increase the security of your system by protecting against various vulnerabilities.<\/p>\nSuhosin typically installs on most PHP installations and is sometimes included by webhosting companies by default. (Check with your hosting provider)<\/p>\n
If you can read more about Suhosin here<\/a>.<\/p>\nFurther reading: http:\/\/codex.wordpress.org\/Hardening_WordPress<\/a><\/p>\nSource:<\/p>\n
You can disable the trace functionality either via your Apache configuration file or by putting the following in your .htaccess file:<\/p>\n
2. Remove header outputs from your WordPress installation<\/span><\/h2>\nWordPress can often add quite a lot of output in your header pertaining to various services. The following code shows how you can remove a lot of this output.<\/p>\n
Warning<\/strong>:<\/strong> This can break some functionality if you are not careful. Eg, if you\u2019re using RSS feeds then you may want to comment that line out.<\/strong><\/p>\nAdd the following code to your theme\u2019s functions.php file:<\/p>\n
3. Deny comment posting via proxy server<\/span><\/h2>\nYou can reduce spam and general proxy requests by attempting to prevent comments which are posted via a proxy server. Use the code below (compliments of perishablepress.com) in your .htaccess file:<\/p>\n
4. Change your default WordPress DB prefix<\/span><\/h2>\nYou may already be aware that WP uses a default prefix value of \u201cwp_\u201d for the DB tables. This can in turn be used by malicious bots and hackers to guess your DB table names.<\/p>\n
In general, changing your WP DB prefix value is much easier to do at installation time because you can set it in your wp-config.php file.<\/p>\n
Conversely if you already have a live WP site and you wish to change your DB prefix, then the procedure is a little more complicated.<\/p>\n
A basic guide for changing the DB prefix after an install for those who are curious is briefly outlined below:<\/p>\n
1) Do a full DB backup and save the backup somewhere offboard. Using something like BackupBuddy can useful.
\n2) Do a complete dump of your WP DB using PHPMyAdmin into a text file and save 2 copies \u2013 one for editing and the other as an original just in case.
\n3) Using a good code editor, replace all instances of \u201cwp_\u201d with your own prefix.
\n4) From your WP admin panel, deactivate all plugins
\n5) Using PHPMyAdmin, drop your old DB and import your new one using the file you edited in step 3.
\n6) Edit your wp-config.php file with the new DB prefix value.
\n7) Re-activate your WP plugins
\n8) Perform another save on your permalink settings by going to Settings->Permalinks in order to refresh your permalink structure.<\/p>\n
Caution<\/strong>:<\/p>\nSometimes plugins add their own prefix after the wordpress prefix where both are identical.<\/p>\n
example, you might have a table name from a certain plugin has a name like the following: wp_wp_abc_table_name.<\/p>\n
Be sure when replacing the \u201cwp_\u201d instances in step 2 above that you only replace the first \u201cwp_\u201d prefix and not the one following it.
\nFor instance if we take the example we just mentioned we would replace the first prefix with our new prefix which for this example might be called \u201ctrx_\u201d.<\/p>\n
The new name would look like:<\/p>\n
trx_<\/strong>wp_abc_tablename<\/p>\nNote that there are also WP plugins out there which can achieve the above steps for those who are not prepared to get their hands dirty.<\/p>\n
5. Deny Potentially Dangerous Query Strings<\/span><\/h2>\nYou can put the following code in your .htacces file to help prevent XSS attacks.<\/p>\n
BEWARE<\/strong>: Functionality of some plugins or themes could break if you are not careful to exclude strings which are used by them.<\/strong><\/p>\n6. Apply PHP hardening to your system<\/span><\/h2>\nYou can install and enable Suhosin <\/strong>which is a PHP hardening system on your server. This can further increase the security of your system by protecting against various vulnerabilities.<\/p>\nSuhosin typically installs on most PHP installations and is sometimes included by webhosting companies by default. (Check with your hosting provider)<\/p>\n
If you can read more about Suhosin here<\/a>.<\/p>\nFurther reading: http:\/\/codex.wordpress.org\/Hardening_WordPress<\/a><\/p>\nSource:<\/p>\n
Add the following code to your theme\u2019s functions.php file:<\/p>\n
3. Deny comment posting via proxy server<\/span><\/h2>\nYou can reduce spam and general proxy requests by attempting to prevent comments which are posted via a proxy server. Use the code below (compliments of perishablepress.com) in your .htaccess file:<\/p>\n
4. Change your default WordPress DB prefix<\/span><\/h2>\nYou may already be aware that WP uses a default prefix value of \u201cwp_\u201d for the DB tables. This can in turn be used by malicious bots and hackers to guess your DB table names.<\/p>\n
In general, changing your WP DB prefix value is much easier to do at installation time because you can set it in your wp-config.php file.<\/p>\n
Conversely if you already have a live WP site and you wish to change your DB prefix, then the procedure is a little more complicated.<\/p>\n
A basic guide for changing the DB prefix after an install for those who are curious is briefly outlined below:<\/p>\n
1) Do a full DB backup and save the backup somewhere offboard. Using something like BackupBuddy can useful.
\n2) Do a complete dump of your WP DB using PHPMyAdmin into a text file and save 2 copies \u2013 one for editing and the other as an original just in case.
\n3) Using a good code editor, replace all instances of \u201cwp_\u201d with your own prefix.
\n4) From your WP admin panel, deactivate all plugins
\n5) Using PHPMyAdmin, drop your old DB and import your new one using the file you edited in step 3.
\n6) Edit your wp-config.php file with the new DB prefix value.
\n7) Re-activate your WP plugins
\n8) Perform another save on your permalink settings by going to Settings->Permalinks in order to refresh your permalink structure.<\/p>\n
Caution<\/strong>:<\/p>\nSometimes plugins add their own prefix after the wordpress prefix where both are identical.<\/p>\n
example, you might have a table name from a certain plugin has a name like the following: wp_wp_abc_table_name.<\/p>\n
Be sure when replacing the \u201cwp_\u201d instances in step 2 above that you only replace the first \u201cwp_\u201d prefix and not the one following it.
\nFor instance if we take the example we just mentioned we would replace the first prefix with our new prefix which for this example might be called \u201ctrx_\u201d.<\/p>\n
The new name would look like:<\/p>\n
trx_<\/strong>wp_abc_tablename<\/p>\nNote that there are also WP plugins out there which can achieve the above steps for those who are not prepared to get their hands dirty.<\/p>\n
5. Deny Potentially Dangerous Query Strings<\/span><\/h2>\nYou can put the following code in your .htacces file to help prevent XSS attacks.<\/p>\n
BEWARE<\/strong>: Functionality of some plugins or themes could break if you are not careful to exclude strings which are used by them.<\/strong><\/p>\n6. Apply PHP hardening to your system<\/span><\/h2>\nYou can install and enable Suhosin <\/strong>which is a PHP hardening system on your server. This can further increase the security of your system by protecting against various vulnerabilities.<\/p>\nSuhosin typically installs on most PHP installations and is sometimes included by webhosting companies by default. (Check with your hosting provider)<\/p>\n
If you can read more about Suhosin here<\/a>.<\/p>\nFurther reading: http:\/\/codex.wordpress.org\/Hardening_WordPress<\/a><\/p>\nSource:<\/p>\n
You may already be aware that WP uses a default prefix value of \u201cwp_\u201d for the DB tables. This can in turn be used by malicious bots and hackers to guess your DB table names.<\/p>\n
In general, changing your WP DB prefix value is much easier to do at installation time because you can set it in your wp-config.php file.<\/p>\n
Conversely if you already have a live WP site and you wish to change your DB prefix, then the procedure is a little more complicated.<\/p>\n
A basic guide for changing the DB prefix after an install for those who are curious is briefly outlined below:<\/p>\n
1) Do a full DB backup and save the backup somewhere offboard. Using something like BackupBuddy can useful.
\n2) Do a complete dump of your WP DB using PHPMyAdmin into a text file and save 2 copies \u2013 one for editing and the other as an original just in case.
\n3) Using a good code editor, replace all instances of \u201cwp_\u201d with your own prefix.
\n4) From your WP admin panel, deactivate all plugins
\n5) Using PHPMyAdmin, drop your old DB and import your new one using the file you edited in step 3.
\n6) Edit your wp-config.php file with the new DB prefix value.
\n7) Re-activate your WP plugins
\n8) Perform another save on your permalink settings by going to Settings->Permalinks in order to refresh your permalink structure.<\/p>\n
Caution<\/strong>:<\/p>\n Sometimes plugins add their own prefix after the wordpress prefix where both are identical.<\/p>\n example, you might have a table name from a certain plugin has a name like the following: wp_wp_abc_table_name.<\/p>\n Be sure when replacing the \u201cwp_\u201d instances in step 2 above that you only replace the first \u201cwp_\u201d prefix and not the one following it. The new name would look like:<\/p>\n trx_<\/strong>wp_abc_tablename<\/p>\n Note that there are also WP plugins out there which can achieve the above steps for those who are not prepared to get their hands dirty.<\/p>\n You can put the following code in your .htacces file to help prevent XSS attacks.<\/p>\n BEWARE<\/strong>: Functionality of some plugins or themes could break if you are not careful to exclude strings which are used by them.<\/strong><\/p>\n You can install and enable Suhosin <\/strong>which is a PHP hardening system on your server. This can further increase the security of your system by protecting against various vulnerabilities.<\/p>\n Suhosin typically installs on most PHP installations and is sometimes included by webhosting companies by default. (Check with your hosting provider)<\/p>\n If you can read more about Suhosin here<\/a>.<\/p>\n Further reading: http:\/\/codex.wordpress.org\/Hardening_WordPress<\/a><\/p>\n Source:<\/p>\n
\nFor instance if we take the example we just mentioned we would replace the first prefix with our new prefix which for this example might be called \u201ctrx_\u201d.<\/p>\n5. Deny Potentially Dangerous Query Strings<\/span><\/h2>\n
6. Apply PHP hardening to your system<\/span><\/h2>\n