Here is a checklist for your next WordPress installation to reduce the chances of the site being hacked.
- Change the default database table prefix “wp_” to something else (on a site that is already installed this means renaming the tables and the prefixed rows in the options and usermeta tables as well, not just editing the prefix in wp-config.php)
- Don’t use the username “admin”
- Use a strong password: at least 8 characters mixing letters, numbers and symbols, and longer if you can
- Set the wp-config.php file permissions to 0644 at most; 0600 or 0640 is tighter and works when the web server runs as the file's owner or shares its group
- Whenever possible move wp-config.php one directory above the WordPress root. WordPress looks for it there automatically, and when WordPress is installed at the web root this keeps the file outside it.
- Install the Login LockDown plugin
- Change the default secret keys and salts in wp-config.php. Use long random values for all eight constants: the four keys below and their matching AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT. https://api.wordpress.org/secret-key/1.1/salt/ generates a full set; changing them also invalidates every existing login cookie.
    define('AUTH_KEY', '');
    define('SECURE_AUTH_KEY', '');
    define('LOGGED_IN_KEY', '');
    define('NONCE_KEY', '');
- Add this code to your theme's functions.php file to stop printing the WordPress version in the page head (the version still leaks through readme.html and the ?ver= query strings on scripts and styles, so this only removes the most obvious hint):
    // remove the WordPress version from the front-end
    remove_action( 'wp_head', 'wp_generator' );
- If the site is served over SSL, add this line to wp-config.php, not functions.php: WordPress defines the constant itself before the theme loads, so a define() in functions.php comes too late and only raises a "constant already defined" notice.
    // force https for the admin area, only if you are using SSL
    define('FORCE_SSL_ADMIN', true);
- Add this code to your .htaccess file, replacing domain.com with your own domain. The rewrite sends requests for these scripts that carry no referrer from your site, or an empty user agent, back to the requester's own address; note that it will also drop comments from visitors whose browser strips the Referer header, so test it before relying on it. The <files> block only matters while wp-config.php is still inside the web root, and on Apache 2.4 without mod_access_compat the two Order/deny lines must be replaced by `Require all denied`.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} /(comments-post|setup|thumb|_tbs|timthumb|install)\.php$
    RewriteCond %{HTTP_REFERER} !domain\.com [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]

    <files wp-config.php>
    Order deny,allow
    deny from all
    </files>
- Upgrade to the latest version of WordPress, and keep plugins and themes updated too.
- Always, always back up your site, files and database, and keep a copy off the server.
- If your site has been hacked, follow WordPress’ hacked-site recovery checklist.
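As an added example, not part of the original checklist, here is a Python script that audits the wp-config.php items above: the default table prefix, empty or placeholder secret keys and salts, a missing FORCE_SSL_ADMIN, and a file mode looser than 0644. It then produces a hardened copy of the file with freshly generated secrets. The sample wp-config.php is constructed, the function names and the character set used for generated secrets are my own choices, and the script never touches the database, so the prefix change it makes is only the file half of that job.

```python
import os
import re
import secrets
import stat
import string

# The eight secret constants WordPress reads from wp-config.php: the four keys
# named in the checklist plus their four matching salts.
SECRET_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # stock value in wp-config-sample.php

# Assumed character set for generated secrets: printable ASCII without whitespace,
# quotes or backslash, so every value is safe inside a single-quoted PHP string.
SALT_CHARS = "".join(c for c in string.printable if c not in string.whitespace + "'\"\\")

PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*"""
    r"""(?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|(\w+))\s*\)\s*;""")


def parse_wp_config(text):
    """Return (table_prefix, {CONSTANT: value}); quoted values lose their quotes."""
    m = PREFIX_RE.search(text)
    prefix = m.group(1) if m else None
    defines = {}
    for d in DEFINE_RE.finditer(text):
        defines[d.group(1)] = next(g for g in d.groups()[1:] if g is not None)
    return prefix, defines


def file_mode(path):
    """Permission bits of a file (e.g. 0o644) to pass as `mode` to audit_wp_config."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_wp_config(text, mode=None, min_secret_len=32):
    """Check the list items that wp-config.php alone can prove. Empty list = all passed."""
    findings = []
    prefix, defines = parse_wp_config(text)
    if prefix is None or prefix == "wp_":
        findings.append("table prefix is still the default 'wp_'")
    for name in SECRET_CONSTANTS:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name} is not defined")
        elif value == "" or value == PLACEHOLDER or len(value) < min_secret_len:
            findings.append(f"{name} is empty, the sample placeholder, or too short")
    if defines.get("FORCE_SSL_ADMIN", "").lower() != "true":
        findings.append("FORCE_SSL_ADMIN is not set to true (it belongs in wp-config.php)")
    # 0o133 are exactly the bits that are clear in 0644: any of them set means looser.
    if mode is not None and mode & 0o133:
        findings.append(f"file mode {oct(mode)} is looser than 0644 (0600/0640 preferred)")
    return findings


def generate_secret_defines(length=64):
    """Fresh define() lines for all eight constants, ready to paste into wp-config.php."""
    lines = []
    for name in SECRET_CONSTANTS:
        value = "".join(secrets.choice(SALT_CHARS) for _ in range(length))
        lines.append(f"define('{name}', '{value}');")
    return "\n".join(lines)


def harden_config(text, prefix="site1_"):
    """Apply the wp-config.php fixes: new prefix, fresh secrets, FORCE_SSL_ADMIN.
    On a live site the tables and the prefixed options/usermeta rows must be renamed
    as well; this function only rewrites the file."""
    text = PREFIX_RE.sub(f"$table_prefix = '{prefix}';", text)
    kept = [line for line in text.splitlines()
            if not any(f"'{name}'" in line for name in SECRET_CONSTANTS)]
    return ("\n".join(kept) + "\n" + generate_secret_defines()
            + "\ndefine('FORCE_SSL_ADMIN', true);\n")


# Constructed sample: a wp-config.php that skipped every item on the list.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  '' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    for finding in audit_wp_config(WEAK_CONFIG, mode=0o666):
        print("WEAK:", finding)
    print("HARDENED:", audit_wp_config(harden_config(WEAK_CONFIG), mode=0o640))
```

Run it against a real file with `audit_wp_config(open(path).read(), mode=file_mode(path))`; the prefix check, the secret checks and the FORCE_SSL_ADMIN check work on the text alone, while the mode check needs the stat call.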