KLoning Spoon
The AV-TEST award for “Best Usability” is given to the security software with the lowest impact on the system. Products were tested for the average slowdown of the computer in daily use and for the number of false positives, false warnings and false blockings of certain actions during download, installation and use of legitimate software.

ESET Smart Security 5 was awarded “Best Usability” for its low false positives and low impact on system performance.

Visitors can see which version of WordPress you are running from the readme.html file.

When the WordPress version used on your blog is known, an attacker can look up an exploit for that exact version of WordPress.

Remove the readme.html file, which is located in the root folder of your blog.
NOTE: It will reappear with the next upgrade of WordPress.

The installation script is still available in your WordPress files.
Remove /wp-admin/install.php from your WordPress installation.

To remove the WordPress version from your pages you should do two things:

  • check that it is not hardcoded in header.php or index.php of your current theme (search for )
  • add a few lines of code to functions.php in your current theme:
    // Return an empty string so WordPress emits no generator tag with the version.
    function no_generator() { return ''; }
    add_filter( 'the_generator', 'no_generator' );

Malicious URL requests are requests that may carry SQL injection payloads and would allow an attacker to break your blog.

Paste the following code into a text file and save it as blockbadqueries.php. Then upload it to your wp-content/plugins directory and activate it like any other plugin.

<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/
// Reject the request outright if the raw request URI contains one of the
// markers commonly seen in injection attempts. strpos() returns false when
// the needle is absent, so compare against false explicitly: a match at
// offset 0 would otherwise be treated as "not found".
// Note: matching is case-sensitive and runs on the undecoded REQUEST_URI.
if (strpos($_SERVER['REQUEST_URI'], "eval(") !== false ||
    strpos($_SERVER['REQUEST_URI'], "CONCAT") !== false ||
    strpos($_SERVER['REQUEST_URI'], "UNION+SELECT") !== false ||
    strpos($_SERVER['REQUEST_URI'], "base64") !== false)
  {
    // Answer with 400 and stop before WordPress processes the request.
    @header("HTTP/1.1 400 Bad Request");
    @header("Status: 400 Bad Request");
    @header("Connection: Close");
    @exit;
  }
?>
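As an added illustration (not code from this page or from Perishable Press), the following Python applies the same four markers the plugin above checks to constructed Apache access-log lines, so you can see which past requests the plugin would have rejected. It URL-decodes and lowercases the URI before matching, so encoded or differently cased variants are counted as well, and it surfaces the false positive that plain substring matching produces on a legitimate file name containing "base64". The log lines and addresses are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# The four markers used by the Block Bad Queries plugin, in normalized form
# ("UNION+SELECT" becomes "union select" once the URI is decoded).
BAD_MARKERS = ("eval(", "concat", "union select", "base64")

# Apache combined-log prefix: client, identd, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

def normalize_uri(uri: str) -> str:
    """URL-decode (up to three rounds, to unwrap double encoding), lowercase,
    and collapse runs of whitespace so '+' and '%20' variants compare equal."""
    decoded = uri
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return re.sub(r"\s+", " ", decoded.lower())

def matched_markers(uri: str) -> list:
    """Return the markers present in the normalized URI (empty list if clean)."""
    norm = normalize_uri(uri)
    return [m for m in BAD_MARKERS if m in norm]

def scan_access_log(lines):
    """Return (ip, uri, markers) for every request line that trips a marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        markers = matched_markers(m.group("uri"))
        if markers:
            hits.append((m.group("ip"), m.group("uri"), markers))
    return hits

# Constructed sample log: one clean request, two injection-looking ones
# (plus-encoded and percent-encoded), and a legitimate file whose name
# happens to contain "base64" and would be blocked by the plugin.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Dec/2009:10:00:01 +0000] "GET /?p=12 HTTP/1.1" 200 5120
203.0.113.11 - - [22/Dec/2009:10:00:02 +0000] "GET /?id=1+UNION+SELECT+1 HTTP/1.1" 200 4001
203.0.113.12 - - [22/Dec/2009:10:00:03 +0000] "GET /?id=1%20union%20select%201 HTTP/1.1" 200 4001
203.0.113.13 - - [22/Dec/2009:10:00:04 +0000] "GET /wp-content/uploads/base64-icon.png HTTP/1.1" 200 812
"""

if __name__ == "__main__":
    for ip, uri, markers in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {uri} -> {markers}")
```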

Use the htpasswd generator to create passwords for htpasswd files.

The majority of reported WordPress database security attacks were performed by exploiting SQL injection vulnerabilities. By renaming the WordPress database table prefix you are protecting your WordPress blog and website from zero-day SQL injection attacks.

A comprehensive WordPress installation, albeit simple to produce, often requires multiple steps — many of which can easily be omitted accidentally. How many times have you forgotten to customize your permalink structure? How about adding in a sitemap plugin? What about changing your timezone? If you’ve installed WordPress more than once, chances are you’ve missed something. Take the following steps and you’ll never miss anything again.

Securing wp-includes

A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file.

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress

Securing wp-config.php

You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder.

Note that wp-config.php can be stored ONE directory level above the WordPress installation (the directory where wp-includes resides). Also, make sure that only you (and the web server) can read this file (generally this means a 400 or 440 permission).

If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:

<files wp-config.php>
order allow,deny
deny from all
</files>

source: wordpress