{"id":111,"date":"2018-04-24T05:42:41","date_gmt":"2018-04-24T05:42:41","guid":{"rendered":"http:\/\/td_uid_62_5adec3d1305c3"},"modified":"2018-05-21T02:25:25","modified_gmt":"2018-05-21T02:25:25","slug":"10-ways-to-limit-local-attack-for-wordpress","status":"publish","type":"post","link":"https:\/\/forumweb.hosting\/blog\/10-ways-to-limit-local-attack-for-wordpress\/","title":{"rendered":"10 Ways to Limit Local Attack for WordPress"},"content":{"rendered":"<p><strong>What is a Local Attack?<\/strong><\/p>\n<p>Local Attack is a very common method of attacking a particular website hosted on the same server. The attack relies on exploit code written in one of several programming languages, such as PHP, ASP.Net, Python &#8230;<\/p>\n<p>That code is called a shell. Once this shell file has been uploaded to a site on the server, the attacker can use its commands to penetrate the hosting accounts on that server and easily read sensitive information such as email and database information (username, password ..). From there the attacker can do whatever they want.<\/p>\n<p>How to limit Local Attack in WordPress?<\/p>\n<p>Let&#8217;s take a look at 10 ways to limit Local Attack in WordPress.<\/p>\n<p><strong>1. Hide the wp-config.php file<\/strong><\/p>\n<p>The website&#8217;s files are usually in the public_html directory, so the usual path is \/home\/username\/public_html\/wp-config.php.<\/p>\n<p>Therefore, the best way to hide the config file is to move wp-config.php out of the public_html directory. Log on to the host via FTP and create a directory with any name at the same level as public_html (here we will create a folder named secowcof).<\/p>\n<p>Then download the wp-config.php file from the public_html directory and upload it to the newly created directory.
Finally, edit the wp-config.php file in the public_html directory as follows:<\/p>\n<blockquote class=\"td_quote_box td_box_left\"><p>&lt;?php<br \/>\n\/\/ Load the real configuration from the directory outside public_html<br \/>\nif ( !defined('ABSPATH') )<br \/>\ndefine('ABSPATH', dirname(__FILE__) . '\/');<br \/>\nrequire_once(ABSPATH . '..\/secowcof\/wp-config.php');<\/p><\/blockquote>\n<p>Replace secowcof with the name of the directory you created at the same level as public_html.<\/p>\n<p>Note: This method only applies to websites whose files are installed directly in the public_html directory and not in another folder. You can also apply it to the www directory if available.<\/p>\n<p><strong>2. Change the database prefix<\/strong><\/p>\n<p>The default WordPress database table prefix is wp_, so if you do not change it, attackers already know the name of every table in your site&#8217;s database.<\/p>\n<p><strong>3. Change the security key<\/strong><\/p>\n<p>Open the wp-config.php file and locate these lines:<\/p>\n<blockquote class=\"td_quote_box td_box_left\"><p>define('AUTH_KEY', 'put your unique phrase here');<br \/>\ndefine('SECURE_AUTH_KEY', 'put your unique phrase here');<br \/>\ndefine('LOGGED_IN_KEY', 'put your unique phrase here');<br \/>\ndefine('NONCE_KEY', 'put your unique phrase here');<br \/>\ndefine('AUTH_SALT', 'put your unique phrase here');<br \/>\ndefine('SECURE_AUTH_SALT', 'put your unique phrase here');<br \/>\ndefine('LOGGED_IN_SALT', 'put your unique phrase here');<br \/>\ndefine('NONCE_SALT', 'put your unique phrase here');<\/p><\/blockquote>\n<p>&#8211; Go to https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/ to get the secret keys<br \/>\n&#8211; Replace the entire block above with the code provided<\/p>\n<p><strong>4.
Do not allow editing of files (plugins, themes) in wp-admin<\/strong><\/p>\n<p>Add the following code to the bottom of the wp-config.php file:<\/p>\n<blockquote class=\"td_quote_box td_box_left\"><p>define( 'DISALLOW_FILE_EDIT', true );<\/p><\/blockquote>\n<p><strong>5. Do not allow installing plugins and themes in wp-admin<\/strong><\/p>\n<p>Add the following code to the bottom of the wp-config.php file:<\/p>\n<blockquote class=\"td_quote_box td_box_left\"><p>define('DISALLOW_FILE_MODS',true);<\/p><\/blockquote>\n<p><strong>6. Chmod the wp-config.php file<\/strong><\/p>\n<p>Chmod the file to 400 or 404.<\/p>\n<p><strong>7. Secure wp-config.php with .htaccess<\/strong><\/p>\n<p>Add the following code to the end of the<\/p>\n<blockquote class=\"td_quote_box td_box_left\"><p># protect wp-config.php<br \/>\n&lt;Files wp-config.php&gt;<br \/>\norder allow,deny<br \/>\ndeny from all<br \/>\n&lt;\/Files&gt;\n<\/p><\/blockquote>\n<p><strong>8. Protect the wp-content directory<\/strong><\/p>\n<p>Create a .htaccess file in the wp-content directory and add the following code:<\/p>\n<blockquote class=\"td_quote_box td_box_left\"><p># Deny everything, then allow only these static file types (example list, not from the original post)<br \/>\nOrder deny,allow<br \/>\nDeny from all<br \/>\n&lt;FilesMatch &quot;\\.(css|js|jpe?g|png|gif)$&quot;&gt;<br \/>\nAllow from all<br \/>\n&lt;\/FilesMatch&gt;\n<\/p><\/blockquote>\n<p>Note: If the wp-content directory contains other file types that the WordPress source code uses, you need to add their extensions (woff, for example) to the list above.<\/p>\n<p><strong>9. Lock the wp-admin path<\/strong><\/p>\n<p>The wp-admin directory and the wp-login.php file are always targeted when someone wants to attack your site. Therefore, it&#8217;s best to block all access to these areas except your own.<br \/>\nCreate a .htaccess file in the wp-admin directory and insert the following.<\/p>\n<blockquote class=\"td_quote_box td_box_left\"><p>&lt;FilesMatch &quot;.*&quot;&gt;<br \/>\nOrder Deny,Allow<br \/>\nDeny from all<br \/>\nAllow from 123.456.789<br \/>\n&lt;\/FilesMatch&gt;\n<\/p><\/blockquote>\n<p>Replace 123.456.789 with your own IP address; you can use any tool to find your real IP address.<\/p>\n<p><strong>10.
Use a malware scan plugin<\/strong><\/p>\n<p>With luck, this step will show you which malicious files your host contains, so that you can delete or download them. Here are the best completely free plugins you can use to scan for malicious code on the host:<\/p>\n<p>Wordfence Scan<br \/>\nAnti-Malware (Get Off Malicious Scripts)<br \/>\n6Scan Security<br \/>\nAnd if you have money, I encourage you to use Sucuri Premium<\/p>\n<p>Those are 10 ways to limit Local Attack in WordPress. Also, when choosing a hosting service for your website, choose a reputable hosting provider that supports local attack limits to secure your website.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is a Local Attack? Local Attack is a very common method used to attack a particular website on the same server. The tool of this attack is to use exploit code written in several programming languages such as PHP, ASP.Net, Python &#8230; That code is called Shell.
When a server on the server is [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":204,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,12,8],"tags":[89,87,88,17],"_links":{"self":[{"href":"https:\/\/forumweb.hosting\/blog\/wp-json\/wp\/v2\/posts\/111"}],"collection":[{"href":"https:\/\/forumweb.hosting\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forumweb.hosting\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forumweb.hosting\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forumweb.hosting\/blog\/wp-json\/wp\/v2\/comments?post=111"}],"version-history":[{"count":6,"href":"https:\/\/forumweb.hosting\/blog\/wp-json\/wp\/v2\/posts\/111\/revisions"}],"predecessor-version":[{"id":203,"href":"https:\/\/forumweb.hosting\/blog\/wp-json\/wp\/v2\/posts\/111\/revisions\/203"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forumweb.hosting\/blog\/wp-json\/wp\/v2\/media\/204"}],"wp:attachment":[{"href":"https:\/\/forumweb.hosting\/blog\/wp-json\/wp\/v2\/media?parent=111"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forumweb.hosting\/blog\/wp-json\/wp\/v2\/categories?post=111"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forumweb.hosting\/blog\/wp-json\/wp\/v2\/tags?post=111"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}