No website is 100% secure if the hacker wants to gain access to the server lets face it with brute force its possible however with a little WordPress hacking protection we can do things to reduce the intrusion. As you may or may not already know from my previous post Security with WordPress config you can move the wp-config.php outside of the root folder and this will reduce access to sensitive information about the database. There’s another little trick we can use with the install file located in the wp-admin folder. With a new installation of WordPress you can trigger the install.php file located in the wp-admin folder to set up a database connection. If there is no wp-config file set up with the database connection the install file would trigger the installation process or if there is a broken connection to the database, WordPress will assume it’s not yet been installed and the install.php file will load. Needless to say after your initial installation if the install file is still available this could be an access point to wipe your database or re-point your website to a completely different database – not good!
What can we do about this?
Well, first thing we can do is delete the install.php file or better still why not use the install.php file to trigger an e-mail so you get notification if an intruder tries to hack your site and give them the finger at the same time. So first of all add another obscure extension to the already existing install.php file e.g. install.php.123abc. By doing this you can refer back to the original install.php file if you need to also, with obscurity you are hardening security against a possible hack. Next create a new install.php file. Then use the code below:
<?php mail("email@example.com", "Install Warning", "Someone tried to trigger the installation process but, it's ok we gave them the finger!"); ?>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Error Establishing Database Connection</title>
<h1>Error Establishing Database Connection</h1>
<p>This is a polite message that could otherwise be the finger!</p>
By using the PHP mail function you can trigger an e-mail every time the install.php file is served up. Next you can add content to the body of the install.php file to give them the finger or a confusing message like “sorry this page doesn’t exist”. To be honest it’s probably better to redirect them to a 404 page. You can do that by adding these two lines to the top of the code above:
<?php header("HTTP/1.1 503 Service Temporarily Unavailable"); ?>
<?php header("Status 503 Service Temporarily Unavailable"); ?>
So there you have it – how to reduce WordPress hacking. For more juicy web design