I recently posted new articles on my blog
I felt we should discuss about it in the forum here now get the 100% proven tips to protecting your wordpress and joomla site from h*ckers .1. For joomla site
First check if your plugins are listed in the exploitable list:http://docs.joomla.org/Vulnerable_Extensions_List
MUST HAVE PLUGINS:
1. Keep Joomla up-to-date:
Keep Joomla up-to-date, particularly when a security release has just come out.
2. Do not use the default jos_ prefix for your database table names:
Many attacks on Joomla sites depend on your database tables starting with “jos_”. h*ckers typically try to get access to the jos_users table so they can get your username and password to login to the admin side of your site.
If you simply change the database prefix for your site to something else, like “mig_”, you would be protected from the kind of security exploit that relies on the default database prefix of “jos_”.
3. Change the default super admin name from “admin” to something else:
When you install Joomla 1.5, the default super administrator username is “admin.” If you don’t change this, you’ll give h*ckers 50% of what they need to login to the administration side of your site.
To do this, when you first Login as Admin, immediately create another user with a completely different name. Assign this new user super administration rights to your Joomla website. Then immediately log out as Admin. Login as the new user that you just created. Delete the user Admin. You’re done.
4. Joomla Files and Folder permissions:
Using cPanel > File Manager or your FTP client, change the permissions of all Joomla folders to 755 and all files to 600, no matter what.
5. index.html in all Joomla folders:
Ensure that there is a blank (empty) index.html within each folder of your Joomla website.
6. Rogue Extensions:
Additionally, there are rouge extensions available for free download and use. These extensions are actually developed for the explicit purpose of infecting a Joomla website, under the guise of doing something useful there. A really good idea is to scan the downloaded zip file of the Joomla extension / plugin / module with the antivirus on your local computer. If there is a PHP trojan sitting quietly in the extension your anti virus should be able to identify this.
7. Uninstall unused extensions on your website:
Remember there are definitely times when uninstalling Joomla extensions uisng Joomla Admin – Extensions > Install/Uninstall does not completely remove all of the associated directories and files for a given extension, so you should manually remove the files from the extensions directory.2. for wordpress site
MUST HAVE PLUGINS: http://wordpress.org/extend/plugins/better-wp-security/http://wordpress.org/extend/plugins/wp-security-scan/http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/http://wordpress.org/extend/plugins/tac/http://wordpress.org/extend/plugins/exploit-scanner/
As a matter of necessity the above plugins must be installed and run/used at least once a week to check your files for harmful code.
1. Always update your wordpress/themes/plugins to the latest versions.
2. Change all PHP file permissions to 600
3. Rename the admin user: On a new install you can simply create a new Administrative account and delete the default admin account by adding a new user with Administrator role, make sure you use a strong password.
4. Change the table_prefix: Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default. Changing this to somethingn like myownsite_ can block at least some SQL injection attacks.
5. Keep wp-admin Directory Protected: Keeping “wp-admin” folder protected adds an extra layer of protection. Whoever attempts to access files or directory after “wp-admin” will be prompt to login. You can set protection easily on any folder via cPanel’s Password Protect Directories graphical user interface.
6. Hide WordPress Version in the Header Tag: Add the following line to the functions.php file in your theme directory: (Create a blank PHP file with this name if your theme doesn’t already have one)
<?php remove_action(‘wp_head’, ‘wp_generator’); ?>
7.Nobody should be allowed to search your entire server: If you allow then the h*cker will find the way to h*ck easily. The best way to block them is in your robots.txt file. Add the following line to your list:
8. Protect your wp-config.php file: You can secure your wp-config.php by adding the following to the .htaccess file at the top level of your WordPress install:
<FilesMatch ^wp-config.php$>deny from all
This will make it harder for your database username and password to fall into the wrong hands in the event of a server problem.
got more / questions ? let's discuss about it