

Simple way to move WordPress from one Domain to Another


First off, this is how I did it. You can probably do it another way, but my way is always the best way.

Step one:
Back up everything: your database, your WordPress files, and all of your settings. Even though we will be very careful not to break anything, it is better to be safe than sorry.

Step two:
Copy all of your files from your current server to your new server. Copy everything you need for the blog. Do not make modifications to anything. When moving, your database name needs to remain the same; if your new server cannot accommodate this, you are stuck.

Step three:
Move your database files. I would do a simple zipped export from phpMyAdmin and import from within phpMyAdmin. For more information on importing and exporting look for future posts.

Step four:
Modify the database to reflect the new domain name. I would also recommend doing this in the SQL statement section of phpMyAdmin.

To do this we need to run some simple commands; replace old-domain.com with your old domain and new-domain.com with your new domain.

First we need to update the WordPress options:

UPDATE wp_options SET option_value = replace(option_value, 'http://www.old-domain.com', 'http://www.new-domain.com') WHERE option_name = 'home' OR option_name = 'siteurl';

Now we need to fix URLs of the WordPress posts and pages:

UPDATE wp_posts SET guid = replace(guid, 'http://www.old-domain.com','http://www.new-domain.com');

Now we need to fix all internal links to the blog in all WordPress posts and pages:

UPDATE wp_posts SET post_content = replace(post_content, 'http://www.old-domain.com', 'http://www.new-domain.com');

Check your blog to make sure everything is OK; you may need to log back in to the blog.

Step five:
Do a 301 redirect to redirect all of your old traffic to your new site.


Securing WordPress – Methodology, Examples, How to implement changes.


Securing WordPress is one of those things a lot of people need to do, but not many have a defined guide for how to do it. When securing WordPress, remember it is about making trade-offs between usability and security. Everything you lock down will make access harder for your users and yourself, or add an extra step to get in.

Today I will go over the basic things you can do to secure your version of WordPress. For some parts of this guide I assume you have your own server with root access; I will note where you can do things in a shared hosting environment or your own.

Hosting

The first thing to consider when securing WordPress is your hosting. Is your hosting service provider secure? Do they update to the newest versions of their respective software? What other measures have they taken to mitigate attacks on your site? If you are using a shared hosting provider or have managed hosting, this should all be taken care of for you; don’t be hesitant to ask, as not all hosting providers care. If you are managing your own server, you need to consider all the steps necessary to secure it, from keeping your OS (Operating System) updated to how you are going to squelch a DDoS (Distributed Denial of Service) attack when you make someone mad.

The Basics

Throughout my guide you will find the following ideas; they may be repeated, but everything follows four basic ideas of security:

  1. Limit Access – Making decisions on permissions or access to files that will definitely lower the points of entry available to a malicious person or bot (most WordPress attacks are carried out automatically).
  2. Password Security – Most people don’t realize the easiest point of entry is knowing the user name and password.
  3. Containment – If you know of a weak point in your installation, contain it so there will be minimal damage to your system if this point of entry is used. If you get hacked, figure out where the point of entry was and harden its security.
  4. Snapshot – What I mean by this is keeping a snapshot of your WordPress configuration: regular database backups, file/folder backups, even noting changes to your code so you know what was changed and why it was changed, and so changes can easily be tracked and you know you did it!

Common Vulnerabilities

  1. Your Computer – Remember that anything you do won’t matter if your computer has been compromised. Be sure to have the latest updates on your Operating System, Virus Scan, Malware/Adware scan.
  2. WordPress Itself – WordPress itself can have vulnerabilities in the way it handles data, form input, etc. The only real way to keep up with this is to use the latest version of WordPress. It may be a pain to do it once a week or bi-weekly, but the enhanced security is very important.
  3. The Server – Whatever server you are using, whether it be your own or a shared server, needs to be kept up to date. If it is not, you may be compromised from outside of WordPress. Things to check for are newer versions of: Apache, PHP, MySQL, IIS (on Windows), MSSQL (on Windows).
  4. The Network – If the network isn’t secure or made to automatically squelch a DDoS attack, you are probably hosting in the wrong place.
  5. Plugins – Many bots look for known plugins that have easy-to-exploit vulnerabilities. I have found my plugins tend to be my easiest point of entry. If you can obscure your plugins or the versions of the plugins, it will mitigate their use.

Attack Types

The most common attack types against WordPress are:

  1. Sending specially crafted HTTP requests to the server with a payload to try to get results from WordPress or a WordPress plugin; this may be automated or not.
  2. Brute force password attacks
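
Both attack types leave a recognisable pattern in the web server's access log. The script below is an added example, not part of the original post: it counts login attempts and plugin-path probes per client IP, assuming Apache's "combined" log format; the function names, thresholds and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Apache "combined" log fields after
# whitespace splitting in awk: $1 = client IP, $6 = "METHOD, $7 = path, $9 = status.

# IPs with at least $2 login attempts: POSTs to wp-login.php or 401s under /wp-admin/.
wp_bruteforce_suspects() {
    awk -v min="$2" '
        ($6 == "\"POST" && $7 ~ /^\/wp-login\.php/) ||
        ($9 == 401 && $7 ~ /^\/wp-admin\//) { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
    ' "$1" | sort
}

# IPs that drew 404s for at least $2 different plugin directories (scanner behaviour).
wp_plugin_probes() {
    awk -v min="$2" '
        $9 == 404 && $7 ~ /^\/wp-content\/plugins\// {
            split($7, p, "/")                  # p[4] is the plugin directory
            if (!seen[$1, p[4]]++) n[$1]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' "$1" | sort
}

# Constructed sample log: documentation IP ranges, made-up plugin names.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:01:04 +0000] "GET /wp-admin/ HTTP/1.1" 401 381 "-" "-"
198.51.100.99 - - [01/Jan/2024:10:02:01 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 196 "-" "-"
198.51.100.99 - - [01/Jan/2024:10:02:02 +0000] "GET /wp-content/plugins/plugin-a/changelog.txt HTTP/1.1" 404 196 "-" "-"
198.51.100.99 - - [01/Jan/2024:10:02:03 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 196 "-" "-"
198.51.100.99 - - [01/Jan/2024:10:02:04 +0000] "GET /wp-content/plugins/plugin-c/readme.txt HTTP/1.1" 404 196 "-" "-"
EOF
}

log=$(mktemp); sample_log > "$log"
wp_bruteforce_suspects "$log" 3    # 203.0.113.7 4
wp_plugin_probes "$log" 3          # 198.51.100.99 3
rm -f "$log"
```

WordPress answers a failed login with status 200, so the first function counts POSTs to the login page rather than relying on the status code; the 401s appear once /wp-admin sits behind HTTP authentication.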

Implementation

  1. Securing your /wp-admin directory. Your /wp-admin directory needs to be secured from outside of WordPress. The way I would recommend doing this is with a simple .htaccess and .htpasswd file. I would definitely not recommend any sort of plugin to do this, as it is vital to add this extra layer of security to stop almost all bot (automated) attacks and attacks from the unlearned hacker. Keep in mind your users will all need to know the user/pass to get in. What I have done is create a .htaccess that lets humans know what user and password to use. The biggest benefit here is making your attacker go through HTTP Auth first, thereby not allowing an HTTP request beyond it without authentication.
  2. Changing the admin username – If your attacker has no username, he has nowhere to start a brute-force password attack. You can change your admin username either through MySQL commands or using phpMyAdmin.
  3. Obscurity – If a bot or attacker doesn’t know what you’re running or its version, this decreases the chance of an attack. Here is a plugin to help: Plugin Page
  4. Backups – Please, people, back up your stuff regularly (daily or better).
  5. Logs – If you don’t have good logs you won’t find any points of entry when you do get attacked.
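
The HTTP authentication layer from item 1 can be set up as follows. This is an added example, not the author's own files: it uses Apache 2.4 directives, needs `AllowOverride AuthConfig` for the directory, and the function name, paths, user name and realm text are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): HTTP Basic auth in front of /wp-admin.
# Apache 2.4 syntax; all paths and the realm text are assumptions.

# Write $1/.htaccess using password file $2 and realm text $3.
# Refuses a password file inside the web root $4, where it could end up being served.
protect_wp_admin() {
    admin_dir=$1 pwfile=$2 realm=$3 docroot=$4
    case "$pwfile" in
        "$docroot"/*) echo "refusing: $pwfile is inside $docroot" >&2; return 1 ;;
    esac
    cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "$realm"
AuthUserFile "$pwfile"
Require valid-user

# Front-end plugins call admin-ajax.php for anonymous visitors; leave it open.
<Files "admin-ajax.php">
    Require all granted
</Files>
EOF
}

# On a real server, create the password file once (htpasswd prompts for the password):
#   htpasswd -c /etc/apache2/wp-admin.htpasswd gatekeeper
#   protect_wp_admin /var/www/blog/wp-admin /etc/apache2/wp-admin.htpasswd \
#       "Blog admin area" /var/www/blog

# Offline demonstration in a throwaway directory.
demo=$(mktemp -d); mkdir -p "$demo/www/wp-admin"
protect_wp_admin "$demo/www/wp-admin" "$demo/wp-admin.htpasswd" "Blog admin area" "$demo/www"
cat "$demo/www/wp-admin/.htaccess"
rm -rf "$demo"
```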

The moral of the story

WordPress is popular, and popular things get hacked more often. Learn from others’ mistakes and take your blog’s security seriously.

As always, if you have any questions, just leave a comment.
