With little effort you can protect your WordPress site following this few easy steps to harden the security of your WordPress installation.

1. Don’t use ‘admin’ username

As of version 3.0, WordPress have the option to change your admin username into whatever you like. I encourage you to do so. Anybody who tries to get into your WordPress admin section will try with ‘admin’ as a username. If you change it, potential hacker has to hack both username and password.

2. Install Login LockDown Plugin

Potential hacker will try to break your username/password combination using brute force or dictionary attack on your WordPress Login screen. Login LockDown Plugin will prevent that.

Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.

Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.

You can download Login LockDown plugin from here.

3. Install Secure WordPress plugin

There are many places inside your WordPress site that is telling a potential hacker a version of your WordPress installation, as well as other dangerous information.

Secure WordPress beefs up the security of your WordPress installation by removing error information on login pages, adds index.html to plugin directories, hides the WordPress version and much more.

• Removes error-information on login-page
• Adds index.php plugin-directory (virtual)
• Removes the wp-version, except in admin-area
• Removes Really Simple Discovery
• Removes Windows Live Writer
• Removes core update information for non-admins
• Removes plugin-update information for non-admins
• Removes theme-update information for non-admins (only WP 2.8 and higher)
• Hides wp-version in backend-dashboard for non-admins
• Removes version on URLs from scripts and stylesheets only on frontend
• Blocks any bad queries that could be harmful to your WordPress website

You can download this plugin from here.

4. Move your wp-config.php file

In your wp-config.php file there is database connection info as well as other data that should be kept from anybody to access. From WordPress 2.6 you can easily move this file from root folder location.

To do this simply move your wp-config.php file up one directory from your WordPress root. WordPress will automatically look for your config file there if it can’t find it in your root directory.

This way, nobody except a user with FTP or SSH access to your server will not be able to read this file.

5. Change database table prefixes

By default, WordPress table prefix is wp_. As WordPress is Open Source, if you leave your table prefixes intact, everybody know the exact names of the database tables.

You can change your table prefix during installation by entering new prefix in your wp-config.php file. For changing the prefix after install, use WP Secure Scan plugin.

6. Change default secret keys

When you open your wp-config.php file, you will see 4 secret keys:
1 define(‘AUTH_KEY’, ”);
2 define(‘SECURE_AUTH_KEY’, ”);
3 define(‘LOGGED_IN_KEY’, ”);
4 define(‘NONCE_KEY’, ”);

I am amazed how many people, even experienced ones, do not change this keys. A secret key is a hashing salt that is used against your password to make it even stronger.

Simply visit https://api.wordpress.org/secret-key/1.1 and copy the 4 generated keys into your wp-config.php file. It’s that simple.

7. Update

Always update to the latest version of the WordPress, as it is the most secure one. Don’t forget to update your plugins and themes.

Updating your WordPress installation, plugins and Themes is really easy to do from your admin, so do it as soon as possible. WordPress is terrific piece of software and y updating you will rarely or never brake some site functionality.

8. Protect your wp-admin

AskApache Password Protect Plugin adds some serious password protection to your WordPress Blog. Not only does it protect your wp-admin directory, but also your wp-includes, wp-content, plugins, etc. as well.

9. Use strong password

This is the most trivial task to do to protect your WordPress installation. But, many people use weak passwords which are easy to break to modern brute force attack programs used.

There are many tips how to make a strong password, I personally like this Strong Password Generator. Read some tips over there to help you understand what a strong password is.

10. Backup your data regularly

This is not a security tip, but is related. If someone hacks your site and you don’t have a backup, it will be very difficult to return the site back to its previous state.

Regular backup is a must. There is a great list of WordPress Backup Plugins available here.

A few more general tips for securing WordPress installation:

• Remove unused users from WordPress.
• Remove unused WordPress themes.
• Remove all unused WordPress plugins.

If you don’t have time to follow all of the above tips, please follow at least two of them. It will help you to enjoy the effort you invested in your WordPress site.

1. Log in to Google Analytics at http://www.google.com/analytics
2. From the Overview page, select the account that has the profile for the tracking code you’re looking for, as the code is profile-specific.
3. Select the profile from the accounts Overview page.
4. From that profile’s Actions column, click Edit
5. At the top right of the ‘Main Website Profile Information’ box, click Check Status
6. Your tracking code can be copied and pasted from the text box in the Instructions for adding tracking section

When adding your tracking code to your web pages, make sure to paste it into the body section of your HTML code, immediately preceding the </body> tag if you use the ga,js code. If you use the asynchronous code, you should add it immediately preceding the </head> tag.

If this doesn’t work, put this code into a file named 404.php :

<?php header("Status: 301 Moved Permanently"); header("Location:http://www.xxxxxx.xxx"); ?>

(xxxxxx.xxx is your domain name)

Upload 404.php into /wp-content/themes/classic/    – change “clasic” to your theme name

WordPress Not Found Error after this?

The Cause of a WordPress Not Found Error.Why did this happen in the first place?

This error is most likely due to the fact that you’ve changed your WordPress permalink structure. The settings for your permalink structure are found in your Admin panel, under Settings » Permalinks. Basically, it lets you choose how the URLs of your WordPress site will look.

The default is always the first radio button, which says “http://www.mysite.com/?p=123″. However, if you’re like me – you’d rather have something more search engine friendly like “http://www.mysite.com/category/page” — and you probably selected the last option which says “Custom Structure,” then saved the change. This is where the error occurs.

Here’s the reason why: by default, your .htaccess file is CHMODded to 644: disallowing WordPress to successfully edit it. You’ll even see the message in your admin panel under “Permalinks” that says this:

If your .htaccess file were writable, we could do this automatically, but it isn’t so these are the mod_rewrite rules you should have in your .htaccess file. Click in the field and press CTRL + a to select all.

It is very easy to look past this message due to the fact that it’s at the bottom of the screen, appearing in italics, and nearly blending in with the box above it. Anyway – in order to successfully change your permalink structure, you would have had to make the permission settings of your .htaccess file more lenient, so that WordPress can be able to write changes within it.

How to Fix the Error ?

Don’t worry, it’s super easy…and quick

1. Get into your website’s FTP space, and look for the .htaccess file
2. Highlight the .htaccess file in your FTP program, and open its CHMOD settings. It’s probably set to 644. Change it to 666.
3. Go back into your WordPress site’s admin section, and navigate to Settings » Permalinks.
4. Edit the link structure to whatever you originally wanted (I recommend that you use /%category%/%postname%), and then save it. You should no longer see a “grayed out” .htaccess box on this page, saying that the file is not writable.
5. Visit any page of your site and confirm that the error no longer happens. If not, congrats!
6. Finally, as a security measure, go back to your FTP space and change your .htaccess file back to 644, since you probably will never have to edit it through the WordPress admin panel ever again.

To update this file after moving your shop, FTP to your host.
Download    virtuemart.cfg.php
Path to File Here
administrator/components/com_virtuemart/virtuemart.cfg.php

Change your shop URL, and your Secure URL to your new shop address.Both must have either the www. or non-www. They must match UNLESS one is https but it styill must contain the www or non-www like the other one.

If you moved from one host to another, and your thumbnails are not showing
Most of the time you need to re-create the thumbnails. This is done by

Go into your virtuemart administrator. Then to configuration, and then the “site tab”.

Disable “Enable Dynamic Thumbnail Resizing?” Save Your Changes
Then Re-enable “Enable Dynamic Thumbnail Resizing?” Again, and Save.

Also Make Sure The Image Directory is 755

This can cause missing thumbnails

ADDITIONAL IMAGES USUALLY IF CREATED VIA THE MEDI MANAGER HAVE ABSOLUTE URLS. SO, after moving from one domain to another, you need to use csv improved to remove the domain from the url. Or you may use myphpadmin to update the product_files list without the absolute url.

You cannot just put two codes at the end of webpage – it doesn’t work. Here is the code which works:

<script type=”text/javascript”>
  var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-XXXXXXX-X']);
_gaq.push(['_trackPageview']);
_gaq.push(['t2._setAccount', 'UA-XXXXXXXX-X']);
_gaq.push(['t2._trackPageview']);

  (function() {
    var ga = document.createElement(‘script’); ga.type = ‘text/javascript’; ga.async = true;
    ga.src = (‘https:’ == document.location.protocol ? ‘https://ssl’ : ‘http://www’) + ‘.google-analytics.com/ga.js’;
    var s = document.getElementsByTagName(‘script’)[0]; s.parentNode.insertBefore(ga, s);
  })();
</script>

Copy this text and change 2 Google Analytics account numbers in it and then place it to the end of your web page, just before </head> tag.

Change the Password in the Database.

If the admin user is still defined, the simplest option is to change the password in the database to a known value. This requires that you have access to the MySQL database using phpMyAdmin.

• Navigate to phpMyAdmin and select the database for the Joomla! site in the left-hand drop-down list box. This will show the database tables on the left side of the screen.
• Click on the table “jos_users” in the list of tables.
• Click on the “Browse” button in the top toolbar. This will show all of the users that are set up for this site.
• Find the user whose password you want to change and press the Edit icon for this row.
• A form will display that allows you to edit the password field. Copy the value:

d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199

into the password field and press the Go button. phpMyAdmin should display the message “Affected rows: 1″. At this point, the password should be changed to “secret“.

• Log in with this user and password (secret) and change the password of this user to a secure value. Check all of the users using the User Manager to make sure they are legitimate. If you have been hacked, you may want to change all of the passwords on the site.

You will want to move your Joomla! installation rather than re-install if you fit one or all of the following parameters:

* Your site has accumulated a large amount of data in the database over time (sections, categories, content items, contacts, newsfeeds, etc.).
* Your site uses multiple 3rd-part extensions already configured and/or customized for your site.

Step 1: Backup everything!

The first thing you want to do is backup all files within your Joomla! installation. Create a folder on your local system, and download all files to that folder using your ftp client application. I used FileZilla as my ftp client application to download all of my files to a folder on my desktop I named “howtojoomla”.

Step 2: Export your database

Note: For this step, it really helps if you have phpMyAdmin installed on your server. Most hosting companies have phpMyAdmin already installed. If you are unsure, ask your hosting provider.

The second thing you need to do is export your Joomla! database. The best thing to do is to export it into an SQL file, which makes importing it easier in a later step. An SQL file will contain all of the necessary SQL commands for creating your database tables and filling them with your data. Be sure you export the entire database.

Step 3: Modify configuration.php

This step is very important. Go to the folder on your local system to which you downloaded all of your Joomla! files. In the first level folder, you will find the file named “configuration.php”. Open this file with a text editor and make the necessary changes. At the very least, you will probably need to change the following parameters:

* $mosConfig_absolute_path: This is the absolute server path to your new Joomla! installation. It will probably look something like “/path/to/joomla/installation”.
* $mosConfig_cachepath: This is the absolute server path to the cache for your Joomla! installation. It will probably look something like “/path/to/joomla/installation/cache”.
* $mosConfig_live_site: This is your website’s url. It will be something like “http://www.yoursite.com”.
* $mosConfig_host: This is the location of the server that hosts your MySQL database. For most instances, this value will be “localhost”. If you are unsure, ask your hosting provider.
* $mosConfig_db: This is the name of your MySQL database.
* $mosConfig_user: This is the database user name. Make sure this user has all privileges on your database.
* $mosConfig_password: This is the password for your MySQL database user.

Step 4: Upload all of your files to your new server

Using an ftp client application (like FileZilla), upload all of your files to the location on your new server where you want to install Joomla!.

Step 5: Import your database to your new MySQL server

Using phpMyAdmin (or console commands if you are an advanced database administrator) and the SQL file you generated in step 2, import your old database into your new database.

Step 6: Test your new installation

Your move should now be complete, but please don’t take my word for it. Test your site to make sure that everything is in it’s proper place and working the way you expect it to. For example, if you did not use relative url’s for your links on your old site, they will not work properly on your new site.

If you are uneasy or uncomfortable with this process, we strongly recommend that you hire a professional to do this for you.

How to change admin password in Joomla?

1. DropSend – Free Large File Sending Service
File too big for email? Send large files of up to 2GB. Paid accounts offer many amenities and can be used to send and receive large files

2. YouSendIt – Free Big File Sending Service
YouSendIt makes it really easy to deliver files larger than what your email service may allow. Various subscription levels cover just about every file delivery need, and desktop applications as well as plug-ins make YouSendIt particularly convenient.
Free YouSendIt accounts offer enough bandwidth only for occasional file sending, however.

3. Pando – Free Large File Sending Service
Pando combines secure P2P file transfers with email attachments so you can send any file to any email address with speed, ease and flexibility. Unfortunately, Pando requires you to use a little Windows or Mac app for the actual file transfers and is not available if you or your recipient uses a different platform.

4. SendThisFile – Free Big File Sending Service
SendThisFile lets you send files with no size limit via email for free, while paid accounts offer many amenities and can be used to send and receive large files in a branded manner through a web site, for example. All accounts do have a six day pick-up time limit, though, and SendThisFile does incorporate secure transfer and storage, but no virus scanning.

5. TransferBigFiles – Free Large File Sending Service
TransferBigFiles makes it easy to deliver larger files (up to 1000 MB) to email recipients, and the files can even be protected with a password. Unfortunately, files sent through TransferBigFiles are available to be downloaded by the recipient for a mere five days. Amenities like an address book, distribution lists and email program integration would be nice.

6. MailBigFile - Free Big File Sending Service
MailBigFile is a fast and simple way to send moderately large files (up to 512 MB) to a single email recipient. A pro version allows for larger files and more downloads as well as secure connections, but you still cannot password-protect your files.

What is favicon?

A favicon , also known as a favorites icon, shortcut icon, website icon, URL icon, or bookmark icon is a 16×16 or 32×32 pixel square icon associated with a particular website or webpage.Web designer can create such an icon and install it into a website by several means, and most graphical web browsers will then make use of it. Browsers that provide favicon support typically display a page’s favicon in the browser’s address bar and next to the page’s name in a list of bookmarks. Browsers that support a tabbed document interface typically show a page’s favicon next to the page’s title on the tab.

Creating a favicon

A favicon should be 16 X 16 pixels with 16 colors and the file name should be favicon.ico. Simply upload the file, favicon.ico to the root web directory of your hosted website with your favorite FTP program, Microsoft FrontPage, Dreamweaver MX or whatever. Make sure your favicon file is named “favicon.ico.” When someone bookmarks your site with a browser that supports favicons, your favicon will appear.

Is it good to have a favicon on my website?

If a website does use a favicon, it makes it all the more easier and quicker to look through a list of bookmarks and find then one that you’re looking for, because your eye will notice the colorful favicons before it does the text of each bookmark’s name and the blank icons surrounding it.

How to set favicon in WordPress?

1. You will now need to edit your header.php of your wordpress blog. Depending on the theme you use, locate the header.php folder and edit the file by adding the following code:
   

   

2. Save your header.php file
3. Hard refresh your browser by pressing the Ctrl+F5 keys. You should now be able to see your favicon next to your URL.

Does Google AdWords Help My Ranking?
No, (un)fortunately it does not. Google has a very strict policy on separating their search engine index and their pay-per-click service Google AdWords. The only way to improve your ranking is to optimize your site and to increase your Google PageRank by doing link exchange.

My web site’s been listed in Google for several months now, but is nowhere near the top rankings for the search queries that I’m targeting. What did I do wrong?
Apparently, Google places new web sites in a so-called “sandbox”, not allowing them to achieve top rankings for competitive keywords right away. This contraversial policy is apparently intended to discourage fly-by-night sites that hope to make a quick buck by exploiting Google’s ranking system. The only way to get out of this sandbox is to wait it out – sometimes the wait is several months, even a year. The good news is that once your site is let out of the sandbox it will immediately get the high rankings it deserves.

How can I tell whether my site is stuck in Google’s sandbox?
One clue is if your site ranks well in other search engines such as Yahoo! and MSN Search, but ranks in the hundreds (or not at all) for the same query on Google. Another way is to use Google’s allinanchor: type search with the same query. If your site ranks well for allinanchor but poorly for the straight query search, it’s likely that your site is in the sandbox.

Does the anchor text of the links to my page influence the position of the page in search results?
Yes, it is one of the most important factors. Do a Google search for the query that you want your page to rank well with, for example “fine wine” (without the quotes). Now use Google’s allinanchor search to find the most popular pages that have the words “fine” and “wine” in the anchor text of their incoming links, like this: “allinanchor:fine wine” (again, without the quotes). Usually, you’ll find that the top 30 results in the straight query search will be almost exactly the same as the top 30 in the allinanchor search. The order may differ, but this shows how great an influence Google gives to the anchor text of incoming links.

When I ask Google, which other sites link to my site, Google does not list any sites. But I know that other sites link to me. Am I doing something wrong?
If you have a web site www.xzy.com, you can find out which other sites link to your site by asking Google for link:www.xyz.com. Other search engines, such as MSN or Yahoo!, have similar features. If Google (or MSN, or Yahoo!) does not list all the links, this might have to do with any of the following reasons:
1.) Google does not list all of the links that it knows about. It tends to list links from pages with higher PageRank.
2.) The link might have been added within the last days, so that Google has not yet spidered the page that links to you.
3.) The web page that links to your site might not be in the Google index at all.

When my friend in New York and I in California both search Google for the same query, we get different results. Does Google provide different results for every region?
No, it does not. Different results are related to the regular updates of the Google index. Google has several data centers around the US and the rest of the world. If you visit www.google.com, it is not guaranteed that your query is sent to the same data center every time. Usually your query should end up at the nearest data center, so that your Google search should be answered by the same data center every time. Thus, if you and your buddy get different Google results, this is because your query has been answered by different data centers.

I tried the Google Toolbar and found out that my Google PageRank is 4. Is that good or bad? How can I improve my Google PageRank?
Most pages with a decent number of links have a Google PageRank of 4. Thus, your PageRank is OK, but of course you can always improve your link popularity and thereby improve your PageRank. If you want to learn more about the PageRank algorithm, please visit the following site (you have been warned: it might get technical): http://pr.efactory.de/

I recently tried out the Google Toolbar. What is the Google PageRank and why does it change from time to time?
The Google PageRank is a web page’s score, based on link popularity, i.e. the number and quality of links from other sites. The Google Toolbar displays the PageRank in a very simplified and sometimes inaccurate way. Even some pages that are not in the Google index, will show a Google PageRank. Thus, don’t worry to much about a low or changing value. Of course, this does not mean, that the Google PageRank itself is unimportant – on the contrary. It still is important for you to have other sites link to you. But for some reason the Google Toolbar does not really reflect the PageRank in a consistent and proper manner.