How To Increase The Security Of Your WordPress Blog

7 replies
I have been seeing a lot of threads recently about WordPress security and it got me thinking, am I doing enough to actually protect my blog? Well, to keep the answer short, no. After doing a bit of on and off research for the past couple of days, I thought I would share what I have found out so far and maybe build a thread around security tips for WordPress.

The basics...

You must keep everything up to date. This means WordPress itself, your themes, your plugins etc.; everything must be at its latest edition. Having older versions available will lead to holes in security which hackers can exploit if they want to.

------------------------------------

When you create a WordPress blog don't use the username "admin", "administrator" or common prefixes of them. One of the main problems most of you will have is that you will already have a blog. If you wish to change your admin name you will have to go into phpMyAdmin and change it in the database there.

------------------------------------

Passwords: this is the most common mistake people online make. Their passwords are something they remember easily but are not complicated at all. Make sure your password is a mixture of upper case and lower case letters, numbers and punctuation (commas, dashes, slashes, etc.).

------------------------------------

You used to have to deny access to your plugins but WordPress does this now, but, to be safe, upload a blank index.php file to your plugin section. As I said, this shouldn't be required but it may help.

------------------------------------

Back up your damn website! Don't be lazy, it is so simple to back up your data with BackWPup (see the plugin section at the bottom for the link). Alternatively there are others which can be used; it is up to you to do your research on them.

------------------------------------

Check your host's security. A quick Google search will tell you how good your hosting company is in terms of security performance.

------------------------------------

File permissions!! You must make sure these are correct. I found these recommended settings:

All directories should be 755 or 750.
All files should be 644 or 640. Exception: wp-config.php should be 600 to prevent other users on the server from reading it.
No directories should ever be given 777, even upload directories.

Source: Changing File Permissions « WordPress Codex

------------------------------------

Remove your WordPress version from your code. This is not a big obstacle for a hacker but it makes their job that little bit harder. To delete this code open up your header.php file and remove:

Code:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
Also, you can add this code to your functions.php file in the editor.

Code:
add_filter( 'the_generator', 'remove_generator' );
function remove_generator() { return ''; }
------------------------------------

Change your database prefixes; this is the wp_ in your code. By changing this you are making it harder for the hacker. There is a simple plugin which does this: Change DB Prefixes (links below to two plugins).

------------------------------------

Stop brute force attacks. You do this by limiting the amount of login attempts; this plugin may help you with this: Better WP Security (link below).

Slightly More Complex

Make sure your .htaccess file is correct. This isn't so hard, but here is a great source of information which tells you everything you need to know about your .htaccess file.

THE Ultimate Htaccess

Recommended articles to read on there are 6.4, 6.7 and 6.14. (This is slightly complex, so if you don't understand it then hire someone who does.)

Extra Measures Which You May Want To Take

If you wish to encrypt your WordPress password you can; there are plugins which allow you to do this quite easily. You can use the WordPress HTTPS plugin (link below).

------------------------------------

You can limit the access to your wp-admin file by adding this code to your .htaccess file. This will mean that the only IP able to access this is the one you enter.

Code:
# Replace the x's and y's with your IP address (Apache comments start with #, not //).

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from xxx.xxx.xxx.xxx
# whitelist work IP address
allow from yy.yyy.yyy.yyy
If you do not know your IP address, simply type "how to find your ip address" into Google and Google will tell you, or it will give you lots of ways to find your IP out. Obviously this method is only good if you are working from one place (which isn't always the case), but I put it in here so you know it's an option.

------------------------------------

Add secret keys to your wp-config-sample.php file. These are essentially the things which connect your site to the database; by adding secret keys you can protect this connection. In your file you will see this code:

Code:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
Go here and generate a key: http://api.wordpress.org/secret-key/1.1/

Paste the generated keys into each field. This will delete your login cookie, so you will have to log in again.

Plugins (please note I am not affiliated with these in any way)

BackWPup: WordPress › BackWPup « WordPress Plugins

WordPress HTTPS: WordPress › WordPress HTTPS (SSL) « WordPress Plugins

Change DB Prefixes: wordpress.org/extend/plugins/db-prefix-change/ or WordPress › Change Table Prefix « WordPress Plugins (wordpress.org/extend/plugins/change-table-prefix/)

Better WP Security: WordPress › Better WP Security « WordPress Plugins

------------------------------------

This is all I have come up with so far. I hope it helps you; if you have any other security tips to strengthen your blog, I would really like to hear them.
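As an added example (not part of the original post, and not code from WordPress or any of the plugins named), here is a POSIX shell script that audits an install against the file-permission settings listed above (directories 755/750, files 644/640, wp-config.php 600) and checks wp-config.php for any of the four secret keys that is missing or still left at the "put your unique phrase here" placeholder. The make_sample_site function builds a constructed throwaway tree with deliberate mistakes so the checks can be tried offline; every path and value in it is invented for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress tree against
# the recommended permissions and check wp-config.php for placeholder secret keys.
# Uses only POSIX sh, find, grep, wc, tr and chmod.

# Print every path whose mode is not one of the recommended ones.
audit_permissions() {
    root="$1"
    # directories must be exactly 755 or 750
    find "$root" -type d ! -perm 755 ! -perm 750
    # ordinary files must be exactly 644 or 640 (wp-config.php is handled below)
    find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640
    # wp-config.php holds database credentials and keys: 600 only
    find "$root" -type f -name wp-config.php ! -perm 600
}

# Number of offending paths; 0 means the tree matches the recommendation.
count_permission_issues() {
    audit_permissions "$1" | wc -l | tr -d ' '
}

# Apply the recommended modes. Never 777, not even for the uploads directory.
fix_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type f -name wp-config.php -exec chmod 600 {} +
}

# Print one line for each of the four keys from the post that is either absent
# from the given wp-config.php or still set to the sample placeholder text.
check_secret_keys() {
    cfg="$1"
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
        line=$(grep "define( *'$key'" "$cfg" || true)
        case "$line" in
            "") echo "$key missing" ;;
            *"put your unique phrase here"*) echo "$key placeholder" ;;
        esac
    done
}

# Number of keys that still need attention; 0 means all four are set.
count_key_issues() {
    check_secret_keys "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (hypothetical paths) with two permission mistakes and
# an incomplete wp-config.php, so the checks above can be exercised offline.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads" "$site/wp-content/plugins"
    printf '<?php\n' > "$site/index.php"
    printf '<?php\n' > "$site/wp-content/plugins/index.php"
    cat > "$site/wp-config.php" <<'EOF'
<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'constructed-example-value-not-a-real-key');
define('LOGGED_IN_KEY',    'put your unique phrase here');
EOF
    chmod 755 "$site" "$site/wp-content" "$site/wp-content/plugins"
    chmod 777 "$site/wp-content/uploads"      # mistake: world-writable upload dir
    chmod 644 "$site/index.php" "$site/wp-content/plugins/index.php"
    chmod 644 "$site/wp-config.php"           # mistake: readable by other users
    echo "$site"
}

# Usage when run directly: sh wp_audit.sh /path/to/wordpress
if [ "$#" -eq 1 ]; then
    audit_permissions "$1"
    check_secret_keys "$1/wp-config.php"
fi
```

Run the audit before fix_permissions on a real install and read the list: a path that deviates on purpose (for example a cache directory a plugin needs to write to) should be handled individually rather than blanket-fixed, and NONCE_KEY being reported missing on an old install is expected, since WordPress generates it if absent; the check simply tells you which of the four defines the post talks about are not yet in place.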
  • bmw040:
    Excellent post!

    I thought I knew everything, but you proved me wrong.

    Like to add a free plugin I use: Theme Authenticity Checker (TAC).

    I have hundreds of sites and have found hidden code in a few themes.
  • Kingfish85:
    I'd like to add that password protecting your wp-admin directory would eliminate tons of security problems. In addition, use fewer plugins & only use those that are still supported.
    • butters:
      Originally Posted by Kingfish85

      I'd like to add password protecting your wp-admin directory would eliminate tons of security problems. In addition, use less plugins & only use those that are still supported.
      Further touching upon that, here is a link to a site which tells you how to do this via the .htaccess document.

      Apache Authentication in htaccess
  • sydsho:
    I really like these tips. Lots of stuff I hadn't thought of. Thanks.
  • sunny00:
    I think this was an important post because not many internet marketers think about the security of their sites. Security is just as important as the product or service itself.

    I remember I purchased a WP plugin and for some reason did not like it, so I got my money back. Well, to make a long story short, I happened to be on a BitTorrent site and saw the plugin being offered as a free download. Obviously it had been hacked; from then on I knew that if that plugin was on there, many internet marketers' products are on these sites too. Made me think twice about releasing my own product.
  • daada2010:
    Thanks very much for these tips.