Validity of this WordPress Blog security advice required
Can anyone out there please advise me on the validity of this WordPress Blog security advice from 'daily blog tips'. Parts 1, 2 and 5 seem like sound advice. Parts 3 and 4 involve modifying code and I want to determine if it's correct and safe.
The advice is as follows:
"Securing your blog is one of the most important things you could do.
Producing content is essential, and so is promoting it, but if your
blog is not secure, you could lose everything overnight (literally!).
In this email I will share some security tips that you should apply
in your blog.
1. Backup, Backup and Backup!
In security circles people always say that if someone wants to break
into your site, with enough time and determination eventually he
will. In other words, no website can be made 100% secure.
If that is the case, your first line of defense are your backups.
With functional backups someone could erase everything in your
server and you would be back online in a matter of hours.
So remember to backup your blog often (preferable daily), and to
have backups in at least two different physical locations (else a
theft or fire could take both your site and the backup...).
2. Change The "Admin" User
One of the most common methods to break into a website is the brute
force one. That is, the malicious person will try to guess the name
of the admin and, once he finds that out, he will use scripts to try
thousands of password combinations with that user name.
If the admin user in your blog is called "admin", well, you just
facilitated things a lot.
Luckily changing that is quite easy. Simply create a new user for
your blog, and give it "Administrator" privileges. Then login with
that user, and delete the "admin" user. If you have posts published
with "admin" WordPress will ask you if you want to move those posts
under a new user.
3. Obscure Your WordPress Version
Another common saying among security geeks is "security through
obscurity." This is related to the fact that the fewer things a
malicious person knows about your blog or server, the harder it will
be to break into it.
By default WordPress broadcasts to the world the version that you
are running, and this information can be used against you, because
hackers know the security holes on each WordPress version.
Hiding that information is not difficult though. First of all you
want to disable the "generator" meta tag. You can do that by adding
the following code to the functions.php file of your theme:
function hide_wp_vers()
{
return '';
}
add_filter('the_generator','hide_wp_vers');
There is another place where hackers can find the version of your
WordPress, and most people forget to deal with that. It is the
readme file that comes with all WordPress installs. Simply access
your server via FTP to delete that file.
4. Disable Folder Browsing
Another thing that you should obscure in your site is the content
of your folders. If people can browser your folders, they will be
able to collect a lot of information, including what plugins you are
running, what themes you have installed and so on. Needless to say
that such information can be used to find security holes in your
site.
If your web hosting is based on Linux, you can easily disable folder
browser with a .htaccess file placed at the root of your server.
Either create that file or open the existing one and add the
following line:
Options -Indexes
That is it. If your hosting is not based on Linux, you can still
protect the content of your folders by uploading a blank index.html
page inside each folder.
5. Always Update
WordPress is an open source software, so its source code is public,
and anyone can have access to it. This means that hackers can
scrutinize the code looking for security holes.
Sometimes they find them, but the WordPress community usually
responds quickly and releases an updated version protected against
the new threats.
If you always run the latest WordPress version, therefore, you will
be minimizing the chances of having problems."
Your feedback would be appreciated
Martin
The advice is as follows:
"Securing your blog is one of the most important things you could do.
Producing content is essential, and so is promoting it, but if your
blog is not secure, you could lose everything overnight (literally!).
In this email I will share some security tips that you should apply
in your blog.
1. Backup, Backup and Backup!
In security circles people always say that if someone wants to break
into your site, with enough time and determination eventually he
will. In other words, no website can be made 100% secure.
If that is the case, your first line of defense are your backups.
With functional backups someone could erase everything in your
server and you would be back online in a matter of hours.
So remember to backup your blog often (preferable daily), and to
have backups in at least two different physical locations (else a
theft or fire could take both your site and the backup...).
2. Change The "Admin" User
One of the most common methods to break into a website is the brute
force one. That is, the malicious person will try to guess the name
of the admin and, once he finds that out, he will use scripts to try
thousands of password combinations with that user name.
If the admin user in your blog is called "admin", well, you just
facilitated things a lot.
Luckily changing that is quite easy. Simply create a new user for
your blog, and give it "Administrator" privileges. Then login with
that user, and delete the "admin" user. If you have posts published
with "admin" WordPress will ask you if you want to move those posts
under a new user.
3. Obscure Your WordPress Version
Another common saying among security geeks is "security through
obscurity." This is related to the fact that the fewer things a
malicious person knows about your blog or server, the harder it will
be to break into it.
By default WordPress broadcasts to the world the version that you
are running, and this information can be used against you, because
hackers know the security holes on each WordPress version.
Hiding that information is not difficult though. First of all you
want to disable the "generator" meta tag. You can do that by adding
the following code to the functions.php file of your theme:
function hide_wp_vers()
{
return '';
}
add_filter('the_generator','hide_wp_vers');
There is another place where hackers can find the version of your
WordPress, and most people forget to deal with that. It is the
readme file that comes with all WordPress installs. Simply access
your server via FTP to delete that file.
4. Disable Folder Browsing
Another thing that you should obscure in your site is the content
of your folders. If people can browser your folders, they will be
able to collect a lot of information, including what plugins you are
running, what themes you have installed and so on. Needless to say
that such information can be used to find security holes in your
site.
If your web hosting is based on Linux, you can easily disable folder
browser with a .htaccess file placed at the root of your server.
Either create that file or open the existing one and add the
following line:
Options -Indexes
That is it. If your hosting is not based on Linux, you can still
protect the content of your folders by uploading a blank index.html
page inside each folder.
5. Always Update
WordPress is an open source software, so its source code is public,
and anyone can have access to it. This means that hackers can
scrutinize the code looking for security holes.
Sometimes they find them, but the WordPress community usually
responds quickly and releases an updated version protected against
the new threats.
If you always run the latest WordPress version, therefore, you will
be minimizing the chances of having problems."
Your feedback would be appreciated
Martin
Creative Web Development and Design, NOT A FIXED PRICE SERVICE, if you want the best don't settle for an off the shelf solution.
We provide cutting edge design, web development with WordPress, WHMCS, PHP, HTML, CSS, jQuery, and personalised hosting solutions to suit any needs.