
How To Increase The Security Of Your WordPress Blog
The basics...
You must keep everything up to date: WordPress itself, your themes, your plugins, etc. Everything must be at its latest version. Leaving older versions installed leaves holes in security which hackers can exploit if they want to.
------------------------------------
When you create a WordPress blog, don't use the username "admin", "administrator" or common prefixes of them. One of the main problems most of you will have is that you already have a blog. If you wish to change your admin name you will have to go into phpMyAdmin and change it in the database there.
------------------------------------
Passwords: this is the most common mistake people online make. Their passwords are something they remember easily but are not complicated at all. Make sure your password is a mixture of upper case and lower case letters, numbers and punctuation (commas, dashes, slashes, etc.).
------------------------------------
You used to have to deny access to your plugins yourself, but WordPress does this now. To be safe, upload a blank index.php file to your plugin section anyway. As I said, this shouldn't be required but it may help.
------------------------------------
Back up your damn website! Don't be lazy, it is so simple to back up your data with BackWPup (see the plugin section at the bottom for the link). Alternatively there are others which can be used; it is up to you to do your research on them.
------------------------------------
Check your host's security. A quick Google search will tell you how good your hosting company is in terms of security performance.
------------------------------------
File permissions! You must make sure these are correct. I found these recommended settings:
All directories should be 755 or 750.
All files should be 644 or 640. Exception: wp-config.php should be 600 to prevent other users on the server from reading it.
No directories should ever be given 777, even upload directories.
Source: Changing File Permissions « WordPress Codex
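One way to check a site against the settings above (an added example, not part of the original post or the Codex): the script reports every directory that is not 755/750, every file that is not 644/640, and a wp-config.php that is not 600. The function names and the sample tree are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the permission rules listed above.
# Prints "bad-dir|bad-file|bad-config <path>" per violation; returns 1 if any exist.
audit_wp_perms() {
    root=${1%/}
    [ -d "$root" ] || { echo "not a directory: $1" >&2; return 2; }
    findings=$(
        # Directories: only 755 or 750 are accepted (so 777 is always reported).
        find "$root" -type d ! -perm 755 ! -perm 750 \
            -exec printf 'bad-dir %s\n' {} +
        # Regular files: 644 or 640, except wp-config.php in the root.
        find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644 ! -perm 640 \
            -exec printf 'bad-file %s\n' {} +
        # wp-config.php: must be exactly 600.
        find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 600 \
            -exec printf 'bad-config %s\n' {} +
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (not a real site) with two deliberate mistakes.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads" "$t/wp-content/plugins"
    : > "$t/index.php"
    : > "$t/wp-config.php"
    : > "$t/wp-content/plugins/index.php"
    chmod 755 "$t" "$t/wp-content" "$t/wp-content/plugins"
    chmod 644 "$t/index.php" "$t/wp-content/plugins/index.php"
    chmod 777 "$t/wp-content/uploads"   # mistake 1: world-writable upload directory
    chmod 644 "$t/wp-config.php"        # mistake 2: config readable by other users
    echo "$t"
}

tree=$(make_sample_tree)
audit_wp_perms "$tree" || echo "fix the paths listed above"
rm -rf "$tree"
```

On a real site, call audit_wp_perms with the path to the WordPress root instead of the sample tree.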
------------------------------------
Remove your WordPress version from your code. This is not a big obstacle for a hacker, but it makes their job that little bit harder. To delete this code, open up your header.php file and remove:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
You can also add this filter (for example in your theme's functions.php) so that the generator output is empty:
// Return an empty string instead of the generator tag.
add_filter( 'the_generator', 'remove_generator' );
function remove_generator() {
    return '';
}
Change your database prefix. This is the wp_ in your code; by changing it you make things harder for the hacker. There is a simple plugin which does this: Change DB Prefixes (links to two plugins below).
------------------------------------
Stop brute force attacks. You do this by limiting the number of login attempts; this plugin may help you with this: Better WP Security (link below).
Slightly More Complex
Make sure your .htaccess file is correct. This isn't so hard, and here is a great source of information which tells you everything you need to know about your .htaccess file:
THE Ultimate Htaccess
Recommended articles to read there are 6.4, 6.7 and 6.14. (This is slightly complex, so if you don't understand it then hire someone who does.)
Extra Measures Which You May Want To Take
If you wish to encrypt your WordPress password you can. There are plugins which allow you to do this quite easily; you can use the WordPress HTTPS plugin (link below).
------------------------------------
You can limit access to your wp-admin directory by adding this code to your .htaccess file. This will mean that the only IPs able to access it are the ones you enter.
# Replace the x's and y's with your IP address.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from xxx.xxx.xxx.xxx
# whitelist work IP address
allow from yy.yyy.yyy.yyy
------------------------------------
Add secret keys to your wp-config-sample.php file. These are essentially the things which connect your site to the database; by adding secret keys you can protect this connection. In your file you will see this code:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
Paste the generated keys into each field. This will delete your login cookie, so you will have to log in again.
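A way to produce values for the four keys shown above and to spot a config that still carries the default phrase (an added example, not part of the original post): the function names, the 64-character length and the character set are choices made for this illustration.

```shell
#!/bin/sh
# Added example: generate values for the four keys and flag configs still using the placeholder.
KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY"

# Print one define() line per key with a 64-character random value.
# The character set avoids ' and \ so the value is safe inside PHP single quotes.
gen_wp_keys() {
    for k in $KEY_NAMES; do
        v=$(head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!#%*+,-.:=?@^_~' | head -c 64)
        printf "define('%s', '%s');\n" "$k" "$v"
    done
}

# Report keys that are missing from a config file or still set to the default phrase.
# Returns 0 when all four are set, 1 otherwise.
check_wp_keys() {
    cfg=$1
    bad=0
    for k in $KEY_NAMES; do
        line=$(grep -E "define\( *'$k' *," "$cfg" | head -n 1)
        case $line in
            '') echo "missing $k"; bad=1 ;;
            *"put your unique phrase here"*) echo "placeholder $k"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample: a config fragment still carrying the defaults shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
EOF
check_wp_keys "$sample" || echo "replace these with freshly generated values:"
gen_wp_keys
rm -f "$sample"
```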
Plugins (Please note I am not affiliated with these in any way)
BackWPup: WordPress › BackWPup « WordPress Plugins
WordPress HTTPS: WordPress › WordPress HTTPS (SSL) « WordPress Plugins
Change DB Prefixes: wordpress.org/extend/plugins/db-prefix-change/
Change Table Prefix: wordpress.org/extend/plugins/change-table-prefix/
Better WP Security: WordPress › Better WP Security « WordPress Plugins
------------------------------------
This is all I have come up with so far. I hope it helps you. If you have any other security tips to strengthen your blog, I would really like to hear them.