While WordPress in general is pretty secure from the ground up, it is still vulnerable to many of the security exploits out there.
WordPress Security Tip # 1: Upgrade your WordPress Blog
Keep your WordPress blog up to date by installing the latest version of WordPress. You may think it is a pain to update every time, but if you don't want your blog to be hacked, this is crucial.
WordPress has detailed and simple instructions on how to update your blog. Check them out and keep your blog up-to-date. You can subscribe to the WordPress Development blog at http://wordpress.org/development/feed/ which will keep you up-to-date on the latest WordPress patches or the latest WordPress releases.
WordPress Security Tip # 2: Remove the version string in your header.php file of your WordPress theme
Again, if you don't keep your WordPress blog up to date with the latest version, WordPress is kind enough to let potential hackers know that you did not update your blog. Say you want to find a list of WordPress blogs still running WordPress 2.2: a simple Google search would generate one.
Every WordPress theme has a line in its header.php file that goes:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->
Make sure that you remove this line from the header.php file of your WordPress theme, so that attackers looking for an older version of WordPress to exploit are not told which version you run.
WordPress Security Tip # 3: Secure your /wp-admin/ folder
a. .htaccess file:
Once this .htaccess file is in place, any attempt to reach your wp-admin folder from an address that is not whitelisted will be answered with a Forbidden error message. Note: for this method you need to create a new .htaccess file inside your wp-admin folder, not simply replace or edit the .htaccess file in the root folder of your WordPress blog.
AuthName "Root777 Access Control"
# deny everyone by default, then allow only the whitelisted addresses
order deny,allow
deny from all
# whitelist home IP address
allow from 22.214.171.124
# whitelist work IP address
allow from 126.96.36.199
This method is very good for those with a static IP address. You can find out your IP address here and replace the IP addresses shown above with your own. If you have multiple authors on your blog, you can add their IP addresses to this whitelist too. The directives above are Apache 2.2 syntax; on Apache 2.4 the same rule is written with Require all denied followed by one Require ip line per whitelisted address.
b. Use the Login Lockdown plugin:
If you have a dynamic IP address, though, restricting access to your /wp-admin/ folder to certain IP addresses will not work. In that situation, use the Login Lockdown plugin, which helps stop attackers trying to brute-force their way into your login.
Any failed login attempt is recorded. You can also set the threshold of failed logins after which an IP range is blocked, and for how long it stays blocked (an hour by default).
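To make the lockout policy concrete, here is an added Python model of the behaviour described in Tip 3b (example code written for this page, not the Login Lockdown plugin's own code). The threshold of three, the five-minute retry window, the /24 block size and the RFC 5737 test addresses are assumptions; only the one-hour lockout comes from the text.

```python
import ipaddress
from collections import defaultdict

class LoginLockdown:
    """Model of the Login Lockdown behaviour described above (constructed example, not the
    plugin's code): failures are counted per IP range inside retry_window seconds, and a
    range that reaches threshold is refused for lockout_seconds. Time is passed in."""

    def __init__(self, threshold=3, retry_window=300, lockout_seconds=3600, prefix=24):
        self.threshold = threshold              # failures before a range is blocked (assumed)
        self.retry_window = retry_window        # seconds in which failures are counted (assumed)
        self.lockout_seconds = lockout_seconds  # block duration: one hour, as in the text
        self.prefix = prefix                    # block the whole /24, not just one address
        self.failures = defaultdict(list)       # range -> timestamps of failed logins
        self.locked_until = {}                  # range -> time the lockout expires

    def _range(self, ip):
        return ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False)

    def is_locked(self, ip, now):
        rng = self._range(ip)
        until = self.locked_until.get(rng)
        if until is not None and now < until:
            return True
        self.locked_until.pop(rng, None)        # lock absent or expired
        return False

    def attempt(self, ip, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt at time `now`. A locked
        range is refused even with the right password, so a lucky guess gains nothing."""
        if self.is_locked(ip, now):
            return "locked"
        rng = self._range(ip)
        if password_ok:
            self.failures[rng].clear()          # a good login resets the counter
            return "ok"
        recent = [t for t in self.failures[rng] if now - t <= self.retry_window] + [now]
        self.failures[rng] = recent
        if len(recent) >= self.threshold:
            self.locked_until[rng] = now + self.lockout_seconds
            self.failures[rng].clear()
        return "failed"

def sample_run():
    """Three bad passwords from one address lock the /24; a neighbour is refused until the hour is up."""
    ld = LoginLockdown()
    events = [("203.0.113.10", False, 0), ("203.0.113.10", False, 10), ("203.0.113.10", False, 20),
              ("203.0.113.77", True, 30), ("203.0.113.77", True, 3620)]
    return [ld.attempt(ip, ok, t) for ip, ok, t in events]
```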
c. Use robots.txt
Ryan lists an excellent SEO-optimized robots.txt file for a WordPress blog. Simply copy the robots.txt file below, which also includes a Disallow /wp-* rule that prevents any of your WordPress files from being indexed by Google or other search engines. Note: the robots.txt file below includes exceptions that allow the Google image bot, the AdSense bot and any other bots to index the content.
# disallow all files in these WordPress directories
# disallow all files in these directories
# disallow robots from parsing individual post feeds and trackbacks
# disallow any files that are stats related
# disallow files ending with the following extensions
# disallow WayBack archiving site
# allow google image bot to search all images
# allow adsense bot on entire site
WordPress Security Tip # 4: Change default password to your WordPress blog
When you create your WordPress blog for the first time, WordPress generates a simple 6-character password made up of just numbers and letters. You not only need to change the default password, but also choose a strong one. Learn more on how you can create a strong password.
WordPress Security Tip # 5: Put a blank index.html in your WordPress Plugins Folder
If you type in yourwordpressblog.com/wp-content/plugins/, you can see a list of all your installed WordPress plugins. If someone wanted to hack your blog, they could run exploits against any out-of-date plugin on it.
To solve this problem, add a blank index.html to your WordPress plugins folder. This will show a blank page whenever someone attempts to view the list of plugins on your blog. Note that this only hides the directory listing; a plugin's files are still reachable by their known paths, so keeping plugins updated remains the real fix.
Thanks to Matt Cutts for inspiring this article. Hopefully these tips will allow for more secure and safe blogging.