WordPress security is not really off-topic for this blog. If your WordPress blog gets hacked, I promise you that the blog will be totally inaccessible to everyone, including yourself.
Without getting too technical, there are certain ‘common-sense’ things you can do to ensure that your WordPress blog is as safe as possible.
- You have to ensure that you have backups at all times. These backups should include backups of your core files as well as of your database. For details see my previous post entitled ‘Backing up your WordPress blog’.
- Ensure that you regularly change your WordPress passwords, and make sure that you use strong passwords. By this I mean a mixture of alphanumeric characters with a minimum length of 10 characters; including one or two special characters (e.g. %, $) also helps to make a password stronger.
- Ensure that you have the latest stable version of WordPress installed. When new versions are released, many say they first wait to see whether the version is really stable. That is your decision, but you will be playing with fire. My advice: download the latest version as soon as it becomes available.
- If you allow anyone to register on your blog, ensure that the default role for new users is set to no more than ‘contributor’ level. If you use multiple authors on your blog you might want to reconsider this, but never give the general public higher access than this.
- When you first install WordPress it automatically creates a user called Admin. User names, together with passwords, form an integral part of the protection on your blog. By leaving the default user name you have already given away half of your first-line security. Change this default user name to something else.
- Do not show the version number of the WordPress you have installed. Many templates love having this info in the footer. Why provide a potential hacker with any information? The installed version number is normally also included as a meta tag in the markup; you will normally find this near the top of your template’s header.php file.
- You need to ensure that the following directories in your WordPress installation have a CHMOD (file attributes) of no more than 0755:
  - root directory
  - wp-admin/
  - wp-admin/js/
  - wp-content/
  - wp-content/plugins/
  - wp-content/themes/
  - wp-includes/
- Over and above these directories, you need to ensure that the following do not have a CHMOD higher than 0644:
  - wp-admin/index.php
  - .htaccess (in the root directory in which WordPress is installed)
- I would seriously reconsider using any template and/or plugin that insists on more rights than these for any of the directories or files mentioned.
- You need to create a blank HTML file, call it index.html and place it in your wp-content/plugins/ directory. This makes it a bit more difficult to gather information about the plugins you are using.
- You need an additional .htaccess file. This one should be placed in your wp-admin/ directory. In this file you restrict access to the directory to your own IP address only. The file will have to look something like this:

```apache
# wp-admin/.htaccess: allow only the listed addresses, deny everyone else.
# Replace xx.xx.xx.xx with your own address(es); one "allow from" per address.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Your Name"
AuthType Basic
# No <Limit GET> wrapper: wrapped that way the rules would cover only GET,
# and the login form and every admin action are submitted with POST.
# (Apache 2.2 syntax; Apache 2.4 expresses the same with "Require ip".)
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xx.xx
```
- There is one drawback to this file: you will have to update it whenever your address changes, for example if your internet provider assigns you a dynamic IP address, you move to another location, or you have authors at other locations.
- Lastly, ensure that the prefix of the tables in your WordPress database is changed from the default wp_. If you are not used to making changes to databases, this is not a task I would recommend doing yourself.
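A small shell script that checks the permission ceilings from the list above (0755 for the seven directories, 0644 for the two files), added here as an example; it is not part of the original post or of WordPress. The sample tree it builds under mktemp is constructed for the demonstration; in real use you would call audit_wp_perms with the path of your WordPress root.

```shell
#!/bin/sh
# Permission audit for the directories and files named in the list above.
# Hypothetical helper written for this page; it is not part of WordPress.
# Ceilings: the listed directories at most 0755, the listed files at most 0644.
WP_DIRS=". wp-admin wp-admin/js wp-content wp-content/plugins wp-content/themes wp-includes"
WP_FILES="wp-admin/index.php .htaccess"

# Octal mode of a path (GNU stat first, BSD/macOS stat as the fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds when mode $1 sets no permission bit that ceiling $2 does not.
within_ceiling() {
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# Audit the WordPress root given as $1: print each violation; the exit status
# is the number of violations, so 0 means everything is within the ceilings.
audit_wp_perms() {
    root=$1 violations=0
    for d in $WP_DIRS; do
        m=$(mode_of "$root/$d" 2>/dev/null) || continue   # skip missing dirs
        within_ceiling "$m" 755 ||
            { echo "LOOSE dir  $d is $m (max 0755)"; violations=$((violations + 1)); }
    done
    for f in $WP_FILES; do
        [ -e "$root/$f" ] || continue   # .htaccess may legitimately be absent
        m=$(mode_of "$root/$f")
        within_ceiling "$m" 644 ||
            { echo "LOOSE file $f is $m (max 0644)"; violations=$((violations + 1)); }
    done
    return "$violations"
}

# Constructed sample tree (not a real install): everything at the recommended
# mode except two entries deliberately left world-writable.
make_sample_tree() {
    t=$(mktemp -d)
    for d in $WP_DIRS; do mkdir -p "$t/$d" && chmod 755 "$t/$d"; done
    for f in $WP_FILES; do : > "$t/$f" && chmod 644 "$t/$f"; done
    chmod 777 "$t/wp-content/plugins"
    chmod 666 "$t/.htaccess"
    echo "$t"
}

SAMPLE=$(make_sample_tree)
n=0; audit_wp_perms "$SAMPLE" || n=$?
echo "violations found: $n"; rm -rf "$SAMPLE"   # 2 for the constructed tree
```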
This list is by no means a sure-fire way of ensuring that your WordPress blog is safe. The hackers keep on finding new ways of making our lives uncomfortable. I suggest that you subscribe to a good technical blog that covers WordPress just to ensure that you are aware of any changes as they become known.
Now who was it that said blogging is easy?
Interesting article, Sailor! I back up my WP database at least once a week and also optimize it to prevent my blog being forced down again.
I also want to restrict access to some folders, but unfortunately my IP address is dynamic. Do you have any info on how to do this with dynamic IPs?
shearyadi's last blog post: The origin of world most famous sports
Dynamic IPs do leave you with a problem here. I do not know of a way of doing what you ask off-hand. If I stumble onto something somewhere I will let you know. Thanks for the Stumble, much appreciated.
Cool tip Sailor!
I use this plugin which makes a backup of my database once a week.
About the chmods... Going to check it when I get back home from work!
BioTecK's last blog post: Adobe Photoshop Shortcuts
Sailor, I’ve checked all the dirs mentioned above and they’re all OK!
About the .htaccess file: when updating WordPress you need to update your .htaccess and your permalinks, so shouldn’t it be 777??
BioTecK's last blog post: Adobe Illustrator Shortcuts
You are correct about the .htaccess. You need higher rights if you want WordPress to change your .htaccess itself when you change the permalinks. It is not a good idea to leave this file open like this. You do not change your permalinks very often. When you do and WordPress cannot write to the file, WordPress will tell you what should be in the file and you can change the file manually. If you do not want to do this, simply change the rights before you change the permalinks and then revert to the old setting when you have finished.
You’re right. I’ve changed this to 644.
By the way I have added a secret key into my wp-config file.
Quote from wordpress.org:
Released with Version 2.5, this new, optional entry, called SECRET_KEY, causes better encryption of information stored in the user’s cookies. The secret key is a unique phrase.
More info:
http://codex.wordpress.org/Editing_wp-config.php#Secret_Key_IMPORTANT
BioTecK's last blog post: Firefox’s Download Day: 17 June
You’re right again. I also added this secret key but totally forgot about it when I wrote this article. Every little bit helps. Thanks for reminding us all about this.
Nice post. I use only WordPress backup, nothing more. I need to tighten the security…
I suppose, at the end of the day, backups are the most important thing. If and when things go wrong, the backups are really all we have. Thanks for dropping in.
Hi Sailor, I just came back to read this post on WordPress security. I am going to do a post on a fellow blogger who was hacked a while back and she wants to tell her story. But after reading this article I can safely say that I’m not sure if MY OWN WordPress is as secure as it should be. I am not a techie so it seems a little, no, a lot over my head. I will be back to read more of your posts, and hope to slowly learn some tech stuff. Thanks so much…
jj-momscashblog's last blog post: Using Affiliate Ads in Your Posts
Really, really good information summed up here, Lyndi. Thanks!
Eva, it is not my post but thanks for the nice words.
Lyndi,
Thanks for the information on the .htaccess file; that does work, and as you said, if your IP address changes there are some issues.
You may want to check out some WordPress plugins which help with some security issues.
login lockdown for protection from brute force attacks:
http://www.bad-neighborhood.com/login-lockdown.html
wp security scan, which checks for security vulnerabilities and suggests corrective measures:
http://semperfiwebdesign.com/plugins/wp-security-scan/
Squeaky, sorry you were thrown into the moderation queue; it is the links you provided that caused this. Thanks for these links, I will investigate both of them.