WordPress Security
WordPress security is not really off-topic for this blog. If your WordPress blog is hacked, the least you can expect is that it becomes unusable for everyone, including yourself; defaced pages and spam or malware served to your readers are just as common.
Without getting too technical, there are certain ‘common-sense’ things you can do to ensure that your WordPress blog is as safe as possible.
- You have to ensure that you have backups at all times. These backups should include backups of your core files as well as of your database. For details see my previous post entitled ‘Backing up your WordPress blog’.
- Ensure that you regularly change your WordPress passwords, and make sure that you use strong ones. By strong I mean a mixture of upper- and lower-case letters and digits with a minimum length of 10 characters; including one or two special characters (e.g. % or $) makes a password stronger still. Never reuse the blog password anywhere else.
- Ensure that you have the latest stable version of WordPress installed. When a new version is released many people say they first wait to see whether it is really stable. That is your decision, but you are playing with fire: the release notes tell attackers exactly which holes the old version still has. My advice is to upgrade as soon as the new version becomes available, after taking the backup from the first point.
- If you allow anyone to register on your blog, you must ensure that the default role for new users is set to no more than ‘Contributor’ (WordPress’s own default, ‘Subscriber’, is safer still, since a contributor can already create drafts). If you run a multi-author blog you may want to hand out higher roles by hand, but never give the general public anything above this.
- Older versions of WordPress automatically created a user called ‘admin’ on installation (since version 3.0 the installer lets you choose the name). User names and passwords together form your first line of defence, and by keeping the default name you have handed half of it to an attacker, who now only has to guess the password. WordPress does not let you rename a user from the dashboard: create a new user with the Administrator role, log in as that user, delete ‘admin’ and, when asked, attribute its posts to the new account.
- Do not advertise the version of WordPress you have installed. Many themes love putting this information in the footer; why hand a potential attacker anything for free? The version is normally also emitted as a generator meta tag in the page markup. In older themes you will find it near the top of the theme’s header.php file; in newer ones it is added by wp_head(), and can be removed with remove_action('wp_head', 'wp_generator'); in the theme’s functions.php. Treat this as a courtesy rather than a control: the readme.html shipped in the WordPress root states the version as well, and scanners fingerprint installations in other ways, so keeping up to date (the previous point) is what actually protects you.
- You need to ensure that the following directories in your WordPress installation have permissions (set with chmod) of no more than 0755, i.e. writable by the owner only:
- root directory
- wp-admin/
- wp-admin/js/
- wp-content/
- wp-content/plugins/
- wp-content/themes/
- wp-includes/
- Over and above these directories, ensure that the following files do not have permissions higher than 0644, i.e. readable by everyone but writable only by the owner and never executable:
- wp-admin/index.php
- .htaccess (in the root directory in which WordPress is installed)
- I would seriously reconsider using any theme or plugin that insists on more rights than these for any of the directories or files mentioned; a plugin that needs a world-writable directory is asking you to let any process on the server rewrite your site.
- Create a blank file called index.html and place it in your wp-content/plugins/ directory. This stops the web server from listing the directory and makes it a little harder to see which plugins you run. Two caveats: it only helps if directory listing was on in the first place (Options -Indexes in the root .htaccess turns it off everywhere, and recent WordPress versions ship a placeholder index.php in that directory), and anyone can still probe for a specific plugin by requesting its path directly, so it is no substitute for keeping the plugins updated.
- You need an additional .htaccess file, placed in your wp-admin/ directory, that restricts access to that directory to your own IP address(es). Do not wrap the rules in a <Limit GET> section as some guides suggest: that leaves POST, HEAD and every other method open, and every form in the admin area submits by POST. Nor do you need AuthUserFile/AuthType lines; those belong to password protection, which is a separate measure. The file should look something like this, with xx.xx.xx.xx replaced by your own addresses (the first block is for Apache 2.4, the second for Apache 2.2 and for 2.4 installations that still rely on mod_access_compat):
<IfModule mod_authz_core.c>
Require ip xx.xx.xx.xx
Require ip xx.xx.xx.xx
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
Allow from xx.xx.xx.xx
Allow from xx.xx.xx.xx
</IfModule>
- There is one drawback to this file. You will have to update it whenever your internet provider assigns you a new dynamic IP address, you move to another location, or you have authors at other locations. A second one applies to newer WordPress versions: wp-admin/admin-ajax.php is called from the front end for anonymous visitors by many themes and plugins, so locking the whole directory to your IP can break those features; allow that one file for everyone with a <Files admin-ajax.php> section if you see them fail.
- Lastly, ensure that the prefix of the tables in your WordPress database is changed from the default wp_. On a fresh install you can do this before running the installer by editing $table_prefix in wp-config.php. On an existing blog the tables have to be renamed and the prefix in wp-config.php changed to match, and a few rows that embed the prefix in their keys (the user roles option and each user’s capabilities) have to be updated as well, or every account, yours included, loses its role. If you are not used to making changes to databases, this is not a task I would recommend doing yourself.
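A quick way to check and enforce the directory and file limits from the list above across the whole installation, as an added example that is not part of the original post. It assumes a Unix host whose find(1) understands -perm /mode (GNU and BSD find both do) and a web server that only needs to read the files, which is also the post’s assumption. It goes a little beyond the list by treating every file in the tree the way the post treats wp-admin/index.php and .htaccess, since nothing in a WordPress install needs to be group- or world-writable, or executable, for the server to read it. The /var/www/blog path in the usage comment is a made-up placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a WordPress tree for
# permissions looser than directories 0755 / files 0644 and optionally tightens
# them by removing bits only, never adding any.
# Assumptions: POSIX sh, a find(1) that understands -perm /mode (GNU and BSD
# find both do), and a web server that only needs to read the files, which is
# the post's assumption as well.

# Print, sorted, every path whose mode grants more than recommended:
#   directories: any group/other write bit (anything beyond rwxr-xr-x, 0755)
#   files:       any execute bit or group/other write bit (beyond rw-r--r--, 0644)
wp_perm_audit() {
    root="$1"
    {
        find "$root" -type d -perm /022
        find "$root" -type f -perm /133
    } | LC_ALL=C sort
}

# Tighten the offenders in place. Symbolic chmod only strips bits, so a 0770
# directory becomes 0750 instead of being widened to 0755. If PHP runs as a
# different user than the file owner, wp-content/uploads will be listed here
# and needs a deliberate decision (group write for the server's group), not 0777.
wp_perm_fix() {
    root="$1"
    find "$root" -type d -perm /022 -exec chmod go-w {} +
    find "$root" -type f -perm /133 -exec chmod a-x,go-w {} +
}

# Typical use, with a hypothetical document root:
#   wp_perm_audit /var/www/blog   # review the list first
#   wp_perm_fix   /var/www/blog   # then tighten, and audit again
```

Run the audit first and read the list: a directory that shows up because it is group-writable for the PHP user is a design decision, not a bug, and the fix function will strip that bit along with the genuinely dangerous ones.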
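The database side of the last item, as an added example that is not part of the original post: a small POSIX shell function that prints the SQL for a prefix change so it can be reviewed before being piped into the mysql client, with a full backup (the first item) taken beforehand. It assumes MySQL or MariaDB, the standard core table names (plugin tables have to be added to the list), and prefixes made only of letters, digits and underscores; the database name and prefix in the usage comment are made up. The part people forget is not the RENAME TABLE statements but the rows that embed the prefix in a key: the {prefix}user_roles option and each user’s {prefix}capabilities and {prefix}user_level meta, plus a few user-settings keys.

```shell
#!/bin/sh
# Added example, not code from the original post. Prints the SQL for moving a
# WordPress database from one table prefix to another, so it can be reviewed
# and then piped into the mysql client.
# Assumptions: MySQL or MariaDB, the default core table names below (plugin
# tables must be added to the list), and prefixes made of [A-Za-z0-9_] only.

WP_CORE_TABLES="commentmeta comments links options postmeta posts terms term_relationships term_taxonomy usermeta users"

# Rows that store the prefix inside a key. Rename only the tables and every
# account, yours included, is left with no role and no capabilities.
WP_PREFIXED_OPTIONS="user_roles"
WP_PREFIXED_USERMETA="capabilities user_level user-settings user-settings-time dashboard_quick_press_last_post_id"

# Usage: wp_prefix_sql OLD_PREFIX NEW_PREFIX [TABLE_LIST]
# Writes the statements to stdout; returns 1 without output on an unsafe prefix.
wp_prefix_sql() {
    old="$1"; new="$2"; tables="${3:-$WP_CORE_TABLES}"
    for p in "$old" "$new"; do
        case "$p" in
            ''|*[!A-Za-z0-9_]*)
                echo "prefix '$p' must be non-empty and [A-Za-z0-9_] only" >&2
                return 1 ;;
        esac
    done

    # 1. Rename the tables.
    for t in $tables; do
        printf 'RENAME TABLE `%s` TO `%s`;\n' "$old$t" "$new$t"
    done

    # 2. Rewrite the keys that carry the prefix, by exact name. A blanket
    #    "WHERE option_name LIKE 'wp_%'" is tempting but wrong: with the
    #    default wp_ prefix it also renames unrelated core options that merely
    #    start with wp_, such as wp_page_for_privacy_policy.
    for k in $WP_PREFIXED_OPTIONS; do
        printf "UPDATE \`%soptions\` SET option_name = '%s%s' WHERE option_name = '%s%s';\n" \
            "$new" "$new" "$k" "$old" "$k"
    done
    for k in $WP_PREFIXED_USERMETA; do
        printf "UPDATE \`%susermeta\` SET meta_key = '%s%s' WHERE meta_key = '%s%s';\n" \
            "$new" "$new" "$k" "$old" "$k"
    done

    # 3. The application side, which no SQL statement can do for you.
    printf '%s\n' "-- finally set \$table_prefix = '$new'; in wp-config.php"
}

# Typical use (hypothetical database name and prefix):
#   wp_prefix_sql wp_ blog_ > prefix.sql   # add plugin tables as a third argument
#   mysql -u root -p wordpress < prefix.sql
```

RENAME TABLE commits implicitly, so there is no transaction to roll back to; the backup is the undo. Put the site into maintenance mode, run the script’s output, change $table_prefix in wp-config.php, and only then log in to confirm your account still has the Administrator role.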
This list is by no means a sure-fire way of ensuring that your WordPress blog is safe. Attackers keep finding new ways of making our lives uncomfortable. I suggest that you subscribe to a good technical blog that covers WordPress, just to make sure you hear of new issues as they become known.
Now who was it that said blogging is easy?
Really, really good information summed up here, Lyndi. Thanks!
Eva, it is not my post, but thanks for the nice words.
Lyndi,
Thanks for the information on the .htaccess file; that does work, and, like you said, if your IP address changes there are some issues.
You may want to check out some WordPress plugins, which help with some security issues.
Login Lockdown, for protection from brute-force attacks:
http://www.bad-neighborhood.com/login-lockdown.html
WP Security Scan, which checks for security vulnerabilities and suggests corrective measures:
http://semperfiwebdesign.com/plugins/wp-security-scan/
Squeaky, sorry you were thrown into the moderation queue; it was the links you provided that caused this. Thanks for these links, I will investigate both of them.