How to Secure a WordPress Blog
Securing a WordPress Blog
Securing your WordPress blog is the most important thing that you must do after you have set it up on your server. There shouldn’t be any reason for you to leave your WordPress wide open for hackers to creep in and steal your information and/or destroy your data.
However, securing the blog itself is only the first step towards securing your web application; you should also think about server-side security.
For example: keep your operating system updated, prefer Linux/Unix over Microsoft Windows, and install hardening patches or modules such as the Suhosin patch or mod_security.
Here are a few steps for securing your WordPress blog.
1. Encrypt your login
Whenever you log in to your website, your password is sent unencrypted. If you are on a public network or a local area network (LAN), a hacker can easily 'sniff' your login credentials with a network sniffer. The best way is to encrypt your login with the Chap Secure Login plugin. This plugin adds a random hash to your password and authenticates your login with the CHAP protocol.
2. Stop brute force attack
Hackers can crack your login password using a brute force attack. To prevent that from happening, you can install the Login LockDown plugin. This plugin records the IP address and timestamp of every failed WordPress login attempt. Once a certain number of failed attempts are detected from the same IP range, it disables the login function for all requests from that range.
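The lockdown logic described above can also be written as a small must-use plugin of your own, which is useful when you want to see exactly what is being counted and blocked. The following is an added example, not code from the original post or from the Login LockDown plugin. It assumes a WordPress release that provides the transient API and the wp_login_failed, authenticate and wp_login hooks (all newer than the 2.6.2 release this post names); the threshold, window, lock duration, file name and the bfl_ prefix are my own choices.

```php
<?php
/**
 * Plugin Name: Failed-login lockout (added example)
 * Description: Records failed logins per IP address and blocks login
 *              from that address once a threshold is reached.
 * Save as wp-content/mu-plugins/failed-login-lockout.php (assumed path).
 */

// Tunable limits (assumed values; adjust for your site).
const BFL_MAX_FAILURES   = 5;     // failures allowed ...
const BFL_WINDOW_SECONDS = 900;   // ... within this many seconds (15 min)
const BFL_LOCK_SECONDS   = 3600;  // how long the address stays locked (1 h)

/**
 * Client address as seen by this server. REMOTE_ADDR is set by the web
 * server from the TCP connection, so the client cannot spoof it the way it
 * can spoof X-Forwarded-For. Behind a reverse proxy, have the proxy rewrite
 * REMOTE_ADDR instead of reading forwarded headers here.
 */
function bfl_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Keys are hashed so they stay short and contain only safe characters.
function bfl_fail_key( $ip ) { return 'bfl_fails_' . md5( $ip ); }
function bfl_lock_key( $ip ) { return 'bfl_lock_' . md5( $ip ); }

/** Record a failed attempt: keep timestamps inside the window, lock when over the limit. */
function bfl_record_failure( $username ) {
    $ip    = bfl_client_ip();
    $now   = time();
    $fails = get_transient( bfl_fail_key( $ip ) );
    if ( ! is_array( $fails ) ) {
        $fails = array();
    }
    // Drop attempts that fell outside the sliding window.
    $fails = array_values( array_filter( $fails, function ( $t ) use ( $now ) {
        return ( $now - $t ) < BFL_WINDOW_SECONDS;
    } ) );
    $fails[] = $now;
    set_transient( bfl_fail_key( $ip ), $fails, BFL_WINDOW_SECONDS );

    if ( count( $fails ) >= BFL_MAX_FAILURES ) {
        // Attempts made while locked still fire wp_login_failed, so hammering
        // the form keeps extending the lock rather than waiting it out.
        set_transient( bfl_lock_key( $ip ), $now, BFL_LOCK_SECONDS );
        // Leave an audit trail in the PHP error log for the administrator.
        error_log( sprintf( 'bfl: locked %s after %d failed logins (last user "%s")',
            $ip, count( $fails ), $username ) );
    }
}
add_action( 'wp_login_failed', 'bfl_record_failure' );

/**
 * Runs after WordPress's own password check (priority 20). Whatever that
 * check returned, a locked address gets a WP_Error, so even a correct
 * password does not get through during the lockout.
 */
function bfl_block_if_locked( $user, $username, $password ) {
    if ( false !== get_transient( bfl_lock_key( bfl_client_ip() ) ) ) {
        return new WP_Error( 'bfl_locked',
            'Too many failed login attempts from your address. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'bfl_block_if_locked', 30, 3 );

/** A successful login clears the failure counter for that address. */
function bfl_clear_failures( $user_login, $user ) {
    delete_transient( bfl_fail_key( bfl_client_ip() ) );
}
add_action( 'wp_login', 'bfl_clear_failures', 10, 2 );
```

Files in wp-content/mu-plugins/ are active without being installed. Because failures are counted per address, everyone behind one shared gateway is locked together; that is the same trade-off the plugin above makes, and it is why the lock is time-limited rather than permanent.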
3. Use a strong password
Make sure you use a strong password that is difficult for others to guess. Use a combination of digits, special characters and upper/lower-case letters to form your password. You can also use the password strength checker in WordPress 2.5 and above to check the strength of your password.
5. Remove WordPress version info
A large number of WordPress themes include the WordPress version in a meta tag. Hackers can easily get hold of this information and plan a specific attack targeting the known security vulnerabilities of that version if you have not updated to the latest version.
To remove the WordPress version info, log in to your WordPress dashboard. Go to Design->Theme Editor. On the right, click on the Header file. On the left, where you see the code, look for a line that looks like
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
Delete it and press Update File.
For more depth you can refer to one of my tutorials:
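Editing the theme's header only fixes that one theme, and a theme update puts the line back. The same result can be had from a small plugin that uses WordPress's own hooks, so it survives theme changes. This is an added example, not code from the original post; it assumes a WordPress release in which core prints the tag through the wp_generator function hooked on wp_head, offers the the_generator filter and the __return_empty_string helper, and passes asset URLs through the script_loader_src and style_loader_src filters. The hv_ function name and the file path are my own.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (added example)
 * Save as wp-content/mu-plugins/hide-version.php (assumed path), or paste
 * the body below into the active theme's functions.php.
 */

// 1. The <meta name="generator"> tag is printed by wp_generator(), which core
//    hooks onto wp_head. Unhooking it removes the tag from every theme.
remove_action( 'wp_head', 'wp_generator' );

// 2. The same version string is written into the RSS/Atom feeds through the
//    the_generator filter; returning an empty string removes it there too.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core scripts and styles are enqueued as ...?ver=<WordPress version>,
//    which repeats the version in every page source. Strip the ver argument
//    from core assets only, so plugin and theme assets keep their own
//    cache-busting parameter.
function hv_strip_core_version( $src ) {
    if ( strpos( $src, 'ver=' ) === false ) {
        return $src;
    }
    $core_paths = array( '/wp-includes/', '/wp-admin/' );
    foreach ( $core_paths as $path ) {
        if ( strpos( $src, $path ) !== false ) {
            return remove_query_arg( 'ver', $src );
        }
    }
    return $src;
}
add_filter( 'script_loader_src', 'hv_strip_core_version' );
add_filter( 'style_loader_src', 'hv_strip_core_version' );
```

Hiding the version only stops casual fingerprinting; the actual protection is keeping WordPress updated (step 7 below), and it is worth also removing or blocking the readme.html that ships in the web root, since it states the version in plain text.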
6. Hide your Plugins folder
If you go to http://yourwebsite.com/wp-content/plugins, you can see a list of the plugins you are using for your blog. You can easily hide this listing by uploading an empty index.html to the plugins directory.
Open your text editor and save a blank document as index.html (or index.php).
Using an FTP program, upload the index.html to the /wp-content/plugins folder.
You're done!
7. Upgrade to the latest version of WordPress & Plugins
This is the most important step, and you should always look out for the latest updates. The latest version of WordPress always contains bug fixes for known security vulnerabilities, so it is important to keep yourself updated at all times. The latest version is WP 2.6.2 (at the time of this post). You can download it here.
9. Do a regular security scan
Install the wp-security-scan plugin and perform a regular scan of your blog's settings for security loopholes. This plugin can also help you change your database table prefix from wp_ to a custom prefix.
10. Backup your wordpress database
No matter how secure your site is, you still want to prepare for the worst. Install the wp-database-backup plugin and schedule it to back up your database daily.
You can refer to one of my tutorials on how to back up a complete website:
11. Define user privilege
If there is more than one author on your blog, you can install the role-manager plugin to define the capabilities of each user group. This gives you, the blog owner, control over what users can and cannot do in the blog.
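The role-manager plugin is a front end for WordPress's own role and capability API, and the same least-privilege decisions can be made directly in code. The following is an added example, not code from the original post or from the role-manager plugin; it assumes a WordPress release with get_role(), add_role(), remove_cap() and the options API, and the role name, capability choices, option name and lp_ prefix are my own.

```php
<?php
/**
 * Plugin Name: Least-privilege roles (added example)
 * Save as wp-content/mu-plugins/least-privilege-roles.php (assumed path).
 *
 * Capability changes made with add_cap()/remove_cap() and add_role() are
 * written to the database, so they are applied once and the fact is
 * recorded in an option rather than being repeated on every request.
 */
function lp_apply_roles() {
    if ( get_option( 'lp_roles_applied' ) === '1' ) {
        return;
    }

    // Authors can normally upload files; on a site where only editors
    // manage media, that is one less way for a weak author account to
    // place arbitrary files under wp-content/uploads.
    $author = get_role( 'author' );
    if ( $author ) {
        $author->remove_cap( 'upload_files' );
    }

    // Editors keep full content rights but lose unfiltered_html, so the
    // raw HTML they save is run through the same filtering as other users
    // and a compromised editor account cannot publish script markup.
    $editor = get_role( 'editor' );
    if ( $editor ) {
        $editor->remove_cap( 'unfiltered_html' );
    }

    // A "reviewer" role for people who only need to read drafts in the
    // dashboard: edit_posts lets them open posts, but without publish_posts
    // or delete_posts they can neither publish nor remove anything.
    if ( null === get_role( 'reviewer' ) ) {
        add_role( 'reviewer', 'Reviewer', array(
            'read'       => true,
            'edit_posts' => true,
        ) );
    }

    update_option( 'lp_roles_applied', '1' );
}
add_action( 'init', 'lp_apply_roles' );
```

To revisit the decisions later, delete the lp_roles_applied option (or bump it to a new value and check for that) so the function runs again; removing the file alone does not undo the stored capability changes.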
12. Captcha System
A captcha system protects against automated attacks by bots. I do have a captcha in place for logins with Raz-Captcha, and for the registration process and comments you can use WP-Recaptcha. This keeps bots from spamming and from trying to crack your login.
13. Protect the wp-admin directory by IP address:
Create a file within your wp-admin directory named ".htaccess" if there isn't already one.
Append the following contents, where XXX.XXX.XXX.XXX is your public (outside) IP address. Add one "Allow from" line per address if you connect from several IPs:
Order Deny,Allow
Deny from all
Allow from XXX.XXX.XXX.XXX
14. Restrict access to wp-config file
I have seen cases on web servers where the PHP install gets broken and all PHP files become readable. This is bad because your wp-config.php file contains your database username and password.
Create a file within your WordPress root install directory named ".htaccess" if there isn't already one.
Append the following to that ".htaccess" file in the WordPress root directory (the directory that contains wp-config.php):
<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>
15. Restrict access to the wp-content and wp-includes directories:
Create a file within your wp-content and wp-includes directories named ".htaccess" if there isn't already one.
Append the following to the ".htaccess" file.
NOTE: only files with the listed extensions stay reachable, so you may have trouble with some plugins (and with uploads of other types, such as PDF or video files) with this method:
Order Allow,Deny
Deny from all
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>
Good luck!
If you have any queries or problems, please contact me for assistance.
Don't forget to give your comments about it.
Suggestions are always welcome.
Copyright and All Rights Reserved - HowToWordPress.Net