WordPress Security Tips and Hacks
We all agree that having a secure wordpress weblog should be our first priorities when keeping a successful blog. In this post we’d like you to share your knowledge and help us create the Wordpress Security guide to keep the bad guys out.
Below are 10 security tips that you can easily implement on your WordPress blog. Please share one or more life-savers you use permanently to help protect yourself from WordPress security issues.
1) Nobody should be allowed to search your entire server.
- WPdesigner advices us to NOT use this search code in the search.php
<?php echo $_SERVER ['PHP_SELF']; ?>
Nobody should be allowed to search your entire server, or? Use this one instead:
<?php bloginfo ('home'); ?>
- Block WP- folders from being indexed by search engines, the best way to block them in your robots.txt file. Add the following line to your list:
Disallow: /wp-*
2) Directories should not be left open for public browsing
There is a potential problem letting people know what plugins you have, or what versions they are. If there is some known exploit that is linked to a plugin, it could be easy enough for someone to use it to their advantage. Make an empty wp-content/plugins/index.html file or just add this line in your .htaccess file in your root:
Options All -Indexes
3) Drop the version string in your Meta Tags
A large number of WordPress themes have the WordPress Meta Tag that show the version of WordPress that is running on your blog which is an easy way to get your blog prone to hackers if you didn't upgrade to the security-enhanced file permissions on both which is pointed out by Matt Cutts. Another solution involves a plugin that sets up a secondary new version.
This tag is in the header.php file that displays your current version of wordpress.
- <meta content="WordPress <?php bloginfo('version'); ? />" name="generator" />
4) Protecting your Wordpress wp-admin folder
Attackers can use bots for a brute force style of attack that simply guesses the admin password until they come up with the correct one and login. There are a couple of solutions out there, we will highlight each below.
- Limit access to wp-admin folder by IP address- This solution is to restrict which IP’s can access the wp-admin folder via .htaccess. This has one drawback is you may have to update your .htaccess folder if your internet provider assigns you a dynamic IP address, you move to another location or you have authors at other locations.
- AskApache Password Protect- The plugin is simple, it adds a 2nd layer of security to your blog by requiring a username and password to access anything in the /wp-admin/ folder. All you have to do is choose a username and password and you are done. It writes the .htaccess file, without messing it up. It also encrypts your password and creates the .htpasswd file, as well as setting the correct security-enhanced file permissions on both.
- Login Lockdown plugin- records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.
5) Stay up to date
You need to keep your on your plugin/widget, theme, and Wordpress versions updated. Also, subscribing to the plugin/widget/theme Author's RSS feeds makes keeping up with them much easier.
6) Take regular backups of your site and Database
You always have to take regular backups of your file directories as well as the database. WordPress Database Backup plugin creates backups of your core WordPress tables as well as other tables of your choice in the same database.
7) Update your wordpress to latest version
Probably the first thing you should do! Install the Instant Upgrade Plugin or the Wordpress Automatic Upgrade Plugin. Make sure you back everything up before performing the upgrades.
8 ) Use SSH/Shell Access instead of FTP
It is one of the best tips i found here.If someone gets a hold of your FTP login information (which is usually not encrypted and easy to get), they can manipulate your files and add spam to your site without you even knowing about it! Using SSH, everything is encrypted including the transfer of files, etc.
9)Stop worrying about your wp-config.php file
Keep your database username and password Safe by adding the following to the .htaccess file at the top level of your WordPress install:
<FilesMatch ^wp-config.php$>
deny from all
</FilesMatch>
This will make it harder for your database username and password to fall into the wrong hands in the event of a server problem.
Protect Your Blog With a Solid Password
Creating a strong password that is also memorable is one of the easiest defenses against being hacked. There are a lot of online password strength checker that you could check.
Also you might check lorelle's article on blogherald called Protect Your Blog With a Solid Password, offering tips and tricks to help create a strong password that is also memorable, and how to deal with all the myriad passwords we seem to accumulate online.
Thanks for the tips! With all the hackers out there it is important to be safe. I will take some extra measures to protect my wordpress blogs.
I’m always searching for things about topics that I don’t know about. It’s tough to find things that you do not know about, because what do you search for? ;) Your blog is the type of thing I love to read about regarding something new to me. Nice share! Thanks.
Thanks for the tips. As I am using wordpress for my websites, this post is really useful for me.
Wow!!! Nice Stuff buddy…..
Recently there is a attack over WordPress Blogs by Hackers.The saddest part is exploited security Hole not yet Identified,
Dirty Attack Over Hundreds Of WordPress Blogs
http://www.techpraveen.com/2010/04/dirty-attack-over-hundreds-of-wordpress.html
Hi there, I tried to follow the steps you mentioned, and I did great with changing passwords, but I really messed up my wp_config.php and deleted a bunch of code out the header.php. I actually ended up seeking help from WPSecurity.com. They were great and fixed everything for me, but I have come to the conclusion that I’m just not meant to mess with this stuff myself. Oh my head.
Great blog!. I like it. Thanks.
I’ve been trying to get your feed? Having trouble can someone tell me how?
Llegué a tu blog y todo el contenido me pareció genial. Me la pasé leyendo un rato largo. Agregaré la dirección a mi lector de noticias. Si no estás haciendo nada interesante, date una vuelta por mi blog. Nos mantenemos en contacto!
Very useful list. Thanks for sharing.
However you can apply few more useful tips on wordpress security like not to use default administrator account.
Read more here
shoutmeloud.com/10-useful-facebook-tools-and-tips-for-bloggers.html
Very useful list. Thanks for sharing.
However you can apply few more useful tips on wordpress security like not to use default administrator account.
Read more here
shoutmeloud.com/wordpress-security-7-essential-tips.html