
Wordpress BLOG Security Tips, Hacks and Plugins

October 2, 2008 by MK  
Filed under Wordpress

BLOGS continue to be attractive targets for hackers seeking to replace your BLOG's content, promote pornographic content or plant malicious code.

Damage can be anything from a denial-of-service attack, the placement of pornographic material or spam posts, leaked personal information of your website users and deleted files, to malicious code placed on your pages.

WordPress is a very popular blogging engine, and that popularity increases the number of hackers targeting it. Good security practices can protect your BLOG (or at least decrease the chances of a compromise) from these risks.

After creating my WordPress BLOG I continued to research good BLOG hosting practices for decreasing security risks (I would say DECREASING and not STOPPING because there is really no foolproof way to stop hacking; each day hackers find new ways to compromise BLOGS).

One thing you must remember is - Protecting your BLOG is a continuing practice.

I am mentioning some of the best practices that I have followed and some that are recommended. I will start with BLOG security practices that are easy for non-technical BLOG users to follow; the list gets more technical as we move down.

1. First and most important: update your BLOG regularly to the most recent version available. Most attacks against WordPress exploit vulnerabilities that are already fixed in a newer release, and studies suggest that keeping up to date alone reduces the chances of being hacked by around 70% to 80%.

This is a very good tutorial that gives you step by step instructions on upgrading your wordpress BLOG - Upgrading WordPress

2. Change your default Administrator username from admin to something else. A lot of people I know have left their default Administrator login username as admin. As soon as you set up your BLOG, change your Administrator username to something other than admin. Keep in mind that WordPress reveals usernames through author archives (a request for /?author=1 redirects to that account's author page), so this only removes the most obvious guess; a strong password is what actually keeps the account safe.

What's a .htaccess file?
For sites hosted on Apache, the .htaccess file holds per-directory instructions for handling requests: access control, redirection, URL rewriting and how certain errors are handled. Its directives only take effect if the host's Apache configuration allows overrides for that directory (AllowOverride), so test each change after you make it.

3. Change your password periodically, and make sure it's a strong password with letters, numbers and special characters. Don't use your dog's name or anything related to you that many people might know.
4. Directories should not be left open for public browsing.
An empty index.html in a directory such as wp-content/plugins/ stops the listing for that one directory only; to switch listings off for the whole site, add this line to the .htaccess file in your root:

Options -Indexes

Apache rejects the form "Options All -Indexes" as a syntax error, because absolute options and +/- options cannot be mixed in one directive.

Why would you want to prevent directory browsing?
We all tend to leave files lying around in folders that are not linked to or publicly displayed on our sites: half-finished pages, zip files not meant for general distribution, and so on. With directory listings off, a casual visitor cannot stumble on and view or download a file you would rather they did not see. A listing of wp-content/plugins/ also tells an attacker exactly which plugins (and therefore which plugin vulnerabilities) you have installed.

5. Delete the version string in your meta tags and replace it with something generic.
Many attackers pick their attack by the version of WordPress you run, and the generator meta tag in your page source announces it to everyone. Look for this line in your theme's header.php:

<meta content="WordPress <?php bloginfo('version'); ?>" name="generator">

Replace it with anything generic, e.g.

<meta content="Any Generic Text" name="generator">

Bear in mind that this is only obscurity: the version is also visible in readme.html in your WordPress root (delete it or block access to it) and in the generator element of your RSS and Atom feeds.

In newer versions of WordPress (2.5 and 2.6) the generator meta tag was moved into the core and standardized, since so many themes did it differently; editing header.php no longer removes it. Instead, add this to your theme's functions.php:

remove_action('wp_head', 'wp_generator');

This removes the tag from the page head. The feeds get their version string from the same the_generator() function, which can be silenced through the the_generator filter, so check the feed output as well.

6. Take regular back ups of your BLOG.
There are various WordPress plugins that you can use to take or schedule backups. WP-DB-Backup is a very good plugin for taking regular, scheduled backups of your database. Keep copies off the server (the plugin can e-mail them to you), because a backup stored next to the blog is lost or tampered with along with it, and back up the files (wp-content in particular) as well as the database.
7. Check random posts on your blog for unwanted content and links.
Edit these through the Administration Panels to remove the unwanted content from the database. Examine your WordPress Theme template files, especially the header.php and footer.php for unwanted content and links.

Search your template files, stylesheets, and database for display:none and/or height:0 as these are common styles used to hide unwanted content and links. Remove them from the posts or files accordingly. You can use WP-phpMyAdmin WordPress Plugin for searching the database directly from your WordPress blog.

To check this in Firefox, go to Tools > Page Info > Links and check each link to make sure you put it there and it goes to a source you trust. Also view the page source (View > Page Source) and confirm each link is trustworthy, since a link hidden with CSS does not show up in the rendered page.
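The manual review above does not scale past a handful of pages. As an added example (not code from the original post), the script below searches theme files and a database dump for the hiding styles mentioned in item 7 and lists every host that links point to, so anything you do not recognise stands out. The sample theme, the fake wp_posts dump and the host names in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: finds the CSS hiding tricks
# described above in theme files and a database dump, and lists the hosts
# that links point to so they can be compared against the ones you trust.
# The sample theme and dump below are constructed for the demonstration.

# Styles commonly used to keep injected spam links out of visitors' sight
HIDE_STYLES='display: *none|height: *0|visibility: *hidden|text-indent: *-[0-9]'

# scan_hidden_styles DIR
# Prints file:line:text for every match.  Review the hits by hand; themes use
# display:none legitimately too (skip links, collapsed menus), so nothing is
# deleted automatically.
scan_hidden_styles() {
    find "$1" -type f \( -name '*.php' -o -name '*.css' -o -name '*.sql' \) \
        -exec grep -HniE "$HIDE_STYLES" {} +
}

# count_hidden_styles DIR -> number of suspicious lines
count_hidden_styles() {
    scan_hidden_styles "$1" | wc -l | tr -d ' '
}

# link_hosts DIR OWN_HOST
# Prints every host that an href in DIR points at, except OWN_HOST.
# Anything you do not recognise here was put there by someone else.
link_hosts() {
    find "$1" -type f \( -name '*.php' -o -name '*.sql' \) \
        -exec grep -ohiE 'href="https?://[^/"]+' {} + \
        | tr 'A-Z' 'a-z' \
        | sed 's|^href="https\{0,1\}://||' \
        | grep -vxF "$2" \
        | sort -u
}

# make_sample_site: builds a constructed theme plus a fake wp_posts dump in a
# temporary directory and prints its path
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo"
    # header.php: a legitimate display:none (skip link) and a link to the blog itself
    cat > "$d/wp-content/themes/demo/header.php" <<'EOF'
<a class="skip" style="display:none" href="#content">Skip to content</a>
<a href="http://blog.example.org/about">About</a>
EOF
    # footer.php: two injected blocks hidden with display:none and height:0
    cat > "$d/wp-content/themes/demo/footer.php" <<'EOF'
<div style="display: none"><a href="http://pills.example.net/">cheap pills</a></div>
<span style="height:0;overflow:hidden"><a href="http://casino.example.com/">casino</a></span>
EOF
    # wp_posts.sql: one dumped row whose content hides a link off-screen
    cat > "$d/wp_posts.sql" <<'EOF'
INSERT INTO wp_posts VALUES (42,'post','<p>Hello</p><p style="text-indent:-9999px"><a href="http://casino.example.com/">x</a></p>');
EOF
    echo "$d"
}

# Run "sh scan.sh demo" to see the output on the sample; on a real install,
# point the functions at the blog root and pass your own host name.
if [ "${1:-}" = "demo" ]; then
    site=$(make_sample_site)
    scan_hidden_styles "$site"
    echo "--- link hosts other than blog.example.org:"
    link_hosts "$site" blog.example.org
    rm -rf "$site"
fi
```

On the sample, the scan reports four lines (one of them the harmless skip link in header.php) and the host list contains casino.example.com and pills.example.net; the blog's own host is filtered out. Run it against a fresh database dump and your theme directory after every update, and treat any new host as suspicious until you know where it came from.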

8. Limit access to the wp-admin folder by IP address.
If you are technical and can handle a .htaccess file, you don't need a plugin for this. Create an .htaccess file in your /wp-admin/ folder (not in your WordPress root!) containing the following:

order deny,allow
deny from all
# allow my home IP address
allow from XX.XX.XXX.XXX
# allow my work IP address
allow from XX.XX.XXX.XXX

You will only be able to reach the admin panel from the IP addresses listed. This setting is not recommended if you travel a lot or your provider changes your IP address, as you will lock yourself out. Two further caveats: the login form itself lives at /wp-login.php in the root, outside wp-admin, so brute-force attempts against it are not stopped by this file (a <Files wp-login.php> block with the same deny/allow lines in the root .htaccess covers it); and /wp-admin/admin-ajax.php is used by some plugins for visitor-facing features, which will break for everyone outside the allowed addresses. On Apache 2.4 the equivalent is a Require ip directive in place of the order/deny/allow lines.

For non-technical users, you can use the following plugins –

AskApache Password Protect

Login LockDown Plugin - WordPress Security Plugin to ban ip addresses from accessing the wp-admin login if they have had 3 failed login attempts within 5 minutes.

Two very good wordpress security plugins - WP Security Scan & WPIDS (Wordpress Intruder Detection System)

9. Block the wp- folders from being indexed by search engines; the best place to do it is your robots.txt file. Add the following line to your list:

Disallow: /wp-*

I would like to add here that a Disallow line in robots.txt does not provide security. It is a request, and a malicious bot can simply ignore it. (Also note that robots.txt paths are prefix matches: Disallow: /wp- covers everything starting with wp- in every crawler, whereas the trailing * is only understood by crawlers that support wildcards.)

Any client can ignore the file: curl never reads it, and wget only honours it in recursive mode and can be told not to. So if any of your internal links lead into sensitive territory, make sure the target is password protected. The directive is still worth adding, as it keeps directory listings and admin pages out of search engine results.

10. Use SSH/Shell Access instead of FTP for accessing your BLOG files on the server.
SSH and SFTP encrypt the whole session, whereas plain FTP sends your username and password in clear text where anyone on the path can read them. There are plenty of SFTP clients available.
Another Good post on wordpress security - Hardening Wordpress

Click here to get a List of Security plugins for wordpress

11. WordPress permissions:
All folder permissions should be set to 755 and files to 644. Never use 777 for WordPress permissions: you are letting every user on the server do whatever they want with your site, and on a shared or badly configured server that means trouble. The same goes for 666 on files you want to edit in the WordPress theme editor; that makes them writable by every account on the host. If you need the editor, fix the ownership so that the web server user owns the file (644) or shares its group (664), or edit the files over SFTP instead.

Make sure that the following directories in your WordPress installation have permissions (CHMOD) of no more than 0755:
root directory
wp-admin/
wp-admin/js/
wp-content/
wp-content/plugins/
wp-content/themes/
wp-includes/
Over and above these directories you need to ensure that the following do not have a CHMOD higher than 0644:
wp-admin/index.php
.htaccess (in the root directory in which WordPress is installed)
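Setting these by hand over FTP, one directory at a time, is how 777 creeps back in. As an added example (not code from the original post), the script below applies the 755/644 scheme from item 11 to a whole tree with find, and audits it for anything world-writable, which is the one state that is never acceptable on a shared host. The sample tree it builds, with a 777 uploads directory and a 666 theme file, is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: applies the permissions the post
# recommends (755 on directories, 644 on files) to a WordPress tree and audits
# it for anything world-writable.  The sample tree is constructed here.

# harden_perms WPROOT
harden_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# audit_perms WPROOT
# Prints every path that is writable by "other" (666, 777 and friends),
# which is never acceptable on a server shared with other accounts.
audit_perms() {
    find "$1" -perm -002 -print
}

# count_world_writable WPROOT -> number of findings
count_world_writable() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# make_sample_tree: a minimal WordPress layout with the two classic mistakes,
# a 777 uploads directory and a 666 theme file; prints the directory
make_sample_tree() {
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-content/plugins" "$d/wp-content/themes/demo" \
             "$d/wp-content/uploads" "$d/wp-includes"
    printf '<?php // database credentials\n' > "$d/wp-config.php"
    printf '# rewrite rules\n' > "$d/.htaccess"
    printf '<?php\n' > "$d/wp-admin/index.php"
    printf '<?php\n' > "$d/wp-content/themes/demo/footer.php"
    chmod 777 "$d/wp-content/uploads"                 # "to make uploads work"
    chmod 666 "$d/wp-content/themes/demo/footer.php"  # "so the theme editor works"
    echo "$d"
}

# Usage on a real install (as the account that owns the files):
#   audit_perms /var/www/blog      # look first
#   harden_perms /var/www/blog     # then fix
if [ "${1:-}" = "demo" ]; then
    tree=$(make_sample_tree)
    echo "before:"; audit_perms "$tree"
    harden_perms "$tree"
    echo "after:";  audit_perms "$tree"
    rm -rf "$tree"
fi
```

If uploads stop working after this, the cause is ownership, not permissions: the web server process runs as a different user from the one that owns wp-content/uploads. Fix that with chown or chgrp on the uploads directory rather than reaching for 777.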

12. Make sure the prefix of the tables in your WordPress database is changed from the default wp_.
BlogSecurity.net has a plugin that makes changing the WordPress table prefix much easier - click here for the plugin page. If you rename the tables by hand, remember that the prefix is also stored inside the data: the option_name values in the options table (such as wp_user_roles) and the meta_key values in the usermeta table (such as wp_capabilities) must be renamed too, and $table_prefix in wp-config.php updated, or you will lose admin access.
13. Restrict access to your wp-config.php file.
wp-config.php lives in the WordPress root, so open the .htaccess file in that directory (not the one in wp-admin) and add the following code to the end:

<Files wp-config.php>
Order Deny,Allow
Deny from All
</Files>

This keeps people from reading your config file, with its database credentials, as plain text if PHP ever stops being executed on the server (a broken PHP handler would otherwise serve the raw source). Since WordPress 2.6 you can also move wp-config.php one directory above the web root, where it is never reachable by URL at all.

14. Make sure you’re using a secure contact form.
I recommend using this secure contact form plugin for your site. It will keep out the spam and make sure your form isn’t exploited.
15. Encrypt your web browsing session
You can encrypt your browsing session so that your WordPress login details travel over the net as ciphertext when you log in to your admin panel, rather than in plain text. To get started, check out this guide on Lifehacker. If your host offers SSL, WordPress 2.6 and later can also be told to require it for the admin area with the FORCE_SSL_ADMIN constant in wp-config.php.
16. Set your firewall to drop incoming connections to your web server on all ports except http (port 80) and https (port 443), plus SSH (port 22) if you follow tip 10, ideally limited to your own IP address; otherwise the rule locks you out of your own server.
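As an added example (not code from the original post), here is tip 16 written out as iptables rules on a Linux server, with the SSH port from tip 10 kept open from a single admin address so the firewall cannot cut you off. The admin address is an assumption (it comes from the TEST-NET-3 documentation range); replace it with your own. Setting IPTABLES=echo prints the commands instead of running them, which is the way to review the rule order before applying it as root.

```shell
#!/bin/sh
# Added example, not from the original post: the policy from tip 16 as
# iptables rules, with SSH (tip 10) kept reachable from one admin address so
# the firewall cannot lock you out.  ADMIN_IP is an assumption; the address
# used is from the TEST-NET-3 documentation range.  Set IPTABLES=echo to
# print the commands instead of running them.
IPTABLES=${IPTABLES:-iptables}
ADMIN_IP=${ADMIN_IP:-203.0.113.10}

apply_firewall() {
    # reset the policy to ACCEPT before flushing, so a previous DROP policy
    # does not cut the current SSH session off while the chain is empty
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    # first rule: keep existing sessions alive, including the SSH session
    # this script is being run from
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # the two services the world is allowed to reach
    $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
    # SSH only from the admin address; without this line tip 16 as written
    # removes the shell access that tip 10 relies on
    $IPTABLES -A INPUT -p tcp -s "$ADMIN_IP" --dport 22 -j ACCEPT
    # only now switch the default to DROP, after the ACCEPT rules are in place
    $IPTABLES -P INPUT DROP
}

# "sh firewall.sh apply" as root installs the rules;
# "IPTABLES=echo sh firewall.sh apply" prints them for review first.
if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

The order matters: the established/related rule goes in first and the DROP policy last, so that at no point during the run is the session you are typing in without a matching ACCEPT. The rules are not persistent across a reboot; save them with your distribution's iptables-save mechanism once you have confirmed you can still log in.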

So these were my 2 cents regarding wordpress security, if you have other effective security measures please add it to the comments for our readers.
