Establishing A Sense Of Security On Your Blog

by Steven-Sanders


Although blogging can be fun, you also run many security risks that can leave you dead in the water.  No one likes to think it can happen to them, but the truth is, it can.  It’s not a matter of if, but when, especially if your blog is vulnerable.

I’ve done a lot of research into security vulnerabilities in WordPress and have come across some shocking information, including things you have probably never heard of.  So I’ve compiled a checklist of things to do in order to minimize your chances of being hacked.

1. Upgrade WordPress

I can’t tell you how many people do not upgrade to the newest version of WordPress.  You should always upgrade, especially if it’s a security upgrade.  Not upgrading leaves your blog wide open to attack from hackers and spammers who know the security vulnerability.  The Dashboard page in your WordPress admin panel will tell you when the newest version of WordPress is released.  It may seem scary to upgrade, but it’s not that difficult once you get in there and walk through the steps.

If you have trouble understanding the WordPress upgrade instructions or you’re not very tech savvy, you can download a plugin called WordPress Automatic Upgrade, which walks you step by step through the process and does everything for you.  If you have this plugin, there is no reason you shouldn’t upgrade to the newest version.

2. Change Default Admin Account

Every hacker and spammer on the internet knows there is a default “admin” user in WordPress that has full, god-like power over your entire blog.  By leaving this user account in place you are asking for an attack.  When you log in to your WordPress control panel for the first time, you should go to the Users page, create a new user with admin privileges (named something other than admin), and delete the default admin user.  This forces hackers to guess the username as well as the password of your admin account.  If you want even more security, set up another user with posting privileges only and use that account every time you log in to WordPress to post a new blog entry.

3. Remove Version String From Header

The header file of your WordPress theme includes some code that tells everyone which version of WordPress you’re running.  The best way to decrease the exposure from this is to always upgrade, as I talked about earlier; however, if you still have reservations about upgrading, you should at least remove the version string from the header file.

To do this, log in to WordPress with your admin account, click Design and then Theme Editor.  Choose the header.php file to edit, find the piece of code that looks like this, and remove it:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

4. Know Your Plugins

There are thousands of plugins written for WordPress and new ones are being created every day.  Even though we all want to believe it, not all of them are safe.  They can contain malicious code that allows the creator to access your blog through a back door.  The absolute best way to ensure the plugin you’re using is safe is to only download and install plugins from the wordpress.org website.  The plugins listed on wordpress.org have been tested by the WordPress team, which ensures they are not maliciously written.

5. Rename Your WordPress Database Tables

Don’t get scared at this one.  If you are tech savvy, you probably already know how to do this, and if you don’t, there are plenty of step-by-step instructions available on the web.  If you aren’t as tech savvy and aren’t sure what you’re doing, your best bet is to download a plugin that steps you through the process.  One of these plugins is called WP Prefix Changer.  It’s a great plugin and very easy to use, but beware that some incorrectly written plugins may be affected, because they hard-code the specific database table name instead of using the prefix.  Having to deactivate a plugin or two to increase your blog’s security is well worth it.
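A worked version of the rename, added here as an example and not code from the post or from the WP Prefix Changer plugin: it generates the SQL for a constructed list of core tables and includes the two UPDATE statements that a plain "rename the tables" description leaves out, without which every account is locked out afterwards. The new prefix x7q_ and the table list are assumptions.

```python
import re

# Constructed list of WordPress core tables under the default prefix
# (assumption: a stock install; plugins may add tables of their own).
CORE_TABLES = [
    "wp_comments", "wp_links", "wp_options", "wp_postmeta", "wp_posts",
    "wp_term_relationships", "wp_term_taxonomy", "wp_terms",
    "wp_usermeta", "wp_users",
]

PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+_$")  # MySQL-safe and ends in '_'


def rename_prefix_sql(tables, old="wp_", new="x7q_"):
    """Return the SQL statements that move `tables` from prefix `old` to `new`.

    RENAME TABLE alone is not enough: WordPress also stores the prefix inside
    data, in the `user_roles` option and in each user's capability/level meta
    keys. Skip those two UPDATEs and every account is locked out after the
    rename. $table_prefix in wp-config.php must be set to `new` as well.
    """
    if not PREFIX_RE.match(new):
        raise ValueError("prefix must be letters, digits or '_' and end in '_'")
    stmts = []
    for table in tables:
        if not table.startswith(old):
            continue  # third-party table that never used the prefix; leave it
        stmts.append(f"RENAME TABLE `{table}` TO `{new}{table[len(old):]}`;")
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    # In LIKE, '_' is a one-character wildcard, so 'wp_%' would also match
    # keys such as 'wpxfoo'; escape it. SUBSTRING strips exactly the old
    # prefix, where REPLACE would also rewrite a later 'wp_' in the key.
    like_old = old.replace("_", r"\_")
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = "
        f"CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like_old}%';"
    )
    return stmts
```

Run the generated statements inside a transaction against a backup first; a plugin that hard-codes wp_ in its queries will fail right after the rename and is the one to deactivate.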

6. Hide Your Folder Directory

By default your WordPress plugins directory is viewable by anyone interested in looking at it, simply by typing http://www.yourdomainname.com/wp-content/plugins.  Try it right now and see what I’m talking about.  If you can’t see it, you are ahead of the game and can skip this item in your checklist, but if you can see your plugins, your blog is vulnerable to attack.  Like a lot of WordPress users, you may have also created some extra folders on your hosting account that may be viewable as well, and these can be fixed in the same way as your plugins folder.

There are two methods to use:

  • Add a blank “index.html” file to every folder that doesn’t have one.
  • Add this line to the “.htaccess” file in the root directory of your blog: Options All -Indexes

The second choice is the best method, because it blocks directory listings for all folders at once, as opposed to finding each folder manually and creating a new file in it.  You may end up missing important folders with the first method.  If you’re not sure how to edit your .htaccess file, you can find a lot of step-by-step instructions by googling “.htaccess”.

7. Block WP Folders From Search Engines

By default search engines index everything from the root directory of your website down to the smallest file.  There are a lot of files and directories in your WordPress install that you don’t want the search engines indexing.  If anyone found those particular folders and files in Google, you could have the same problems as the aforementioned vulnerability.  The only way to keep search engines from indexing particular files you don’t want them to see (besides not allowing your entire blog to be indexed, which is not recommended) is to create a “robots.txt” file.

When a search engine bot comes to your website, the first thing it looks for is your robots.txt file.  This tells it what it can’t do, like a rule book.  If you want to know all the features of the “robots.txt” file, you can google it and find millions of links to helpful websites.  In order to keep Google from indexing your wp-admin, wp-content, wp-includes, and other wp folders, simply add the following line to your robots.txt file:

Disallow: /wp-*
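As an added example (not from the post), a robots.txt builder and checker in Python, showing that a Disallow line only counts inside a User-agent group and that the “*” wildcard is a Google extension which strict prefix matchers treat as a literal, so plain prefix rules belong alongside it. Since robots.txt is advisory and itself public, it keeps polite crawlers out but is no access control, which is why the directory-listing fix in item 6 still matters. The paths in WP_PATHS are assumptions.

```python
import re

# Assumed list of WordPress paths to keep out of search results (constructed).
WP_PATHS = ["/wp-admin/", "/wp-includes/", "/wp-content/", "/wp-login.php"]


def build_robots(paths=WP_PATHS, wildcard=True):
    """Return a robots.txt body. Every Disallow must sit under a User-agent
    line; a bare Disallow at the top of the file belongs to no group and is
    ignored by crawlers."""
    lines = ["User-agent: *"]
    if wildcard:
        lines.append("Disallow: /wp-*")  # Google-style wildcard rule
    lines.extend(f"Disallow: {p}" for p in paths)  # plain prefixes: universal
    return "\n".join(lines) + "\n"


def _rule_matches(rule, path, wildcards):
    if wildcards:  # '*' matches any run of characters, anchored at the start
        pattern = ".*".join(re.escape(part) for part in rule.split("*"))
        return re.match(pattern, path) is not None
    return path.startswith(rule)  # original standard: rule is a literal prefix


def is_blocked(robots_txt, path, agent="*", wildcards=True):
    """True if `path` is disallowed for `agent`.

    wildcards=True mimics crawlers that honour '*' inside rule paths (Google);
    wildcards=False mimics the original standard, under which '/wp-*' is the
    literal string '/wp-*' and matches nothing useful.
    One User-agent line per group is assumed, to keep the parser short.
    """
    in_group = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            in_group = value == "*" or value.lower() == agent.lower()
        elif field == "disallow" and in_group and value:
            if _rule_matches(value, path, wildcards):
                return True
    return False
```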

These are simply the basic and most important things you can do to increase security and minimize your chances of being successfully hacked.  There are a lot more suggestions all over the internet; all you have to do is look.  If you’re interested, there is a plugin called WP Security Scan, which scans your blog for vulnerabilities and lets you know what you need to fix.  There is also a plugin called Login Lock, which locks a particular username for a specified amount of time (default 1 hour) if too many unsuccessful attempts were made at entering the correct password.

Do you know of any more tips for increasing wordpress security?


20 Comments
  • mike (dropthemike.com), September 22, 2008

    Wow, that was a great and informative post!

    Mike
    Dropthemike.com


  • Dusty (tek-media.net), September 22, 2008

    Great information my friend. Thanks for sharing.


  • BloggerNewbie (bloggernewbie.com), September 23, 2008

    Every time I think I’m somewhat techy I read something like this. The plugin for upgrade is wonderful!

  • BloggerNewbie (bloggernewbie.com), September 23, 2008

    I lost my feature to post at a future date with the last upgrade. I can’t get an answer anywhere; tried forums, Google, other WordPress websites... no answers, actually no responses! I don’t think it’s a bug in the upgrade, but that’s when it stopped working. The post goes into never-never land if I set the date to a future time. Any idea where I would begin to look?

  • Steven-Sanders, September 23, 2008

    @BloggerNewbie: Let me look into it. To tell you the truth, I never use the future date option. I just save my drafts, and post them when the date comes.

  • WD Favour (wdfavour.successacademyonline.org), September 23, 2008

    This post leaves me speechless. Thanks Steve for the work. I’m actually fixing my site as I type this comment! It’s amazing how much we take for granted. Please keep up the good work.

  • WD Favour (wdfavour.successacademyonline.org), September 23, 2008

    Well, Steve, I just had to get back to you…lol. When I tried out http://myblogdomain/wp- bla bla bla, and I saw the files, I almost freaked out!!!
    Well, I uploaded the .htaccess inserting the code line you suggested and, oh, what a relief, the page is now forbidden... THANKS MAN!!
    Now let me run along and get in all the security suggestions you made here as well as get a few more plugins

  • Ecko (studentcyclist.org), September 23, 2008

    Again, a discussion for WP users only. :D
    I’m a Blogger user, so just want to say hi and you write a great post. Thanks.

  • 100kjob (100kjob.info), September 25, 2008

    Great information Steven! By the way, I like your new logo, that’s a win over JohnChow already :)


  • Webdesi3 (wds.webdesignservers.com), September 29, 2008

    Hey Steve, thanks for doing all this hard work! I’m going to have to update my site now... Thanks :) Sorry about getting around to you late, I’m only after figuring out the “You have pages waiting for you” feature on the StumbleUpon toolbar... I should have been blond!


  • dfsdf, December 31, 2008

    hello

  • andre (myonlineincomestrategies.com), January 2, 2009

    Thanks for creating this post, it was very helpful to me.
