Essential WordPress Security Tips – Is Your Blog Protected?
Categories: Blog Setup, Featured
I have been revisiting the various security settings of my WordPress blog after the sudden database table corruption of this blog for unknown reason last week. In this post I have highlighted some of the security tips that can help protect your blog from possible outside attacks.
Use Strong Passwords for all Entry Points
I was surprised to find out how many of my friends use the WordPress admin password generated by WordPress during install time and thinks that their blog is protected from attacks as they are using a strong password! The WordPress admin password generated during install time is normally pretty strong (consists lowercase and uppercase letters with numbers and symbols) so there is nothing wrong with that. I was mainly shocked to find out that their ftp/cPanel password for that domain is not that strong. It gets even better… one of them were using his partners name as the password (Did I mention that his partner’s name was mentioned on his blog’s ‘About’ page?)! The ftp/cPanel password for your domain is equally important. If someone can access your cPanel then that person can delete your WordPress database from the cPanel->Databases->MySQL Databases. Anyway, the bottom line is to use strong passwords for all entry points not just one.
Protect the ‘wp-admin’ Directory
Use a .htaccess file in the ‘wp-admin’ directory to limit access to only certain IP addresses (your home, work etc). The WordPress htaccess tips post has more htaccess related tips and tricks. Below is an example .htaccess file that can be used for this purpose (replace ‘x’ and ‘y’ with your IP address)
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from xxx.xxx.xxx.xxx
# whitelist work IP address
allow from yy.yyy.yyy.yyy
If you don’t have static IP addresses then the above method can be a bit hard to implement. In that case I would recommend the use of AskApache Password Protect WordPress plugin. The ‘AskApache Password Protect’ plugin adds some serious password protection to your WordPress Blog. Not only does it protect your ‘wp-admin’ directory, but also your wp-includes, wp-content, plugins, etc. Use the Login Lockdown Plugin to protect your blog against brute force attack (a brute force attack is a method of defeating a cryptographic scheme by systematically trying a large number of possibilities)
Deny access to your Plugins and other directories
A lot of bloggers don’t protect access to their WordPress plugins directory. What I mean by this is that if you go to the www.your-domain.com/wp-content/plugins/ from a browser it shows all the plugins that you are using. Many wordpress plugins can have vulnerabilities which the attacker can use to harm your blog. So, its a good idea to block access to these directories. You can use a .htaccess file or just upload a blank ‘index.html’ file to that directory to block access to these directories. (download a blank index.html)
Update Wordpress to the Latest Release
As new WrodPress versions are released the security bugs for previous release becomes public information. WordPress could have vulnerabilities as a result of how the program is written that allow an attacker to pass HTTP arguments, bad URI strings, form input, etc, that could cause Bad Things to happen. So always upate your WordPress to the latest version to make sure that you are protected against any known security bugs.
Don’t Show Wordpress Version on Your Blog
You should not make the WordPress version that you are using visible to others for the same reason explained above. The specific WordPress version that you are using can give the attacker an upper hand in finding a way to break in.
Backup Your Data
I can’t stress this enough… always keep backups of all the important files. I always backup my WordPress Database and WordPress files in case of emergency. Read my ‘What would you do if you lost all your blog’s content‘ article to find out how backups can help you sleep better at night 
I am not the ultimate blog security expert so feel free to share your thoughts or add to this post in the comment area below.
#1 by RaiulBaztepo on March 28, 2009 - 7:57 pm
Hello!
Very Interesting post! Thank you for such interesting resource!
PS: Sorry for my bad english, I’v just started to learn this language
See you!
Your, Raiul Baztepo
#2 by admin on March 28, 2009 - 8:14 pm
Hi RaiulBaztepo, You are most welcome. Who said your English is bad?
#3 by yoso tattoo on July 23, 2009 - 7:21 am
yeah your english is good
more security tips please
yoso tattoo´s last blog ..japanese murder, New Style Japanese Tattoo By Gakkin, Kyoto, Japan.
#4 by Madeglobal on September 14, 2009 - 11:59 am
You could also try the “better-protected-pages” plugin available from http://www.wordpress.org/extend which allows your users to “re-lock” a password protected page when they have finished reading it. We found this to be a major problem on public computers because the password protected page remains “unlocked” even when you log out or close the browser … the plugin fixed this issue.
Madeglobal´s last blog ..Better protected pages now V1.1
#5 by Security Chicago on November 3, 2009 - 3:18 pm
Nowhere did I see FTP as a concern. I think it should be, as the security is pretty basic and not as good as SSH.
#6 by PC Security on November 28, 2009 - 12:28 am
Hi,
Nice compilation.
I must vote for lOgin LockDown. It is a great plugin and an essential fo ryour wordpress security.
PC Security´s last blog ..Avoid Ads, Clutter when Printing Webpages in Internet Explorer (IE)
#7 by social bookmarking site on December 28, 2009 - 3:02 pm
Ya nice tips. We should back up our data because hackers can do anything at any time. So backup your data to protect the data base.
social bookmarking site´s last blog ..Bollywood Videos