Essential WordPress Security Tips – Is Your Blog Protected?
Categories: Blog Setup, Featured
I have been revisiting the various security settings of my WordPress blog after the sudden database table corruption of this blog last week, for a reason that is still unknown. In this post I have highlighted some of the security tips that can help protect your blog from outside attacks.

Use Strong Passwords for all Entry Points
I was surprised to find out how many of my friends use the WordPress admin password generated by WordPress during installation and think that their blog is protected from attacks because they are using a strong password! The admin password generated at install time is normally pretty strong (it consists of lowercase and uppercase letters with numbers and symbols), so there is nothing wrong with that. What shocked me was that their FTP/cPanel password for the same domain was nowhere near as strong. It gets even better... one of them was using his partner's name as the password (did I mention that his partner's name was mentioned on his blog's 'About' page?)! The FTP/cPanel password for your domain is at least as important as the WordPress one: anyone who can log in to cPanel can delete your WordPress database from cPanel->Databases->MySQL Databases, read the database credentials in wp-config.php through the file manager, and replace any file on the site. Anyway, the bottom line is to use strong, unique passwords for all entry points, not just one.
Protect the ‘wp-admin’ Directory
Use a .htaccess file in the 'wp-admin' directory to limit access to only certain IP addresses (your home, work etc). The WordPress htaccess tips post has more htaccess related tips and tricks. Below is an example .htaccess file, in Apache 2.2 syntax, that can be used for this purpose (replace the x's and y's with your actual IP addresses):
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from xxx.xxx.xxx.xxx
# whitelist work IP address
allow from yy.yyy.yyy.yyy
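The file above uses the Apache 2.2 access directives. Apache 2.4 replaced Order/Deny/Allow with Require, and unless the host loads mod_access_compat an unknown directive in .htaccess produces a 500 error for the whole directory. The script below is an added example (not from the original post) that writes a wp-admin/.htaccess carrying both forms, validates each address first so a typo cannot lock you out or open the directory up, and leaves admin-ajax.php reachable from any address, because themes and plugins call that file from the public side of the site for every visitor. The directory and the addresses on the command line are placeholders.

```shell
#!/bin/sh
# Added example: writes wp-admin/.htaccess restricting the directory to the
# given IPv4 addresses or CIDR ranges, in Apache 2.4 (Require) syntax with an
# Apache 2.2 (Order/Deny/Allow) fallback. admin-ajax.php stays reachable for
# everyone because front-end themes and plugins call it from the public site.
# The directory and addresses are passed on the command line (placeholders).

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4() {
    addr=$1
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    host=${addr%%/*}
    old_ifs=$IFS
    IFS=.
    set -- $host            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: write_wpadmin_htaccess /path/to/wp-admin 203.0.113.5 198.51.100.0/24 ...
# Prints the path of the file it wrote. Refuses to write anything if an
# address is malformed, so a typo cannot silently lock out or open up the site.
write_wpadmin_htaccess() {
    dir=$1
    shift
    [ "$#" -ge 1 ] || { echo "usage: write_wpadmin_htaccess WP_ADMIN_DIR IP [IP...]" >&2; return 2; }
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for a in "$@"; do
        valid_ipv4 "$a" || { echo "invalid IPv4 address or CIDR range: $a" >&2; return 1; }
    done
    out=$dir/.htaccess
    {
        echo "# Generated: only the listed addresses may reach wp-admin."
        echo "<IfModule mod_authz_core.c>"
        echo "    # Apache 2.4: several Require lines at one level are OR'ed together"
        for a in "$@"; do echo "    Require ip $a"; done
        echo "    <Files admin-ajax.php>"
        echo "        Require all granted"
        echo "    </Files>"
        echo "</IfModule>"
        echo "<IfModule !mod_authz_core.c>"
        echo "    # Apache 2.2"
        echo "    Order deny,allow"
        echo "    Deny from all"
        for a in "$@"; do echo "    Allow from $a"; done
        echo "    <Files admin-ajax.php>"
        echo "        Order allow,deny"
        echo "        Allow from all"
        echo "    </Files>"
        echo "</IfModule>"
    } > "$out"
    echo "$out"
}

# Run as a script: sh wpadmin-htaccess.sh /var/www/html/wp-admin 203.0.113.5
if [ "$#" -gt 0 ]; then
    write_wpadmin_htaccess "$@"
fi
```

After uploading the generated file, test it from a connection outside the list (a phone on mobile data will do): wp-admin should answer 403 while the public pages and admin-ajax.php still load. If your address changes you will have to edit the file over FTP before you can log in again, which is the price of this approach.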
If you don't have a static IP address then the above method can be a bit hard to implement (every time your address changes you have to edit the file over FTP before you can log in). In that case I would recommend the AskApache Password Protect WordPress plugin. The 'AskApache Password Protect' plugin adds some serious password protection to your WordPress blog: not only does it protect your 'wp-admin' directory, but also your wp-includes, wp-content, plugins, etc. Keep in mind that the login form itself, wp-login.php, sits in the site root and not in wp-admin, so the wp-admin restriction above does not stop someone from guessing passwords against it. Use the Login Lockdown plugin to protect your blog against brute force attacks (an attacker systematically trying large numbers of username and password combinations against the login form until one works; the plugin blocks further attempts from an address after repeated failures).
Deny access to your Plugins and other directories
A lot of bloggers don't restrict access to their WordPress plugins directory. What I mean by this is that if you open www.your-domain.com/wp-content/plugins/ in a browser it lists every plugin you are using (and each plugin's readme.txt gives away its version), which is exactly the reconnaissance an attacker needs, because many WordPress plugins have had vulnerabilities that can be used to harm your blog. So it's a good idea to block directory listings. You can do this with an Options -Indexes line in a .htaccess file, or just upload a blank 'index.html' file to each directory so the web server serves that instead of the listing. (download a blank index.html) Keep in mind that either approach only hides the listing: a plugin's files can still be requested directly by anyone who guesses the path, so it is no substitute for keeping plugins updated.
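An added example (not from the original post) that does both things at once for a whole wp-content tree: it appends Options -Indexes to wp-content/.htaccess, which tells Apache not to auto-generate listings (the host must permit AllowOverride Options for this path; a 500 error appearing afterwards means it does not, and the blank index files alone then have to do the job), and it drops the same placeholder index.php that WordPress ships in its own directories into every directory that has no index file. The path on the command line is a placeholder.

```shell
#!/bin/sh
# Added example: stops Apache from listing directory contents under wp-content.
# disable_directory_listing appends "Options -Indexes" to wp-content/.htaccess
# (once; it keeps whatever rules are already there), and add_blank_index_files
# drops the placeholder index.php WordPress ships in its own directories into
# every directory lacking one. The path comes from the command line (placeholder).

# Append "Options -Indexes" to $1/.htaccess unless it already turns indexes off.
disable_directory_listing() {
    ht=$1/.htaccess
    if [ -f "$ht" ] && grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$ht"; then
        return 0
    fi
    printf '\n# Do not auto-generate directory listings (needs AllowOverride Options)\nOptions -Indexes\n' >> "$ht"
}

# For every directory below $1 without index.php or index.html, create a blank
# index.php. Prints each file created, so the caller can see (or count) them.
add_blank_index_files() {
    find "$1" -type d | while IFS= read -r d; do
        if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
            printf '<?php\n// Silence is golden.\n' > "$d/index.php"
            printf '%s\n' "$d/index.php"
        fi
    done
}

# Usage: sh harden-wp-content.sh /var/www/html/wp-content
if [ "$#" -eq 1 ]; then
    disable_directory_listing "$1"
    add_blank_index_files "$1"
fi
```

Run it again after installing a new plugin; it only touches directories that still lack an index file. Check the result by requesting /wp-content/plugins/ and /wp-content/uploads/ in a browser: both should now return an empty page or 403 instead of a file list.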
Update WordPress to the Latest Release
As new WordPress versions are released, the security bugs fixed since the previous release become public information (the changelog and the differences between the two releases tell an attacker exactly what to try against sites that have not updated). WordPress, like any web application, can have vulnerabilities in how it handles HTTP arguments, bad URI strings, form input, etc., that let an attacker make Bad Things happen. So always update your WordPress to the latest version to make sure that you are protected against known security bugs, and do the same for your plugins and themes.
Don’t Show WordPress Version on Your Blog
You should not make the WordPress version you are using visible to others, for the same reason explained above: the specific version tells an attacker which known bugs to try. By default WordPress prints the version in a generator meta tag in every page's head and in your RSS feed, and the readme.html file in the install root states it as well, so remove the generator tag through your theme and block access to readme.html. Hiding the version is not a fix on its own, though; an attacker can simply try the known exploits anyway, so keep updating regardless.
Backup Your Data
I can't stress this enough... always keep backups of all the important files. I always back up my WordPress database and WordPress files in case of emergency. Keep a copy somewhere other than the web server itself, since a compromised or corrupted server can take the backups down with it, and test restoring from a backup occasionally; a backup you have never restored is only a hope. Read my 'What would you do if you lost all your blog's content' article to find out how backups can help you sleep better at night.
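An added example (not the post's own script) of a backup that includes a verification step, written to run from cron on the server. The database name, web root, backup directory and retention period are command-line arguments (placeholders); MySQL credentials are read by mysqldump from ~/.my.cnf rather than passed on the command line, because on a shared host the process list, and so any password in it, is visible to other users.

```shell
#!/bin/sh
# Added example: back up a WordPress database and file tree with a verification
# step, then prune old copies. Meant to run from cron on the server. The
# database name, web root and backup directory are arguments (placeholders);
# MySQL credentials are read by mysqldump from ~/.my.cnf, not the command line,
# because on a shared host the process list is visible to other users.

# Dump database $1 into $2/db-<timestamp>.sql.gz and print the file name.
# A pipeline only reports gzip's exit status, so the dump is checked by
# looking for table definitions in it rather than trusting $?.
backup_db() {
    out=$2/db-$(date +%Y%m%d-%H%M%S).sql.gz
    # --single-transaction: consistent snapshot of InnoDB tables without locking the blog
    mysqldump --single-transaction --routines "$1" | gzip -9 > "$out"
    gzip -dc "$out" | grep -q 'CREATE TABLE' || { echo "empty or failed dump: $out" >&2; rm -f "$out"; return 1; }
    echo "$out"
}

# Archive the WordPress tree $1 into $2/files-<timestamp>.tar.gz, verify that
# the archive reads back, and print the file name.
backup_files() {
    out=$2/files-$(date +%Y%m%d-%H%M%S).tar.gz
    tar -czf "$out" -C "$(dirname "$1")" "$(basename "$1")" || return 1
    tar -tzf "$out" > /dev/null || { echo "archive failed verification: $out" >&2; rm -f "$out"; return 1; }
    echo "$out"
}

# Delete backups in $1 older than $2 days, printing what was removed.
prune_backups() {
    find "$1" -maxdepth 1 -type f \( -name 'db-*.sql.gz' -o -name 'files-*.tar.gz' \) \
        -mtime +"$2" -print -exec rm -f {} \;
}

# Usage (e.g. nightly from cron): sh wp-backup.sh wp_blog /var/www/html /home/me/backups 14
# Copy the backup directory off the server afterwards (scp, rsync); a backup
# that only lives on the compromised machine goes down with it.
if [ "$#" -eq 4 ]; then
    backup_db "$1" "$3" && backup_files "$2" "$3" && prune_backups "$3" "$4"
fi
```

The archive contains wp-config.php, which holds your database password, so the backup directory needs the same protection as the site itself: keep it outside the web root and readable only by your account.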
Be Careful When You Upload Something to Your Site
When you upload a script (for example a plugin, a theme or just a normal script) to your site you need to be extra careful, as it runs with the same access as WordPress itself and can harm your site if it was designed to do so. Only upload content obtained from the original author or from wordpress.org. Never download a plugin or a theme from warez, torrent or file-sharing sites: the content on these sites can be disguised as a plugin or a theme, typically with an obfuscated backdoor tucked into one of its PHP files, and it will harm your site once uploaded to your server. You can read more on these types of attack in the free premium plugin and theme downloaders beware article.
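Two checks you can run on an unpacked download before it goes anywhere near the server, as an added example (not from the original post): a grep over the PHP files for the constructs backdoored copies usually rely on (eval or assert of base64-decoded or decompressed strings, shell execution, the old preg_replace /e modifier that was removed in PHP 7, and calling whatever arrives in a request parameter), and a file-by-file diff against the same version fetched from wordpress.org, which catches an added file even when it is written cleanly enough to pass the grep. The directories are placeholders and the patterns are a heuristic: read every hit rather than trusting the count.

```shell
#!/bin/sh
# Added example: two checks to run on an unpacked plugin or theme before it
# goes anywhere near the server. scan_for_backdoors greps the PHP files for
# the idioms backdoored "nulled" copies usually rely on; diff_against_official
# compares the download with the same version unpacked from wordpress.org.
# Directories are arguments (placeholders); the patterns are a heuristic.

# Constructs typical of injected backdoors: eval/assert of decoded or
# decompressed strings, shell execution, the old preg_replace /e modifier
# (evaluates the replacement), and calling whatever arrives in a request parameter.
SUSPICIOUS="(^|[^a-zA-Z0-9_])(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|system|shell_exec|passthru|popen|proc_open)[[:space:]]*\\(|preg_replace[[:space:]]*\\(.*/e['\"]|\\\$_(GET|POST|REQUEST|COOKIE)\\[[^]]*\\][[:space:]]*\\("

# Print file:line:text for each hit under $1 (lines trimmed to 160 chars, since
# injected code is often one very long line). Returns 1 if anything was found.
scan_for_backdoors() {
    hits=$(find "$1" -type f \( -name '*.php' -o -name '*.inc' \) -exec grep -EHn "$SUSPICIOUS" {} + | cut -c1-160)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Print files that differ between the official tree $1 and the download $2, and
# files that exist only in the download. Extra or changed files are where to look.
diff_against_official() {
    diff -rq "$1" "$2" | while IFS= read -r line; do
        case $line in
            "Files "*" differ"|"Only in $2"*) printf '%s\n' "$line" ;;
        esac
    done
}

# Usage: sh check-download.sh ./twentyten-official ./twentyten-download
if [ "$#" -eq 2 ]; then
    echo "== suspicious constructs in $2 =="
    scan_for_backdoors "$2"
    echo "== changed or extra files relative to $1 =="
    diff_against_official "$1" "$2"
fi
```

Legitimate plugins do sometimes call base64_decode, so a single hit is a reason to open the file, not proof of anything; an extra file that the official package does not have, especially one named to look like part of WordPress, is a much stronger signal.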
I am not the ultimate blog security expert so feel free to share your thoughts or add to this post in the comment area below.
#1 by Linda on December 18, 2011 - 12:01 am
These tips aren't just applicable to WordPress; a lot of them can apply to Joomla or other CMS platforms.
#2 by Rockabilly Clothing Australia on November 20, 2011 - 1:14 am
Excellent tips mate,
I always found it hard to administrate my wordpress site
so your tips are a godsend
#3 by admin on October 4, 2011 - 7:19 pm
Go with WordPress
#4 by New Look Discount Code on October 4, 2011 - 3:40 pm
Is WordPress the best software to use for blogging? I'm looking to add a blog to my website but am not sure which type of blog software I should go for. Any tips?
#5 by USANA on September 22, 2011 - 7:37 am
The problem with some of my .htaccess file contents disappearing occurred when updating permalinks. It appears that was because my custom entries were inserted between the # BEGIN WordPress and # END WordPress comments. Moving my entries outside the WordPress BEGIN/END block solved my problem.
#6 by USANA on September 17, 2011 - 9:46 am
I recommend you check the contents of your .htaccess file. Mine seems to lose some of its contents (e.g. Options All -Indexes and ...deny from all) on occasion. I think it's either when I turn on/off directory level password protection or possibly update permalinks.
#7 by Vintage Clothing Australia on September 9, 2011 - 12:05 am
Thank you for these WordPress tips. A strong password is a good start, and then learn to use the htaccess file to secure your website. It's a jungle out there!!!
#8 by kevin on August 29, 2011 - 3:59 pm
Ha! I wish I’d read this last week. thanks for the tips
#9 by Zumba High Wycombe on August 3, 2011 - 6:44 am
I'm just looking into setting up a WordPress site, so thanks very much for the great information. Bookmarking this now to keep returning back as I configure mine.
Thanks
#10 by alternative therapies edinburgh on July 8, 2011 - 6:19 am
Some very useful tips here. WordPress is susceptible to security issues and it’s so important to protect your site and make sure you always have the latest updates installed, including your plugin updates.
#11 by Arsenal blog on July 6, 2011 - 10:14 am
I have started my blog and have been looking for tips….wordpress or blogger?
#12 by admin on May 23, 2011 - 8:40 pm
If you are on a shared server then it is hard for you to do anything on your end if the server gets hacked (if the root account gets hacked then there is nothing you can do). Just make sure to take regular backups so you can restore from a known point.
#13 by Brand on May 23, 2011 - 10:31 am
Great tips, although is there any way to protect WordPress from other websites on a shared server getting attacked (i.e. to limit potential damage)?
#14 by web design on March 30, 2011 - 8:55 am
Nicest technique I have ever seen.
#15 by SEO on March 21, 2011 - 1:02 am
Whoa, very cool WordPress security tips... thank you for sharing.
#16 by Mailing Fulfilment Services on March 15, 2011 - 11:06 am
I stick to a policy of using 6 letters and 6 numbers. This is the case for all of my passwords, not just my wordpress and blogspot ones.
#17 by Allen Resha on February 15, 2011 - 6:03 am
I have had my blogs hacked a few times. It is not fun to have to fix it. Since this has happened I have taken measures to keep it from happening again. This article adds insight and has given me some new ways to ensure that I don’t get HACKED again!
#18 by bird cage cover on February 1, 2011 - 8:36 am
I've been searching for some decent stuff on the subject and haven't had any luck up until this point. You just got a new biggest fan!
#19 by Kirk on January 18, 2011 - 3:51 pm
Many thanks, I at least can walk away knowing I'm a bit more secure without calling security LOL..
#20 by robin on January 11, 2011 - 12:18 am
Wow great article very interesting
#21 by รับทำเว็บไซต์ on January 2, 2011 - 11:07 am
OMG Useful tips
Thank you
#22 by John Gamings on January 2, 2011 - 4:50 am
Wow this is incredibly helpful. I’m fortunate enough to never have had any security troubles but I know a guy who got his blog hacked into and it cost him thousands. Thanks so much for this article
#23 by Robin on December 3, 2010 - 9:43 am
Useful tips.
Thanks a lot.
#24 by admin on November 22, 2010 - 9:07 pm
Use the “Akismet” plugin.
#25 by Handmade Knitwear on November 22, 2010 - 8:12 am
I know this post is predominately about preventing your blog from being hacked; however, how do you prevent the endless amount of spam comments that a blog receives? Admittedly I turn comment moderation on so I can delete them before they are added to the blog, but it is laborious to keep deleting spam comments. Is there somewhere within the settings of WordPress, or indeed a plugin I could use, to stop these comments?
#26 by Making a Will on November 19, 2010 - 5:22 am
I have two WordPress blogs and both seem to be constantly attacked. I now use 18-character passwords for both.
#27 by Freedom iq on November 10, 2010 - 5:46 pm
It looks like that picture is covering a solid paragraph of your post. As for people hacking into wordpress accounts, wow. I’ve never been that unlucky, or known anyone that unlucky. I have to give it up to the hackers that have though.
#28 by Marketing Digital BH on September 18, 2010 - 8:52 am
For contact forms, pay special attention to comment spam. Using contact forms with a captcha code is the best choice.
#29 by Chloe @ Cheap dog clothes on September 14, 2010 - 2:33 pm
Very useful tips, especially the .htaccess part. Thanks a lot!
#30 by Ferrowtech on September 6, 2010 - 1:31 pm
Very good point! Thanks for the tip
Cheers
#31 by new homes on August 30, 2010 - 7:20 am
It saves time when you are using the right application, and I think you never go wrong with WordPress.
#32 by Edinburgh Airport Parking on August 16, 2010 - 9:05 pm
Yes, I always use strong passwords for all important sites. As with commercial ones, all passwords include letters and numbers. They are random, but all are using almost the same combination.
#33 by Security Products on July 14, 2010 - 4:55 pm
I have started a wordpress security products site and this post has probably saved me a lot of headaches. I was worried if my site was hacker safe or not. Now I’m not so worried. Thanks again.
#34 by iluminação on June 15, 2010 - 7:48 am
I recently made a WordPress-based hotsite for my company. After reading this post I decided to add all the protections listed above.
#35 by decoupage on June 15, 2010 - 7:44 am
Recently I've received a lot of spam through the contact form. I'll try adding the suggested protections. Thanks for the tips.
#36 by Ningbo Airport on May 18, 2010 - 9:03 am
THANK YOU for your great and useful article!
I would also suggest renaming the famous "admin" default username to something totally different.
To rename the admin or any other username you can try WP Optimize (http://wordpress.org/extend/plugins/wp-optimize/) , it does the job in 1 second…
Thanks again for sharing!
Paul
#37 by iolo on March 17, 2010 - 3:20 pm
Hi,
Thumbs up tips!
I'm wondering if there is any way that may help change or just rename the wp-admin URL to something else!
For example, instead of wp-admin/profile.php I suppose it should be http://www.SiteName.com/UserName/profile.php or http://www.SiteName.com/RandomNumbers/profile.php
Thanks in advance
#38 by Riva Sinjal | AWC on February 11, 2010 - 9:32 am
Nice tips…
There are also a few useful security plugins at http://wordpress.org/extend/plugins/
* WordPress Firewall – Identify and stop most obvious attacks (SQL injections).
* Security Scan – Scans your WordPress installation for security vulnerabilities and suggests corrective actions.
* CopyrightPro – Disable right click on your WordPress, disable selection of text, and protect from iframes.
#39 by social bookmarking site on December 28, 2009 - 3:02 pm
Ya nice tips. We should back up our data because hackers can do anything at any time. So backup your data to protect the data base.
#40 by PC Security on November 28, 2009 - 12:28 am
Hi,
Nice compilation.
I must vote for Login LockDown. It is a great plugin and essential for your WordPress security.
#41 by Security Chicago on November 3, 2009 - 3:18 pm
Nowhere did I see FTP as a concern. I think it should be, as the security is pretty basic and not as good as SSH.
#42 by Madeglobal on September 14, 2009 - 11:59 am
You could also try the “better-protected-pages” plugin available from http://www.wordpress.org/extend which allows your users to “re-lock” a password protected page when they have finished reading it. We found this to be a major problem on public computers because the password protected page remains “unlocked” even when you log out or close the browser … the plugin fixed this issue.
#43 by yoso tattoo on July 23, 2009 - 7:21 am
yeah your english is good

more security tips please
#44 by admin on March 28, 2009 - 8:14 pm
Hi RaiulBaztepo, You are most welcome. Who said your English is bad?
#45 by RaiulBaztepo on March 28, 2009 - 7:57 pm
Hello!
Very Interesting post! Thank you for such interesting resource!
PS: Sorry for my bad English, I've just started to learn this language
See you!
Your, Raiul Baztepo