14 Effective Practical Security Tips for WordPress

Article Last Updated: 3^rd Nov 2009
Posted by Ruhani Rabin in Resources, Wordpress | Comments | |

Wordpress is the most user friendly expandable blog platform around. "With power comes more responsibilities", says Spiderman’s uncle. So what if your valuable Wordpress blog get hacked? You will be literally devastated, violated and humiliated. Now you need to know how a attacker or cracker hack or exploit your site.

• They know about your security weakness points about your site
• They know about the important directories are open and accessible
• They know about the version of Wordpress has security issues
• They know what outdated unsecured plug-in you are using and they can take advantage of it
• They brute force attack your site login for random username and password
• They know Wordpress uses "Admin" as the administrator name, so they keep generating passwords and keep trying

So how do you overcome these situations? Well, you just need tighten up the security principal to avoid these problems. These are very practical options to protect yourself from getting hacked. In truth, every protection can be broken but the point is not to cure but to prevent.

1. Knowledge: Keeping backups, knowing the state of your Wordpress installation at regular time intervals, documenting your modifications all help you understand your Wordpress installation. Use the WP-DB backup plug-in to schedule your database backups.
2. Keep your Wordpress install and plug-in up to date: The newest versions of Wordpress automatically notify you if there is an update for your Wordpress and your plugins. Keeping these up to date will keep black hats from using known vulnerabilities to gain access where they shouldn’t be.
3. Rename the administrative account: You can do this in the MySQL command-line client with a command like

   update tableprefix_users
            set user_login='anothername'
            where
            user_login='admin';
      

   or by using a MySQL frontend like phpMyAdmin.

4. Use strong password: Creating a strong password that is also memorable is one of the easiest defenses against being hacked. There are a lot of online password strength checker that you could check. Here is Lorelle’s article on blog herald called Protect Your Blog With a Solid Password, offering tips and tricks to help create a strong password that is also memorable.

5. Disable directory browsing: An attacker can reveal your files because they have been indexed by search engines, so you can use a simple one line code inside your .htaccess file

      Options -Indexes
      

   also use a robots.txt file to disallow the search engine robots to index the subfolder contents. Here is an example of a robots.txt file

       User-agent: *
       Disallow: /cgi-bin/
       Disallow: /wp-content/
       Disallow: /wp-admin/
       Disallow: /wp-includes/
      

6. File permissions : Some of WordPress’ cool features come from allowing some files to be writable by web server. However, letting an application have write access to your files is a dangerous thing, particularly in a public environment. It is best, from a security perspective, to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create special folders with more lax restrictions for the purpose of doing things like uploading images.

7. Do not advertise the WordPress version you are running: If you are running an old WordPress version with known vulnerabilities, it is unwise to display this information to the public. Why not simply hide the WordPress version entirely? Even if you update packages as quickly as you can, there will be lag between the version release and your deployment, potentially enough time for a malicious person to carry out an attack. However, editing out all the places where WordPress advertises its version string in your theme can be a pain. It is still best to make sure you are running the latest WordPress version. An easier way to do this is with the Replace WP-Version plugin (newer and better version with more features is Secure WP).

8. Stay on top to Security Releases: Subscribe to the WordPress Development blog. When WordPress patches a security hole or releases a new version, they announce it on that blog. If you see a security patch released, you need to upgrade or apply the patch. You leave yourself open to being hacked if you don’t upgrade.

9. Use Captcha whenever possible: Captcha solution for the comments and login also build contact forms with Contact Form 7 or CFORMS II. This keeps bots from spamming and trying to crack your login.

10. Limit access to your wp-admin directory: Protect wp-admin directory by IP address or password, which will another level of password access to the wp-admin folder: if you are using CPanel then you can use the directory protection tool to password protect folders.

11. Restrict access to your wp-config.php: I have seen cases on web servers where the PHP install gets broken and all PHP files become readable. This is bad because your wp-config.php file contains your database username and password.

    Create a file within your Wordpress root install directory named “.htaccess” if there isn’t already one. Append the following to your “.htaccess” file inside of your root directory:

    
          deny from all
     
     
    

12. Use AskApache Password Plugin: This plugin doesn’t control WordPress or mess with your database, instead it utilizes fast, tried-and-true built-in Security features to add multiple layers of security to your blog. This plugin is specifically designed and regularly updated specifically to stop automated and unskilled attackers attempts to exploit vulnerabilities on your blog resulting in a hacked site

13. Use the Wordpress online security scanner: This plugin along with a CGI script at Blog Security will perform version checks, XSS checks on your template and look at your plugins for vulnerabilities.

14. Use a .htaccess based intrusion detection system, details here.

References:

Hardening WordPress

3 tips to protect your wordpress installation

10 Ways to Secure your Wordpress install

Wordpress security tips and hacks

• Integrate social networking in wordpress using facebook connect api and wordpress plugin tutorial
• Wordpress 2.5 – The Upgrade Resources
• WP-Optimize Database Cleanup and Optimization Plugin for Wordpress
• How to Change Wordpress Permalinks without affecting Google
• Wordpress 2.3 Tag Support for Windows Live Writer
• How to make your wordpress and flickr uploads working again
• How to use different header for different categories and pages in wordpress
• How to style the latest post in wordpress

About Ruhani Rabin

Ruhani Rabin is the original owner and author of this blog. He also reviews web 2.0 startups at Tech2all.com. Largely interested in web 2.0 apps & Social Media. Currently the Vice President of MOL Access Portal (MOL is owner of Friendster.com). Also he is Web 2.0 & Social Media Researcher and a Total fun Geek!.. There you have it ;)

Twitter Profile: http://twitter.com/ruhanirabin