14 Effective Practical Security Tips for WordPress

wordpress tips tricks

WordPress is the most user friendly expandable blog platform around. "With power comes more responsibilities", says Spiderman’s uncle. So what if your valuable WordPress blog get hacked? You will be literally devastated, violated and humiliated. Now you need to know how a attacker or cracker hack or exploit your site.

Advertisement
  • They know about your security weakness points about your site
  • They know about the important directories are open and accessible
  • They know about the version of WordPress has security issues
  • They know what outdated unsecured plug-in you are using and they can take advantage of it
  • They brute force attack your site login for random username and password
  • They know WordPress uses "Admin" as the administrator name, so they keep generating passwords and keep trying

So how do you overcome these situations? Well, you just need tighten up the security principal to avoid these problems. These are very practical options to protect yourself from getting hacked. In truth, every protection can be broken but the point is not to cure but to prevent.

  1. Knowledge: Keeping backups, knowing the state of your WordPress installation at regular time intervals, documenting your modifications all help you understand your WordPress installation. Use the WP-DB backup plug-in to schedule your database backups.
  2. Keep your WordPress install and plug-in up to date: The newest versions of WordPress automatically notify you if there is an update for your WordPress and your plugins. Keeping these up to date will keep black hats from using known vulnerabilities to gain access where they shouldn’t be.
  3. Rename the administrative account: You can do this in the MySQL command-line client with a command like


    update tableprefix_users
    set user_login='anothername'
    where
    user_login='admin';

    or by using a MySQL frontend like phpMyAdmin.

    Advertisement
  4. Use strong password: Creating a strong password that is also memorable is one of the easiest defenses against being hacked. There are a lot of online password strength checker that you could check. Here is Lorelle’s article on blog herald called Protect Your Blog With a Solid Password, offering tips and tricks to help create a strong password that is also memorable.

  5. Disable directory browsing: An attacker can reveal your files because they have been indexed by search engines, so you can use a simple one line code inside your .htaccess file


    Options -Indexes

    also use a robots.txt file to disallow the search engine robots to index the subfolder contents. Here is an example of a robots.txt file

    User-agent: *
    Disallow: /cgi-bin/
    Disallow: /wp-content/
    Disallow: /wp-admin/
    Disallow: /wp-includes/

  6. File permissions : Some of WordPress’ cool features come from allowing some files to be writable by web server. However, letting an application have write access to your files is a dangerous thing, particularly in a public environment. It is best, from a security perspective, to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create special folders with more lax restrictions for the purpose of doing things like uploading images.

  7. Do not advertise the WordPress version you are running: If you are running an old WordPress version with known vulnerabilities, it is unwise to display this information to the public. Why not simply hide the WordPress version entirely? Even if you update packages as quickly as you can, there will be lag between the version release and your deployment, potentially enough time for a malicious person to carry out an attack. However, editing out all the places where WordPress advertises its version string in your theme can be a pain. It is still best to make sure you are running the latest WordPress version. An easier way to do this is with the Replace WP-Version plugin (newer and better version with more features is Secure WP).

  8. Stay on top to Security Releases: Subscribe to the WordPress Development blog. When WordPress patches a security hole or releases a new version, they announce it on that blog. If you see a security patch released, you need to upgrade or apply the patch. You leave yourself open to being hacked if you don’t upgrade.

  9. Use Captcha whenever possible: Captcha solution for the comments and login also build contact forms with Contact Form 7 or CFORMS II. This keeps bots from spamming and trying to crack your login.

  10. Limit access to your wp-admin directory: Protect wp-admin directory by IP address or password, which will another level of password access to the wp-admin folder: if you are using CPanel then you can use the directory protection tool to password protect folders.

  11. Restrict access to your wp-config.php: I have seen cases on web servers where the PHP install gets broken and all PHP files become readable. This is bad because your wp-config.php file contains your database username and password.

    Create a file within your WordPress root install directory named “.htaccess” if there isn’t already one. Append the following to your “.htaccess” file inside of your root directory:



    deny from all


  12. Use AskApache Password Plugin: This plugin doesn’t control WordPress or mess with your database, instead it utilizes fast, tried-and-true built-in Security features to add multiple layers of security to your blog. This plugin is specifically designed and regularly updated specifically to stop automated and unskilled attackers attempts to exploit vulnerabilities on your blog resulting in a hacked site

  13. Use the WordPress online security scanner: This plugin along with a CGI script at Blog Security will perform version checks, XSS checks on your template and look at your plugins for vulnerabilities.

  14. Use a .htaccess based intrusion detection system, details here.

 

References:

Hardening WordPress

3 tips to protect your wordpress installation

10 Ways to Secure your WordPress install

WordPress security tips and hacks

  • Xx

    Use protectionx.info :)

  • http://inkjam.blogspot.com Sandipan@inkjam

    Great Post! Really helpful. Thanks a lot!

  • http://dissertation-service.co.uk/ Dissertation Help

    >great article. thanks a lot. my sites were hacked yesterday.:( I hope these security measures will help.
    Really great article! Thanks!

  • http://forexhug.com forexhug

    thanx for this usefull codes

  • http://www.directorysubmissionservices.net Nick

    really nice list here. as for the ssh tip – bravo. it’s one of those really nice things that is super convenient as well as secure. soon, you find yourself using ssh for nearly every server admin task you can think of.

  • http://www.tapety.cjb.net D.F.

    hi.
    nice post. thanks for this one

    D.F.

  • http://compixels.com Binoy xavier

    Nice tips buddy. Will try to implement some on my blog too :)

  • gjperera

    #11 Did not work, I keep getting a Server 500 error…

    • http://www.kitacreative.com Jenn

      It worked for me by omitting the at the end. So it looks like:

      deny from all

      And when I type in the address to my wp-config.php file, I get a 403 error, so it looks like it works!

      • http://www.kitacreative.com Jenn

        The comment form messed up the code. Just leave out the last /files part.

  • gjperera

    Great tips…what do you know about Windows Live Writer vulnerabilities? It appears that there are security issues with Live Writer, does this apply to Word 2007/2010 also?

  • http://www.jenandisrael.org Israel

    Help! I used WP-Optimize to delete my admin account and now I can't login and I didn't notice whether WP-Optimize creates an alternate admin account for me?

  • Mark

    I use http://wpantivirus.com
    Works fine for me.

  • http://sizlopedia.in/ ravi

    great article. thanks a lot. my sites were hacked yesterday.:( I hope these security measures will help.

  • http://sizlopedia.in/ ravi

    great article. thanks a lot. my sites were hacked yesterday.:( I hope these security measures will help.

  • http://www.magwp.com/ Premium Wordpress Themes

    great article. thanks a lot. my sites were hacked yesterday.:( I hope these security measures will help.

  • http://kangnawar.com/ Munawar Am

    Useful Tips, remind me that blogging security are the important one, and I have bookmark its.

  • http://www.ruhanirabin.com Ruhani Rabin

    Actually you've got a point my friend that I would agree too. I should've
    written minor updates not the major ones.. minor ones are more important..
    major updates can be hassle.. thank you so much for the insight :D

  • http://www.millionclues.com/ Arun Basil Lal

    I have a small disagreement to the tip : Update as soon as an update is available. I would prefer to wait for a few days and see if its working fine for others. What if the new version have a bug and all the updated blogs are attacked?

    I would wait for at least a day :)

  • http://www.ruhanirabin.com Ruhani Rabin

    Thanks that is useful too .. :) Will update the post later on

  • http://michaelwillow.com/ BSM

    Also important, use the wordpress ban plug in.
    http://wordpress.org/extend/plugins/wp-ban/
    You can ban all the spammers. It is unbelievable, I use it and I saw over than 200 attempts of the banned spammers to access my account.
    DO NOT ban your IP
    Thanks

  • http://seira277.blogspot.com aries

    Nice post…thanks for sharing it with us… cheers :)

  • http://seira277.blogspot.com aries

    Nice post…thanks for sharing it with us… cheers :)

  • http://homebusiness.search-datas.com/index.htm Mike Liwsi

    thanx! very good article about wp.

  • http://www.ruhanirabin.com Ruhani Rabin

    Yes you are right my friend .. the reason i've posted the robots.txt is to prevent search engines to crawl inside those folders that's all :)

  • http://projectbee.org/ Bipin Upadhyay

    Although your concern regarding usage of robots.txt is valid, it doesn't apply here. Everyone (at least those who wish to attack a WP installation) knows about the directory structure.

    Come to talk about it, using robots.txt won't solve any real issue per se.

  • http://www.facebook.com/people/Syed-M-Ruhani-Rabin/664895507 Syed M. Ruhani Rabin

    Yup Nilen, You've made a very good point such as rely on .htaccess protection and not completely rely on plugins , I'm going to hook up your post over here.

  • http://blondish.net Nilen

    My suggestion if you are self-hosted and not planning use cgi, then delete the cgi-bin folder. Also remove any unnecessary files you do not need. You can also use Recaptcha in WordPress too in orer to protect comments. For contact forms, I prefer Dagon Designs formmailer plugin.

    I think it is okay to reveal what version you are using if you have taken other precautions, especially with the htaccess functions. If you deny access to these files, then they will not be seen unless your host gets hacked. I illustrated this in my tutorial section, mainly focusing on the htaccess. Never rely totally on plugins to do the job.

  • http://go-indonesia.co.cc robet

    tutorial yang sangat bagus

  • http://satelite-keys.blogspot.com free satellite keys

    Development of digital technologies occurs prompt rates. Does not lag behind progress and digital TV. Speaking about digital TV, we first of all mean satellite TV. The digital satellite TV becomes more and more accessible to simple users. The market paid satellite tv also is not necessary on a place. The new digital standard of TV of high clearness HDTV actively develops and takes root. The satellite TV becomes more and more directed on the spectator. Besides digital quality of the image, advantage of satellite systems also is also the extensive cover zone of the companion.

  • http://www.ruhanirabin.com Ruhani Rabin

    Thanks @AskApache for dropping by, You yourself is a very respectable person. You Made the awesome AskApache plugin :)

  • http://www.askapache.com/ AskApache

    Nice list… these are still so very true even with the newest release. Dugg!

  • http://www.news-shit.de NewsShit!

    That’s a fine compilation of things to secure a WordPress installation. But I don’t like this “robots.txt” thing:

    With all the directories listed inside the robots.txt you invite people to have a view into them. Because they know now that those directories do exist :)

  • http://www.news-shit.de NewsShit!

    That’s a fine compilation of things to secure a WordPress installation. But I don’t like this “robots.txt” thing:

    With all the directories listed inside the robots.txt you invite people to have a view into them. Because they know now that those directories do exist :)

  • http://joomlafaqs.org Joshua

    Hi,

    Great article there…

    Didn’t know u’re a WP aficionado ;)

  • http://joomlafaqs.org Joshua

    Hi,

    Great article there…

    Didn’t know u’re a WP aficionado ;)