How To Secure Your WordPress Blog

September 30, 2010 12:00 pm 1 comment

Here are some of my favourite top tips for keeping your WordPress website or blog more secure and less susceptible to malicious attacks.

Attacks on your website or blog come in different forms: some take advantage of badly set file permissions on the server, others go after the database or the login form. The short but helpful list below should keep the door closed to most of them.

1: File Permissions

Setting up your WordPress website/blog with wrongly set file permissions could let an attacker go on a wrecking spree across your entire blog. The WordPress Codex has an outline of which permissions are acceptable: directories 755 and files 644 are the usual baseline, wp-config.php should be tightened further, and nothing under the web root should be writable by group or others.

File and directory permissions can be changed via an FTP client, from the control panel your web host provides, or with chmod over SSH. This page details more about how file permissions work and how to change them on a number of different systems.
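As an added example (not from the original post), here is a small POSIX shell script that audits a WordPress tree for anything group- or world-writable and resets it to the Codex baseline of 755 for directories and 644 for files. It assumes the install root is passed as the first argument and that PHP runs as the owner of the files, so wp-config.php can be made owner-only (0600); both are assumptions of the example, not something the post states.

```shell
#!/bin/sh
# Added example: audit and reset WordPress file permissions.
# Assumption: $1 is the WordPress root (e.g. /var/www/html) and PHP runs
# as the owner of the files, so wp-config.php can be owner-only (0600).
# If PHP runs as a different user, use 640 with the web server's group instead.

# Print every file or directory under the root that group or others can write to.
# -perm /022 is GNU find syntax (BSD find spells it -perm +022).
wp_audit_perms() {
  find "$1" \( -type d -o -type f \) -perm /022 -print 2>/dev/null
}

# Reset to the Codex baseline: directories 755, files 644, wp-config.php 600.
# With PHP running as the owner, 755 on wp-content/uploads is still enough for uploads.
wp_fix_perms() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
  return 0
}

# Exit 0 if nothing is group/world writable, 1 otherwise (handy in a cron job).
wp_perms_ok() {
  [ -z "$(wp_audit_perms "$1")" ]
}

# usage: wp_audit_perms /var/www/html ; wp_fix_perms /var/www/html
```

Run the audit first and read the list before fixing anything: a directory that a plugin deliberately made writable will show up too, and you want to know why before you change it.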

2: Using Secret Keys in WP-Config.php File

The wp-config.php file is the heart of your WordPress site: it stores the database connection details WordPress needs, that is the name, host, username and password of the MySQL database that holds your users, posts and other important content.
It also holds the secret keys and salts that WordPress uses to sign its login cookies. With long, random, unique keys, someone who gets hold of a cookie or of the password hashes in the database still cannot forge a login, and changing the keys invalidates every existing session, which is exactly what you want after a suspected break-in.

Go to https://api.wordpress.org/secret-key/1.1/ and copy the results into the keys section of your wp-config.php file if you haven't already set them up. Never leave the 'put your unique phrase here' placeholders from wp-config-sample.php in place.
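As an added example (not from the original post), the shell functions below generate the eight keys locally from /dev/urandom instead of fetching them from api.wordpress.org, rewrite the matching define() lines in a wp-config.php whose path you pass in, and check that no placeholder is left. Generating the keys locally is an assumption of the example; it is a drop-in substitute for the API output, which is itself just random text.

```shell
#!/bin/sh
# Added example: generate and install WordPress secret keys without the
# api.wordpress.org fetch. Assumption: keys made from /dev/urandom are an
# acceptable substitute for the ones the API hands out (they do the same job).

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 48 random bytes -> 64 base64 characters; the base64 alphabet contains no
# quote, backslash, '&' or '|', so the value is safe inside '...' and in sed.
wp_random_key() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Print eight fresh define() lines, ready to paste into wp-config.php.
wp_print_salts() {
  for k in $WP_SALT_KEYS; do
    printf "define('%s', '%s');\n" "$k" "$(wp_random_key)"
  done
}

# Replace the existing define() line for each key in the given wp-config.php.
# Rotating the keys logs every user out, so run it after a suspected breach.
wp_rotate_salts() {
  cfg=$1
  for k in $WP_SALT_KEYS; do
    v=$(wp_random_key)
    sed -i.bak "s|^define( *'$k'.*|define('$k', '$v');|" "$cfg"
  done
  rm -f "$cfg.bak"
}

# Succeed only if all eight keys are defined and none still holds the
# sample file's placeholder text.
wp_salts_ok() {
  cfg=$1
  for k in $WP_SALT_KEYS; do
    grep -q "^define( *'$k'" "$cfg" || return 1
  done
  ! grep -q 'put your unique phrase here' "$cfg"
}

# usage: wp_rotate_salts /var/www/html/wp-config.php && wp_salts_ok /var/www/html/wp-config.php
```

The rewrite only touches lines that already define one of the eight keys; if a key is missing from your file, wp_salts_ok reports it so you can add the line by hand.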

3: Strong WordPress Passwords

In addition to adding a secret key to your wp-config.php file, also consider changing your user password to something that is strong and unique. WordPress will tell you the strength of your password, but a good tip is to avoid common phrases, use upper and lowercase letters, and include numbers. It’s also a good idea to change your password regularly — say once every six months.

4: Stay Up To Date

Keeping your WordPress site up to date is one of the easiest things you can do. For the last few versions WordPress has been able to install updates itself from the dashboard, and it notifies you every time a new release is available. The same goes for plugins and themes, which are at least as often the way in.

If you aren’t running the latest version of WordPress, upgrade now. Leaving your site on an old version is like keeping your door unlocked when you leave for vacation.

5: HTAccess Tips

Using a .htaccess file you can restrict access to certain directories, for example tying wp-admin to a specific IP address so that only requests from that location get through. These directives only take effect if your host runs Apache with AllowOverride enabled for your directory; otherwise they are silently ignored, so test each change with a browser before relying on it. Below are my top tips for keeping your site secure using the .htaccess file.

Disable Hotlinking

Sometimes another site links directly to images hosted on yours. That saves them disk space, but your server ends up serving every request, using up your precious bandwidth. This is known as 'hotlinking'. The rules below let requests with no Referer through (many browsers and privacy tools send none) and only redirect when the Referer names another site; since the Referer header is trivial to forge, treat this as a deterrent for casual hotlinking rather than real protection. To disable hotlinking, add these lines to the .htaccess:

# disable hotlinking of images: answer 403 or serve a custom image instead
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/ [NC]
# never redirect the replacement image itself, or the redirect loops
RewriteCond %{REQUEST_URI} !stealingisbad\.gif$
#RewriteRule \.(gif|jpg)$ - [F]
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L,NC]

Stop Spammers

Like hotlinkers, spammers are notorious for using up your site's resources. One way to spot a likely spammer is a comment POST with no referrer: bots post straight to wp-comments-post.php without ever loading the page, so they appear to come from 'nowhere'. The rules below bounce such requests, and any with an empty User-Agent. Be aware that some legitimate visitors run browsers or proxies that strip the Referer and will no longer be able to comment, and that a determined bot only has to fake the header. Add these lines to slow the spammers down:

RewriteEngine On
# only comment submissions...
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php$
# ...that did not come from a page on this blog, or carry no User-Agent at all
RewriteCond %{HTTP_REFERER} !yourblog\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# send the bot back to its own address (use "- [F]" instead to answer 403)
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
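Before deploying a rule like this it helps to see how many real visitors it would catch. As an added example (not from the original post), the shell function below applies the same three signals (POST to wp-comments-post.php with no referrer, an off-site referrer, or an empty User-Agent) to an Apache combined-format access log and counts hits per client address. The log lines are constructed for the example, and yourblog.com is the hostname the rules above assume.

```shell
#!/bin/sh
# Added example: find comment spammers in an Apache access log using the same
# signals as the rewrite rules (POST to wp-comments-post.php with no referrer,
# an off-site referrer, or an empty User-Agent). The log lines are constructed.

wp_sample_log() {
  cat <<'EOF'
203.0.113.5 - - [30/Sep/2010:12:00:01 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"
198.51.100.7 - - [30/Sep/2010:12:00:02 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://yourblog.com/2010/09/hello/" "Mozilla/5.0"
203.0.113.5 - - [30/Sep/2010:12:00:03 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://spam.example/" "Mozilla/4.0"
192.0.2.9 - - [30/Sep/2010:12:00:04 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Sep/2010:12:00:05 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://yourblog.com/2010/09/hello/" ""
EOF
}

# Read combined-format log lines on stdin; print "count ip" for every client
# whose comment POSTs lack a referrer containing $1 or carry no User-Agent.
wp_suspect_commenters() {
  site=$1
  awk -v site="$site" '
    $6 == "\"POST" && $7 ~ /wp-comments-post\.php/ {
      # referrer and user agent are the last two quoted fields on the line
      n = split($0, q, "\"")
      ref = q[n-3]; ua = q[n-1]
      if (ref == "-" || index(ref, site) == 0 || ua == "" || ua == "-") print $1
    }' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# usage: wp_suspect_commenters yourblog.com < /var/log/apache2/access.log
```

On the sample data only 203.0.113.5 is flagged, three times; 198.51.100.7 posted from a page on the blog with a normal User-Agent and is left alone. Run it over a week of real logs and check the flagged addresses against your spam queue before turning the block on.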

Protect WP-Config

The wp-config.php file in your WordPress installation contains some real secrets: the database name, username and password, and the secret keys. Normally Apache hands the file to PHP and nothing sensitive reaches the browser, but if PHP handling ever breaks (a bad upgrade, a misconfigured host) the file would be served as plain text, so block direct requests to it outright. You have no choice but to keep it secure.

# protect wp-config.php (Apache 2.2 syntax; on Apache 2.4 use "Require all denied")
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Disable Directory Browsing

Someone who knows the directory structure of a WordPress installation can use that knowledge to do damage, and a directory listing of wp-content/plugins tells them exactly which plug-ins you are using, so switch listings off:

# disable directory browsing (removing Indexes alone; "Options All -Indexes"
# would also switch on ExecCGI and Includes, which you do not need)
Options -Indexes

Protect .htaccess itself!

The last thing you want, after spending so much time protecting your site with .htaccess, is to leave the file itself open to download. Apache's stock configuration already denies access to anything starting with .ht, but hosts sometimes change it, so the following block makes sure of it for any file whose name contains .hta:

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

Better still, you can rename the .htaccess file to any other name you like. AccessFileName can only be set in the main server configuration or a virtual host, not inside .htaccess itself, so this one is for people who run their own Apache. If you do rename it, extend the <Files> block above to cover the new name: Apache's default protection only matches names starting with .ht, and the renamed file would otherwise be downloadable.

# rename htaccess files (httpd.conf or virtual host context only)
AccessFileName ht.access

6: Plugins That Help

The WordPress plugin community has loads of helpful (and some not so helpful) plugins that can help lock down your site against anyone wishing to harm it. Here are a few I can recommend to anyone wishing to give them a try. Remember that a plugin is itself code running on your site, so keep these updated like everything else.

WP-Security-Scan

Scans your WordPress installation for security vulnerabilities and suggests corrective actions.

TTC WordPress Security Tool

This plugin blocks scrapers, cross-site scripting attempts and other ill-behaved bots.


Final Thoughts

Even when every step has been taken to secure your blog or website, there are still people out there who will find a way in despite all the security measures in place. Hopefully this list of tips will at least make their attempts a long and painful experience. Have any other helpful tips for securing your blog or website? Let us know in the comments below!


Marty

Web Developer
Senior Web Developer who combines passionate coding skills, strategic vision with strong hands on leadership and enormous personal drive. I create re-usable industry standard code that is used time and time again, producing outstanding results for every project I work on! I also like Classic Motorbikes, Quad bikes, Downhill Mountain biking & Learning electronics using the Arduino.

1 Comment

  • Excellent article. I’m really glad I came across it. WordPress security is an important subject to me and to date I’ve mainly used plugins like the WP firewall and Login Lockdown but this article throws up some other areas that need looking at, especially with the use of htaccess being used more effectively.
