10 Wordpress Security Tips

Welcome back!

Over time I have become a regular Wordpress fanboy; there really is no other free software that I know of that is as good at its job. Everything works, everything is intuitively easy, it is easily customizable… it's awesome. There are, however, a few things that a site administrator can do to ensure security. I've learned these things the hard way: my own personal site has been hacked twice over the years. The second time I got serious about protecting myself. Here are ten steps that you can take to protect your site.

Back Up – okay, so this first one is more for protection 'in case', but I'm including it here because it's saved me twice. I start by backing up all of the files on my server, then I back up the database as well. I keep these files on my home computer (which is also backed up, by the way). No harm in being prepared.

WP-Config – The wp-config.php file within your site's root directory contains the keys to your database. Its contents aren't served to visitors, because the server executes the file rather than returning it, but it is worth spending a bit of time here to ensure security. There are a couple of things you can do here to help yourself.

  • Database name, username and password – Your database name can be anything, no one but you will ever see it, so make it something that is not easy to guess. The username and password that you enter here will only be used by Wordpress, so once again, make them something that is not easy to guess, and different from the credentials for your server, GoDaddy account, bank account, Wordpress users, etc. This way, if someone does get access to your server they can't go crazy on the web getting access to everything you've ever owned. You'll still have access to your database as the domain administrator, and if you ever do need these passwords again they'll be safely stored in your site backup files.
  • Security Keys – Wordpress 2.7 has four keys that you can add to the config file. The point of these keys is to add random elements to the passwords that are stored, making them more difficult to crack. You'll never need to type these in anywhere, so make them long and include every character you can get your fingers on. If you have trouble grasping the concept, use the generator that Wordpress provides.
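As an added illustration (not code from the post or from Wordpress), here is a small Python checker for the wp-config.php points above: it parses the define() lines and flags a guessable database name, an empty or reused database password, and any of the four 2.7 security keys that is missing, still the sample file's placeholder, short, or reused between keys. The 32-character minimum and the weak sample configuration are assumptions made for the example.

```python
import re

# The four keys WordPress 2.7 reads from wp-config.php, and the placeholder
# text that wp-config-sample.php ships for each of them.
SECURITY_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
DEFAULT_PHRASE = "put your unique phrase here"
MIN_KEY_LENGTH = 32  # assumed threshold; the post only says "make them long"

# Matches define('NAME', 'value'); with a single-quoted string value.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")


def parse_defines(config_text):
    """Map constant name -> value for every single-quoted define() in the file."""
    return dict(DEFINE_RE.findall(config_text))


def audit_wp_config(config_text):
    """Return the problems found; an empty list means the checklist passes."""
    d = parse_defines(config_text)
    findings = []
    if d.get("DB_NAME") == "wordpress":
        findings.append("DB_NAME is the easily guessed default 'wordpress'")
    if not d.get("DB_PASSWORD"):
        findings.append("DB_PASSWORD is empty")
    elif d["DB_PASSWORD"] in (d.get("DB_USER"), d.get("DB_NAME")):
        findings.append("DB_PASSWORD repeats the database user or database name")
    seen = {}  # key value -> first key that used it, to catch copy-pasted keys
    for key in SECURITY_KEYS:
        value = d.get(key)
        if value is None or value == DEFAULT_PHRASE:
            findings.append(f"{key} is missing or still the sample placeholder")
        elif len(value) < MIN_KEY_LENGTH:
            findings.append(f"{key} is only {len(value)} characters long")
        elif value in seen:
            findings.append(f"{key} reuses the value of {seen[value]}")
        else:
            seen[value] = key
    return findings


# Constructed sample: a wp-config.php left close to the sample file's defaults.
WEAK_CONFIG = """define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'wordpress');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'short');
define('NONCE_KEY', 'short');"""

if __name__ == "__main__":
    for problem in audit_wp_config(WEAK_CONFIG):
        print("FAIL:", problem)
```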

File Access – Most people use FTP to access the files on their server. That's great for ease of use, but it is an insecure method: anyone sniffing your traffic now has the credentials to access your server. Avoid the possibility by using SSH, which IS secure. If you need an SSH client, PuTTY is free.

Admin Account – When Wordpress is installed, it creates an admin account automatically, with a username of 'admin'. If you use this account to either write for or administer your site, then anyone wanting access already has half of the information they need. Make them work: create an administrative account with a different username and then delete the 'admin' user. You can take this a step further by creating an 'editor' account to publish with. This prevents a would-be hacker from finding out what your administrative credentials are.

Strong Passwords – Now for your account passwords. You want them to be long, and you want them to contain upper and lower case letters, numbers and special characters (#, *, @, ^, etc.). Also, don't use the same password for your Gmail, bank and GoDaddy accounts. If you have trouble remembering them, get a password manager (I LOVE Roboform).

Protect Folders – Wordpress does a pretty good job of promoting itself as software, which is unfortunate because it gives would-be hackers information that can be used against your blog. There are two folders that you need to think about protecting. We'll tackle the easy one first.

  • wp-content/plugins/ – This folder is where plugins are stored. By default, anyone that navigates to this folder can see which plugins you're using, because the web server generates a directory listing for it. If someone wanted to hack your blog they would check here for potential security holes. Protect your blog by adding an index.html file: the server serves that file instead of the listing, so it doesn't need to contain anything in particular, in fact it can even be blank.
  • wp-admin – This is the administrative section of Wordpress, all of the back end and many of its functions. This is the prize for hackers. There are a couple of ways to protect it: writing an .htaccess file yourself, or installing the Wordpress AskApache security plugin. Both will be effective. Once you select a method, and before you begin implementing it, take a few minutes and back up everything sixteen ways from Sunday, then read the instructions. You're about to lock down your site for real, which means that it's possible for you to lock yourself out.

Remote Publishing – One feature of Wordpress is that you can post to it from email or an external blogging platform such as Windows Live Writer or Ecto. This is pretty handy if you’re on the go, have limited access or like the features of your preferred blogging platform more than those within Wordpress. I would venture a guess that most people either don’t know or don’t care about this feature, and if that’s you then turning this off will leave one less opening. I do not mean to suggest that if you do choose to use this feature that you’re leaving your site exposed, I would not consider this an opening. But, if you aren’t using it then why leave it open? To disable this feature log in as an administrator and go to ‘Settings’, then ‘Writing’ and deselect ‘Atom Publishing Protocol’ and ‘XML-RPC’.

Stop Advertising Your Version – By default Wordpress lists its version number in the header code of your blog. Once again, this is giving a hacker information that he can use against you. Open your theme's header.php file and remove this line: <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->

Keep Current – As security holes are discovered, the Wordpress development team addresses them. If you don't stay current then your blog likely has security holes that you're unaware of. When a new version of Wordpress becomes available, install it. Be sure that your plugins are up to date as well. With version 2.7 this can be done with the click of a button, so upgrade to 2.7 and then keep it current. No excuses.

Scan for Vulnerabilities – Now that your site is current with the latest software and locked down, scan every once in a while to ensure that a new vulnerability hasn't exposed you. It takes only seconds to run, and provides valuable information on your site's security.
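As an added example that is not part of the original post, this Python script checks a saved copy of your own blog's HTML for the things the Protect Folders, Remote Publishing and Stop Advertising Your Version sections say not to expose: the generator meta tag, the EditURI link that Wordpress prints in the page head for remote-publishing clients (it points at xmlrpc.php), and a server-generated listing of wp-content/plugins. The two HTML samples are constructed for the example.

```python
import re

# Patterns for the three things the post says not to advertise.
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s*([^"]*)"', re.I)
EDITURI_RE = re.compile(r'<link\b[^>]*rel="EditURI"[^>]*href="([^"]+)"', re.I)
LISTING_RE = re.compile(r'<title>\s*Index of\s+(\S+)\s*</title>', re.I)
ENTRY_RE = re.compile(r'<a href="([^"/]+)/">')

# Constructed sample of a blog's <head> that still carries both leaks.
SAMPLE_HEAD = """<head><title>My Blog</title>
<meta name="generator" content="WordPress 2.7" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://example.com/xmlrpc.php?rsd" />
</head>"""

# Constructed sample of the server-generated listing for an unprotected plugins folder.
SAMPLE_LISTING = """<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1><a href="../">Parent Directory</a>
<a href="akismet/">akismet/</a> <a href="some-plugin/">some-plugin/</a></body></html>"""


def disclosed_version(html):
    """Version string from the generator meta tag, or None once the tag is gone."""
    m = GENERATOR_RE.search(html)
    return m.group(1).strip() if m else None


def advertised_xmlrpc(html):
    """URL the EditURI link points at (the XML-RPC endpoint), or None."""
    m = EDITURI_RE.search(html)
    return m.group(1) if m else None


def listed_plugins(html):
    """Plugin folder names readable from a directory index; [] once index.html hides it."""
    if not LISTING_RE.search(html):
        return []
    return [n for n in ENTRY_RE.findall(html) if not n.startswith(".")]


def audit_public_surface(home_html, plugins_html):
    """One finding per leak still present; [] means all three are closed."""
    findings = []
    version = disclosed_version(home_html)
    if version is not None:
        findings.append(f"generator tag discloses WordPress {version or '(blank)'}")
    url = advertised_xmlrpc(home_html)
    if url:
        findings.append(f"EditURI link points remote-publishing clients at {url}")
    names = listed_plugins(plugins_html)
    if names:
        findings.append("plugins folder lists: " + ", ".join(names))
    return findings
```

Seeing the EditURI link only tells you the endpoint is advertised, not whether remote publishing is switched on under Settings. Run it against page source you fetched from your own site, and expect an empty list once the header line is removed and the index.html is in place.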

Congratulations. Your blog is now more secure than it has ever been before. Go outside and do something fun. But remember, it may be safe today, but it may not be safe tomorrow. Hackers are always looking for ways of gaining access to Wordpress. You're never ahead of them, so there's a good chance that within the next six months you're going to need to take further action to keep yourself protected.


24 Comments

  1. Posted January 26, 2009 at 8:30 pm | Permalink

    Wow, I've used Wordpress for years but I never gave much thought to all the potential security holes. Thanks for the heads-up, I'll have to go through and make some changes!

  2. Posted January 28, 2009 at 3:43 am | Permalink

    I just started with wordpress. Before I was a hardcore blogger platform guy. I would spend hours dealing with the coded templates. I didn’t know basically every feature you can think of wordpress already has a widget to do it.

  3. Jackie
    Posted January 29, 2009 at 4:42 am | Permalink

    Great advice on keeping your blog secure, I know a lot of people that have very insecure blogs even though following your tips is pretty easy. I just don't think the common user thinks about these things until it's too late. So I'm glad you wrote this post, thanks again.

  4. Posted February 7, 2009 at 12:52 pm | Permalink

    I almost became a victim to this recently. One more thing I’ve noticed is that contact form plugins tend to have a lot of vulnerabilities.

    Great post

    – John

  5. Posted February 8, 2009 at 4:46 am | Permalink

    Great batch of security tips all in one place. I generally follow most of them but a few caught me by surprise.

    Call me paranoid but what do you think about removing the uploads directory?

  6. Posted February 9, 2009 at 3:17 pm | Permalink

    @John Acai
    That’s true. I wouldn’t say that contact forms themselves are insecure, but they do open up the possibility for exploitation. If you want or need a contact form you can protect yourself by keeping the plugin updated with the latest version. Most plugin authors are good about plugging security holes as they learn about the vulnerabilities.

    @Entrepreneur
    I wouldn’t discourage anything that increases security. AFAIK there isn’t anything here that could be used to gain access to your blog, but someone could steal bandwidth from you by linking to an image or media file that you have stored here. For some users this is the place that their media files are stored, so it would be inconvenient to remove it. Locking it down with .htaccess would probably accomplish the same thing.

  7. Posted February 20, 2009 at 12:04 pm | Permalink

    Geeez! I’m gonna start watching out more!

  8. Posted February 24, 2009 at 3:46 pm | Permalink

    Great tips Chris.

    I use WP security plugin to protect our clients wordpress blogs.
    I will see if I can make it more secure.

  9. Posted March 11, 2009 at 6:36 pm | Permalink

    The best article I’ve read in a while Chris.

    The reason why is… so much of this stuff is new to me! The insecurity of the ftp protocol… the idea of making another admin account… I have to say… I’m just used to web based applications where you simply make-do with whatever security the system has. I forgot that there is so much we could do to improve security on our part.

    I’ve already investigated SSH clients having read this, and I’ll probably make the transition next week. Thanks a bunch. I’ll link to you from a site of mine.

  10. Posted April 6, 2009 at 7:58 pm | Permalink

    This is a great post!! Thanks a lot for your WP security tips :)

  11. Posted May 24, 2009 at 6:44 pm | Permalink

    I agree with you on all security keypoints, but the Security Keys is one of the most found mistakes over the wp’s installations

  12. Posted June 3, 2009 at 5:45 pm | Permalink

    Thanks for the tips. I’ve been trying to lock down WP for about a week now after getting hacked twice in 3 weeks (I’m still relatively a WP newbie, and am surprised at how many vulnerabilities there are).

    I have implemented most (if not all) of your points, and installed several security related plugins as well (I hope to list them in a future post on my site).

    I have also installed Norton Antivirus (Mac) and found some infectious code had been inserted even after many of my attempts at protection. Some of them may have respawned from backup files.

    Right now I’m debugging and editing my .htaccess files since one of them is apparently preventing my FCKEditor from working, so I need to find the balance between security and functionality. So it is still a work in progress.

    Other than that I think I am in a more secure position than a few days ago.

    Thanks for the great post!

  13. Smart
    Posted August 1, 2009 at 10:08 am | Permalink

    Once in while we find good articles on internet. Thanks for sharing your views. I appreciate

  14. Posted August 3, 2009 at 8:30 pm | Permalink

    These are great tips. I have been using WP since then. I'm very thankful that I have found this article and this really helps me to be cautious…

  15. Posted August 10, 2009 at 3:32 pm | Permalink

    Thanks for the great tips !

  16. Danny
    Posted August 31, 2009 at 3:22 am | Permalink

    Anyone know where I can start my own blog?

  17. Posted August 31, 2009 at 3:12 pm | Permalink

    Thank you for the tips. I’m really new in blogging and I don’t understand the Wordpress thing completely but I will watch out.

  18. Posted September 5, 2009 at 8:42 am | Permalink

    Nice security tips given here, very useful for all people.

  19. Posted October 5, 2009 at 9:53 pm | Permalink

    This is a great post!! Thanks a lot for your WP security tips

  20. Posted October 7, 2009 at 11:26 am | Permalink

    I really need to get around to upgrading my site to the latest version, am I right in saying that the newer versions can upgrade automatically? I hope so, it will save me so much time and hassle.

    I have the wp-backup plugin that emails me a backup of my site every night just in case something does go wrong.

  21. Posted October 9, 2009 at 9:33 am | Permalink

    Thanks for the tips..

  22. Posted November 2, 2009 at 6:35 am | Permalink

    I have used Wordpress for days but I never gave much thought to all the security tips. Many things for security, so thanks for the security tips..

  23. Posted November 10, 2009 at 7:59 pm | Permalink

    Thanks for the great info. I knew a couple of these, but a couple were news to me. I’ve bookmarked this so I can refer back to it when I get around to improving the security of my wp sites!!! :)

  24. Posted January 7, 2010 at 8:49 pm | Permalink

    I certainly agree with keeping current with WP. Unfortunately, the downside with regularly updating a WP website is that often something on the site breaks, especially on a complex site, and this can take a while to fix, so it can be a pain with regular updates. The downside to having a secure website, I guess!
