Keeping your self-hosted WordPress blog safe should be a blogger's number one priority. Below are a few hints and tips that should make your life a little easier when setting up or running your WordPress blog.

1. Keep WordPress updated to the latest version. The latest version can be downloaded from wordpress.org.

2. Keep all of your WordPress plugins and themes updated to their latest version. New versions of plugins and themes could contain security fixes.

3. Stop the web server from listing your plugins directory, so visitors cannot see which plugins you are running. If your WordPress blog gets hacked, it may well start with an attacker browsing that listing, spotting an out-of-date plugin with known security flaws, and targeting it.

By typing the following address into your browser you can check whether your plugins directory is being listed.

http://www.mywebsite.com/wp-content/plugins/

Note: Replace www.mywebsite.com with your own domain name.

An easy fix is to place a blank index.html file in the plugins folder, which gives the server something to show instead of the listing. A more thorough fix is to switch directory listings off altogether by editing the .htaccess file in the root of your WordPress directory on the server (this works on Apache hosts that allow .htaccess overrides).

Open the .htaccess file in a text editor (I prefer PSPad, which is freeware), add the following two lines to the bottom and save the file.

# Prevents directory listing
Options -Indexes
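The two steps above (the blank index.html and the .htaccess directive) done from a shell, plus a quick way to confirm the listing is really gone. This is an added example, not code from the original post: it assumes an Apache host that honours .htaccess for the Options directive, the standard WordPress folder layout, and, for the live check, that curl is installed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Applies the directory-listing
# tip to a WordPress install on an Apache host that honours .htaccess
# (AllowOverride must permit "Options"); paths follow the standard layout.

# Succeeds if the given .htaccess already has an active "Options -Indexes".
# A commented-out copy ("# Options -Indexes") does not count.
has_no_indexes() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1"
}

# Append the directive exactly once (safe to run repeatedly), and drop a blank
# index.html into the plugins folder as a fallback for hosts that ignore .htaccess.
disable_directory_listing() {
    local wp_root=$1
    local htaccess="$wp_root/.htaccess"
    if ! has_no_indexes "$htaccess"; then
        printf '\n# Prevents directory listing\nOptions -Indexes\n' >> "$htaccess"
    fi
    if [ -d "$wp_root/wp-content/plugins" ] && [ ! -e "$wp_root/wp-content/plugins/index.html" ]; then
        : > "$wp_root/wp-content/plugins/index.html"
    fi
}

# Reads an HTTP response body on stdin and succeeds if it is an Apache
# directory listing page. Live check (needs curl):
#   curl -s http://www.mywebsite.com/wp-content/plugins/ | looks_like_listing && echo "still listed"
looks_like_listing() {
    grep -qi '<title>Index of'
}

# Stand-alone use: ./harden-listing.sh /path/to/wordpress
if [ $# -eq 1 ]; then
    disable_directory_listing "$1"
fi
```

Running the script twice leaves a single Options -Indexes line, which matters because a second copy of the directive is harmless but makes the file confusing to audit later.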

4. If, for some reason, you are still running an older version of WordPress, you may want to hide your version number from the rest of the world. WordPress prints it in the page source (the generator meta tag), and the Replace WP-Version plugin disguises it. Bear in mind this only hides the number; it does not fix the flaws in the old version, so treat it as a stop-gap until you update.

5. WordPress folder and file permissions are an important security aspect that a lot of people forget. All WordPress folders should be set to 755 and all files to 644. If you like editing your theme through the Edit Themes panel within WordPress you will need to CHMOD those theme files to 666, but be aware that 666 makes them writable by every user on the server, so set it only while you are editing and change them back to 644 afterwards.

File permissions can be changed through your web hosting account's control panel (e.g. cPanel) or with an FTP program such as FileZilla.
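If you have shell access to the server, the 755/644 scheme above can be audited and applied in one go, and the 666 edit-then-revert dance can be scripted so it is never forgotten. This is an added example, not code from the original post; it assumes a POSIX find and chmod and that you run it as the owner of the WordPress files.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Audits and applies the
# 755 (folders) / 644 (files) baseline to a WordPress install, and wraps the
# temporary 666 needed by the Edit Themes panel so it gets reverted.

# Print every path that deviates from the baseline; prints nothing when clean.
audit_permissions() {
    local wp_root=$1
    find "$wp_root" -type d ! -perm 755 -print
    find "$wp_root" -type f ! -perm 644 -print
}

# Number of non-compliant paths (0 means the install matches the baseline).
audit_count() {
    audit_permissions "$1" | wc -l | tr -d ' '
}

# Apply the baseline in two passes; "{} +" batches paths so large installs are quick.
fix_permissions() {
    local wp_root=$1
    find "$wp_root" -type d -exec chmod 755 {} +
    find "$wp_root" -type f -exec chmod 644 {} +
}

# 666 is world-writable: any other account on a shared host can edit the file.
# Hold it only while you use the Edit Themes panel, then close it again.
theme_edit_open()  { chmod 666 "$1"; }
theme_edit_close() { chmod 644 "$1"; }

# Stand-alone use: ./wp-perms.sh /path/to/wordpress [fix]
if [ $# -ge 1 ]; then
    if [ "${2:-}" = fix ]; then fix_permissions "$1"; fi
    audit_permissions "$1"
fi
```

Run the audit first and read the list before fixing; a file that is deliberately 600 (for example a config your host told you to lock down) should be excluded from the fix rather than reset to 644.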

6. Back up your WordPress files and database on a regular basis.

For detailed information on backing up your database please go to the link below:
http://codex.wordpress.org/Backing_Up_Your_Database

You could also do what I do and use a terrific database backup plugin called WP-DB-Backup. The plugin can be downloaded below:
http://www.ilfilosofo.com/blog/wp-db-backup

For backing up your files you can use an FTP program, or check whether your web host has a built-in file backup system.
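For those with shell access, here is the database-plus-files backup from a script that reads the database details straight out of wp-config.php, so there is no second copy of the password to keep in sync. This is an added example, not code from the original post or the WP-DB-Backup plugin; it assumes mysqldump, gzip and tar are installed, that DB_HOST in wp-config.php is a plain hostname (no ":port" or socket suffix), and that the backup folder sits outside the WordPress directory.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Dumps the database named in
# wp-config.php with mysqldump and archives the WordPress directory with tar.
# Assumes mysqldump, gzip and tar are installed and DB_HOST is a plain hostname.
set -e
# Backups contain wp-config.php and the whole database: make every file owner-only.
umask 077

# Extract a define('KEY', 'value') constant from wp-config.php (single or
# double quotes, optional whitespace). Prints the value, or nothing if absent.
wp_config_value() {
    local config=$1 key=$2
    sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$config" | head -n 1
}

# Dump the database to <dest>/db-<stamp>.sql.gz and print that path.
backup_database() {
    local wp_root=$1 dest=$2 stamp=$3
    local config="$wp_root/wp-config.php" raw="$dest/db-$stamp.sql"
    local db_name db_user db_host
    db_name=$(wp_config_value "$config" DB_NAME)
    db_user=$(wp_config_value "$config" DB_USER)
    db_host=$(wp_config_value "$config" DB_HOST)
    # Dump to a file first so a mysqldump failure aborts the script (set -e)
    # instead of quietly leaving a truncated .gz behind. MYSQL_PWD keeps the
    # password out of the process list, unlike -p<password> on the command line.
    MYSQL_PWD=$(wp_config_value "$config" DB_PASSWORD) \
        mysqldump --single-transaction -h "$db_host" -u "$db_user" "$db_name" > "$raw"
    gzip -f "$raw"        # replaces $raw with $raw.gz
    echo "$raw.gz"
}

# Archive the whole install to <dest>/files-<stamp>.tar.gz and print that path.
# <dest> must be outside <wp_root>, or tar will try to archive its own output.
backup_files() {
    local wp_root=$1 dest=$2 stamp=$3
    local out="$dest/files-$stamp.tar.gz"
    tar -czf "$out" -C "$(dirname "$wp_root")" "$(basename "$wp_root")"
    echo "$out"
}

# Full backup with one shared timestamp so the two halves can be matched up.
backup_wordpress() {
    local wp_root=$1 dest=$2 stamp
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    backup_database "$wp_root" "$dest" "$stamp"
    backup_files "$wp_root" "$dest" "$stamp"
}

# Stand-alone use (e.g. from cron): ./wp-backup.sh /path/to/wordpress /path/to/backups
if [ $# -eq 2 ]; then
    backup_wordpress "$1" "$2"
fi
```

Copy the resulting files off the server as well; a backup that lives only on the machine that just got hacked is not much of a backup.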

7. Do not use simple passwords for your WordPress blog. We have all done it at one time or another, but passwords like 123456 and abcdef are not a good idea at all! Be creative and build long passwords that mix numbers, letters and symbols such as #, @, ! and %.

Try a password generator if need be:
http://www.pctools.com/guides/password/

8. One security tip that is rarely followed is to delete the default admin user account and create your own administrator account instead. With the default account an attacker already knows the username (admin) and its user ID, both of which are fixed when WordPress is installed, so only your password stands between them and your blog.

  1. Create a new administrator account in the Users section.
  2. Log out of the default admin account.
  3. Log in as the new user.
  4. Delete the old admin account from the user list.
  5. When WordPress asks what to do with the old account's content, attribute all posts, pages and links to the new user account rather than deleting them.

9. A security exploit has been found in some themes circulating on the internet. One way to check whether your theme is affected is to search for the following line of code in your theme's search.php:


This exploit allows your entire server to be searched.

Use this code instead:

<?php bloginfo('home'); ?>

10. WordPress allows unlimited login attempts, which gives an attacker the chance to brute-force your password by simply trying again and again. I recommend the Limit Login Attempts plugin, which locks out an IP address after a set number of failed logins.
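You can see whether anyone is actually hammering your login page by reading the web server's access log. A failed WordPress login re-renders the form (HTTP 200), while a successful one redirects to the dashboard (HTTP 302), so counting 200 responses to POST /wp-login.php per client address and minute picks out the brute-forcers. This is an added example, not code from the original post or the plugin: it uses awk over Apache combined-format log lines, and the sample lines below are constructed for illustration (TEST-NET addresses).

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Flags IP addresses with
# too many failed wp-login.php attempts in a single minute, from an Apache
# combined-format access log read on stdin.

# Constructed sample log (not real traffic): one address fails five times in
# a minute, a legitimate user mistypes once and then logs in (302).
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2008:13:55:01 -0700] "GET /wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2008:13:55:02 -0700] "POST /wp-login.php HTTP/1.1" 200 1620 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2008:13:55:03 -0700] "POST /wp-login.php HTTP/1.1" 200 1620 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2008:13:55:04 -0700] "POST /wp-login.php HTTP/1.1" 200 1620 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2008:13:55:05 -0700] "POST /wp-login.php HTTP/1.1" 200 1620 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2008:13:55:06 -0700] "POST /wp-login.php HTTP/1.1" 200 1620 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2008:13:56:10 -0700] "POST /wp-login.php HTTP/1.1" 200 1620 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2008:13:56:25 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Usage: failed_logins_per_minute THRESHOLD < access.log
# Prints "count ip dd/Mon/yyyy:HH:MM" for every (ip, minute) at or above THRESHOLD.
failed_logins_per_minute() {
    awk -v thr="$1" '
        # Combined log fields: $1 client IP, $4 "[dd/Mon/yyyy:HH:MM:SS", $6 method
        # (with the opening quote), $7 path, $9 status. Only POSTs that came back
        # 200 count: a successful login is a 302 redirect, not a 200.
        $6 == "\"POST" && $7 ~ /\/wp-login\.php/ && $9 == 200 {
            minute = substr($4, 2, 17)          # drop "[" and the seconds
            fails[$1 SUBSEP minute]++
        }
        END {
            for (k in fails) if (fails[k] >= thr) {
                split(k, part, SUBSEP)
                print fails[k], part[1], part[2]
            }
        }' | sort -rn
}

# Just the offending addresses, one per line, e.g. to feed a firewall deny list.
brute_force_ips() {
    failed_logins_per_minute "$1" | awk '{ print $2 }' | sort -u
}

# Stand-alone demo on the sample; on a real host:
#   failed_logins_per_minute 5 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | failed_logins_per_minute 5
```

The plugin does this kind of counting inside WordPress and blocks the address for you; the log check is useful before you install it, to see whether you are already being targeted, and afterwards, to confirm the lockouts are working.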

Well, that's it for our WordPress security guide. I hope some of these tweaks help protect you from the evil people on the internet!