Security is a very important, but often overlooked aspect of blogging.
There are many tools and plugins that can be integrated into your WordPress blog that can help harden and secure it from hackers and spammers.
This guide on WordPress security will hopefully add an extra layer or two in helping to secure your online asset – your blog.
Brad Williams: WordPress Security – Word Camp Montreal 2009
WordPress is an open source publishing platform, which means its source code is freely available for anyone to see, use, modify.. or exploit.
Often developers of worms and viruses take advantage of the older, more vulnerable WordPress versions as they are more susceptible to these kinds of malicious activity.
Every new WordPress release improves on its predecessor both in terms of functionality and security, so it is very important that your blog is running on the latest version of WordPress.
Backing up WordPress
Backup early.. backup often! It is as simple as that.
When did you last backup your blog?
How much would you lose if your web host’s hard drives permanently failed right now, and your blog was gone with it? Or you installed a new plugin or upgraded an existing one, which caused major conflicts resulting in data loss?
You get the picture.. your website is only as safe as its last backup.
I backup a fair bit and have made a habit out of it. It has certainly been a lifesaver on those rare occasions when I have needed to do a restore.
I personally do a full backup of my blog and database after every post I publish.. as well as any progress I make on a draft post I am working on.
I will also do a full site and database backup prior to installing a new plugin.. or even upgrading an existing plugin. That way if there are any conflicts I can always revert.
I recommend creating a backup folder on your hard drive, and underneath that creating a folder with the current WordPress version.. and just put your backups in each of these folders. Everytime a new WordPress release comes out, just add a new versioned folder and continue doing the same.
They don’t take up that much space and in time you can always do a cleanup and delete some of the older backups you have got.
Here is an example of how my backup folders are setup,
I think it is a good idea as well to take screenshots of any customized settings you have made to your blog such as your Permalink Settings,
I also take screenshots of all my active plugins as well as their version numbers.
This can come in handy if you need to restore your blog, you can easily identify the version of the plugin needed for the restore.. as a newer plugin version may not be compatible,
Taking screenshots of various plugin settings can also be very helpful if you’ve needed to delete a plugin and reinstall it,
Likewise with your backups, just create a plugins screenshots folder and put all your screenshots here.
As I already do regular full backups.. I tend to update my screenshots every month or so.
Exporting your Content
Exporting your WordPress data (posts, pages, comments, custom fields, categories, and tags) is sometimes necessary and useful. If you are moving to a new host or just want a backup of your blog, then exporting your blog is the answer.
In the Tools section click on Export,
If you select All Authors from the drop-down menu this will export all the posts, from all authors on your blog.
If your blog has more than one author, you can restrict the exports to a certain author, by selecting that particular person.
Next click on <Download export file>,
Click on <OK> to save the exported file,
As before, just put this exported file in your backups folder.
The wp-config.php file is the key to the WordPress database. It is where you set the database name, username, password and location. So it is a good idea to back this up as well.
Using your FTP client copy this file to your backup folder,
See also the Securing WP-Config.php section below
Changing the Default Admin User
When you started your blog right at the beginning, WordPress by default names the administrator account “admin“.
A lot of bloggers don’t bother to change this and just choose and strong password. It is a very good idea to change the admin account this to something different.
Hackers who want to gain access to your blog often employ brute-force attacks by using automated tools to guess passwords, by cycling through different combinations of letters, numbers and characters.. and if you leave this administrator account as admin, then they are 50% closer to gaining access.
To change this login to your WordPress blog as normal.
Under the Users section, click on Add New,
Fill out the details for adding a new user.
Make sure you choose a hard to guess username by using letters and numbers, and that it’s not similar to the one you publicly display on your blog . For example, the word “WordPress” could be turned into “wOrdpr3ss”.
I recommend choosing a really hard and long password as well.
If you are thinking ‘not another password to remember‘, then you should checkout my post LastPass Guide to Online Password Management which shows you how to manage all your online passwords and usernames by remembering only one master password. You can generate very strong random passwords with LastPass.
Also, make sure you select Administrator from the Role drop-down menu.. and when you are done click on <Add User>,
This new user has just been created.
Just double-check that the Nickname isn’t the same as the secret username you have just created. If it is change it,
Now logout of WordPress.
Log back in using your new username and password.
Under Users, click on Authors & Users,
You will see both users – admin and your newly created user.
Delete the admin user by clicking on Delete,
You now want to transfer all the posts that were authored using the admin account to your new account.
Select Attribute all posts and links to your new username.. then click <Confirm Deletion>,
Your new username is setup and the old default admin account has been deleted. And all posts and links have been transferred across to your new username.
According to the official
you can move the wp-config.php file to the directory above your WordPress install.
This means for a site installed in the root of your webs pace, you can store wp-config.php outside the web-root folder.
Note that wp-config.php can be stored ONE directory level above the WordPress (where wp-includes resides) installation.
Preventing Directory Listing
In many cases, the default WordPress installation allows hackers to use their web browser as a file browser to look through the contents of the folders on your server.
Often plugin and theme developers make mistakes in their code that allow unexpected access. This means that hackers can browse through your directories to potentially look for vulnerable files and attack your site.
There are a couple ways you can prevent directory listing.
Hiding Your Plugins
Type your blog’s URL into the address bar, followed by /wp-content/plugins/,
If a list of your plugins are displayed.. then you need to fix this asap,
If your plugins are visible by the people snooping around, then they could potentially exploit a known weakness in one of the plugins.
To prevent this, create either a blank index.html file or a blank index.php file, and upload it to the /wp-content/plugins/ directory.
Refresh the page and if you see either a blank page or a 404 (file not found) page then you are a lot safer than you were before.
Hiding Your Theme’s Files
Now type your blog’s URL into the address bar, followed by /wp-content/themes/,
Just like above, if your themes are visible, then you need to hide them by creating either a blank index.html file or a blank index.php file, and upload it to the /wp-content/themes/ directory.
Refresh the page and if you see either a blank page or a 404 (file not found) page then you can be assured that these folders are hidden from public view.
Editing Your .htaccess File to Prevent Directory Listing
The method I’ve just described by uploading a blank file into a directory doesn’t solve the problem of preventing directory listings of sub-folders (beneath).. not to mention all other folders.
It is just too cumbersome uploading a blank index.php file into every folder on your server.
The recommended way to prevent directory listing of all folders is it to edit your .htaccess file (in your WordPress root directory “/”), and insert the following at the bottom of the file,
# Prevents directory listing
To do this login to your webserver.. if you are using cPanel or an FTP client, make sure that you have Force showing hidden files enabled (so you can actually see the .htaccess file),
Now navigate to WordPress’ root directory, find the .htaccess file and edit it,
Add the two lines of code at the bottom of the file.. when you are done click on <Save> to save the changes,
This method now prevents directory listing of all your blogs directories.
Changing WordPress Database Prefix
By default all the tables in your WordPress database have a prefix of “wp_“.
It is advisable to change this as it will bring your blog’s security to a higher level. This prefix can be changed to any combination of letters, numbers and underscores.
David Potter has done a nice guide on Changing the WordPress Table Prefix.
WordPress Security Plugins
There are plenty of WordPress security plugins available, so please check that the plugin’s version is compatible with your WordPress version before installing!
Here is a list of some good plugins that help to harden your blog.
WP Security Scan
WP Security Scan is probably the most downloaded security plugin for WordPress.
It scans your WordPress installation for file/directory permissions security vulnerabilities and suggests corrective actions,
WP Security Scan also scans for general security vulnerabilities and lets you know of areas that can be further secured,
WP Security Scan also has a password tool and allows you to change database table prefix automatically.
Plagiarism and content theft is a serious problem for bloggers.
Often people will copy and paste content from your blog and re-publish it themselves without your permission and without referencing your work.
WP-CopyProtect is a simple plugin that allows you to,
- Disable right-click on your blog
- Disable text selection
It certainly isn’t an all encompassing solution. If someone really wants your content they could always get it from your source code or RSS feed, but it does the trick in deterring the average person trying to rip-off your posts.
I currently have text selection disabled on my blog and am quite happy with this plugin.
Secure WordPress helps to secure your WordPress installation and includes the following,
1. removes error-information on login-page
2. adds index.html to plugin-directory (virtual)
3. removes the wp-version, except in admin-area
4. removes Really Simple Discovery
5. removes Windows Live Writer
6. remove core update information for non-admins
7. remove plugin-update information for non-admins
8. remove theme-update information for non-admins (only WP 2.8 and higher)
9. Add string for use WP Scanner
WordPress scanner is a free online resource that blog administrators can use to provide a measure of their WordPress security level and comes bundled with the Secure WordPress plugin (see above).
To run wp-scanner add <!– wpscanner –> to your current WordPress template.. I added mine in the header.php file, before the closing body tag,
Once this code has been added, head to WPSCAN and scan your blog,
When the scan is finished you will be given a summary of the state of your blog and any security risks associated,
When you have finished don’t forget to go back and REMOVE <!–wpscanner–>, otherwise others will be able to also scan your blog!
Login Lockdown records the IP address and timestamp of every failed WordPress login attempt.
If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.
Lockdown times can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
WP-DBManager is a plugin that manages your WordPress database.
It allows you to optimize database, repair database, backup database, restore database, delete backup database , drop/empty tables and run selected queries.
It also allows you to schedule your backups and have them emailed to you,
I have configured mine so I get a scheduled email backup everyday,
This is quite a handy plugin as you can set it and forget it. That way you can be sure you always have an up-to-date backup of your blog’s database.
WordPress Security Resources
Security Related Codex Articles
- Changing File Permissions – WordPress Codex
- Editing wp-config.php – WordPress Codex
- Hardening WordPress – WordPress Codex
- How to Keep WordPress Secure – WordPress Blog
- htaccess for Subdirectories – WordPress Codex
50 Other WordPress Security Resources
- 5 WordPress Security Essentials – LGR
- 8 Security Tips and Guidelines for your WordPress Blog – Online Tech Tips
- 9 Best WordPress Security Plugins – Quick Online Tips
- 9 SEO Security Tips for WordPress – Ante zeta
- 10 Steps To Protect The Admin Area In WordPress – Smashing Magazine
- 10 WordPress Security Tips – Lost in Search
- 12 Essential Security Tips and Hacks for WordPress – Six Revisions
- 14 tips to wordpress practical security [How-to] – Rhulani Rabin
- 15 Plugins to Boost up your WordPress Security and a Special Tip! – Smart Bloggers
- 16 Excellent WordPress Security Plugins To Secure Your Blog – Tuazon
- 18 WordPress Security Plugins & Tips To Secure Your Blog – Make Use Of
- 20 WordPress Security Plug-ins And Tips To keep Hackers Away – Simple Thoughts
- 20+ Powerful WordPress Security Plugins and Some Tips and Tricks – Speck Boy
- Advanced WordPress Security Tips – Website In a Weekend
- Basic WordPress Security Tips – Lyle Ham
- Best practices against hacking – Google Webmaster Central Blog
- Current Events: Lazy Admins and WordPress Security – Monday by Noon
- Did your WordPress site get hacked? – Caoimhe
- Essential WordPress Security Tips – Is Your Blog Protected? – Tips and Tricks HQ
- Establishing A Sense Of Security On Your Blog – Steven Saunders
- How to secure WordPress – Site round
- Increasing your WordPress Security – Pixel Apes
- Interview with Deutsche Welle on WordPress Security – Mark on WordPress
- Protect Your Blog With a Solid Password – The Blog Herald
- Protecting the WordPress wp-admin folder – Reuben Yau
- Regarding WordPress and Security – Daring Fireball
- Top 5 WordPress Security Tips You Most Likely Don’t Follow – WP Tavern
- Top 10 ways to stop spam in WordPress – Cats who Code
- Top 21 WordPress Security Plugins for Hacker-Proof Blog – Binary Head
- Top Ten WordPress Security Tips – Moonlight Blog
- Triple “P” Of Total WordPress Security – How To Spotter
- WordPress Security – Netcom (PDF download)
- WordPress Security – WP Security
- WordPress Security Flaw: Reset Admin Password of Any Blog Without Confirmation! – Programmer Fish
- WordPress Security and How I’m Going to Take All Your Money – Techno sailor
- WordPress security: Hide login error messages – Blog Building
- WordPress security plugins – Insane Security
- WordPress Security Presentation – Brad Williams
- WordPress Security Prevention, Reactions, and Scares – Lorelle on WordPress
- WordPress Security Tip: Remove the Admin User – Daily Blogs Tips
- WordPress Security Tips – Dev shed
- WordPress Security Tips – Saki Blog
- WordPress Security Tips – Too Many Secrets
- WordPress Security Tips and Hacks – Nape
- WordPress Security Tips for non-geeks – You Are
- WordPress Security Tips — For the untrained – Tech Link blog
- WordPress Security Tips How to Keep WordPress Secure – Deals n Discounts
- WordPress Security Tips How to Secure a WordPress Installation – Suite 101
- WordPress Security Whitepaper – Blog security (PDF download)
- WordPress SEO: WordPress Security Why it Matters to SEO – Wolf Howl