WordPress Security

How horrible would it be if you woke up tomorrow and your blog was gone? All that hard work you have put into it, up in smoke. So I think we can agree that it is worth taking a few precautions to make our WordPress blogs as secure as possible. Here are some tips for achieving that.

Keep WordPress Current

Keep your WordPress installation up to date. From time to time people find security issues in WordPress. The WordPress developers fix these issues and release an update; once that update is out the flaw is public, so if you don't apply it you are running a known hole. WordPress can be a real pain to update, so the lazier among us tend to leave it for a while. If this sounds like you, consider the WordPress Automatic Upgrade plugin, which automates backing up and upgrading WordPress. Whichever way you update, take a backup first (see the next tip), because a failed upgrade is the other way to lose a blog.

Backup Your Posts and Comments

Create a folder on your PC and regularly save backups of your blog content there. It is easy enough to do: go to "Manage" in your WordPress dashboard, select "Export", then click "Download Export File" to save a copy of all your valuable posts, comments and categories. Name these export files with a date so you can tell them apart. Bear in mind that the export file holds your content only; it does not include your uploaded images, your theme, your plugins or your settings. For a backup you can actually rebuild the site from, also keep a copy of the database and of the wp-content folder.

Drop The Version String In Your Header.php File

Quick Online Tips explains how displaying the version of your WordPress installation can make you a target. If the version is left in the page, anyone can find out which WordPress release you run simply by viewing the source of your site, and if there is a known flaw in that release you are in trouble. This only stops the casual check, though: the version can often still be worked out from other places, such as the generator element in your feed or the readme.html that ships in the WordPress root. Keeping WordPress updated is the real protection; this tip just makes you harder to pick out.

To fix this, find the generator line in your theme's header.php and change:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

to:

<meta name="generator" content="WordPress" />
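The "view source" check above, as an added example that is not part of the original post. It scans a page body for the generator meta tag and reports the version it gives away, and it goes one step beyond the text by applying the same check to a feed's generator element, since fixing header.php alone leaves the feed talking. The HTML and feed snippets, and the version number 2.2.3 in them, are constructed for the demonstration.

```python
"""Check a page for a WordPress version disclosure.

Added example for this page, not code from the original post. It performs the
"view source" check the text describes on constructed input: the generator meta
tag as the default header.php emits it, the trimmed tag after the fix, and a
feed snippet. The version number 2.2.3 used in the samples is made up.
"""
import re
from typing import Optional

# <meta name="generator" content="WordPress 2.2.3" />  (default theme output)
# <meta name="generator" content="WordPress" />        (after the fix above)
# Curly quotes are tolerated because copy-pasted header.php edits often contain them.
_META_RE = re.compile(
    r'<meta[^>]*\bname=["\u201c]?generator["\u201d]?[^>]*\bcontent=["\u201c]?'
    r'WordPress(?:\s+(?P<ver>\d+(?:\.\d+)*))?',
    re.IGNORECASE,
)
# WordPress feeds carry the same information in a <generator> element.
_FEED_RE = re.compile(
    r'<generator>\s*https?://wordpress\.org/\?v=(?P<ver>\d+(?:\.\d+)*)\s*</generator>',
    re.IGNORECASE,
)


def wordpress_version_leak(body: str) -> Optional[str]:
    """Return the WordPress version a page or feed discloses, or None.

    A bare "WordPress" generator tag still tells a visitor which software runs
    the site, but it no longer lets them match the site to a version-specific
    flaw, so it is reported as no leak.
    """
    for pattern in (_META_RE, _FEED_RE):
        match = pattern.search(body)
        if match and match.group("ver"):
            return match.group("ver")
    return None


def leaky_sources(pages: dict) -> dict:
    """Map each fetched path to the version it leaks; only leaking paths are kept.

    `pages` maps a request path to its response body, so the check runs offline
    over captured responses; a real run would fetch "/", "/feed/" and so on.
    """
    report = {}
    for path, body in pages.items():
        version = wordpress_version_leak(body)
        if version:
            report[path] = version
    return report


# Constructed responses, standing in for what a browser's "view source" shows.
LEAKY_HTML = """<html><head><title>My Blog</title>
<meta name="generator" content="WordPress 2.2.3" /> <!-- leave this for stats -->
</head><body>hello</body></html>"""

FIXED_HTML = """<html><head><title>My Blog</title>
<meta name="generator" content="WordPress" />
</head><body>hello</body></html>"""

FEED_XML = """<?xml version="1.0"?><rss version="2.0"><channel>
<title>My Blog</title><generator>http://wordpress.org/?v=2.2.3</generator>
</channel></rss>"""

if __name__ == "__main__":
    print(wordpress_version_leak(LEAKY_HTML))   # 2.2.3
    print(wordpress_version_leak(FIXED_HTML))   # None
    # Fixing header.php alone still leaves the feed talking.
    print(leaky_sources({"/": FIXED_HTML, "/feed/": FEED_XML}))   # {'/feed/': '2.2.3'}
```

Run it against saved copies of your own front page and feed after making the header.php change; if the feed path still shows up in the report, the version is still public.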

Put A Blank index.html In /plugins/ Directory

In a default WordPress installation, anyone can open your plugins folder and see which plugins you have installed. This is a problem when one of those plugins has a known security issue. The default path is http://www.yourdomain.com/wp-content/plugins/

Type that address into your browser with your own domain and you will see the entire directory with all of your plugins listed. A method to hide this, described by Quick Online Tips (and originally by Matt Cutts at WordCamp 2007), is to place a blank file named index.html in the root of your plugins folder. The web server then serves that empty page instead of the listing. Note that this hides the list only: someone who already knows a plugin's folder name can still request http://www.yourdomain.com/wp-content/plugins/name-of-plugin/ directly and learn that it is installed, which is one more reason to keep plugins updated and to delete the ones you no longer use. If you control the web server configuration, turning directory listings off there (on Apache, the Options -Indexes directive) covers every folder at once rather than only the ones where you remembered to add an index.html.
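The plugins-folder check, as an added example that is not part of the original post. The first function parses the kind of auto-generated "Index of" page a web server returns when no index.html is present and returns the plugin folder names it reveals, which is exactly what the blank index.html hides; the second shows the caveat above, that a plugin folder requested by name still answers even when the listing is gone. The listing, the blank page, the plugin names and the status codes are all constructed for the demonstration.

```python
"""Tell a listable /wp-content/plugins/ directory from a hidden one.

Added example for this page, not code from the original post. It parses the
auto-generated "Index of" page a server sends when no index.html exists,
returning the plugin folder names it reveals, and returns nothing for the
blank page the fix above puts there. Both responses are constructed and the
plugin names are made up.
"""
import re

# Links in a server auto-index look like <a href="akismet/">akismet/</a>.
# Only sub-directories (trailing slash) are plugins; the sort links ("?C=N;O=D"),
# the parent-directory link ("/wp-content/") and plain files are skipped.
_LINK_RE = re.compile(r'<a\s+href="([^"?/][^"]*/)">', re.IGNORECASE)


def is_directory_listing(body: str) -> bool:
    """True if the body looks like a server-generated directory index."""
    return bool(re.search(r"<title>\s*Index of\s+/", body, re.IGNORECASE))


def plugins_from_listing(body: str) -> list:
    """Return plugin folder names exposed by a listing, or [] if it is not one."""
    if not is_directory_listing(body):
        return []
    names = []
    for href in _LINK_RE.findall(body):
        name = href.rstrip("/")
        if name and name not in names:
            names.append(name)
    return names


def plugins_confirmed_by_probe(status_by_path: dict) -> list:
    """Plugin folders that answer at all (200, 403, ...) confirm the plugin is
    installed even when the listing is hidden; only a 404 means it is absent.

    `status_by_path` maps a requested path to the HTTP status it returned.
    """
    found = []
    for path, status in status_by_path.items():
        match = re.search(r"/wp-content/plugins/([^/]+)/$", path)
        if match and status != 404:
            found.append(match.group(1))
    return found


# Constructed copy of what the browser shows for /wp-content/plugins/ with no index.html.
LISTING_HTML = """<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/wp-content/">Parent Directory</a>
<a href="akismet/">akismet/</a>
<a href="login-lockdown/">login-lockdown/</a>
<a href="hello.php">hello.php</a>
</pre></body></html>"""

# What the same request returns once a blank index.html is in place.
BLANK_HTML = ""

# Constructed status codes from requesting plugin folders by name after the fix.
PROBE_RESULTS = {
    "/wp-content/plugins/akismet/": 403,
    "/wp-content/plugins/login-lockdown/": 200,
    "/wp-content/plugins/wp-super-cache/": 404,
}

if __name__ == "__main__":
    print(plugins_from_listing(LISTING_HTML))        # ['akismet', 'login-lockdown']
    print(plugins_from_listing(BLANK_HTML))          # []
    print(plugins_confirmed_by_probe(PROBE_RESULTS))  # ['akismet', 'login-lockdown']
```

The second function is the point of the caveat: once the listing is blank, the folder names stop being free, but any name an attacker guesses or takes from a list of commonly installed plugins can still be confirmed one request at a time.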

Wp-admin Folder

Past versions of WordPress have had vulnerabilities in the wp-admin folder. So, for extra tight security, Reuben Yau gives a method to protect the WordPress wp-admin folder by restricting who can reach it by IP address. However, if the computer you access your blog from gets a dynamic IP address from your ISP, this will not work: the address changes and you lock yourself out of your own dashboard. It may be worth looking into if these sorts of security issues keep you up at night.

Login Lockdown Plugin

Login Lockdown is a plugin that counts how many times a visitor from the same IP address tries to log in within a short period. If they exceed a set number of failed attempts, Login Lockdown blocks logins from that address for a while. This stops the kind of attacker who simply keeps guessing usernames and passwords. It is not a substitute for a strong password: an attacker who spreads the guesses across many addresses, or who already has your password from somewhere else, is not slowed down by it.
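The behaviour the text attributes to Login Lockdown, written out as an added example that is not the plugin's own code. It keeps a per-address window of recent failures, locks the address once the limit is hit, and refuses logins from it, correct password or not, until the lockout expires; the thresholds (5 failures in 5 minutes, 1 hour lockout) and the log lines replayed at the end are made up for the demonstration.

```python
"""A login lockdown counter, an added example for this page (not the plugin's code).

It counts failed logins per source within a short window and, once the limit is
hit, refuses further logins from that source for a lockout period, the behaviour
the text attributes to the Login Lockdown plugin. The thresholds and the log
lines replayed at the bottom are constructed for the demonstration.
"""
from collections import defaultdict, deque


class LoginLockdown:
    def __init__(self, max_failures=5, window=300, lockout=3600):
        self.max_failures = max_failures     # failures allowed inside `window`
        self.window = window                 # seconds over which failures are counted
        self.lockout = lockout               # seconds a source stays locked out
        self._failures = defaultdict(deque)  # source -> timestamps of recent failures
        self._locked_until = {}              # source -> time the lockout expires

    def is_locked(self, source, now):
        until = self._locked_until.get(source)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[source]   # lockout expired; forget it
            return False
        return True

    def record_failure(self, source, now):
        """Register a failed login; returns True if this failure triggered a lockout."""
        recent = self._failures[source]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[source] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, source):
        self._failures.pop(source, None)     # a real login resets the counter


def replay(log_text, lockdown=None):
    """Run login events through the lockdown and return one decision per line.

    Each constructed log line is "<unix time> <client ip> <username> <FAIL|OK>".
    Decisions: "blocked" (source is locked, password not even checked),
    "fail" (wrong password, counted) or "ok" (logged in, counter reset).
    """
    lockdown = lockdown or LoginLockdown()
    decisions = []
    for line in log_text.strip().splitlines():
        ts, ip, _user, result = line.split()
        ts = int(ts)
        if lockdown.is_locked(ip, ts):
            decisions.append("blocked")
        elif result == "FAIL":
            lockdown.record_failure(ip, ts)
            decisions.append("fail")
        else:
            lockdown.record_success(ip)
            decisions.append("ok")
    return decisions


# Constructed sample: one address guessing the admin password, one normal user,
# and a final attempt from the guesser after the one-hour lockout has expired.
SAMPLE_LOG = """
1189654561 203.0.113.7 admin FAIL
1189654563 203.0.113.7 admin FAIL
1189654566 203.0.113.7 admin FAIL
1189654570 198.51.100.2 simon OK
1189654571 203.0.113.7 admin FAIL
1189654575 203.0.113.7 admin FAIL
1189654580 203.0.113.7 admin OK
1189658200 203.0.113.7 admin FAIL
"""

if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG.strip().splitlines(), replay(SAMPLE_LOG)):
        print(f"{decision:8} {line}")
```

The seventh line is the one to notice: the fifth failure locks 203.0.113.7, so the attempt that follows with the right password is refused without being checked, which is what makes guessing pointless. Keying the counter on the IP address is also what limits it: an attacker who rotates through proxies never reaches the limit, and several legitimate users behind one shared address can lock each other out.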

I hope this information has helped you to secure your Wordpress blog.

www.pingable.org

41 Responses to “How To Make Your Wordpress Blog Safer”

  1. MDB on September 13th, 2007 3:36 am

    Thanks for the information. Had never really thought about it myself, but have implemented the suggestions. Looks like you’ve got a few more interesting posts here as well. Will check them out.

  2. Brian Purkiss on September 13th, 2007 6:40 am

    I have thought about WP Security…
    But I didn’t think of all those - lol
    I’m going to have to work on those!
    Thanks for the heads up!

    P.S. - Because of your comment, I’m back!

  3. Simon on September 13th, 2007 6:45 am

    That’s great Brian, I am happy to have you back as a reader. You wouldn’t believe what a hit my feed count took in the days following that ProBlogger article. Maybe I need to place more focus on topics that aren’t blogging…i.e. more web design stuff to ensure I am not labelled as a blogger that blogs about blogging. Cheers for coming back though Brian :)

  4. Website Design on September 13th, 2007 7:37 am

    Nice post. I noticed the version string was killing me for a while. Once removed, a lot of spam actually ceased. It’s been a few months and I’m pleased with the results. Nice that you posted it as well.

  5. Simon on September 13th, 2007 7:47 am

    Ironically Akismet thought your comment was spam :)

  6. Simon on September 14th, 2007 6:33 am

    I have entered this article into a group writing project contest at: http://www.bluejar.com/how-to-group-writing-project/ - Check it out, there are still a few days left before the deadline, so there is plenty of time to write an article and enter.

  7. GnomeyNewt on September 15th, 2007 12:57 am

    Thanks for entering my project. Good advice you have shared here, I guess I should probably go update my WP :c). Also thanks for mentioning my group writing project, everybody has until next week on the 18th to enter.

  8. TenthOfMarch on September 18th, 2007 8:32 am

    This is a good list and thanks for the idea ;-)

  9. Madhur Kapoor on September 19th, 2007 9:26 am

    Great article Simon, this reminds me to update my WP and create a backup

  10. jayhan on September 22nd, 2007 2:35 am

    Thanks for the useful tips!

    One point above that I always do is “Backup Your Posts and Comments”. I export my content after I submit a new post.

    I shall try that Login Lockdown Plugin :)

  11. JoLynn Braley on September 23rd, 2007 7:55 pm

    Thanks for these tips! I use a plugin to backup and I update WP as soon as there is a new version, and I am implementing your other tips. Thanks again, this is a great addition to the writing project.

  12. Oscar on September 24th, 2007 1:42 pm

    Nice tips.

    Another useful thing is to create a good robots.txt file to avoid spiders indexing all directories.

  13. Steve Belt on September 25th, 2007 9:23 am

    Good check list of security vulnerabilities. I was particularly worried about my plug-ins directory, not having considered it before.

  14. Doug Steele on February 17th, 2008 7:55 pm

    Interesting. There are some good ideas presented here. I need to spend some time reading more about these topics.

  15. Dwayne Charrington on February 19th, 2008 6:50 am

    Thanks for the tips, I will surely put these to use on my blog. I’ve been getting a lot of traffic lately and would hate to compromise my website because of a few simple mistakes.

  16. Dan (future gadgets blog) on February 29th, 2008 8:43 am

    I like your blog theme. I want to use it on my blog.
    Can you please tell me from where I can download this theme?

    Many thanks

    ——————————————————————————–
    Dan owner of the future gadgets blog future gadgets and inventions

  17. Simon on February 29th, 2008 3:25 pm

    Dan, it is a custom made theme by Nathan Rice! His blog design package will cost you $600 - http://www.nathanrice.net/services/.

  18. Yaz Okulu on March 23rd, 2008 11:31 pm

    Does anyone know if there is any other information about this subject in other languages?

  19. Prosperity Writer on April 3rd, 2008 8:11 pm

    This is a great read! I’ve been doing a little research on how to make my WP blog more secure and this is certainly a big help!

  20. trademark registration on April 5th, 2008 4:57 pm

    Great post. I noticed the version string was killing me for a while. Once removed, a lot of spam actually ceased. It’s been a few months and I’m pleased with the results. Nice that you posted it as well. Thanks for that.

  21. Gaf on April 8th, 2008 4:54 am

    thanks very good.

  22. Make Money Online Blogging on May 1st, 2008 5:40 pm

    You should use a secure password as well. I suggest changing your password every month, and the password should not be anything contained in the English dictionary. A blank index file should be located in every folder, whether it has valuable information in it or not. Also it is important that your PHP and MySQL stay updated and secure. Check with your hosting company as many of them handle the upgrades for those. Also check your logs and look for repeated attempts. A repeated IP could mean an attacker, but they can use proxies so it will be a different IP every time. Look for attempts on weird port numbers against your server. Also look for attempts at weird directories or commands/files. Most sites get port scanned and scanned for vulnerabilities often. But if it is something that is occurring often (multiple days) then it may be a direct attack against you. If you feel it is a direct attack targeting you solely, then contact your web host. They should be able to check out your logs and they will evaluate. If they are nice, they may give you the IPs to add to your blacklist. If they don’t do that due to policy, then they may block them on their end. If the attempts continue, then notify them and you can pursue an investigation.

    I don’t recommend blacklisting any IPs yourself unless you are 100% positive it is an attack. You may end up banning one of your frequent viewers.

    I used to be at the opposite end of the computer. I won’t go into techno babble though.

    Shudogg Dot Com - Make Money Online Blogging

  23. Simon on May 1st, 2008 10:58 pm

    Thanks for the in depth input - Make Money Online Blogging - I will even leave your anchor text for your effort.

  24. SEO Marketing on May 7th, 2008 8:22 am

    I had a lot of changes done to blogs. I definitely figured out how to get rid of all spam. Great post

Trackbacks:

  1. How To Check What Plugins Other Bloggers Are Using? | TenthOfMarch.com
  2. “How-To” Group Writing Project: Final Entries List | bluejar.com - the webmasters guide to the galaxy
  3. Blue Jar Group Writing Project Review
  4. 3 Bloggers That Right Good And Should Win That There BlueJar Contest - Internet Marketing Sucks!
  5. Bluejar’s Group Writing Project : My picks
  6. BlueJar Contest: Voting My Favourites
  7. Blue Jar - How To - Group Writing Project : Pingable.org | Blogging & Design
  8. [2007.09.22] Miscellaneous Updates
  9. blueJAR.com “How To” Group Writing Contest - My Top Picks by Internet Marketing Mind
  10. » Why You MUST Write Better Headlines J-NE.WS: The “Social Viral Marketing” Weblog: Using Social Media to drive Viral Marketing
  11. Bluejar Group Writing Project: My Picks
  12. Bluejar Group Writing Project: My Picks - Contest Beat
  13. Roberta Ferguson » Blog Archive » BlueJar Group Writing Project - My picks
  14. The Fit Shack
  15. BlueJAR How To Group Writing Contest | Karol Krizka
  16. 150+ Tips and Tricks to Make Money Online | Anthony Jude Lawrence Dot Com
  17. Top 10 Security and Protection Plugins for Wordpress | Creation Robot
