12 Sep

How To Make Your WordPress Blog Safer

Written by Simon Ward. Posted in Wordpress and was last updated on

How horrible would it be if you woke up tomorrow and your blog was gone? All that hard work you have put into it, up in smoke. OK, so I think we can agree that it’s worth taking a few precautions to ensure our WordPress blogs are as secure as possible. Here are some tips for achieving this.

Keep WordPress Current

Keep your WordPress setup up to date. From time to time people find security issues in WordPress. These get addressed by the WordPress developers, who then release an update. If you don’t update, you may be vulnerable. WordPress can be a real pain to update, so the lazier amongst us tend to leave it for a bit. If this sounds like you, then maybe you should download the WordPress Automatic Upgrade plugin. It automates the process of backing up and upgrading WordPress.

Backup Your Posts and Comments

Create a folder on your PC and regularly create backups of your blog content. It’s easy enough to do: just go to “Manage” in your WordPress dashboard, select “Export”, then click “Download Export File” to save a copy of all your valuable posts, comments and categories. It’s a good idea to name these export files with a date.
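A backup you have never opened is only a guess. The following is an added Python example, not part of the original post: it reads a WordPress export file, counts the posts, comments and categories it actually holds, compares those counts with what the dashboard shows, and builds the dated filename the post recommends. The WXR element names and wp: namespace are assumed from the export format, and the sample export is constructed.

```python
"""
Verify a WordPress export (WXR) before relying on it as a backup.
Added example; the sample export below is constructed and the wp:
namespace URL is assumed from the WXR format.
"""
import xml.etree.ElementTree as ET
from datetime import date

NS = {"wp": "http://wordpress.org/export/1.2/"}   # assumed WXR namespace


def summarize_export(xml_text):
    """Return counts of posts, comments and categories, plus the newest post date."""
    root = ET.fromstring(xml_text)
    channel = root.find("channel")
    if channel is None:
        raise ValueError("not a WordPress export: no <channel> element")
    posts = comments = 0
    categories = set()
    newest = None
    for item in channel.findall("item"):
        if item.findtext("wp:post_type", namespaces=NS) != "post":
            continue   # pages, attachments and revisions are not counted as posts
        posts += 1
        comments += len(item.findall("wp:comment", NS))
        for cat in item.findall("category"):
            if cat.get("domain") == "category" and cat.text:
                categories.add(cat.text)
        post_date = item.findtext("wp:post_date", namespaces=NS)
        if post_date and (newest is None or post_date > newest):
            newest = post_date
    return {"posts": posts, "comments": comments,
            "categories": sorted(categories), "newest_post": newest}


def verify_export(xml_text, expected_posts, expected_comments):
    """Compare an export against the counts seen in the dashboard; list shortfalls."""
    summary = summarize_export(xml_text)
    problems = []
    if summary["posts"] < expected_posts:
        problems.append("export has %d posts, dashboard shows %d"
                        % (summary["posts"], expected_posts))
    if summary["comments"] < expected_comments:
        problems.append("export has %d comments, dashboard shows %d"
                        % (summary["comments"], expected_comments))
    return problems


def dated_filename(site, iso_date=None):
    """Name the export with a date, e.g. pingable-2007-09-12.xml (defaults to today)."""
    return "%s-%s.xml" % (site, iso_date or date.today().isoformat())


# Constructed two-post export, trimmed to the elements used above.
SAMPLE_WXR = """<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.2/">
<channel><title>Pingable</title>
<item><title>How To Make Your WordPress Blog Safer</title>
  <wp:post_type>post</wp:post_type><wp:post_date>2007-09-12 10:00:00</wp:post_date>
  <category domain="category" nicename="wordpress">Wordpress</category>
  <wp:comment><wp:comment_author>Brian</wp:comment_author></wp:comment>
  <wp:comment><wp:comment_author>Oscar</wp:comment_author></wp:comment>
</item>
<item><title>About</title><wp:post_type>page</wp:post_type></item>
<item><title>Older post</title>
  <wp:post_type>post</wp:post_type><wp:post_date>2007-08-01 09:00:00</wp:post_date>
  <category domain="category" nicename="web-design">Web Design</category>
</item>
</channel></rss>"""

if __name__ == "__main__":
    print(summarize_export(SAMPLE_WXR))
    print(verify_export(SAMPLE_WXR, expected_posts=2, expected_comments=5))
    print(dated_filename("pingable", "2007-09-12"))
```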

Drop The Version String In Your Header.php File

Quick Online Tips explains how displaying the version of your WordPress installation can leave you vulnerable. If the version is left viewable, anyone can easily figure out which version of WordPress you are running just by viewing the source of your site, and if there is a known flaw in that version you’re in trouble.

To fix this, change:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

to:

<meta name="generator" content="WordPress" />

Put A Blank index.html In /plugins/ Directory

In a default WordPress installation, anyone can access your WordPress plugin folder to see which plugins you have installed. This is a problem if certain plugins are known to have security issues. The default path is “http://www.yourdomain.com/wp-content/plugins/”.

If you type this address into your browser using your WordPress blog’s domain, you will see the entire directory with all of your plugins. A method to hide this, as described by Quick Online Tips (and originally by Matt Cutts at WordCamp 2007), is to place a blank file named index.html in the root of your plugin folder. People will no longer be able to list your plugin directory.
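Both of the leaks just described can be checked from your own site’s page source. The following is an added Python example, not code from the original post: it looks for a generator tag that still carries a version, and for a plugins URL that answers with a directory listing instead of a blank index page. The HTML samples are constructed stand-ins for the two fetched pages, and the listing heuristic (an “Index of” title or a “Parent Directory” entry alongside folder links) is my own assumption about what an autoindex page looks like.

```python
"""
Self-check for two leaks described in the post: a version-bearing
generator tag, and a browsable wp-content/plugins/ directory.
Added example; the sample HTML is constructed. A real run would
fetch the home page and the plugins URL and pass their bodies in.
"""
import re

# Matches a <meta name="generator" ...> tag in any attribute order.
GENERATOR_RE = re.compile(
    r'<meta\s+[^>]*name\s*=\s*["\']generator["\'][^>]*>', re.IGNORECASE)
CONTENT_RE = re.compile(r'content\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)
VERSION_RE = re.compile(r'WordPress\s+(\d+(?:\.\d+)+)', re.IGNORECASE)


def generator_version(html):
    """Return the WordPress version exposed by the generator tag, or None."""
    for tag in GENERATOR_RE.findall(html):
        m = CONTENT_RE.search(tag)
        if not m:
            continue
        v = VERSION_RE.search(m.group(1))
        if v:
            return v.group(1)
    return None


def is_directory_listing(html):
    """True if the body looks like an autoindex page rather than a blank index.html."""
    lowered = html.lower()
    if "<title>index of /" in lowered:
        return True
    # Fallback heuristic (assumed): a 'Parent Directory' entry plus folder links.
    links = re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, re.IGNORECASE)
    dirs = [l for l in links if l.endswith("/") and not l.startswith("http")]
    return "parent directory" in lowered and len(dirs) >= 2


def audit(home_html, plugins_html):
    """Summarise findings; an empty 'issues' list means both checks passed."""
    issues = []
    version = generator_version(home_html)
    if version:
        issues.append("generator tag exposes WordPress %s" % version)
    if is_directory_listing(plugins_html):
        issues.append("wp-content/plugins/ is browsable")
    return {"version": version, "issues": issues}


# Constructed samples standing in for the fetched pages.
LEAKY_HOME = '<html><head><meta name="generator" content="WordPress 2.2.3" /></head></html>'
FIXED_HOME = '<html><head><meta name="generator" content="WordPress" /></head></html>'
LISTING = """<html><head><title>Index of /wp-content/plugins</title></head><body>
<a href="/wp-content/">Parent Directory</a>
<a href="akismet/">akismet/</a>
<a href="login-lockdown/">login-lockdown/</a></body></html>"""
BLANK_INDEX = "<html><body></body></html>"

if __name__ == "__main__":
    print(audit(LEAKY_HOME, LISTING))
    print(audit(FIXED_HOME, BLANK_INDEX))
```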

Wp-admin Folder

Past versions of WordPress have had vulnerabilities in the wp-admin folder. So, for extra tight security, Reuben Yau gives a method to protect the WordPress wp-admin folder. However, if the computer you access your blog from has a dynamic IP address assigned by your ISP, this won’t work. It may be worth looking into if these sorts of security issues keep you up at night.

Login Lockdown Plugin

Login Lockdown is a plugin that monitors how many times a person tries to log in during a short period of time. If they exceed some key number, Login Lockdown will lock them out from logging in for some period of time. This will stop those who try to guess your usernames and passwords.
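The lockout logic described above, as an added example written for this post rather than the plugin’s own code: failures per client are counted inside a sliding time window, a client that passes the threshold is refused for a fixed period, and a successful login clears the count. The threshold, window and lockout length, and the event stream at the bottom, are assumed values.

```python
"""
Sliding-window login lockout of the kind Login Lockdown is described
as providing. Added example; the policy values and events are assumed.
"""
from collections import defaultdict, deque


class LoginLockdown:
    def __init__(self, max_failures=5, window=300, lockout=3600):
        self.max_failures = max_failures     # failures allowed inside the window
        self.window = window                 # seconds over which failures are counted
        self.lockout = lockout               # seconds a locked client stays locked
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time the lock expires

    def is_locked(self, ip, now):
        """True while a lock is in force; expired locks are cleared lazily."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed login; returns True if this failure triggered a lock."""
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, ip):
        """A successful login resets the failure count for that client."""
        self._failures.pop(ip, None)


def replay(events, policy):
    """Run (time, ip, outcome) events through the policy and return one decision each.
    Outcomes are 'fail' or 'ok'; decisions are 'blocked', 'locked', 'fail' or 'ok'."""
    decisions = []
    for t, ip, outcome in events:
        if policy.is_locked(ip, t):
            decisions.append("blocked")   # refused before any password check
            continue
        if outcome == "fail":
            decisions.append("locked" if policy.record_failure(ip, t) else "fail")
        else:
            policy.record_success(ip)
            decisions.append("ok")
    return decisions


# Constructed event stream: seconds since midnight, client address, login result.
EVENTS = [
    (0,    "203.0.113.5", "fail"),
    (10,   "203.0.113.5", "fail"),
    (20,   "203.0.113.5", "fail"),
    (30,   "203.0.113.5", "fail"),
    (40,   "203.0.113.5", "fail"),    # fifth failure within 40 s -> locked
    (50,   "203.0.113.5", "ok"),      # correct password, but the lock still holds
    (60,   "198.51.100.7", "fail"),   # a different client is unaffected
    (3700, "203.0.113.5", "ok"),      # lock has expired
]

if __name__ == "__main__":
    for event, decision in zip(EVENTS, replay(EVENTS, LoginLockdown())):
        print(event, "->", decision)
```

Failures spread more thinly than the window never trigger the lock, which is what keeps an ordinary forgetful user from locking themselves out.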

If you are stuck using a free hosted WordPress blog, you should consider blog hosting options; it’s not that expensive to host your own WordPress blog.

I hope this information has helped you to secure your WordPress blog.


Simon Ward

I created pingable back in 2007. Still loving blogging about Wordpress.

Comments (128)

  • September 13, 2007 at 3:36 am

    Thanks for the information. Had never really thought about it myself, but have implemented the suggestions. Looks like you’ve got a few more interesting posts here as well. Will check them out.

  • September 13, 2007 at 6:40 am

    I have thought about WP Security…
    But I didn’t think of all those – lol
    I’m going to have to work on those!
    Thanks for the heads up!

    P.S. – Because of your comment, I’m back!

  • September 13, 2007 at 6:45 am

    That’s great Brian, I am happy to have you back as a reader. You wouldn’t believe what a hit my feed count took in the days following that ProBlogger article. Maybe I need to place more focus on topics that aren’t blogging…i.e. more web design stuff to ensure I am not labelled as a blogger that blogs about blogging. Cheers for coming back though Brian :)

  • September 13, 2007 at 7:37 am

    Nice post. I noticed the version string was killing me for a while. Once removed, a lot of spam actually ceased. It’s been a few months and I’m pleased with the results. Nice that you posted it as well.

  • September 13, 2007 at 7:47 am

    Ironically Akismet thought your comment was spam :)

  • September 14, 2007 at 6:33 am

    I have entered this article into a group writing project contest at: http://www.bluejar.com/how-to-group-writing-project/ – Check it out, there are still a few days left before the deadline, so there is plenty of time to write an article and enter.

  • September 15, 2007 at 12:57 am

    Thanks for entering my project. Good advice you have shared here, I guess I should probably go update my WP :c). Also thanks for mentioning my group writing project, everybody has until next week on the 18th to enter.

  • September 18, 2007 at 8:32 am

    This is a good list and thanks for the idea ;-)

  • September 19, 2007 at 9:26 am

    Great article Simon, this reminds me to update my WP and create a backup.

  • September 22, 2007 at 2:35 am

    Thanks for the useful tips!

    One point above that I always did is “Backup Your Posts and Comments”. I export my content after I submit a new post.

    I shall try that Login Lockdown Plugin :)

  • September 23, 2007 at 7:55 pm

    Thanks for these tips! I use a plugin to backup and I update WP as soon as there is a new version, and I am implementing your other tips. Thanks again, this is a great addition to the writing project.

  • Oscar
    September 24, 2007 at 1:42 pm

    Nice tips.

    Another useful thing is to create a good robots.txt file to avoid spiders indexing all directories.

  • September 25, 2007 at 9:23 am

    Good check list of security vulnerabilities. I was particularly worried about my plug-ins directory, not having considered it before.

  • February 17, 2008 at 7:55 pm

    Interesting. There are some good ideas presented here. I need to spend some time reading more about these topics.

  • February 19, 2008 at 6:50 am

    Thanks for the tips, I will surely put these to use on my blog. I’ve been getting a lot of traffic lately and would hate to compromise my website because of a few simple mistakes.

  • February 29, 2008 at 8:43 am

    I like your blog theme. I want to use it on my blog.
    Can you please tell me from where I can download these theme?

    Many thanks

    ——————————————————————————–
    Dan owner of the future gadgets blog future gadgets and inventions

  • February 29, 2008 at 3:25 pm

    Dan, it is a custom made theme by Nathan Rice! His blog design package will cost you $600 – http://www.nathanrice.net/services/.

  • March 23, 2008 at 11:31 pm

    Does anyone know if there is any other information about this subject in other languages?

  • April 3, 2008 at 8:11 pm

    This is a great read! I’ve been doing a little research on how to make my WP blog more secure and this is certainly a big help!

  • April 5, 2008 at 4:57 pm

    Great post. I noticed the version string was killing me for a while. Once removed, a lot of spam actually ceased. It’s been a few months and I’m pleased with the results. Nice that you posted it as well. Thanks for that.

  • Gaf
    April 8, 2008 at 4:54 am

    Thanks, very good.

  • May 1, 2008 at 5:40 pm

    You should use a secure password as well. I suggest changing your password every month, and the password should not be anything contained in the English dictionary. A blank index file should be located in every folder, whether it has valuable information in it or not. Also it is important that your PHP and MySQL stay updated and secure. Check with your hosting company as many of them handle the upgrades for those. Also check your logs and look for repeated attempts. A repeated IP could mean an attacker, but they can use proxies so it will be a different IP every time. Look for attempts on weird port numbers against your server. Also look for attempts at weird directories or commands/files. Most sites get port scanned and scanned for vulnerabilities often. But if it is something that is occurring often (multiple days) then it may be a direct attack against you. If you feel it is a direct attack targeting you solely, then contact your web host. They should be able to check out your logs and they will evaluate. If they are nice, they may give you the IPs to add to your blacklist. If they don’t do that due to policy, then they may block them on their end. If the attempts continue, then notify them and you can pursue an investigation.

    I don’t recommend blacklisting any IPs yourself unless you are 100% positive it is an attack. You may end up banning one of your frequent viewers.

    I used to be at the opposite end of the computer. I won’t go into techno babble though.

    Shudogg Dot Com – Make Money Online Blogging

  • May 1, 2008 at 10:58 pm

    Thanks for the in depth input – Make Money Online Blogging – I will even leave your anchor text for your effort.

  • May 7, 2008 at 8:22 am

    I had a lot of changes done to my blogs. I definitely figured out how to get rid of all spam. Great post.

  • Gary Olson
    May 31, 2008 at 8:21 am

    Great Job Here…I enjoyed it..! Gary

  • July 13, 2008 at 12:56 am

    Once again this is an excellent tip. It’s really important to secure WordPress or upgrade to the new version.

  • Daniel Lew Internet Marketing
    July 23, 2008 at 10:39 pm

    I would never have known. Very good security and backup information and something I didn’t prepare myself for. Thanks for putting this together.

  • David
    August 3, 2008 at 4:06 pm

    I need to change my password. I’m going to use more symbols and numbers.

  • justin
    August 7, 2008 at 1:20 am

    Thanks for the great tips. I just went and did some of them now. I wasn’t aware of the Export feature until now. It is much easier than backing up the MySQL DB.

  • August 24, 2008 at 4:07 am

    That really bugs me…Thanks for the great tips. Good for my WP blog, but I am still worried about a Blogger blog. Unfortunately I am hosted on Blogger’s server, worked hard on its marketing, and now when I want to take a backup of posts and comments there are no options except template backup.

  • September 5, 2008 at 12:51 am

    yeah, backup my posts and comments asap!

  • September 16, 2008 at 8:18 am

    I try to keep my wordpress folder updated as much as possible. This makes it easier to make sure that my blog is protected. Unfortunately it is difficult to do this sometimes and time consuming.

  • Kevin
    September 24, 2008 at 6:49 am

    The blank index and version string are 2 great ideas anyone should do to make their blog safer. Some great ways to protect your WordPress blog; I bookmarked this post.

  • September 29, 2008 at 2:55 pm

    I must admit I am one of those lazy people that tends to keep putting off backups and updating WordPress, but this article has given me a well needed kick up the backside. I have just downloaded the automatic upgrade plugin so will no longer have any excuses.

  • October 18, 2008 at 11:26 am

    Backing up using MySQL DB is much harder than using the export feature.

  • October 24, 2008 at 4:32 pm

    It’s true, I had never thought of that, but obviously it is necessary to take precautions, because there are a lot of people on the internet with bad intentions.

  • November 6, 2008 at 2:34 pm

    I think the first thing everyone should do, no matter what site they have, is have a backup of all their work. I can not tell you how many times people wish they did this.

    Great post, some good tips on making WordPress safer.

  • November 10, 2008 at 11:08 am

    Just a quick note to say thanks for the link to the automatic WordPress upgrade plugin. I have used it across all my WordPress sites and it’s a real time saver. Would highly recommend it to everyone.

  • November 18, 2008 at 7:29 am

    I didn’t even know something like this exists. I usually have to spend an entire day upgrading all my sites, and WP has gone through the last few versions in such a short time.

    Thanks for the link, I will definitely have more time using this.

  • Brian
    December 30, 2008 at 2:26 pm

    I wish we had a login lockdown feature for basic website server accounts. I have had a couple of my websites hacked. I know, I should have a stronger password, so they can’t get in.

    I also like the idea of loading an index.html file into your plugins directory. This can keep the nosey ones out.

  • December 30, 2008 at 9:05 am

    I never even thought about backing up comments. That is a good point I forgot about. I also like to make sure I have images and anything else saved in case I have any problems.

  • January 2, 2009 at 3:14 pm

    Keeping things current and backing up your data is always a good idea no matter what you’re trying to do. Good information there, thanks!

  • January 6, 2009 at 1:38 pm

    Great tips. I did not know you could do some of the things you said to protect your wordpress blog. I never heard of the blank index and will try it.

  • January 7, 2009 at 1:33 pm

    My account has been hacked a few times. I have tried all of these, unfortunately it is not helping very much.

  • January 11, 2009 at 8:09 am

    I just did the version string one on one site. Never thought about that one before, thanks.

  • February 25, 2009 at 11:15 am

    One more thing: make sure to change your password if someone ever gets into your email. They will send the password to the email and take over the blog.

  • March 2, 2009 at 8:37 pm

    I think the backup is one of the most important ways to keep a blog safe. If you do not have a backup and something happens, you have to start all over again.

  • March 6, 2009 at 5:16 am

    Helpful tips. I wasn’t much worried about security until lately. My sites were recently attacked and that made me pay more attention to security.

  • May 5, 2009 at 12:31 pm

    Good post. Some great tips on keeping a WordPress blog safe. Maybe do one for Blogger blogs also, I know there are a lot of them around too.

  • May 11, 2009 at 6:26 pm

    Thanks for the great post again.

    I agree with you that frequent updates are actually a big pain for everyone. But as far as security is concerned it should not be taken lightly. If one day you lose all your posts and data, it can not be recovered if you don’t have a backup of it.

  • May 28, 2009 at 11:40 am

    Thanks, I just started making a new blog and it is my first WordPress blog. I never knew some of the tips and how to make sure it is safe. Some very good ideas, I will try them myself.

  • June 9, 2009 at 3:54 am

    I just knew about putting an index page in the plugins directory,
    these are some really useful tricks,
    and the Login Lockdown plugin is really good for security.

  • June 12, 2009 at 11:07 am

    I’m so bad at not backing up my blog. I really should do it. Does the lockdown thing work with all blogs? Or is it just WordPress? I presume it’s all… But I’m not brilliant with technology!

  • June 12, 2009 at 8:08 pm

    Good post, I did not know that the blog could be taken over or have problems like this. I have to try some of your ideas; I just started making my first WordPress blog and have not finished it yet.

  • June 14, 2009 at 11:52 pm

    I actually had this happen – had my blog up and leave me. Turned out to be hard drive failure on the part of my provider (backups? hah!), so I lost a lot of work.
    That’s why I now back up religiously. And, of course, I changed providers!

  • AskTheCoders
    June 18, 2009 at 5:50 am

    Hmm. I didn’t realize that security was a problem for bloggers. Uh oh. I just started blogging fairly recently, so I’m hoping it isn’t something I need to worry about.

    Exactly what sort of security problems do bloggers normally have?

  • June 29, 2009 at 10:21 am

    Thanks, those are some great ideas to make a WordPress blog safe. Some of them I did not know and will make sure to use when I make a new blog with WordPress.

  • July 8, 2009 at 10:48 am

    Some very good tips. I have both a WordPress and a Blogger blog. Had one problem with Blogger but tech worked it out. Did not know WordPress had some problems like this; I have to try the techniques you listed to make it safer.

  • July 9, 2009 at 10:58 am

    With so many hacks and viruses out there, especially in the blogosphere, this stuff becomes quite useful, so thanks.

  • October 12, 2009 at 7:29 am

    Great advice. This is good practice for anything done over the internet. I compare it to buying insurance. Don’t take chances and get caught without any.

  • December 27, 2009 at 7:28 pm

    Updating WordPress to the new version when it comes out is a must.
    Hiding your version info, which shows in the source page, is a good thing which I found out a few months ago.

    But putting a blank index in the plugin folder, that’s a new idea for me. The point is there and I thought about this some time ago but never got around to it.

    Thanks for listing them together.

  • January 13, 2010 at 6:22 pm

    Now, this is superb information every WP user SHOULD know and follow!

  • Dustin
    April 19, 2010 at 11:05 pm

    Thanks for this great post. I had heard of a few of these including the logical ones of keeping your WP up to date and such, but hadn’t heard of dropping the version string in your Header.php file. I’ll have to go back and make sure to do that on all of my sites right away. Thanks for the tip!

  • June 10, 2010 at 12:11 am

    I especially like your tip on Put A Blank index.html In /plugins/ Directory…I never would’ve thought about that myself in that some of the plugins that are installed aren’t safe. You’ve opened my eyes on how to make WordPress more secure. Thank you.

  • Joey
    August 18, 2010 at 2:28 am

    Great tips. Backing up is just not enough since backups can also get corrupted easily. It’s still best that you try to do all the suggestions to keep everything safe.

  • March 26, 2012 at 4:06 pm

    I always update my WordPress. One more thing I will do is not use admin as the username; I will create my own username and use a complex password.

  • May 16, 2012 at 1:36 am

    Apart from checking your WP security settings and backing up files, I think it is also necessary to look over your plugins.

  • June 16, 2012 at 3:46 pm

    To keep your wordpress secure just use free service from wpsafer.com.

    We will do other things :)
