Tag Archives: Security

Useful Security Modifications for WordPress

WordPress is pretty secure, especially when compared to other content management systems.  We’ve put together this handy infographic on WordPress security issues.  This post is an update with some tweaks and plugins that can help tighten security on your WordPress site and (hopefully) keep it from being compromised.

1. Keep WordPress Updated!

This is not a hack or a plugin, just common sense.  The WordPress team treats security fixes as the top priority of every release; everything else comes second.  So updating WordPress with every stable release is critical, and the same goes for your plugins and themes, which carry vulnerabilities of their own and are not patched by a core update.

2. Deny Access to wp-content directories

Plugins, themes and uploads all live under wp-content, and an attacker who manages to drop a PHP file in there (through an unrestricted upload form, say) can execute it simply by requesting it.  Lock the directory down by adding an .htaccess file within wp-content that refuses everything except the static file types a browser actually needs.  Add any other asset types your site serves (svg, woff, pdf uploads) to the list, and click through the site afterwards: a plugin that exposes its own PHP endpoint directly under wp-content will stop working.  In the file, include:

# Apache 2.2 access-control syntax (Apache 2.4 needs mod_access_compat for it).
# Refuse every request into wp-content except the listed static asset types.
# The dot must be escaped, otherwise "." matches any character.
Order deny,allow
Deny from all
<FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</FilesMatch>

3. Remove the WordPress version from your meta description

This will make it slightly harder for people to work out which known vulnerabilities your site may have from the version of WordPress you are using.  Of course, since you followed tip #1, you have the latest version.  Bear in mind that the meta tag is not the only place the version shows up: WordPress also appends it as a ?ver= query string to core scripts and stylesheets, prints it in the RSS and Atom feeds, and ships it in readme.html in the web root, so removing it from the theme header alone does not hide it.

4. Change your database prefix

The default prefix is wp_ but you can choose anything during install.  Changing it is a trickier process after install: every table has to be renamed, the rows that embed the prefix in their names (the wp_user_roles option, and the wp_capabilities and wp_user_level keys in usermeta) have to be updated as well, and $table_prefix in wp-config.php must match.  A custom prefix only blunts canned SQL injection scripts that hard-code the wp_ table names; it does nothing against an attacker who can already read your schema, so treat it as a minor layer, not a fix.  If you’ve already installed WordPress, and you most likely already have, check out this comprehensive tutorial on changing the wp_ database prefix over at WPBeginner.

5. Prevent all directory browsing

The WordPress file structure is so well known that it can be predicted and browsed, and a directory listing tells an attacker exactly which plugins and themes (and, via their readme files, which versions) you are running.  Add this to your .htaccess file.  Use -Indexes on its own rather than "Options All -Indexes": "All" would also switch on options such as Includes and ExecCGI that you did not ask for.  If your host does not allow the Options directive in .htaccess, Apache answers every request with a 500 error, so test immediately after saving.

# directory browsing: disable automatic directory listings
Options -Indexes

6. Deny access to the wp-admin directory

You need access to this directory, but nobody else does, with one exception: plugins call wp-admin/admin-ajax.php from the public front end, so that file must stay reachable or those features break for every visitor.  Limit who can access the rest of the directory based on IP.  If you have a dynamic IP, this is not a permanent fix (you lock yourself out when your address changes).  Note also that wp-login.php lives in the site root, not in wp-admin, so this rule does not stop login attempts by itself.  Remember to always back up your .htaccess file before making any changes!

Order deny,allow
Allow from [enter your ip]
Deny from all
<Files admin-ajax.php>
Allow from all
</Files>

7. Password protect the wp-admin directory

As an alternative, or complementary step, you can password protect this directory through your hosting control panel.  If using cPanel, under the “security” category, choose “password protect directories” and follow the instructions from there.  This adds an HTTP Basic Auth prompt in front of the dashboard, works from any IP, and keeps the password file (.htpasswd) outside the web root.  The same admin-ajax.php exception applies: leave that file open, or front-end features that depend on it will prompt visitors for a password.
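Putting sections 2, 5, 6 and 7 together, this is what those rules look like on Apache 2.4, whose Require-based access control replaced the Order/Deny/Allow directives shown above.  This is an added example, not code from the original post or from WordPress: the IP addresses, the realm name and the /var/www/.htpasswd path are placeholders you must replace, and it assumes AllowOverride permits AuthConfig, Limit and Options in .htaccess.

```apache
# --- wp-content/.htaccess ---------------------------------------------------
# Default-deny: in a stock install no PHP under wp-content is requested
# directly by a browser, so only static asset types are served. Add any
# other extension your site serves, or those requests get a 403.
Options -Indexes
Require all denied
<FilesMatch "\.(xml|css|jpe?g|png|gif|webp|svg|ico|js|woff2?|ttf|eot)$">
    Require all granted
</FilesMatch>

# --- wp-content/uploads/.htaccess -------------------------------------------
# Uploads hold user-supplied files (images, PDFs, ...), so serve everything
# here EXCEPT anything the server would execute as PHP. A deeper .htaccess
# replaces the parent directory's Require rules for this directory.
Require all granted
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>

# --- wp-admin/.htaccess -----------------------------------------------------
# Plugins call admin-ajax.php (and often admin-post.php) from the public
# front end without a logged-in user; blocking them breaks those features.
<FilesMatch "^admin-(ajax|post)\.php$">
    Require all granted
</FilesMatch>

# Everything else in wp-admin: allow the listed addresses OR a valid
# HTTP Basic Auth user. Use <RequireAll> instead to demand both.
AuthType Basic
AuthName "WordPress admin"
# Placeholder path: keep the password file outside the web root and
# create it with:  htpasswd -B -c /var/www/.htpasswd alice
AuthUserFile /var/www/.htpasswd
<RequireAny>
    Require ip 203.0.113.5
    Require ip 2001:db8::/32
    Require valid-user
</RequireAny>
```

Remember that wp-login.php and xmlrpc.php sit in the site root, so none of this throttles password guessing; that is what sections 9 and 10 are for.  After saving each file, load the front page, a post with comments enabled and the dashboard, and watch the error log: a 500 on every request means your host does not permit one of these directives in .htaccess.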

8. Change your admin username

The default used to be admin (since WordPress 3.0 the installer lets you pick a name).  For obvious reasons, it is more secure to set a new username and password.  Choose something nobody would guess (not like mydomainadmin), but do not rely on the username staying secret: /?author=1 redirects to the first user’s archive page, and the REST API lists authors at /wp-json/wp/v2/users, so treat the username as public.  What actually protects the account is a super-secure, randomly generated password, plus two-factor authentication if your host or a plugin offers it.

9. Prevent brute force attacks

Install the Login Security Solution WordPress plugin (compatible with WordPress 3.3 and above).  This plugin has a number of features that make it more difficult (but not impossible) to brute-force a WordPress login.  Most notably, the plugin slows down the login response time when it looks like someone is repeatedly trying to log in.  It also adds a great deal of features related to password quality, including an option to require a new password every xx days.  Nice.

10. Move the wp-admin directory altogether

The easiest way to do this is with the Better WP Security plugin (since renamed iThemes Security).  This plugin comes with all sorts of other security related features, but it also lets you quickly change the login URL.  Why change it?  Two main reasons.  First, people can navigate to yourdomain.com/wp-login.php and get instant verification that you’re using WordPress.  And, because of #8, they may even have your username.  If you didn’t set up a strong password, you’ve essentially invited someone to break in.  The plugin also changes the wp-admin and other dashboard links so someone with basic WordPress knowledge can’t stroll right in.  Keep in mind that this is obscurity: it cuts down on automated noise, but the site is still recognisable as WordPress from the /wp-content/ and /wp-includes/ paths in its page source, so it is no substitute for strong passwords and login lockouts.

What have you done to protect your site?  Let us know in the comments or send us a message through our Facebook page.

How To Make Your WordPress Blog Safer

How horrible would it be if you woke up tomorrow and your blog was gone?  All that hard work you have put into it up in smoke.  OK, so I think we can agree that it’s worth taking a few precautions to ensure our WordPress blogs are as secure as possible.  Here are some tips on how to go about achieving this.

Keep WordPress Current

Keep your WordPress setup up to date.  From time to time people find security issues in WordPress.  These issues get addressed by the developers of WordPress, who then release an update.  If you don’t update, you stay vulnerable to bugs that are now public.  WordPress used to be a real pain to update, so the lazier amongst us tended to leave it for a bit.  If this sounds like you then maybe you should download the WordPress Automatic Upgrade Plugin, which automates the process of backing up and upgrading WordPress.  (Since WordPress 2.7 the dashboard can update core with one click, and since 3.7 minor security releases install themselves in the background; on a current install, make sure that has not been switched off with WP_AUTO_UPDATE_CORE or AUTOMATIC_UPDATER_DISABLED in wp-config.php.)

Backup Your Posts and Comments

Create a folder on your PC and regularly create backups of your blog content.  It’s easy enough to do: go to “Manage” in your WordPress dashboard (“Tools” in current versions), select “Export”, then click “Download Export File” to save a copy of all your valuable posts, comments and categories.  It’s a good idea to name these export files with a date.  Note that the export file contains content only, not your media files, plugins, theme or settings; to be able to rebuild the site after a compromise you also need a database dump and a copy of the wp-content directory.

Drop The Version String In Your Header.php File

Quick Online Tips explains how displaying the version of your WordPress installation can leave you vulnerable.  If the version is left viewable, anyone can figure out which version of WordPress you are using just by viewing the source of your site, and if there is a known flaw in that version you’re in trouble.  Note that in current WordPress the tag is not written in header.php at all: wp_head() injects it through the wp_generator action, so the edit below only applies to a theme that hard-codes it, and otherwise the fix is to remove that action with remove_action('wp_head', 'wp_generator') in a plugin or functions.php.

To fix this, change:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

To:

<meta name="generator" content="WordPress" />
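Both section 3 of the first post and this section want the version hidden, and on a current WordPress the header.php edit above is not enough: wp_head() injects the generator tag itself, and the version also appears in the feeds and as a ?ver= query string on core scripts and styles.  The following must-use plugin is an added example, not code from either post or from WordPress; the file and function names are mine, and it assumes you can write to wp-content/mu-plugins/ (files there load automatically, with no activation step).

```php
<?php
/**
 * Plugin Name: Hide WordPress version (example)
 * Save as wp-content/mu-plugins/hide-wp-version.php (hypothetical file name).
 */

// wp_head() prints <meta name="generator"> via the wp_generator action; drop it.
remove_action( 'wp_head', 'wp_generator' );

// The same string is emitted in RSS/Atom/RDF feeds through the the_generator filter.
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Core appends ?ver=<WordPress version> to every enqueued script and style that
 * does not declare a version of its own. Strip only that value: plugin and theme
 * assets keep their own ?ver=, which browsers need for cache busting after updates.
 *
 * @param string $src Asset URL as built by WP_Scripts / WP_Styles.
 * @return string     URL without the core-version query argument.
 */
function example_hide_core_version_in_asset_url( $src ) {
    if ( ! is_string( $src ) || '' === $src ) {
        return $src;
    }
    $parts = wp_parse_url( $src );
    if ( empty( $parts['query'] ) ) {
        return $src;
    }
    parse_str( $parts['query'], $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
// Late priority so it runs after any plugin that rewrites asset URLs.
add_filter( 'script_loader_src', 'example_hide_core_version_in_asset_url', 9999 );
add_filter( 'style_loader_src', 'example_hide_core_version_in_asset_url', 9999 );
```

Verify with curl or the browser's view-source on the front page and on /feed/: no generator element, and core assets such as wp-includes/js/jquery/jquery.min.js without a ?ver= that matches your version.  readme.html in the web root states the version too, and no PHP hook can hide a static file, so delete it (or deny it in .htaccess) after every upgrade.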

Put A Blank index.html In /plugins/ Directory

In older WordPress installations, anyone could access your WordPress plugin folder to see which plugins you have installed.  This is a problem if certain plugins are known to have security issues.  The default path is “http://www.yourdomain.com/wp-content/plugins/”

If you type this address in your browser using your WordPress blog’s domain, and the server allows directory listings, you will see the entire directory with all of your plugins.  The method to hide this described by Quick Online Tips (and originally by Matt Cutts at WordCamp 2007) is to place a blank file named index.html in the root of your plugin folder, so people can no longer view your plugin directory.  Current WordPress ships an empty index.php in wp-content, wp-content/plugins and wp-content/themes for exactly this reason, and disabling listings server-wide (Options -Indexes in .htaccess) covers every directory at once.  Either way, this only hides the listing: a plugin’s readme.txt is still fetchable by its well-known path, so scanners can still confirm which plugins and versions are installed.

Wp-admin Folder

Past versions of WordPress have had vulnerabilities in files under the wp-admin folder.  So for extra tight security Reuben Yau gives a method to protect the WordPress wp-admin folder by restricting it to your own IP address.  However, if the computer you access your blog from has a dynamic IP address assigned by your ISP this won’t work, because you lock yourself out every time the address changes; and whatever rule you use must leave wp-admin/admin-ajax.php reachable, since plugins call it from the public site.  Note that wp-login.php is outside wp-admin, so this does not stop password guessing on its own.  It may be worth looking into if these sorts of security issues keep you up at night.

Login Lockdown Plugin

Login Lockdown is a plugin that monitors how many times a person tries to log in during a short period of time.  If they exceed a set number, Login Lockdown will block that IP address from logging in for some period of time.  This will stop those who try to guess your usernames and passwords from one machine; an attacker spreading attempts across many IP addresses can still get through, so a lockout complements a strong password rather than replacing it.  Attackers also brute-force through xmlrpc.php, which accepts credentials without touching wp-login.php, so make sure whatever lockout you use counts those failures as well, or disable XML-RPC if nothing you use needs it.
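Section 9 of the first post and the Login Lockdown paragraph above describe the same mechanism: count failed logins per client and refuse further attempts for a while.  Here is that mechanism as a small must-use plugin, an added example rather than code from either post or from the Login Lockdown or Login Security Solution plugins.  The thresholds, the file name and all example_-prefixed names are mine; it assumes wp-content/mu-plugins/ is writable and that REMOTE_ADDR is the real client address (behind a reverse proxy you control, derive the key from the proxy’s header instead, but never from a header an attacker can set, or the lockout is trivially evaded).

```php
<?php
/**
 * Plugin Name: Minimal login lockout (example)
 * Save as wp-content/mu-plugins/login-lockout.php (hypothetical file name).
 *
 * State lives in transients (object cache if present, otherwise the options
 * table), so it works on a single host without any extra tables.
 */

define( 'EXAMPLE_LOCKOUT_MAX_FAILURES', 5 );                          // failures allowed ...
define( 'EXAMPLE_LOCKOUT_WINDOW',       15 * MINUTE_IN_SECONDS );     // ... within this window
define( 'EXAMPLE_LOCKOUT_DURATION',     30 * MINUTE_IN_SECONDS );     // then block for this long

/** Transient key for the requesting client (IP is hashed to keep the key short). */
function example_lockout_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'example_lockout_' . md5( $ip );
}

/** Current state for this client, or a fresh record. */
function example_lockout_state() {
    $data = get_transient( example_lockout_client_key() );
    if ( ! is_array( $data ) ) {
        $data = array( 'failures' => 0, 'locked_until' => 0 );
    }
    return $data;
}

/**
 * wp_login_failed fires for wp-login.php, XML-RPC and cookie/REST logins alike,
 * so all of them count toward the same limit.
 */
function example_lockout_record_failure( $username ) {
    $key  = example_lockout_client_key();
    $data = example_lockout_state();
    if ( $data['locked_until'] > time() ) {
        return; // already locked; the rejection below produced this failure
    }
    $data['failures']++;
    if ( $data['failures'] >= EXAMPLE_LOCKOUT_MAX_FAILURES ) {
        $data['locked_until'] = time() + EXAMPLE_LOCKOUT_DURATION;
        $data['failures']     = 0;
        set_transient( $key, $data, EXAMPLE_LOCKOUT_DURATION );
    } else {
        set_transient( $key, $data, EXAMPLE_LOCKOUT_WINDOW );
    }
}
add_action( 'wp_login_failed', 'example_lockout_record_failure' );

/**
 * Reject authentication while locked. Priority 30 runs AFTER core's
 * username/password check at 20, so even correct credentials are refused
 * during a lockout; an earlier priority would be overridden by core.
 */
function example_lockout_check( $user, $username, $password ) {
    $data = example_lockout_state();
    if ( $data['locked_until'] > time() ) {
        $minutes = (int) ceil( ( $data['locked_until'] - time() ) / MINUTE_IN_SECONDS );
        return new WP_Error(
            'example_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minute(s).', $minutes )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_lockout_check', 30, 3 );

/** A successful login clears the counter for that client. */
function example_lockout_clear() {
    delete_transient( example_lockout_client_key() );
}
add_action( 'wp_login', 'example_lockout_clear' );

// Optional: refuse XML-RPC methods that require authentication, closing the
// system.multicall route that lets one request carry hundreds of guesses.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Test it by entering a wrong password six times from one machine: the sixth attempt, and any correct login from that address for the next 30 minutes, should show the lockout message, while a login from a different address still works.  The per-IP key is the deliberate weak spot to keep in mind: a distributed attack spreads attempts across addresses and never trips it, which is why a strong password and two-factor authentication remain the real defence.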

If you are stuck using a free hosted WordPress blog you should consider blog hosting options; it’s not that expensive to host your own WordPress blog.

I hope this information has helped you to secure your WordPress blog.

www.pingable.org