Recently I was concered to know how secure my website is. I wasn’t so sure about if anything I can do to make it more secure beside updating to the last version of the Wordpress, so I researched a bit on the subject and soon found out that not only it is far from being secure but it has the potensial to become a playground for harckers. So here is the results. Below are some security tips that can easily be implemented on a WordPress blog:
Choose a good and reliable host. It is so important because you are only as secure as your host.
2- Host on a machine with Linux/Unix operating system
That is important too because as opposed to WIndows which you have access to any place unless explicitly restricted, it just does not let any unauthorised access.
3- Stay up-to-date
Everything plugin/widget, themes, and Wordpress versions should be updated. That is one of the most important too. If you stay behind, after sometime hackers learn how to find the seurity holes.
4- Remove any version info
A large number of WordPress theme include the WordPress version info in the meta tag. Hackers can easily plan attack targeting the security vulnerability for that version. This tag is in the header.php file that displays your current version of wordpress.
<meta name=”generator” content=”WordPress <?php bloginfo(’version’); ?>” />
5- Change your login name
The default username is admin. Do not use it. make it more difficult for the hacker to crack your login credential by changing the login name. In your WordPress dashboard, go to Users and set up a new user account. Give this new user administrator role.
Log out and log in again with the new user account. Go to Users again. This time, check the box beside admin and press Delete. When it asks for deletion confirmation, select the “Attribute all posts and links to:” and select your new username from the dropdown bar. This will transfer all the posts to your new user account. Press Confirm Deletion.
6- Stop brute force attack
Hackers can easily crack your login password and credential using brute force attack. To prevent that from happening, you can install the login lockdown plugin. This plugin records the IP address and timestamp of every failed WordPress login attempt. Once a certain number of failed attempts are detected, it will disable the login function for all requests from that range.
7- Use a strong password
Make sure you use a strong password that is difficult for others to guess. Use a combination of digits, special characters and upper/lower case to form your password. And try to change it regularly. Of course, who done that !?
8- Directories should not be left open for public browsing
There is a potential problem letting people know what plugins you have, or what versions they are. If there is some known exploit that is linked to a plugin, it could be easy enough for someone to use it to their advantage. just add this line in your .htaccess file in your root:
Options All -Indexes
9-Hide your plugins folder
If you go to your http://yourwebsite.com/wp-content/plugins, you can see a list of plugins that you are using for your blog. You can easily hide this page by uploading an empty index.html to the plugin directory.
10- Protect your wp-admin folder
Attackers can use bots for a brute force style of attack that simply guesses the admin password until they come up with the correct one and login. There are a couple of solutions:
Limit access to wp-folder by IP address: This solution is to restrict which IP’s can access the wp-admin folder via .htaccess. This has one drawback is you may have to update your .htaccess folder if your internet provider assigns you a dynamic IP address, you move to another location or you have authors at other locations. Create a file and name it .htaccess with the content below:
deny from all
allow from 888.888.888.888
change 888.888.888.888 to your ip and any other ip that you want to grant access and then put the file inside the wp-folder. note: for some reason you must give the permission to this file to be read by world. or you will have problem to access to wp-folder from your browser.
11- Nobody should be able to to search your entire site
WPdesigner advices not to use this search code in the search.php
<?php echo $_SERVER ['PHP_SELF']; ?>
Block WP- folders from being indexed by search engines, the best way to block them in your robots.txt file. Add the following line to your list:
12- Protect your wp-config.php file
this is the best trick that I have seen. Create a separate PHP file in a non-WWW accessible location and use the WP-Config to include that file. Say for example that your web include path for your server was /home/yourname/public_html/. You can actually save a file in the /home/yourname/ area and it won’t be web accessible. Meaning that even if somebody were able to read your wp-config, they wouldn’t get anything valuable. Here are the steps: Move the original wp-config.php file to a non-WWW readable location. Normally this should be the directory one level above the “public_html” or “www”. you can also change the name to whatever you like. Then modify the “wp-config.php” file to include the file. If somebody were to somehow read the contents of my WP-Config, all they would see is this:
define ('WPLANG', '');
13- Take regular backup of your site and database
You always have to take regular backups of your file directories as well as the database. WordPress Database Backup plugin creates backups of your core WordPress tables as well as other tables of your choice in the same database.
14- Use SSH/Shell Access instead of FTP
It is one of the best tips i found here.If someone gets a hold of your FTP login information (which is usually not encrypted and easy to get), they can manipulate your files and add spam to your site without you even knowing about it! Using SSH, everything is encrypted including the transfer of files, etc.
15-Encrypt your login
Whenever you try to login to your website, your password is sent unencrypted. If you are on a public network, hacker can easily ‘sniff’ out your login credential using network sniffer. The best way is to encrypt your login with the Chap Secure Login plugin. This plugin adds a random hash to your password and authenticate your login with the CHAP protocol.
16- Do a regular security scan
Install the wp-security-scan plugin and perform a regular scan of your blog setting for any security loopholes. This plugin can also help you to change your database prefix from wp_ to a custom prefix.
17- Change the prefix of your WordPress table in the database file
here is a good guide to how to do that in 6 steps.