8 Security Tips and Guidelines for your WordPress Blog

Posted on September 21, 2007 at 2:27 pm

Here are a few WordPress security tips I’ve learned over time. After reading a couple of horror stories about blogs being hacked, maimed and mutilated by crazy Russians or vindictive competitors, I decided it would be a good idea to implement some security practices for my WordPress blog. After going through a bunch of sites and fixing things on my own blog, I thought it would be good to share these items with all of the other WordPress users out there.

Implementing these security measures is especially important for anyone who is currently making, or trying to make, money off their blog. Once your blog is hacked or spammed without you knowing about it, you’ll be dropped from the search engines, and it’s not easy getting back in. Remember, even with all the security measures, it’s essential to have a backup of your blog. The plugin I use is WordPress Database Backup. If you don’t have it installed, install it now! Seriously.

Tips to help protect yourself from WordPress security issues:

  1. Upgrade WordPress - This is probably the first thing you should do! If you’re not running the most up-to-date version, you’re asking for trouble. Currently, it’s 2.2.3, but soon it will be version 2.3. You may as well wait till the 24th and install the newest version. There have been a few releases recently that were just security fixes (SQL injection, etc.). It may seem like a pain in the butt, and sometimes it can be, but upgrading is really not that bad. I held off upgrading from version 2.0 to 2.2 for a few months because I was scared something was going to go wrong and everything would get deleted. Finally, I mustered the energy, went through their instructions step by step, and it was fine! After you upgrade WordPress once, it’s not all that bad!
  2. Change default passwords - Are you still logging into your wp-admin page with the same default password that was emailed to you? If so, CHANGE IT! That password is only 6 characters and just numbers and letters. My grandmother could probably crack it after a few weeks. Make it complex, and more than 10 characters if you can. Also, try not to use words; make it a nice jumble of letters, numbers, and symbols. While you’re at it, log into your hosting company’s site and change the password there for your account login and any control panel logins, like cPanel, etc.
  3. Use SSH/shell access instead of FTP - This one is a big one! It’s not as easy to implement as the other two, but it’s probably the best tip out of all the ones I list here. If someone gets hold of your FTP login information (which is usually sent unencrypted and is easy to get), they can manipulate your files and add spam to your site without you even knowing about it! Just read this story! It’s actually best to disable FTP altogether if you can. With SSH, everything is encrypted, including file transfers.
  4. Install the LoginLock plugin - This is a really cool plugin that automatically blocks an IP address from trying to log into your WordPress admin area after a certain number of failed attempts. LoginLock prevents bots from continuously trying different combinations to crack your account. This is very similar to how Windows account lockout works if you’re in a domain environment. The default lockout time is 1 hour.
  5. Create a blank index.html file in your /plugins/ directory - By default, your WordPress plugins folder is completely visible to anyone who goes to http://www.domainname.com/wp-content/plugins. Create a blank document in your favorite editor, save it as index.html, and upload it to the plugins directory. Now when you try to access that URL, you only get a blank page. This stops hackers from listing your plugins and then looking for a security hole in one of them.
  6. Block access to the wp-admin folder using .htaccess - There is an article written by Reuben that explains how to protect your WordPress admin folder by allowing access to it only from a defined set of IP addresses. Everything else will get a Forbidden error message. So if you only access your blog from one or two places routinely, it’s worth implementing. Note that you’re supposed to create a new .htaccess file inside your wp-admin folder, not replace the one at the root of your blog.
  7. Remove the version string from your header.php file - Of course, if you’re running version 2.0 while the current release is 2.3, AND your blog explicitly states on every page that it’s at 2.0, it’s not going to be very hard for someone to find your vulnerable blog and attack it. The line looks like this: <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
  8. Block wp- folders from the search engines - There is no need to have all of your WordPress files indexed by Google, so it’s best to block them in your robots.txt file. Add the following line to your list: Disallow: /wp-*
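Tip 4 describes a lockout: after a certain number of failed attempts an address is blocked, and the block expires after an hour. The script below is an added example written for this post, not LoginLock's own code, that reduces that rule to three shell functions with file-backed state so the behaviour can be exercised and inspected. The state directory, the threshold of five attempts and the sample addresses are assumptions chosen for illustration; the one-hour lockout is the default the post attributes to LoginLock.

```shell
#!/bin/sh
# Added example (not LoginLock's code): per-IP failed-login lockout as in tip 4.
# State lives in one small file per address so it can be inspected or cleared
# by hand.  Setting NOW (seconds since the epoch) replays a timeline in tests.

LOCK_STATE="${LOCK_STATE:-/tmp/wp-lockout-example}"   # assumed state directory
MAX_ATTEMPTS="${MAX_ATTEMPTS:-5}"                       # assumed threshold
LOCKOUT_SECONDS=3600                                    # 1 hour, per the post

now() { echo "${NOW:-$(date +%s)}"; }

# One state file per address holding "<failure count> <timestamp>".  The
# timestamp is the first failure of the current window, or, once the count
# reaches MAX_ATTEMPTS, the moment the lock engaged.
state_file() { echo "$LOCK_STATE/$(printf '%s' "$1" | tr -c 'A-Za-z0-9.' '_')"; }

# Is address $1 locked out right now?  Exit status 0 means locked.
is_locked() {
    f=$(state_file "$1")
    [ -f "$f" ] || return 1
    read -r count stamp < "$f"
    [ "$count" -ge "$MAX_ATTEMPTS" ] && [ $(( $(now) - stamp )) -lt "$LOCKOUT_SECONDS" ]
}

# Record a failed login from address $1.  Exit status 0 means the address is
# still allowed to try again; 1 means it is (now) locked out.
record_failure() {
    mkdir -p "$LOCK_STATE"
    f=$(state_file "$1")
    t=$(now)
    count=0; stamp=$t
    [ -f "$f" ] && read -r count stamp < "$f"
    if [ "$count" -ge "$MAX_ATTEMPTS" ]; then
        # Already locked: still inside the hour, or the lock has expired -> reset.
        [ $(( t - stamp )) -lt "$LOCKOUT_SECONDS" ] && return 1
        count=0; stamp=$t
    elif [ $(( t - stamp )) -ge "$LOCKOUT_SECONDS" ]; then
        # Counting window (also one hour here) has elapsed: start over.
        count=0; stamp=$t
    fi
    count=$((count + 1))
    if [ "$count" -ge "$MAX_ATTEMPTS" ]; then
        stamp=$t            # lock starts now and lasts LOCKOUT_SECONDS
    fi
    echo "$count $stamp" > "$f"
    [ "$count" -lt "$MAX_ATTEMPTS" ]
}

# A successful login from an unlocked address clears its counter.
record_success() { rm -f "$(state_file "$1")"; }

# Demo: run with "--demo" to watch a constructed address get locked out.
if [ "${1:-}" = "--demo" ]; then
    LOCK_STATE=$(mktemp -d)
    for i in 1 2 3 4 5 6; do
        if record_failure 203.0.113.9; then
            echo "attempt $i from 203.0.113.9: failed, still allowed"
        else
            echo "attempt $i from 203.0.113.9: locked out"
        fi
    done
    rm -rf "$LOCK_STATE"
fi
```

The counter is keyed on the client address, so several people behind one NAT share a lock, and a proxy in front of the blog must be configured to pass the real client address or every visitor will look the same. The state directory should be writable only by the web server's user; anything that can edit those files can lift a lock.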
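Tips 5 through 8 are all edits to files under the blog's document root, so they can be applied together from a shell on the host (which is where tip 3 puts you). The script below is an added example written for this post, not code from the post or from WordPress; it takes the install root and the allowed addresses as arguments and then verifies that every measure landed. The theme path wp-content/themes/default, the Apache 2.2 Order/Deny/Allow syntax for the wp-admin .htaccess, and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): apply tips 5-8 to a WordPress install.
# Usage: sh harden-wp.sh /path/to/blog 203.0.113.5 [more allowed IPs...]

harden_wp() {
    root="$1"
    shift
    allowed_ips="$*"            # e.g. "203.0.113.5 198.51.100.0/24" (constructed)

    # Sanity check: refuse to touch a directory that is not a WordPress root.
    if [ ! -d "$root/wp-admin" ] || [ ! -d "$root/wp-content" ]; then
        echo "harden_wp: $root does not look like a WordPress install" >&2
        return 1
    fi

    # Tip 5: an empty index.html stops the server from listing wp-content/plugins.
    # It hides the listing only; a plugin file whose name is already known can
    # still be requested directly, so keep plugins updated as well.
    mkdir -p "$root/wp-content/plugins"
    : > "$root/wp-content/plugins/index.html"

    # Tip 6: a NEW .htaccess inside wp-admin (the root .htaccess is left alone)
    # that denies everyone except the listed addresses.  Apache 2.2 syntax,
    # which is what hosts ran when the post was written (assumption).
    {
        echo "Order Deny,Allow"
        echo "Deny from all"
        for ip in $allowed_ips; do
            echo "Allow from $ip"
        done
    } > "$root/wp-admin/.htaccess"

    # Tip 7: strip the generator <meta> line that advertises the version.
    header="$root/wp-content/themes/default/header.php"   # assumed theme path
    if [ -f "$header" ]; then
        grep -v 'name="generator"' "$header" > "$header.tmp" || :
        mv "$header.tmp" "$header"
    fi

    # Tip 8: keep the wp-* directories out of search engine indexes,
    # without duplicating the line if the script is run again.
    robots="$root/robots.txt"
    if ! grep -qs '^User-agent:' "$robots"; then
        echo "User-agent: *" >> "$robots"
    fi
    if ! grep -qs '^Disallow: /wp-\*' "$robots"; then
        echo "Disallow: /wp-*" >> "$robots"
    fi
}

# Verification: exit status 0 only when all four measures are in place.
check_hardened() {
    root="$1"
    [ -f "$root/wp-content/plugins/index.html" ] &&
    grep -q '^Deny from all' "$root/wp-admin/.htaccess" &&
    ! grep -qs 'name="generator"' "$root/wp-content/themes/default/header.php" &&
    grep -q '^Disallow: /wp-\*' "$root/robots.txt"
}

if [ "$#" -ge 2 ]; then
    harden_wp "$@" && check_hardened "$1" && echo "hardened: $1"
fi
```

Two things worth knowing before relying on this. The wp-admin allowlist does not cover wp-login.php, which sits at the site root, so the lockout from tip 4 still matters even with tip 6 in place. And on WordPress releases later than the ones this post targets the generator tag is printed by wp_head() rather than written into header.php, so the grep above finds nothing; there the equivalent is remove_action('wp_head', 'wp_generator') in the theme's functions.php.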

Got any more tips you want to add? Drop a comment! Thanks!



» Filed Under Blogging


15 Responses to “8 Security Tips and Guidelines for your WordPress Blog”

  1. Jon Phillips said on :

    Great tip. Most of the time it’s not the software that poses the biggest security threat, it’s the user. People want to make passwords that are easy to remember, but when you have blog software that is widely used as Wordpress is, it doesn’t take a 1337 H@x0r to compromise it.


  2. Siddharth said on :

    Really nice article, thx for this


  3. Frank H M said on :

    Great tips. I will make sure to implement these ASAP before I start blogging for real.


  4. Intecekneef said on :

    Hi
    Good site
    came on this wonderful site
    Very all is simple and with taste.


    Pingbacks
  1. Hey Wordpress Blogger, I Can See Your Plugins! Says:

    [...] who also told me about this issue. More tips on Wordpress security are available via Online Tech Tips). A very nice implementation of this solution can be seen at [...]

  2. Great articles that should be read | My lucky number 13 Says:

    [...] 8 Security Tips and Guidelines for your WordPress Blog - Aseem Kishore [...]

  3. 2 Kali di-Hack dalam Satu Hari | iLm@N's Blog Says:

    [...] and apply the WordPress security tips like the ones that can be seen here, or google [...]

  4. Wordpress Security Tips and Hacks Says:

    [...] is one of the best tips i found here. If someone gets a hold of your FTP login information (which is usually not encrypted and easy to [...]

  5. 10 Medidas de Segurança a Implementar no Seu Blog Wordpress | WordPress-PT Says:

    [...] great tip, explained here. Anyone who manages to access your FTP details (which are normally not encrypted) can manipulate [...]

  6. 10 medidas de segurança para o Wordpress Says:

    [...] great tip, explained here. Anyone who manages to access your FTP details (which are normally not encrypted) can manipulate [...]

  7. MB TechCenter - Desarrollo web, Tutoriales, Recursos y mas.. Says:

    [...] is one of the best tips i found here. If someone gets a hold of your FTP login information (which is usually not encrypted and easy to [...]

  8. 10 Medidas de Segurança para seu Blog Wordpress | Gulp - Desenvolvimento e diversão (youtube, orkut bloqueado, bbb7, videos, revistas gratis, camera escondida, sites bloqueados ...) Says:

    [...] great tip, explained here. Anyone who manages to access your FTP details (which are normally not encrypted) can manipulate [...]

  9. 10 medidas de segurança para seu blog em Wordpress TeclaF1 Says:

    [...] great tip, explained here. Anyone who manages to get access to your FTP (which is normally not encrypted) can manipulate [...]

  10. Security Tips and Guidelines for Your Wordpress Blog | Says:

    [...] install the newest version. There have been a few releases recently that were just security fixes (SQL Injection, etc). It may seem like a pain in the butt and sometimes it can be, but upgrading is really not [...]

  11. BlogLabs » Blog Archive » 10 Medidas de Segurança a Implementar no Seu Blog Wordpress Says:

    [...] great tip, explained here. Anyone who manages to access your FTP details (which are normally not encrypted) can [...]
