20Sep2009
Filed under: Tech Geekness
Author: Jennerosity
Inspired by the hack job that someone did on my WordPress blog, I decided to write a quick post about the things I’ve done so far, to ensure that my blog is relatively safe from future hacking attempts.
A few quick caveats about this info...
1. I’m not a professional blogger or computer person.
2. This information may be out of date by the time you are reading it. I’ve learned timeliness is very important when it comes to certain things like security and plug-in updates and such.
- Username. Ok, after you’ve gone in and set up the WordPress dashboard, you need to create another identity with administrative privileges and a unique username. Believe it or not, ‘admin’ isn’t very unique, and it happens to be the first username a hacker will try when they want to hack your site. After you’ve got another user set up, go and delete the original admin account. If the idea of deleting that admin account makes you a little uneasy, there’s a simple plug-in that will let you change the username of that account instead of creating a second one.
- Delete the ‘install.php’ file. Otherwise someone can simply type its address into the address bar and re-run the installer, erasing your blog and bringing it back to a clean-slate state.
- Passwords. Strong ones are important mmmmkay? If you need something a little more memorable than the randomly generated gobbledy-gook that WordPress gives you when you start, then I’d suggest you check out this lifehacker article on how to choose and remember great passwords. And this goes for more than just your standard sign-in for your blog. You should also have a secure password for your FTP access when you’re transferring files around and for your host control panel.
- Upgrade early & back up often. When new versions of WordPress or plug-ins become available, you really do need to upgrade as soon as possible. Upgrades often come out because someone has noticed an area that could be exploited and the developers have fixed it. Also, it’s important to be backing up your actual content so that if something does happen, you can restore it.
- SFTP. Unless you’ve got a host that’s doing all the setup for you, make sure you are using a Secure FTP client to transfer files across the internet; plain FTP sends your password and files unencrypted. I think this may have been how my blog was compromised.
- Restrict access to certain folders. Ok, so you’ve got a really tough password in order to sign in, but maybe you’re still a little paranoid. You can actually set up a second password prompt that pops up before you even reach the WordPress login screen. This involves tinkering with the files on your host, so you’ll need access to your Control Panel. In mine, one of the options is to select a folder and password-protect it. So, for the wp-admin folder, I set up a separate password. This article about hardening WordPress also goes into some .htaccess changes you can make to protect important folders.
- Database table prefix. This is kind of like an advanced version of changing your username from the default ‘admin.’ Most people leave the table prefix for their WordPress tables as the default ‘wp_’, which makes every table name predictable. If you’re setting up a new blog, try to pick something a little less obvious. If you’ve already set up your database, I believe that one of the plug-ins I mention below will actually go through and change it, if you’re brave enough to let it do its thing.
- Security Plugins. There are two that I will recommend here. First is the WP Security Scan plugin. This plugin will scan your WordPress blog and suggest ways to make it more secure. It looks for a few of the things I’ve mentioned above plus a few other things. The second is the Secure WordPress plugin. One of the things that I like about this one is that it does things like adding an index file to your plugin directory, so that people can’t browse a directory listing of your plugins folder and see what you have installed, which they might use to compromise your site.
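To tie the file-level items in this checklist together, here is a small read-only audit script (an added example, not from the original post or any of the plugins mentioned). It assumes the stock WordPress layout (wp-config.php in the blog root, the installer at wp-admin/install.php, plugins under wp-content/plugins) and that your host’s “password protect folder” option writes an `AuthType Basic` .htaccess into the protected folder; the usernames in the database are not checked.

```sh
#!/bin/sh
# Added example, not from the original post: a read-only audit of a
# WordPress install directory against the checklist above. Assumes the
# stock layout (wp-config.php in the root, installer at
# wp-admin/install.php, plugins under wp-content/plugins) and that the
# host's "password protect folder" option writes an "AuthType Basic"
# .htaccess into the protected folder. It changes nothing; it only
# prints one WARN line per finding and returns the number of findings.
wp_audit() {
  root="$1"
  findings=0

  # Leftover installer: anyone who can reach it can re-run the setup.
  if [ -f "$root/wp-admin/install.php" ]; then
    echo "WARN: wp-admin/install.php still present, delete it"
    findings=$((findings + 1))
  fi

  # Default table prefix makes every table name predictable.
  cfg="$root/wp-config.php"
  if [ ! -f "$cfg" ]; then
    echo "WARN: wp-config.php not found under $root"
    findings=$((findings + 1))
  elif grep -Eq "^\\\$table_prefix *= *['\"]wp_['\"]" "$cfg"; then
    echo "WARN: table prefix is the default 'wp_'"
    findings=$((findings + 1))
  fi

  # No index.php in the plugins folder: the web server may list the
  # directory and reveal which plugins (and versions) are installed.
  if [ ! -f "$root/wp-content/plugins/index.php" ]; then
    echo "WARN: wp-content/plugins has no index.php (directory listing)"
    findings=$((findings + 1))
  fi

  # No HTTP auth on wp-admin: only the WordPress login stands in the way.
  if ! grep -qs "AuthType Basic" "$root/wp-admin/.htaccess"; then
    echo "WARN: wp-admin has no extra password prompt (.htaccess)"
    findings=$((findings + 1))
  fi

  echo "$findings finding(s)"
  return "$findings"
}

# Usage: sh wp_audit.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then wp_audit "$1"; fi
```

The exit status is the number of findings, so `sh wp_audit.sh /path/to/blog && echo clean` works from a cron job or a deploy script.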
@kwilma2002
September 21st, 2009 at 3:32 am
Okay, it sucks that your blog got hacked, but the picture you've chosen for this post makes me giggle a lot :-)
ginabad
October 1st, 2009 at 1:59 am
Good stuff!! Sorry you had to go through a nasty hack to learn this stuff! Put most of it into effect already, will finish the rest another time. thanks!