There is no single foolproof method for securing a WordPress installation. You follow a set of best practices against the attacks that are known today, and accept that a new one can always appear tomorrow. You do what you can and keep a way to recover. The following is a quick guide to the precautions worth taking. Any of the details can be looked up, or found on the wp-security-scan page, if what I wrote sounds like a foreign language.
The easy way out:
- The first thing is to upgrade to the latest version of WordPress, 2.5 as of this writing. Most sites get hacked through bugs that were already fixed in a release the owner never installed.
- Two plugins are of some help. Bad Behavior inspects incoming HTTP requests and will repel most spambots.
- WP Security Scan will analyze your installation and report the security loopholes in your setup (file permissions, table prefix, version disclosure). Most of the advice that follows is covered by this plugin as well.
Common Sense:
- Never use your public email address or your WordPress author display name as a login name. Both are visible to every visitor, so an attacker who knows them only has the password left to guess.
- Use a separate email address for each account and keep track of them with a password manager such as Roboform.
- Make your passwords long, mix letters, digits and punctuation, and never reuse one across sites.
- Don’t use your real contact details for your domain registration; WHOIS data is public, and most registrars offer a privacy service.
- Don’t give out your passwords for any reason.
The nitty gritty:
- Add a blank index.html to your plugin directory so the web server can’t list its contents. A directory listing tells an attacker exactly which plugins, and which versions, you run.
- Add a .htaccess file that blocks your wp-admin directory from every address except your home computer. If your connection has a dynamic IP, you will lock yourself out when it changes, so keep FTP or shell access to edit the file.
- Make your public_html directory non-writable for the web server account (directories 755, files 644). Upgrades and plugin installs will then fail until you relax the permissions again, which is the price of the protection.
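The three steps above, as an added shell example that is not code from the original post or from the WP Security Scan plugin. It assumes Apache with the 2.2-era `Order`/`Deny`/`Allow` syntax (Apache 2.4 needs mod_access_compat or `Require ip` instead), takes the web root as the first argument and the one trusted IP address as the second, and every path in it is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post: applies the three
# "nitty gritty" steps to a WordPress tree. Assumptions: Apache honouring
# Order/Deny/Allow (2.2 syntax; mod_access_compat on 2.4), the web root in
# $1 and one trusted IP address in $2. All paths are hypothetical.
set -eu

# 1. Blank index.html in the plugin directory so a request for
#    /wp-content/plugins/ no longer lists which plugins (and versions) are
#    installed; Options -Indexes does the same for every subdirectory.
hide_plugin_listing() {
    dir="$1/wp-content/plugins"
    mkdir -p "$dir"
    : > "$dir/index.html"
    printf 'Options -Indexes\n' > "$dir/.htaccess"
}

# 2. Allow only one address into wp-admin; everyone else receives 403.
#    A dynamic home IP will lock you out when it changes, so keep
#    shell or FTP access to edit this file.
restrict_wp_admin() {
    dir="$1/wp-admin"
    allow_ip="$2"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<EOF
# Dashboard reachable only from $allow_ip (written by restrict_wp_admin)
Order deny,allow
Deny from all
Allow from $allow_ip
EOF
}

# 3. Make the tree non-writable for the web server account: directories 755,
#    files 644 (owner may write, everyone else may only read).
#    wp-config.php holds the database password, so it gets 640: owner and
#    the server's group can read it, other customers on a shared host cannot
#    (check with ls -l that the file's group is the web server's group).
#    Upgrades and plugin installs will fail to write until you relax this.
lock_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

harden_wp() {
    hide_plugin_listing "$1"
    restrict_wp_admin "$1" "$2"
    lock_permissions "$1"
}

# Octal mode of a path, e.g. 644 (GNU stat and BSD stat take different flags).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage (hypothetical): sh harden_wp.sh /var/www/public_html 203.0.113.7
if [ "${1:-}" ] && [ "${2:-}" ]; then
    harden_wp "$1" "$2"
fi
```

Run it once after an upgrade or plugin install as well, since those write new files with whatever mode the server process uses. Note that wp-admin restrictions by IP also block anything that talks to wp-admin from elsewhere, such as a desktop blogging client, so test from a second connection before you log out.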
Advanced stuff:
- Change the “wp_” prefix of your SQL tables to something else, so that canned SQL injection payloads aimed at wp_users and wp_options miss. The WP Security Scan plugin will do that for you. Note: the new prefix must also go into $table_prefix in wp-config.php, and the rows in the options and usermeta tables whose names carry the prefix (wp_user_roles, wp_capabilities) must be renamed too, or every account loses its role and nobody can log in. Take a backup first; it is a major pain on a huge database of 1000’s of posts.
- Block anonymous Tor access by fetching the latest list of exit nodes and IP-blocking them. The list changes daily, so this needs refreshing, and it also turns away legitimate Tor users.
Even Then: You can’t be certain there isn’t some undiscovered loophole. So make backups of both the files and the database on a regular basis, and download them: a backup that only lives on the hacked server can be deleted or altered along with everything else. If someone does hack your account, contact your hosting company; they will help you restore from a backup taken before the break-in. Then change every password that may have been compromised, including the database and FTP passwords in wp-config.php. Examine your homepage for any sign of hidden links that have been added to your header or footer. To do this in Firefox, go to Tools > Page Info > Links and look for anything suspicious, and compare the theme files against your backup copy.
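A backup routine for that last paragraph, as an added shell example that is not code from the original post. It archives the files, dumps the database with the credentials WordPress itself uses, and writes a checksum list so the copy you download can be verified before you ever need it. It assumes the stock `define('DB_NAME', ...)` lines in wp-config.php, mysqldump installed on the host, and a backup directory outside the web root so visitors cannot download the archive; all paths are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post: files-plus-database backup
# for a WordPress site with a SHA-256 list, so a downloaded copy can be
# verified. Assumptions: stock define('KEY', 'value') lines in wp-config.php,
# mysqldump on the host, and an output directory outside the web root.
set -eu

# Read one define('KEY', 'value') from wp-config.php ($1 = file, $2 = KEY).
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'[[:space:]]*);.*/\1/p" "$1"
}

# SHA-256 of a file with whichever tool the host has.
checksum() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Archive the whole tree (themes, uploads, wp-config.php) as files.tar.gz.
backup_wp_files() {           # $1 = web root, $2 = backup directory
    mkdir -p "$2"
    tar -czf "$2/files.tar.gz" -C "$(dirname "$1")" "$(basename "$1")"
}

# Dump the database with the credentials WordPress uses. The password goes
# through MYSQL_PWD rather than the command line so it never shows in ps.
backup_wp_db() {              # $1 = wp-config.php, $2 = backup directory
    mkdir -p "$2"
    MYSQL_PWD="$(wp_config_value "$1" DB_PASSWORD)" \
    mysqldump --single-transaction --add-drop-table \
        -h "$(wp_config_value "$1" DB_HOST)" \
        -u "$(wp_config_value "$1" DB_USER)" \
        "$(wp_config_value "$1" DB_NAME)" | gzip > "$2/db.sql.gz"
}

# Write SHA256SUMS for every archive in the backup directory.
write_sums() {
    ( cd "$1" && for f in *.gz; do
          printf '%s  %s\n' "$(checksum "$f")" "$f"
      done > SHA256SUMS )
}

# Succeeds only if every archive still matches SHA256SUMS. Run it on the
# downloaded copy as well, not only on the server.
verify_backup() {
    ( cd "$1" && while read -r sum f; do
          [ "$(checksum "$f")" = "$sum" ] || exit 1
      done < SHA256SUMS )
}

# Full run: one timestamped directory per backup, path printed on success.
backup_wp() {                 # $1 = web root, $2 = parent backup directory
    out="$2/$(date -u +%Y%m%dT%H%M%SZ)"
    backup_wp_files "$1" "$out"
    backup_wp_db "$1/wp-config.php" "$out"
    write_sums "$out"
    verify_backup "$out"
    printf '%s\n' "$out"
}

# Usage (hypothetical paths): sh wp_backup.sh /var/www/public_html /home/me/backups
if [ "${2:-}" ]; then
    backup_wp "$1" "$2"
fi
```

Put the usage line in cron and download the newest directory each week; after a break-in, the archive from before the first suspicious change is the one to restore, since later ones will contain the attacker’s files too.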
14 users commented in "Locking Down Your Wordpress Installation"
Thanks for this article turnip. My blog was hacked and am currently hiring a guy to recover it. I’ll use your advice to prevent the same from happening in future.
I haven’t had that problem, since I don’t use wordpress…but I like the idea of Roboform. I use firefox, and it generally saves my passwords and stuff, but my husband gets overzealous in cleaning caches and histories and always zaps my passwords!
This is really useful stuff - Thanks for being so concise, Turnip.
I would also add using a password repository like Password Safe - that way you can use a different password for every account you have across the Web, and still keep track of your login info without risking multiple sites being compromised if a single password is guessed/stolen.
Metroknow, I use roboform to save my passwords. It remembers every password, has import/export functions, can print them as a list, and other features.
Oh cool - not familiar with roboform but I’ll have to check that out. Thanks for yet another useful tip….
[...] Locking Down Your Wordpress Installation - Some good tips on how to protect your wordpress blog. [...]
[...] has a great post about protecting your WordPress blog and the entire installation, so to speak. It’s an excellent addition to a post by Matt Cutts I [...]
Great tips. Thanks. Downloaded and installed Bad Behavior and Security Scan.
That is awesome - I should go do this right now.
Great article. Now I only have to find a good database backup plugin… Suggestions anyone? Mr Parkle
I pissed off a wannabe EntreCard hacker and suddenly I feel the need to make my Wordpress powered blog more secure.
Thanks for sharing these tips.
Very helpful! Any chance you might do a chmod tutorial in the future?
If by chmod you mean setting the proper permissions, then the best tutorial is right in WP-security. It tells you what settings for each file and directory, and warns you if yours aren’t secure enough. I’ll consider a short post on it though since you asked about it. The danger with it is that issues appear, and unless you think “why did that plugin fail?”, you won’t associate something like Wordpress upgrade failing with write protecting your wp directory.