Wordpress is the most popular blogging platform all over the world. As you become popular in search engine and getting traffic, you may be inviting hackers to test your protection system against them. Hacking can be happened any moment, so you should not wait it to happen and then take action.
When I was checking my Wassup traffic details this morning, I found that 3 suspicious records trying to get access using SQL Injection. Thankfully nothing happened and they got tired trying. However, I searched online for Wordpress protection and got some tips for it. I compiled all the tips and came with the following:
Always Update
Updating Wordpress became very easy now. From Wordpress 2.7+, you can now update your blog with just a click. So don’t feel lazy upgrading your blog – as soon as they release any updated version, try to upgrade your blog. If you are using older version, you can use Wordpress Automatic Upgrade plugins and update to the latest version.
Update Your Plugins Too
As plugins are developed by third-party programmers, they may be more vulnerable than Wordpress itself. I would suggest you to check plugins profile to read the comments and stats before using any. Update your plugins regularly as well.
Protecting Your Admin Profile
Create a new user and give it full administrative privileges. Once you have done that delete your old “admin” user’s profile. As a result hacker has to crack both your user name and password.
Stop Creating Guest Account
If your blog is not Multi User blog, there is no need to allow visitors to create Guest account. Uncheck Settings > General > Membership > Anyone can register option.
Use Strong Password
Don’t use any obvious words sequence, numbers sequence, your name, town, date of birth etc as password. Try to use a combination of small letter, capital letter and numbers in your password. You can use Strong Password Generator for create your password. This website also give you easy way to remember your password.
Protect Your wp-admin Folder
You can add a .htaccess file in your wp-admin folder and block all IP addresses except the IP address you use, may be your home IP, office IP etc.
Backup Regularly
Even though most of the Hosting providers offer regular backup, still you should not rely on them. Couple of months ago, I found my website was unavailable and I contacted GoDaddy support. They informed they are resolving the problem and they took 5 days to fix. Horribly on 3rd day they informed me that all my records has be wiped out, so I may not get my database and files back. Fortunately, I had my website backup in my pc, and they fix my problem, I already transferred my website to Hostgator and kept my website running.
Use Login Lockdown Plugins
Login Lockdown Plugins records each failed login attempts and lock a particular IP for a while for a number of failed login attempts.
Delete Wordpress Version
Hackers may find out your Wordpress version and exploit its vulnerabilities. You may want to delete the Wordpress version from your website source. Go to Appearance > Editor and choose the Header.php file and delete <meta name=”generator” content=”WordPress <?php bloginfo(‘version’); ?>” /> from the source code to hide your Wordpress version.
Move the wp-config.php file
Also since version 2.6, WordPress allows you to move the wp-config.php file to a higher level. Because this system file contains by far more sensitive information than any other, and because it is difficult to access the parent file server level, it certainly makes sense to store it outside of the actual installation. WordPress automatically looks at the highest underlying index for the configuration settings file. Any attempt by users to adjust the path is thus useless.
Use Security Plugins
If you found that you are being targeted frequently, you can use security plugins to ensure more security for your blog. You can find some useful security plugins for wordpress here
{ 4 trackbacks }
{ 7 comments… read them below or add one }
Nice post with useful security tips. I think they will help me protect my blog from those “Security Testers”. I’m going to use Wordpress automatic update plugin. Will you tell me what are the features of Wassup plugin? And if deleting wordpress version doesn’t make any problem, then I’ll delete that, too.
@Aminul Islam Sajib
1. If you are already using Wordpress 2.7+ then you don’t need to install Automatic Upgrade plugins because now WordPress has it’s own upgrading mechanism. That’s simpler than Automatic Upgrade plugins.
2. Wassup records each visitor details like, IP, Keywords, Referral URLs, pages visited etc.
3. Deleting Wordpress version won’t make any problem.
Oh, OK, then I’m not going to install that plugin. I think Google Analytics [All-in-one SEO plugin] is doing enough for me. Wassup plugin is not required.
some Good Tips there hasan, speciallly about deleting admin account , thnaks
Abhimanyu
http://mwolk.com/blog/
@Abhimanyu
You are welcome … deleting Admin account drastically reduces success rate in brute force attack.
Thanks for the excellent post! I have heard about so many bloggers having their blogs hacked recently that this information is exactly what I needed to start protecting mine. Thanks for saving me the time of having to search around for this myself!
This is the best list I’ve read in a while – simple, clear and completely accurate.
I need to be reminded of some of these once in a while and this post does the job.
Thanks!