Monday, December 13, 2010

Security tips

Excellent WordPress Security Tips
It's now time to secure and protect it from outside enemies and general bad guys: hackers, spammers and all-round tossers.

Without a doubt, for a self-hosted blog, WordPress is the best blog CMS that you can get. Although it comes packed with security features, being popular, open-source software also means that attackers have full access to the code and can scrutinize it for any flaw they can use to break into a WordPress-powered site.

On the good side, one of the best things about WordPress is its plugin system, which lets anyone install existing plugins or write their own to extend its functionality, including improving security.

Here, I have listed some WordPress security tips and plugins that you can use to secure your WordPress blog.

1. Nobody should be allowed to search your entire server.
WPdesigner advises us NOT to use this search code in search.php:
<?php echo $_SERVER ['PHP_SELF']; ?>
Nobody should be allowed to search your entire server. Use this one instead:
<?php bloginfo ('home'); ?>

2. Directories should not be left open for public browsing
There is a potential problem with letting people know which plugins you have installed and which versions they are. If a known exploit exists for one of those plugins, it is easy enough for someone to take advantage of it. Either create an empty wp-content/plugins/index.html file or add this line to the .htaccess file in your root:
Options All -Indexes

3. Drop the version string in your Meta Tags
A large number of WordPress themes include the WordPress meta tag that announces the version of WordPress running on your blog. As Matt Cutts pointed out, that makes your blog an easy target if you haven't upgraded to the latest security release, because the version tells an attacker exactly which known flaws still apply. Another solution involves a plugin that replaces the reported version.

This tag, in your theme's header.php file, is what displays your current WordPress version; remove it:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

4. Stay Updated
You need to keep your plugins, widgets, themes and WordPress core up to date. Subscribing to the plugin, widget and theme authors' RSS feeds makes keeping up with new releases much easier.

5. Take regular backups of your site and Database
Always take regular backups of your file directories as well as the database. The WordPress Database Backup plugin creates backups of your core WordPress tables as well as any other tables of your choice in the same database.

6. Use SSH/Shell Access instead of FTP
If someone gets hold of your FTP login details (FTP sends them unencrypted, so they are easy to capture), they can manipulate your files and add spam to your site without you even knowing about it. With SSH (SFTP or SCP), everything is encrypted, including the file transfers themselves.

7. Stop worrying about your wp-config.php file
Keep your database username and password safe by adding the following to the .htaccess file at the top level of your WordPress install:

<FilesMatch "^wp-config\.php$">
deny from all
</FilesMatch>

This makes it harder for your database username and password to fall into the wrong hands in the event of a server problem (for example a misconfiguration that serves PHP files as plain text).

8. Block WP- folders from the Search Engines
There is no need to have all of your WordPress files indexed by Google, so it's best to block them in your robots.txt file. Add the following line to your list:

Disallow: /wp-*

Note that robots.txt only asks well-behaved crawlers to stay away; it does not restrict access, so it is no substitute for the .htaccess rules in the other tips.

9. Block access to WP-Admin folder using .htaccess
There is an article written by Reuben that explains how to protect your WordPress admin folder by allowing access to it only from a defined set of IP addresses. Requests from anywhere else get a Forbidden error. So if you routinely access your blog from only one or two places, it's worth implementing. Note that you create a new .htaccess file inside your wp-admin folder; you do not replace the one at the root of your blog.

10. Don’t Use Default Passwords
Are you still logging into your wp-admin page with the same default password that was emailed to you? If so, CHANGE IT! You can follow the instructions in the article "Hack Proof Password" that we posted earlier to improve the strength of your password.

11. Change database table prefix
The default prefix used by WordPress is "wp". You can easily change the prefix to something that is difficult to guess using the WP-Security-Scan plugin. More detail on this plugin below.

12. Don’t use (or better yet, remove) the default “admin” username
When you install WordPress, it automatically generates a user with Administrator-level permissions called admin. It is strongly recommended that you do not use this username, so that an attacker running a brute-force attack has to guess the username as well as the password. Even if you downgrade its permission role, it's still a better idea to remove this user altogether.

You can use the Change Username Plugin to change the Username of Admin Account.
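As an added example (not code from the original post), here is a small Python audit that takes the contents of the files a WordPress document root would hold and reports which of tips 2, 3, 7, 8, 9 and 11 are still unaddressed; the file paths, the wp-admin/.htaccess IP rules and both sample installs are constructed for the demonstration.

```python
import re

def audit_wordpress(files):
    """Return the post's hardening tips that `files` (path -> text) still fails."""
    findings = []
    htaccess = files.get(".htaccess", "")
    admin_htaccess = files.get("wp-admin/.htaccess", "")
    header = files.get("header.php", "")      # theme header, path assumed
    robots = files.get("robots.txt", "")
    config = files.get("wp-config.php", "")
    # Tip 2: listing must be off, or an index.html must mask the plugin folder.
    if (not re.search(r"(?m)^\s*Options\b.*-Indexes", htaccess)
            and "wp-content/plugins/index.html" not in files):
        findings.append("tip 2: plugin directory can be browsed")
    # Tip 3: the generator meta tag announces the WordPress version.
    if re.search(r"(?i)<meta[^>]*name=[\"']generator[\"']", header):
        findings.append("tip 3: generator meta tag present in header.php")
    # Tip 7: wp-config.php must be denied to web clients.
    if not re.search(r"(?is)<FilesMatch[^>]*wp-config[^>]*>\s*deny from all", htaccess):
        findings.append("tip 7: wp-config.php is not blocked in .htaccess")
    # Tip 8: crawlers should be kept out of wp-* paths.
    if not re.search(r"(?m)^Disallow:\s*/wp-", robots):
        findings.append("tip 8: wp-* paths are not disallowed in robots.txt")
    # Tip 9: wp-admin should deny everyone except the listed addresses.
    if not (re.search(r"(?im)^deny from all", admin_htaccess)
            and re.search(r"(?im)^allow from \d", admin_htaccess)):
        findings.append("tip 9: wp-admin is not restricted by IP address")
    # Tip 11: the stock prefix wp_ is the first thing anyone would guess.
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", config)
    if m is None or m.group(1) == "wp_":
        findings.append("tip 11: default table prefix wp_ still in use")
    return findings

# Constructed sample of an install still at its defaults.
WEAK = {
    "header.php": '<meta name="generator" content="WordPress 3.0.1" />',
    "wp-config.php": "$table_prefix = 'wp_';",
}

# Constructed sample of the same install after applying the tips.
HARDENED = {
    ".htaccess": 'Options All -Indexes\n<FilesMatch "^wp-config\\.php$">\n'
                 'deny from all\n</FilesMatch>\n',
    "wp-admin/.htaccess": "order deny,allow\ndeny from all\nallow from 203.0.113.10\n",
    "header.php": "<title>My blog</title>",
    "robots.txt": "User-agent: *\nDisallow: /wp-*\n",
    "wp-config.php": "$table_prefix = 'k3z_';",
}
```

Running audit_wordpress(WEAK) lists all six findings, while audit_wordpress(HARDENED) returns an empty list.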
