
Bullet-Proof Your Wordpress Installation

Keep Wordpress nice and secure


One of the drawbacks of using popular, widely deployed software is that a great many people, attackers included, get to read its source code. Once a vulnerability is found, exploits for it circulate quickly, leaving any unpatched blog in danger of being defaced or even deleted.

Although the developers of WordPress take security very seriously, they cannot cover everything. How your own installation is configured is up to you. This article lists some good practices that remove as much of that danger as possible.

Don’t Neglect the Basics

Keep your WordPress installation up to date. A security hole that has been fixed upstream does you no good until you update your own copy, and this step is very often forgotten, so make upgrading a priority whenever a new version is released. On a similar note, if you discover a vulnerability in WordPress, report it to the developers.

Keep Your Themes and Plugins Up To Date

These too can be sources of danger, since a plugin runs with the same access to your database and files as WordPress itself. Ensure that you always have the most up-to-date version of each. Plugins downloaded from the official WordPress plugin directory can be upgraded in just a few clicks from the admin panel. Don’t use an incompatible plugin or theme as an excuse not to upgrade WordPress; find a replacement for the plugin instead.

Keep Data Backed Up

If the worst does happen, a recent backup of all your data makes the bad news easier to take. It protects you not only from attackers but also from the three-day-old backup that your web host restores after a disk crash. Keep a copy somewhere other than the web server itself: an attacker who can delete your site can usually delete a backup stored beside it.

The WordPress Codex has an article entitled Backing Up Your Database, with some good techniques for performing a backup, both manually and via a plugin. Remember that the database is only half of the site; wp-content (your themes, plugins and uploads) and wp-config.php need backing up as well.

Install Akismet

Install a spam filter to keep your comments clean and your moderation queue short. You don’t want to waste your time filtering out thousands of spam comments when you could be posting more content, and a pile of unmoderated spam is also where link-injection and malicious markup tend to arrive.

Of course you don’t have to use Akismet, but it is a popular and very effective choice. It was written by the people who make WordPress and is included in the download package.

Restrict Snooping Visitors from Accessing Private Areas

Your configuration file (wp-config.php) and your wp-admin folder should be reachable only by recognised administrators. Everyone else should be turned away by the web server itself, before WordPress even runs.

Protect Your wp-admin Directory by IP Address

Create a .htaccess file in the wp-admin directory (this assumes Apache, with AllowOverride enabled for your site) and add the following:

Order Deny,Allow
Deny from all
Allow from XXX.XXX.XXX.XXX

Replace XXX.XXX.XXX.XXX with your own IP address and only that address will be allowed into the folder; you can also give a range in CIDR notation, such as 203.0.113.0/24. Bear in mind that if your IP address changes, you will need to alter the .htaccess file to match, and that if you sit behind a proxy or CDN, Apache sees the proxy’s address rather than yours. Two further caveats: wp-admin/admin-ajax.php is requested from the public front end by some plugins, so a blanket deny will break them unless you exempt that file, and wp-login.php lives outside wp-admin, so the login form itself is still exposed and still needs a strong password.

Protect Your wp-config.php File

Add the following to the .htaccess file in the root of your WordPress installation (the directory that contains wp-config.php). Apache normally runs the file through PHP rather than serving its contents, so this rule is a backstop for the day the PHP handler is misconfigured and the server starts returning .php files, database password included, as plain text:

<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>

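Putting the two rules above together, here is a fuller version of both .htaccess files as an added example; it is not code from the original article. It assumes Apache with AllowOverride enabled, a hypothetical allowed range of 203.0.113.0/24 (documentation address space, substitute your own), and a site whose front end uses plugins that call admin-ajax.php. It also carries the Apache 2.4 syntax alongside the 2.2 syntax shown on the page, so the same file works on either version.

```apache
# --- wp-admin/.htaccess ---
# Assumed allowed range: 203.0.113.0/24 (documentation range; substitute your own).

# Apache 2.2 syntax (mod_authz_host). Skipped on 2.4, where mod_authz_core is always present.
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.0/24
</IfModule>

# Apache 2.4 syntax (mod_authz_core). Skipped on 2.2, where the module does not exist.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.0/24
</IfModule>

# admin-ajax.php is requested from the public front end by some plugins, so it is
# exempted from the IP restriction; everything else under wp-admin stays locked down.
# In a <Files> section the access rules replace the directory-level ones.
<Files admin-ajax.php>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Files>

# --- .htaccess in the WordPress root (the directory holding wp-config.php) ---
# Refuse to serve wp-config.php directly, as a backstop in case PHP handling is ever
# misconfigured and the server starts returning .php files as plain text.
<Files wp-config.php>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</Files>
```

Both `Allow from` and `Require ip` match the address of the TCP peer. Behind a reverse proxy or CDN that is the proxy’s address unless you configure Apache to trust a forwarding header, so test the rule from an outside address after deploying it. Note also that these files protect the admin area after login only; wp-login.php sits outside wp-admin and remains reachable.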

Don’t use the Default Table Prefixes

If an attacker is ever able to reach your database tables through some sort of SQL injection vulnerability, the default prefix hands them every table name on a plate: wp_users, wp_options and the rest are identical on every stock installation, and automated attack scripts are written against exactly those names. Using a prefix other than the default (wp_) adds a layer of obscurity that such scripts must get past. It is only obscurity, though: an attacker with free rein over a query can usually list your tables from information_schema anyway, so treat this as a speed bump rather than a wall. Also, changing the prefix on an existing site means more than renaming the tables. The wp_user_roles row in the options table and the wp_capabilities and wp_user_level keys in the usermeta table carry the prefix in their names and must be renamed to match, or no account will have administrator rights afterwards. There is a useful guide here.

Remove the “Admin” user Account

To make installation as quick as possible, WordPress creates a default administrator account called “admin”, and to save the hassle of creating another account many people simply post from it. The problem is that an attacker then already knows half of the credential pair: the only thing left to guess at the login form is the password. Like changing the table prefix, removing this default account adds a little obscurity and may repel a casual attacker or an automated script that tries “admin” against a list of common passwords. It is no substitute for a strong password on whichever account you do use.

Create a new administrator, log in as that user, and delete “admin”. WordPress will offer to attribute all of the old account’s posts to the new user.

Install the Security Scan Plugin

The Security Scan plugin is a useful addition to anybody’s WordPress installation. It checks that you are running the latest version of WordPress, that your version information is hidden from visitors, and that the permissions on the important files and folders are sensible, and it performs many of the checks described above. It reports problems rather than fixing them, so you still need to act on what it finds.

Further Reading

Hopefully this article has given you some ideas for improving the security of your own WordPress installation. If you want to read further, there is a pretty comprehensive guide on the WordPress Codex.
