Don’t Get Hacked: 6 Ways to Secure Your WordPress Blog

Webmasters often overlook security when it comes to their WordPress blogs. After all, WordPress is an excellent piece of software and most blogs are not hacked. However, before you get too comfortable in vulnerable bliss, we suggest that you take the following steps to make your website more secure.

1. Prevent Unauthorized Access to Your wp-admin Directory

Probably the most important way to prevent attacks is to limit access to the WordPress admin directory. This can be done in one of two ways:

Option 1: Limit access by IP Address

Create an .htaccess file in your wp-admin directory. Then determine your IP address (you can find it by visiting WhatIsMyIPAddress.com) and put the following code in the .htaccess file.

# Deny everyone except the listed address. The rules are deliberately not wrapped
# in <Limit GET POST PUT>: a <Limit> only restricts the methods it names and leaves
# every other HTTP method open, whereas at file level they apply to all methods.
# (This is Apache 2.2 syntax; Apache 2.4 uses "Require ip" instead.)
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx

To allow multiple IP addresses, simply add a new allow line for each allowed IP address.

Option 2: Password Protect the wp-admin Directory

If you have a dynamic IP address or plan to work on your website from multiple locations, limiting access by IP address is probably not the way to go. As an alternative, you can password protect the admin directory.

To create password-protection for this directory, you will need two files: an .htaccess file and a .htpasswd file. And for best results, the .htpasswd file should be placed in a directory not accessible via the web. Additionally, your password should be encrypted. To facilitate the creation of these files, we suggest using the .htaccess file generator and .htpasswd files generator from htaccesstools.com.

2. Change the Admin Username

By default, all WordPress installs have an administrator account with the username admin. Instead, create a new administrator account and delete the default one.

3. Hide Your Directory Structure

It is also good practice to hide your directory structure. By default, many WordPress installations enable any visitors to snoop and see all files in folders lacking an index file. And while this might not seem dangerous, it really is. By enabling visitors to see what files are in each directory, they can better plot their attack.

To fix this problem, you can do one of two things:

Option 1: Use An Index File

For each directory that you want to protect, simply add an index file. A simple index.html file will suffice.

Option 2: Use An .htaccess File

The preferred way of hiding the directory structure is to use the following code in an .htaccess file.

Options -indexes

4. Keep Your WordPress Install, Plugins & Themes Up-To-Date

Each new release includes notable security fixes that are disclosed to the WordPress community. If you don't upgrade, hackers can easily exploit those known vulnerabilities on your website. This goes for plugins and themes as well. If you cannot upgrade an old plugin, consider installing a similar one that is maintained. And if you are looking for an updated theme, check out the WordPress theme database or various other theme resources.

5. Delete Any Unnecessary Plugins

More often than not, disabled plugins are left in the plugin directory. Unfortunately, this can be a security risk. So, be sure to remove any disabled or unnecessary plugins.

6. Change the WordPress Database Table Prefix

By default, the database tables that hold WordPress data have the prefix wp_. This means that if a hacker attacks your website, they will be more easily able to access all tables because they will know the table names. To prevent this from happening, you should choose a unique table prefix.

For a new installation, simply edit the wp-config.php file as shown below:

$table_prefix = 'youruniqueprefix_';

If you would like to update an existing WordPress installation, you will need to update the wp-config.php file as shown above and also rename all WordPress database tables. This can be done via phpMyAdmin or a similar web interface that enables you to update your database.
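A command-line way to do the rename on an existing site, as an added example that is not from the original post: renaming the tables alone is not enough, because WordPress also stores the prefix inside the option name wp_user_roles and inside usermeta keys such as wp_capabilities, and without fixing those every account loses its role. The database credentials and both prefixes are placeholders to fill in.

```php
<?php
// Added example, not code from the original post: rename an existing site's
// tables to a new prefix AND fix the rows that embed the prefix in their values.
// A plain table rename leaves those rows behind, and every account then loses
// its role (you are locked out of wp-admin). Back up the database and take the
// site offline before running this from the command line.
// Assumed placeholders: DB_HOST, DB_USER, DB_PASSWORD, DB_NAME and the prefixes.

$old = 'wp_';
$new = 'youruniqueprefix_';   // must match $table_prefix in wp-config.php

// Prefixes are identifiers; allow only letters, digits and underscores.
function ident(string $name): string {
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        throw new InvalidArgumentException("unsafe identifier: $name");
    }
    return '`' . $name . '`';
}

$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    exit("Connect failed: {$db->connect_error}\n");
}

// In LIKE patterns "_" is a wildcard, so escape it to match the literal prefix.
$like = str_replace('_', '\\_', $old) . '%';

// 1. Rename every table that starts with the old prefix.
$res = $db->query("SHOW TABLES LIKE '" . $db->real_escape_string($like) . "'");
while ($row = $res->fetch_row()) {
    $target = $new . substr($row[0], strlen($old));
    $db->query('RENAME TABLE ' . ident($row[0]) . ' TO ' . ident($target));
    echo "{$row[0]} -> {$target}\n";
}

// 2. The role definitions live in an option named "<prefix>user_roles".
$stmt = $db->prepare('UPDATE ' . ident($new . 'options')
    . ' SET option_name = ? WHERE option_name = ?');
$n = $new . 'user_roles';
$o = $old . 'user_roles';
$stmt->bind_param('ss', $n, $o);
$stmt->execute();

// 3. Per-user rows such as "<prefix>capabilities" and "<prefix>user_level"
//    carry the prefix in meta_key; swap it on every key that starts with it.
$stmt = $db->prepare('UPDATE ' . ident($new . 'usermeta')
    . ' SET meta_key = CONCAT(?, SUBSTRING(meta_key, ?)) WHERE meta_key LIKE ?');
$pos = strlen($old) + 1;   // SUBSTRING positions are 1-based
$stmt->bind_param('sis', $new, $pos, $like);
$stmt->execute();
```

After it finishes, set $table_prefix in wp-config.php to the same new value and log in to confirm your administrator role survived.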

7. Make Sure That Your Computer Is Secure

Sometimes the threat does not come directly from the internet. If your system has been compromised, hackers can gain access to your WordPress installation and your personal information through your own computer. To prevent this from happening, regularly run anti-virus software and be wary when visiting new URLs.

If you do discover that your system has been infected with malware or a virus, remove the threat immediately. And then, be sure to change all of your passwords right away! After all, if your system has been compromised, hackers can do a lot more damage than just getting into your website.

A few more security fixes…

Some other ways to secure your blog include:

  1. hiding your WordPress version.
  2. using security plugins such as Secure WordPress.
  3. creating a long and complicated FTP username and password to prevent direct file access.
  4. restricting access to your wp-config.php file in the event that your server's PHP install is broken.
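For the first item, hiding the version, here is a small plugin as an added example (not code from the original post or from any of the plugins it names). It assumes a current WordPress, where the generator meta tag, the feed generator line and the ?ver= query string on core scripts and styles are the three places the version is printed.

```php
<?php
/*
Plugin Name: Hide WordPress Version (added example)
*/
// Added example, not code from the original post: remove the places where a
// current WordPress advertises its version. Save as a file in wp-content/plugins/
// and activate it. This only hides the number; keeping WordPress updated
// (section 4) is what actually closes the holes.

// 1. The <meta name="generator"> tag that wp_head() prints in every page.
remove_action('wp_head', 'wp_generator');

// 2. The generator line in RSS/Atom feeds and anything else using the_generator().
add_filter('the_generator', '__return_empty_string');

// 3. Core scripts and styles are loaded with ?ver=<version> appended; strip it.
//    Side effect: browsers no longer see a cache-busting change on upgrade,
//    so visitors may need a forced refresh after you update.
function hide_version_query_arg(string $src): string {
    return strpos($src, 'ver=') === false ? $src : remove_query_arg('ver', $src);
}
add_filter('script_loader_src', 'hide_version_query_arg');
add_filter('style_loader_src', 'hide_version_query_arg');

// Not covered: readme.html in the site root also states the version; delete it
// or deny access to it in .htaccess, and again after each upgrade restores it.
```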

 

If you have any additional suggestions for blog security, feel free to share.


12 Responses to “Don’t Get Hacked: 6 Ways to Secure Your WordPress Blog”

  • Miguel | Simply Blog December 16, 2008 at 11:48 am

    Shirley

    I heard rough stories about sites being hacked. Not fun, but I find that if people keep updated they shouldn’t run into many issues. However, the areas mentioned in this post are helpful. I’ve never heard of the plugin Secure WordPress? Thanks, I’m checking it out now. I’ll stumble, review and bookmark. Extremely useful. :)

    -Mig

    • Velvet Blues December 16, 2008 at 2:16 pm

      Yeh, I have personally rescued two people from hacked WP installs, both of which could have been prevented by opting for an upgrade or by hiding the version number….

      Thanks for visiting. :-)

  • Jackie December 17, 2008 at 8:01 pm

    I got hacked, and it wasn’t fun. Perhaps I should have known about these security measures.

  • Pam December 17, 2008 at 9:01 pm

    Great tips. Thanks.

  • Sire December 23, 2008 at 1:43 am

    Shirley, I am impressed. I always keep my WordPress up to date, love version 2.7, but you have brought up some interesting points that I will take under advisement to further safeguard my blogs from hackers.

    • Velvet Blues December 23, 2008 at 7:22 am

      Yes, 2.7 is pretty great. Thanks for stopping by.

      And yes, hackers are always one step ahead, so it’s good to take all possible precautions, even when the blog software is up to date.

  • John Wesley January 19, 2010 at 5:05 pm

    Thank you so much for the great guide! Helps a lot to me since I’ve been using WordPress for such a long time now. :)

  • John Media @ server hosting June 9, 2010 at 8:17 am

    This is a great guide on securing my WP blog. This is really helpful and would likely reduce the chances of my website being hacked. Thanks, I appreciate the read.

  • Tushar February 17, 2012 at 7:02 am

    Recently my wp-config.php file was edited by a hacker, and they inserted some code in it which resulted in my site being redirected to another site. I fixed it now, but how can I avoid it in future?

    • Velvet Blues February 27, 2012 at 1:48 am

      Make sure that your wp-config file has the appropriate file permissions AND change your FTP username and passwords as they may have been compromised. Hackers can also get in via bad code, so make sure that all of your plugins are trustworthy. And finally, keep your WP installation up-to-date.

  • john bil June 20, 2012 at 5:37 am

    Great blog. Thank you so much for the great guide. I am sure there are some basic steps which every blog owner should be aware of, for example, do not use the “admin” username, and do use a strong password.

  • JTPratt Media August 15, 2012 at 4:05 pm

    We used to use Secure WordPress, but it only does so much. We switched to Better WP Security about a year ago, because it has about 2 dozen features that Secure WordPress doesn’t (and it’s more frequently updated).
