Webmasters often overlook security when it comes to their WordPress blogs. After all, WordPress is an excellent piece of software and most blogs are not hacked. However, before you get too comfortable in vulnerable bliss, we suggest that you take the following steps to make your website more secure.
Probably the most important way to prevent attacks is to limit access to the WordPress admin directory, wp-admin. Bear in mind that the login form, wp-login.php, lives in the site root rather than in wp-admin, so a rule that covers only the admin directory leaves the login form exposed to password guessing; apply the same restriction to that file. Access to wp-admin can be limited in one of two ways:
Option 1: Limit access by IP Address
Create an .htaccess file in your wp-admin directory. Next, determine your public IP address (you can find it by visiting WhatIsMyIPAddress.com). Then put the following in the .htaccess file:
# Apache 2.2 syntax (needs mod_access_compat on Apache 2.4). The rule is
# deliberately not wrapped in <Limit GET POST PUT>: a Limit block only
# restricts the listed methods and leaves every other method open.
Order deny,allow
Deny from all
Allow from xxx.xxx.xxx.xxx
To allow multiple IP addresses, simply add a new Allow line for each one. Two caveats: Apache 2.4 replaced this syntax with Require ip xxx.xxx.xxx.xxx (again one line per address) and only accepts the old form when mod_access_compat is loaded; and wp-admin/admin-ajax.php is requested by the public site on behalf of anonymous visitors, so blocking the whole directory can break front-end features unless that one file is exempted.
Option 2: Password Protect the wp-admin Directory
If you have a dynamic IP address or plan to work on your website from multiple locations, limiting access by IP address is probably not the way to go. As an alternative, you can password protect the admin directory.
To password-protect this directory, you will need two files: an .htaccess file and a .htpasswd file. For best results, place the .htpasswd file in a directory that is not accessible via the web, so it can never be downloaded. The passwords in it are stored as hashes, never in plaintext; the htpasswd utility that ships with Apache generates them locally (its -B option selects bcrypt). If you prefer the .htaccess and .htpasswd generators at htaccesstools.com, remember that using a web-based generator means handing the password to a third party.
WordPress installs have traditionally created an administrator with the username admin, and that is the first username attackers try when guessing passwords. Instead, create a new administrator account with a different username, log in as that account and delete the default one, attributing its posts to the new account when WordPress asks.
It is also good practice to hide your directory structure. By default, many web servers answer a request for a folder that lacks an index file with a listing of every file in it, and a WordPress install has many such folders. This might not seem dangerous, but it is: a listing of wp-content/plugins, for example, tells an attacker exactly which plugins are installed and therefore which known vulnerabilities to try, and a listing of an uploads or backup directory can expose files that were never meant to be public. Knowing what is on the server lets an attacker plan the attack.
To fix this problem, you can do one of two things:
Option 1: Use An Index File
For each directory that you want to protect, simply add an index file; an empty index.html will suffice. The drawback is that you have to repeat this for every directory, including those that plugins and uploads create later.
Option 2: Use An .htaccess File
The preferred way of hiding the directory structure is to disable automatic listings with an Options directive in an .htaccess file at the site root, which covers every directory at once, including ones created later by plugins and uploads.
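Putting the three fragments together, here is an added example (not code from the original article): a small POSIX shell script that renders the wp-admin IP allow-list, the Basic-auth alternative, and the site-root directive that disables listings, using the Apache 2.4 Require syntax. It also restricts wp-login.php, which the admin-directory rules alone do not cover, and leaves admin-ajax.php reachable. The paths and addresses in it (WP_ROOT, 203.0.113.5, 198.51.100.0/24, /etc/apache2/wp-admin.htpasswd) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.  Renders the three
# .htaccess fragments discussed above for Apache 2.4 (Require syntax) and,
# when WP_ROOT is set, writes them into a WordPress tree.  Assumptions for
# illustration only: WP_ROOT is the WordPress document root, 203.0.113.5 and
# 198.51.100.0/24 are sample allowed addresses, and
# /etc/apache2/wp-admin.htpasswd is a password file kept outside the web
# root.  The vhost needs AllowOverride AuthConfig Limit Options (or All);
# otherwise Apache answers 500 for directives it refuses from .htaccess.

# Option 1: admit wp-admin only from the given addresses or CIDR ranges.
# admin-ajax.php is left open because the public site calls it on behalf
# of logged-out visitors; without the exemption those features break.
render_admin_ip_htaccess() {
    printf '%s\n' '<Files "admin-ajax.php">' '    Require all granted' '</Files>'
    printf '%s\n' '<RequireAny>'
    for ip in "$@"; do
        printf '    Require ip %s\n' "$ip"
    done
    printf '%s\n' '</RequireAny>'
}

# Option 2: HTTP Basic authentication in front of wp-admin.  Create the
# password file locally, so the password never leaves the machine:
#   htpasswd -cB /etc/apache2/wp-admin.htpasswd alice
# (-B stores a bcrypt hash, -c creates the file; omit -c for further users.)
render_admin_auth_htaccess() {
    printf '%s\n' 'AuthType Basic' 'AuthName "WordPress admin"' \
        "AuthUserFile $1" 'Require valid-user'
}

# Site-root .htaccess: switch off directory listings for the whole tree and
# apply the same source-address rule to wp-login.php, which lives in the
# site root, not in wp-admin, so the rules above never see it.
render_root_htaccess() {
    printf '%s\n' 'Options -Indexes' '<Files "wp-login.php">' '    <RequireAny>'
    for ip in "$@"; do
        printf '        Require ip %s\n' "$ip"
    done
    printf '%s\n' '    </RequireAny>' '</Files>'
}

main() {
    # The root .htaccess already holds the permalink rewrite rules, so append
    # to it rather than overwrite it; wp-admin normally has no .htaccess.
    render_root_htaccess 203.0.113.5 198.51.100.0/24 >> "$WP_ROOT/.htaccess"
    render_admin_ip_htaccess 203.0.113.5 198.51.100.0/24 > "$WP_ROOT/wp-admin/.htaccess"
    # For Option 2 use this line instead of the one above:
    # render_admin_auth_htaccess /etc/apache2/wp-admin.htpasswd > "$WP_ROOT/wp-admin/.htaccess"
}

# Only touch the filesystem when a target tree is named.
if [ -n "${WP_ROOT:-}" ]; then
    main
fi
```

Run it as WP_ROOT=/var/www/html sh harden-htaccess.sh; without WP_ROOT it only defines the functions, so you can source it and inspect the output of render_root_htaccess before writing anything. Afterwards, request /wp-admin/ and /wp-login.php with curl from an address that is not on the list: both should return 403, while /wp-admin/admin-ajax.php still answers.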
With every new release there are security fixes, and their details are disclosed to the WordPress community, which means they are disclosed to attackers as well. If you don't upgrade, your site can be exploited through vulnerabilities that are already public. This goes for plugins and themes too. If a plugin is no longer maintained and cannot be upgraded, replace it with a maintained plugin that does the same job. And if you are looking for an updated theme, check out the WordPress theme database or various other theme resources.
More often than not, deactivated plugins are left in the plugin directory. That is a security risk: a deactivated plugin's PHP files are still on disk and can still be requested directly by URL, so a vulnerability in one of them remains exploitable even though WordPress never loads it. Remove any disabled or unnecessary plugins entirely.
By default, the database tables that hold WordPress data have the prefix wp_. An attacker who finds a SQL injection flaw therefore already knows the table names and can aim straight at wp_users without any guesswork. Choosing a unique table prefix removes that head start. Treat it as defence in depth rather than a fix: an injection that can read information_schema will reveal the real names, so the prefix is no substitute for patching the flaw.
For a new installation, simply edit the wp-config.php file as shown below:
$table_prefix = 'youruniqueprefix_';
If you would like to change the prefix of an existing WordPress installation, you will need to update wp-config.php as shown above and also rename every WordPress table. Renaming the tables alone is not enough: the option that stores the role definitions (wp_user_roles) and each user's capabilities and user_level meta keys embed the prefix in their names, and if they keep the old prefix every account, the administrator included, ends up without a role. Take a database backup first; the changes can then be made via phpMyAdmin or a similar web interface that enables you to edit your database.
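Renaming a live install row by row in phpMyAdmin is error-prone, so as an added example (not from the original article) here is a POSIX shell function that generates the complete SQL for the change: the RENAME statements for the core tables plus the two UPDATE statements that re-key the user_roles option and the per-user capabilities and user_level meta rows. The prefixes wp_ and s3cure_ and the mysql invocation are illustrative assumptions; it covers a single-site install, and it refuses prefixes WordPress itself would reject.

```shell
#!/bin/sh
# Added example, not part of the original article: emit the SQL needed to
# move an existing single-site install from one table prefix to another.
# Renaming the tables is not enough.  WordPress stores the role definitions
# in <prefix>options under option_name "<prefix>user_roles", and each user's
# role in <prefix>usermeta under meta_key "<prefix>capabilities" and
# "<prefix>user_level".  If those names keep the old prefix, every account,
# the administrator included, has no role after the change.  Assumptions:
# prefixes wp_ and s3cure_ are samples; the mysql credentials are yours.

# WordPress only accepts letters, digits and underscores in $table_prefix.
# Enforcing the same rule here also keeps the prefix from breaking out of
# the quoted SQL literals and identifiers built below.
valid_prefix() {
    case $1 in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# Usage: wp_prefix_sql OLD_PREFIX NEW_PREFIX  (prints SQL on stdout)
wp_prefix_sql() {
    old=$1
    new=$2
    if ! valid_prefix "$old" || ! valid_prefix "$new"; then
        echo "prefix must contain only letters, digits and underscores" >&2
        return 1
    fi
    # Core tables of a single-site install (multisite adds more).
    for t in commentmeta comments links options postmeta posts \
             term_relationships term_taxonomy termmeta terms usermeta users; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # Re-key the prefixed rows.  LEFT()/LENGTH() is used instead of LIKE
    # because "_" is a LIKE wildcard and 'wp_%' would also match "wpX...".
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, LENGTH('%s') + 1)) WHERE LEFT(option_name, LENGTH('%s')) = '%s';\n" \
        "$new" "$new" "$old" "$old" "$old"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, LENGTH('%s') + 1)) WHERE LEFT(meta_key, LENGTH('%s')) = '%s';\n" \
        "$new" "$new" "$old" "$old" "$old"
}

# When run with two arguments, print the SQL so it can be piped into mysql:
#   mysqldump -u wpuser -p wordpress > before-prefix-change.sql
#   sh wp-prefix.sh wp_ s3cure_ | mysql -u wpuser -p wordpress
# then set $table_prefix = 's3cure_'; in wp-config.php.
if [ $# -eq 2 ]; then
    wp_prefix_sql "$1" "$2"
fi
```

Run the dump first, then the generated SQL, and only then edit wp-config.php; between the two steps the site will show database errors, so do it during a maintenance window. Log in afterwards and confirm the administrator still has the Administrator role; if not, the two UPDATE statements did not run.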
Sometimes the threat does not come directly from the internet. If your own computer is compromised, malware on it can capture the WordPress, FTP and hosting passwords you type, or hijack a browser session in which you are logged in as administrator. To prevent this, keep anti-virus software running and up to date, and be wary when visiting unfamiliar URLs.
If you do discover that your system has been infected with malware, remove the threat immediately. Then change all of your passwords right away, from a machine you trust: WordPress, FTP or SFTP, database and hosting control panel. After all, if your system has been compromised, hackers can do a lot more damage than just getting into your website.
Some other ways to secure your blog include:
If you have any additional suggestions for blog security, feel free to share.