Don’t Get Hacked: 6 Ways to Secure Your WordPress Blog

Webmasters often overlook security when it comes to their WordPress blogs. After all, WordPress is an excellent piece of software and most blogs are not hacked. However, before you get too comfortable in vulnerable bliss, we suggest that you take the following steps to make your website more secure.

1. Prevent Unauthorized Access to Your wp-admin Directory

Probably the most important way to prevent attacks is to limit access to the WordPress admin directory (wp-admin). This can be done in one of two ways:

Option 1: Limit access by IP Address

Create an .htaccess file in your wp-admin directory. Next, determine your IP address (you can find it by visiting WhatIsMyIPAddress.com). Then put the following code in the .htaccess file.

# No <Limit> wrapper: <Limit GET POST PUT> would leave every method it does not
# list (HEAD, OPTIONS, ...) unrestricted, so the rules must apply to all methods.
Order deny,allow
Deny from all
Allow from xxx.xxx.xxx.xxx
# Apache 2.4 equivalent of the three lines above: Require ip xxx.xxx.xxx.xxx

To allow multiple IP addresses, simply add a new allow line for each allowed IP address.

Option 2: Password Protect the wp-admin Directory

If you have a dynamic IP address or plan to work on your website from multiple locations, limiting access by IP address is probably not the way to go. As an alternative, you can password protect the admin directory.

To password-protect this directory, you will need two files: an .htaccess file and an .htpasswd file. For best results, the .htpasswd file should be placed in a directory that is not accessible via the web, and the password stored in it should be hashed, never plain text. To facilitate the creation of these files, we suggest using the .htaccess file generator and .htpasswd file generator from htaccesstools.com.
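The following script is an added example, not part of the original post or of htaccesstools.com: it writes a wp-admin/.htaccess that combines the two options (an IP allowlist and/or HTTP Basic auth, so a request is admitted from an allowed address or with valid credentials), refuses a relative .htpasswd path, and keeps admin-ajax.php reachable because themes and plugins on the public site call it. It uses the Apache 2.2-style Order/Allow/Satisfy directives the post uses; add_htpasswd_user assumes the htpasswd tool from apache2-utils.

```shell
#!/bin/sh
# Added example (not from the original post). Generates wp-admin/.htaccess
# combining the post's two options: an IP allowlist and/or HTTP Basic auth.
# Uses Apache 2.2-style directives (Order/Allow/Satisfy), as the post does.
set -eu

# write_wpadmin_htaccess DEST_DIR HTPASSWD_PATH [ALLOWED_IP ...]
# No IPs given: password required for everything under wp-admin.
# IPs given:    a request is admitted if it comes from an allowed IP
#               *or* presents valid credentials (Satisfy Any).
write_wpadmin_htaccess() {
    dest="$1"; passfile="$2"; shift 2
    case "$passfile" in
        /*) ;;   # must be absolute, and should point outside the web root
        *)  echo "htpasswd path must be absolute: $passfile" >&2; return 1 ;;
    esac
    {
        echo 'AuthType Basic'
        echo 'AuthName "WordPress admin"'
        echo "AuthUserFile $passfile"
        echo 'Require valid-user'
        if [ $# -gt 0 ]; then
            echo 'Satisfy Any'
            echo 'Order deny,allow'
            echo 'Deny from all'
            for ip in "$@"; do echo "Allow from $ip"; done
        fi
        # admin-ajax.php is requested by the public site (themes/plugins),
        # so it must stay reachable without credentials.
        echo '<Files admin-ajax.php>'
        echo '    Satisfy Any'
        echo '    Order allow,deny'
        echo '    Allow from all'
        echo '</Files>'
    } > "$dest/.htaccess"
}

# add_htpasswd_user HTPASSWD_PATH USER   (password is read from stdin)
# Assumes the htpasswd tool from apache2-utils: -B stores a bcrypt hash,
# never the plain password; -c creates the file only on first use.
add_htpasswd_user() {
    passfile="$1"; user="$2"
    if [ -f "$passfile" ]; then
        htpasswd -iB "$passfile" "$user"
    else
        htpasswd -ciB "$passfile" "$user"
    fi
}
```

The .htaccess directives need AllowOverride AuthConfig and Limit for the wp-admin directory in the server configuration.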

2. Change the Admin Username

By default, every WordPress install has an administrator account with the username admin. Create a new administrator account with a different username, then delete the default account.

3. Hide Your Directory Structure

It is also good practice to hide your directory structure. By default, many WordPress installations let any visitor browse and see all files in folders that lack an index file. While this might not seem dangerous, it is: knowing which files are in each directory helps an attacker plan an attack.

To fix this problem, you can do one of two things:

Option 1: Use An Index File

For each directory that you want to protect, simply add an index file. A simple index.html file will suffice.

Option 2: Use An .htaccess File

The preferred way of hiding the directory structure is to use the following code in an .htaccess file.

Options -Indexes

4. Keep Your WordPress Install and Plugins Up-To-Date

Every new release includes notable security fixes, which are disclosed to the WordPress community. If you don’t upgrade, attackers can easily exploit your website through those known vulnerabilities.

5. Delete Any Unnecessary Plugins

More often than not, disabled plugins are left in the plugin directory. Unfortunately, this can be a security risk. So, be sure to remove any disabled or unnecessary plugins.

6. Change the WordPress Database Table Prefix

By default, the database tables that hold WordPress data have the prefix wp_. This means that if a hacker attacks your website, they already know the table names and can more easily access all tables. To prevent this, choose a unique table prefix.

For a new installation, simply edit the wp-config.php file as shown below:

$table_prefix = 'youruniqueprefix_';

If you would like to update an existing WordPress installation, you will need to update the wp-config.php file as shown above and also rename all WordPress database tables. This can be done via phpMyAdmin or a similar web interface that lets you modify your database.
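As an added example (not from the original post), the script below prints the SQL for moving an existing install to a new prefix. Besides the RENAME TABLE statements it emits the two UPDATEs that the rename alone does not cover: WordPress stores its role definitions under the option '<prefix>user_roles' and each user's capabilities and level under the usermeta keys '<prefix>capabilities' and '<prefix>user_level', so if those values keep the old prefix every account, administrators included, ends up with no role. Table names are passed in (for example copied from SHOW TABLES LIKE 'wp\_%'); the prefixes and table names in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): print the SQL needed to move an
# existing install from one table prefix to another. Back up the database
# first, review the output, then run it in phpMyAdmin or the mysql client.
set -eu

# rename_sql OLD NEW TABLE...  -> one RENAME TABLE statement per table
rename_sql() {
    old="$1"; new="$2"; shift 2
    for t in "$@"; do
        case "$t" in
            "$old"*) rest=${t#"$old"}
                     printf 'RENAME TABLE %s TO %s%s;\n' "$t" "$new" "$rest" ;;
            *)       echo "-- skipped $t: does not start with $old" ;;
        esac
    done
}

# fixup_sql OLD NEW -> UPDATEs for rows whose *values* embed the prefix:
# the role definitions in options and the per-user capability keys in usermeta.
fixup_sql() {
    old="$1"; new="$2"
    esc=$(printf '%s' "$old" | sed 's/_/\\_/g')   # '_' is a LIKE wildcard
    printf "UPDATE %soptions SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    printf "UPDATE %susermeta SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" $(( ${#old} + 1 )) "$esc"
}

# prefix_migration_sql OLD NEW TABLE... -> the complete script
prefix_migration_sql() {
    rename_sql "$@"
    fixup_sql "$1" "$2"
    echo "-- finally set \$table_prefix = '$2'; in wp-config.php"
}
```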

A few more security fixes…

Some other ways to secure your blog include:

  1. hiding your WordPress version.
  2. using security plugins such as Secure WordPress.
  3. creating a long and complicated FTP username and password to prevent direct file access.
  4. restricting access to your wp-config.php file in the event that your server’s PHP install is broken.


If you have any additional suggestions for blog security, feel free to share.


6 Responses to “Don’t Get Hacked: 6 Ways to Secure Your WordPress Blog”

  • On December 16th, 2008 at 11:48 am, Miguel | Simply Blog wrote:

    Shirley

    I heard rough stories about sites being hacked. Not fun, but I find that if people keep updated they shouldn’t run into many issues. However, the areas mentioned in this post are helpful. I’ve never heard of the plugin Secure WordPress? Thanks, I’m checking it out now. I’ll stumble, review and bookmark. Extremely useful. :)

    -Mig

  • On December 16th, 2008 at 2:16 pm, Velvet Blues wrote:

    Yeah, I have personally rescued two people from hacked WP installs, both of which could have been prevented by opting for an upgrade or by hiding the version number…

    Thanks for visiting Miguel. :-)

  • On December 17th, 2008 at 8:01 pm, Jackie wrote:

    I got hacked, and it wasn’t fun. Perhaps I should have known about these security measures.

  • On December 17th, 2008 at 9:01 pm, Pam wrote:

    Great tips. Thanks.

  • On December 23rd, 2008 at 1:43 am, Sire wrote:

    Shirley, I am impressed. I always keep my WordPress up to date, love version 2.7, but you have brought up some interesting points that I will take under advisement to further safeguard my blogs from hackers.

  • On December 23rd, 2008 at 7:22 am, Velvet Blues wrote:

    @Sire, Yes, 2.7 is pretty great. Thanks for stopping by.

    And yes, hackers are always one step ahead, so it’s good to take all possible precautions, even when the blog software is up to date.
