5 WordPress Security Essentials
By Lee Robertson • Jan 9th, 2008 • Category: WordPress
Blogging can be a lot of fun, and there is nothing more thrilling than having people appreciate your hard work by leaving comments and passing the word around about how great your blog is. Unfortunately, along with all of your great fans there are just as many bad guys out there who would love to deface and hack your beautiful creation. Here are five basic security tips that you can easily implement on your WordPress blog to help keep the bad guys out.
- Use a Strong Password - Choosing a good strong password is one of the first and easiest defenses against being hacked. Choosing your partner's first name is probably not the most secure password. While there are many differing opinions out there on what makes a secure password, here are some things to keep in mind. Passwords that are longer than 8 characters and contain a combination of upper and lowercase letters, numbers, and symbols are stronger. I often don't use special characters but will make passwords at least 10 characters long. If you want to check your password strength, check out the Microsoft Password Checker for a rating of how strong your password is.
- Protect the WordPress Admin Folder - Stopping the bad guys from getting into the WordPress admin folder in the first place is an excellent place to start securing your blog. There are many different ways to increase the security of your WordPress admin folder, including:
  - Using the WordPress plugin htaccess password protection for wp-admin, which adds an extra layer of protection by putting HTTP Basic Authentication in front of the wp-admin folder.
  - Using the Login LockDown WordPress security plugin to ban IP addresses from the wp-admin login if they have had 3 failed login attempts within 5 minutes.
  - Denying access to the WordPress admin folder by IP address. You can read more about this method over on Reuben Yau's post Protecting the Wordpress wp-admin folder.
- Deny Access to Other Folders - Many web hosts, by default, let anyone browse the contents of a folder that has no index.html file. This is a security concern for folders such as your WordPress plugins folder, because it reveals exactly which plugins you run. You can prevent people from snooping in these folders by adding blank index.html files or by setting up an htaccess file that disables directory listings for folders without an index. You can read more on All Tips and Tricks.
- Remove the WordPress Version - Many attackers scan for WordPress installs running known-vulnerable versions. You can slow them down by removing the WordPress version string that most themes include by default; this only hides the version, so it complements rather than replaces updating. If you don't want to dig around in the code of your theme, you can install Blog Security's bs-wp-noversion plugin (Removes WordPress Version), which strips the version for you.
- Update WordPress - Perhaps the easiest security essential for keeping your WordPress blog secure is to keep an eye on your WordPress dashboard for announcements of new WordPress releases and to update your install as soon as you can. The same goes for the plugins you run. WordPress 2.3 and up notify you when updates for your plugins are available. Take the time to update your plugins regularly to keep security concerns to a minimum.
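To show what items 2 and 3 look like when done by hand rather than through a plugin, here is an added example of two .htaccess files (this is not code from the original post or from any of the plugins it names). It uses the Apache 2.2-era mod_access directives (Order, Allow, Deny, Satisfy) that shared hosts of the time accepted in .htaccess. The password-file path, the user name and the IP address 203.0.113.5 are placeholders you must replace with your own. The second file also covers the point made in the author's reply in the comments below: keeping wp-config.php, which holds the database credentials, from ever being served.

```apache
# ---- wp-admin/.htaccess ----
# Layer 1: HTTP Basic Authentication in front of the WordPress login.
# Create the password file OUTSIDE the web root first, e.g.
#   htpasswd -c /home/example/.htpasswd admin     (placeholder path and user)
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/example/.htpasswd
Require valid-user

# Layer 2: only the listed address(es) may reach the folder at all.
# 203.0.113.5 is a documentation-range placeholder; use your own static IP.
Order Deny,Allow
Deny from all
Allow from 203.0.113.5

# Both layers must pass (Satisfy All is Apache's default). Use "Satisfy Any"
# instead if a valid password alone should suffice from other addresses,
# e.g. when you do not have a fixed IP.
Satisfy All

# Caveat: wp-admin/admin-ajax.php lives in this folder, so plugins that call
# it from the public side of the site will be blocked for anonymous visitors.
# Exempt that one file only if such a plugin breaks:
# <Files admin-ajax.php>
#     Order Allow,Deny
#     Allow from all
#     Satisfy Any
# </Files>

# ---- .htaccess in the web root (the folder that contains wp-config.php) ----
# Item 3: stop Apache from listing folders that have no index file, such as
# wp-content/plugins/. The setting is inherited by every subfolder.
Options -Indexes

# Never serve wp-config.php, even if PHP handling ever fails and Apache would
# otherwise hand out the raw file with the database user name and password.
<Files wp-config.php>
    Order Allow,Deny
    Deny from all
</Files>
```

If your host's configuration does not allow `Options` to be set from .htaccess (AllowOverride without Options), the `Options -Indexes` line produces a 500 error for the whole site; in that case remove it and fall back to the blank index.html files the post describes. After each change, test from another browser or network: you should get an authentication prompt (or a 403) on /wp-admin/, a 403 on /wp-content/plugins/ and on /wp-config.php, while the public pages of the blog still load normally.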
A very valuable page to read is the Hardening WordPress page over at WordPress.org. By doing some very simple things you can make it more difficult for the bad guys to ruin your day by defacing or hacking your blog. A few minutes spent on these items can save you hours if your blog gets hacked. If the bad guys do happen to get in, restoring your blog is much easier if you have a recent backup of your website.


Secondly, do you have any idea, once a blog has been hacked and many of its posts are now redirected to another URL, what can be done to solve this problem? I’m in this situation and I just deleted the blog and used .htaccess to make a 301 redirect to a provisory page. But I’m losing the SERPs ranking I’ve been working hard on. Thanks.
Thanks for stopping by! Sorry to hear about your blog. My first thought would be to wipe the blog and database, reinstall, and restore the posts, etc., from a backup. Before you do that, though, you really need to find out how they got in. You also should change user names and passwords for the account and database. How are they redirecting to another URL? Did they inject something into the posts?
So often it is the simple things that get forgotten about and missed. I have seen WordPress blogs using older versions after a security release where the owner just does not want to upgrade. Sure enough their blog is compromised and then they have a lot of other problems to deal with.
[...] 5 WordPress Security Essentials post from January 9 was submitted to StumbleUpon and has been sending Epiblogger a steady stream of [...]
Thanks for stopping by. You are correct; WordPress, I believe, just uses an MD5 hash of the password and stores it in the database. If someone can gain access to the database they could decode the password. To help prevent someone from gaining access to the database, you can use htaccess to protect the wp-config file, which contains the username and password for the database connection, or move it off the web root.