Saturday, November 29, 2008

Top Ten Wordpress Security Tips

Below are 10 security tips that you can easily implement on your WordPress blog. Please share one or more life-savers you use permanently to help protect yourself from WordPress security issues.

1. Upgrade Wordpress - In general, keeping your Wordpress installation up to date is a great way to avoid known problems. Do note that the lastest version, especially in the case of major upgrades, may cause more problems then it resolves.

2. WordPress Version - The tag in your header.php that displays your current version of wordpress. Since everyone knows your wordpress version this way, your blog is prone to hackers if you have not upgraded to the new version.

3. WordPress Username - Every hacker knows Wordpress has a user “admin” with god-like administration privileges. Slow the hackers down by removing the “admin” user. Create a Wordpress user with admin privileges using the administration interface. Log out of Wordpress and log back in with the new user. Delete the admin user. The new admin user should be different than your normal post author.

4. WordPress Password - Are you still logging into your wp-admin page with the same default password that was emailed to you? If so, CHANGE IT! That password is only 6 characters and just numbers and letters. Make it complex and more than 10 characters if you can. Also, try not to use words, make it a nice jumble of letters, numbers, and symbols.

5. Prevent Directory Listing - In many Wordpress installations it is possible to view a list of installed plugins by navigating to the /wp-content/plugins/ directory. This is not a good idea as known plugin vulnerabilities can than be easily exploited. Add an empty default index file, such as index.html, to the directory. You can also protect it using an .htaccess file assuming you're using Apache.

6. Protect Your WP-Admin Folder - You can protect your Wordpress admin folder by allowing access to it from a defined set of IP addresses. Everything else will bring up a Forbidden error message. So if you only access your blog from one or two places routinely, it’s worth implementing. Also, you’re supposed to create a new .htaccess file inside your wp-admin folder, not replace the one at the root of your blog.

7. Protect From Search Engines - There is no need to have all of your filesWordpress files indexed by Google, so it’s best to block them in your robots.txt file. Add the following line to your list:Disallow: /wp-*

8. Install Login Lockdown WordPress Plugin - This plugin records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range.

9. Install WordPress Database Backup Plugin - You always have to take regular backups of your file directories as well as the database. WordPress Database Backup plugin creates backups of your core WordPress tables as well as other tables of your choice in the same database.

10. Install Wordpress Security Scan Plugin - The WP Security Scan plugin attempts to both to audit your blog security and to implement many of the suggestions mentioned above.

1 comment:

  1. Please add to install Wordrpess with a differente then the Default "wp_" table prefix. This can protect against pro-forma, automated attack-tests.

    ReplyDelete