Simple Guide to WordPress Security

Filed under: Feature

WordPress is an open source (read: free) CMS that is easy to use and maintain and is now the choice of many. Because everybody is jumping onto the WP bandwagon, the platform is an ideal candidate for hack attacks and information theft. The problem is compounded by a lack of awareness on the part of many DIY’ers who take the plunge without even realizing the security risks associated with setting up a WP site.

There are a large number of posts that list fairly detailed and excellent information on securing WordPress, but these tend to overwhelm most users because of the technicalities involved.

Fortunately, we have a simple and straightforward guide that makes it fairly easy to secure your WordPress installation, and most of it can be done within 15 minutes.

The guide is divided into two parts:

  • Auditing your security – (Bare essentials required to secure WordPress)
  • Start fortification – (Suggested steps to bolster WordPress security)

1. Auditing Your Security

Once you set up a new WordPress install, do not proceed with even an iota of work until you have run through and secured the following security audit bullets:

Following the above steps will provide a certain minimum level of security and protection to your WordPress setup.

2. Start Fortifying

Once you are through with the basic auditing, you may proceed through the following steps to start securing your WordPress site.

1) Encrypt your login

Whenever you log in to your website, your password is sent unencrypted. This is a big security threat when operating on a public network. We suggest that you encrypt your login with the Chap Secure Login plugin.

2) Protect your wp-admin folder

The wp-admin folder of WordPress contains critical information, and it is the last place that you want to give others access to. Use AskApache Password Protect to password-protect the directory and give access rights only to authorized personnel.

3) Remove WordPress version info

If you are using a WordPress version prior to 2.6, a potential threat that is often overlooked is that a large number of WordPress themes include the WordPress version info in a meta tag. Crackers can easily get hold of this information, and it helps them plan attacks targeting the security vulnerabilities of that particular version.

To remove the WordPress version info, log in to your WordPress dashboard.

Go to Design -> Theme Editor. On the right, click on the Header file. On the left, where you see a lot of code, look for a line that looks like

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

Delete it and press Update File.

In WP2.6 and above you can simply install the WP-Security Scan plugin as specified in the auditing guide above.

4) Hide your plugins folder

If you navigate to http://yourwebsite.com/wp-content/plugins, you will be able to see a list of all the plugins that you are using for your blog. You can easily hide this page by uploading an empty index.html to the plugins directory.

Open your text editor. Save the blank document as index.html.

Using an FTP program, upload the index.html to the /wp-content/plugins folder.
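Steps 3 and 4 both describe something that a visitor can read straight off the site: the version string in the generator meta tag and the bare directory listing of /wp-content/plugins. The script below is an added example, not part of the original post or of any plugin it names; it runs offline against constructed HTML samples (a leaking theme header, a cleaned header, an Apache-style autoindex page and the blank index.html that replaces it) and reports whether either disclosure is present. The "latest" version it compares against defaults to 2.9.2 because that is the version the post quotes; in practice pass the current release.

```python
"""Offline audit for two disclosures: a <meta name="generator"> tag that
leaks the WordPress version, and an open directory listing of
/wp-content/plugins.  All HTML samples below are constructed for this
example; they are not captured from a real site."""
import re
from html.parser import HTMLParser

# Constructed sample: a theme header that still carries the generator tag.
LEAKING_HEADER = """<html><head>
<meta name="generator" content="WordPress 2.5.1" />
<title>Example blog</title></head><body></body></html>"""

# Constructed sample: the same header after the line has been deleted.
CLEAN_HEADER = """<html><head><title>Example blog</title></head><body></body></html>"""

# Constructed sample: what a web server's autoindex returns for the plugins
# directory when no index.html is present.
PLUGIN_LISTING = """<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1><ul>
<li><a href="akismet/">akismet/</a></li>
<li><a href="hello.php">hello.php</a></li></ul></body></html>"""

# The blank index.html that is served once it has been uploaded.
EMPTY_INDEX = ""


class GeneratorFinder(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag.
    HTMLParser feeds self-closing <meta ... /> tags to handle_starttag too."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attrs = dict(attrs)
        if (attrs.get("name") or "").lower() == "generator":
            self.generators.append(attrs.get("content") or "")


def wordpress_version(html):
    """Return the WordPress version disclosed by a generator meta tag, or None."""
    finder = GeneratorFinder()
    finder.feed(html)
    for content in finder.generators:
        m = re.match(r"WordPress\s+(\d+(?:\.\d+)*)", content, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def is_outdated(version, latest):
    """Numeric comparison of dotted version strings ('2.5.1' < '2.9.2')."""
    def to_tuple(v):
        return tuple(int(part) for part in v.split("."))
    return to_tuple(version) < to_tuple(latest)


def plugins_listing_exposed(html):
    """True if the body looks like an autoindex page for the plugins directory."""
    return re.search(r"Index of /wp-content/plugins", html) is not None


def audit(front_page_html, plugins_dir_html, latest="2.9.2"):
    """Summarise both checks.  'latest' defaults to the version the post
    quotes as current; pass the real current release when using this."""
    version = wordpress_version(front_page_html)
    return {
        "version_disclosed": version is not None,
        "version": version,
        "outdated": is_outdated(version, latest) if version else None,
        "plugins_listing_exposed": plugins_listing_exposed(plugins_dir_html),
    }


if __name__ == "__main__":
    print("before:", audit(LEAKING_HEADER, PLUGIN_LISTING))
    print("after: ", audit(CLEAN_HEADER, EMPTY_INDEX))
```

To use it against your own site, fetch the front page and /wp-content/plugins/ with any HTTP client and pass the two bodies to audit(); a result of version_disclosed False and plugins_listing_exposed False means steps 3 and 4 have taken effect.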

5) Change your login name

It is common knowledge that the default WordPress username is admin. You can make it more difficult for a cracker to crack your login credentials by changing your login name.

In your WordPress dashboard, go to Users and set up a new user account. Give this new user the Administrator role. Log out and log in again with the new user account.

Go to Users again. This time, check the box beside admin and press Delete. When it asks for deletion confirmation, select “Attribute all posts and links to:” and pick your new username from the dropdown. This will transfer all the posts to your new user account. Press Confirm Deletion.

6) Upgrade to the latest version of WordPress and plugins

The single biggest exploitable entry point on any WordPress install is going to be outdated versions of WordPress, themes and plugins.

The Update Notifier Plugin helps solve this problem by checking the official repository on a regular schedule and sending you an email when it’s time to upgrade.

The latest version is WP 2.9.2 (as of this post). You can download it here.

9) Backup! Backup! Backup!

No matter how secure your site/blog is, common sense says you should prep for the worst-case scenario. Install the wp-database-backup plugin and schedule it to back up your database daily.
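A scheduled backup is only useful if it actually runs and produces a complete dump, so the check below verifies that. It is an added example, not code from the post or from the wp-database-backup plugin; it assumes the dumps land in one directory as *.sql.gz files (a hypothetical layout, chosen for the example) and flags a newest backup that is older than the daily schedule or suspiciously small. The fixture directory it builds is constructed, with one stale dump and one fresh but truncated dump.

```python
"""Check that a daily database backup is really being produced.
Assumes backups are gzip'd SQL dumps in one directory (an assumption of
this example, not the plugin's own layout)."""
import os
import tempfile
import time

MAX_AGE_SECONDS = 24 * 60 * 60   # the post's schedule is daily
MIN_SIZE_BYTES = 1024            # a dump this small is almost certainly truncated


def newest_backup(directory, suffix=".sql.gz"):
    """Return (path, mtime, size) of the most recent dump, or None if there is none."""
    candidates = [os.path.join(directory, name)
                  for name in os.listdir(directory) if name.endswith(suffix)]
    if not candidates:
        return None
    path = max(candidates, key=os.path.getmtime)
    st = os.stat(path)
    return path, st.st_mtime, st.st_size


def backup_problems(directory, now=None, max_age=MAX_AGE_SECONDS, min_size=MIN_SIZE_BYTES):
    """Return a list of problems found; an empty list means the backup looks healthy."""
    now = time.time() if now is None else now
    newest = newest_backup(directory)
    if newest is None:
        return ["no backup files found"]
    path, mtime, size = newest
    name = os.path.basename(path)
    problems = []
    if now - mtime > max_age:
        hours = int((now - mtime) // 3600)
        problems.append(f"newest backup {name} is {hours} hours old")
    if size < min_size:
        problems.append(f"newest backup {name} is only {size} bytes")
    return problems


def make_sample_dir():
    """Constructed fixture: a complete dump from two days ago and a fresh
    dump that was cut short.  Returns the temporary directory path."""
    directory = tempfile.mkdtemp()
    now = time.time()
    stale = os.path.join(directory, "wp-backup-2010-05-03.sql.gz")
    with open(stale, "wb") as f:
        f.write(b"\x1f\x8b" + b"x" * 4096)        # realistic size, stale date
    os.utime(stale, (now - 2 * 86400, now - 2 * 86400))
    fresh = os.path.join(directory, "wp-backup-2010-05-05.sql.gz")
    with open(fresh, "wb") as f:
        f.write(b"\x1f\x8b" + b"x" * 100)         # fresh, but far too small
    os.utime(fresh, (now, now))
    return directory


if __name__ == "__main__":
    for problem in backup_problems(make_sample_dir()):
        print("WARNING:", problem)
```

Run it from cron a few hours after the backup job; the only healthy outcome is an empty list, and the fixture above is deliberately unhealthy (its newest dump is fresh but only a few bytes long) to show the truncated-dump case, which a plain "does the file exist" check would miss.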

10) Define user privileges

If there is more than one author on your blog, you might want to install the role-manager plugin to define the capabilities of each user group. This will give you, the blog owner, the ability to control what users can and cannot do on the blog.

11) Use Captcha whenever possible

Add a captcha to the comments and login forms, and build your contact forms with Contact Form 7 or CFORMS II. This keeps bots from spamming and from trying to crack your login.


14 Responses to Simple Guide to WordPress Security

  1. John Antaya 05/05/2010 at 7:24 am

    Thanks for the security info using WordPress Blogs. I’ve never used blogs at least not yet but am looking forward to them in the near future.

  2. Pingback: Simple Guide to WordPress Security | WordPressPlanet.com

  3. Vikram Rathore 05/05/2010 at 11:24 am

    John, we are glad that you found the post useful.

  4. Pingback: Inserting Images Into Wordpress – WordpressVideos.TV | Host Rage

  5. Pingback: This reminds me of Chip Bennett - WordPress Tavern Forum

  6. Pingback: News Updates for 2010-05-05

  7. TomPier 07/05/2010 at 2:52 am

    great post as usual!

  8. Gary 07/05/2010 at 5:49 am

    This is great stuff, but what worries me is that all those plugins, helpful though they may be, will completely bog down load time. I did an experiment where I deactivated all the plugins on my site and ran a speed test on it. It loaded in less than 3 seconds. When I then turned on just the plugins I needed, load time varied but topped out at 15 seconds, which is longer than anyone will wait. You’ll lose visitors if things load that slowly. Any advice on this? Thanks for the great information!

  9. Vikram Rathore 07/05/2010 at 6:16 am

    Thanks Gary.

    You are correct in saying that the plugins do affect the loading time. However, all plugins do not have a major impact on loading time. You need to single out the plugin that is causing the slowdown.

    I would suggest that you disable all the plugins and then follow the following steps:

    - Use 2 different browsers to open the admin panel and the blog front-end.
    - Browse the site/blog – It should load with no problems at all.
    - One by one reactivate the plug-ins and browse the front end while clearing the browser cache.
    - Keep adding the plug-ins in one by one until the addition of a plugin or two shows a considerable increase in loading time.
    - Thus you should be able to identify the culprit.

    Let us know whether you are able to solve your problem or not.

  10. Gary 07/05/2010 at 6:30 am

    I pretty much tried that. I can’t turn off any of the plugins I’m running now (such as Contact Forms7 and Google sitemap, etc., and especially Mingle), so I’m looking for other ways to speed things up, including switching hosting services. If you’ve got any other tips on speeding up load times, I’d love to hear them.

  11. Vikram Rathore 07/05/2010 at 8:29 pm
  12. Gary 08/05/2010 at 4:03 am

    Thanks, Vikram, I’m going to try these out this weekend!

  13. Vikram Rathore 08/05/2010 at 7:48 pm

    Keep us posted on the results. Best Wishes.

  14. Pingback: Bookmarks for June 4th from 08:14 to 09:14 « Peng’s Blog
