How to improve WordPress blog security

A couple of weeks back, my blog faced a hack attempt. To an extent, the hackers were successful, but I was prepared. Have you ever thought about what you would do if your most valuable blog got hacked and deleted? Imagine it happens right now, as you are reading this: are you ready to face it?

Apart from being a web developer / blogger, I work as an information security auditor for an MNC. As it has always been part of my daily work, I was always curious about the security controls that are enforced on a WordPress blog and what its vulnerabilities could be.

Whenever you talk about security, there are a few inter-related factors that you should analyze before deciding how to secure your blog:

1. Analyze the risks, threats and vulnerabilities.
2. Make sure you have a good backup and disaster recovery plan.
3. Have a solid plan for how you are going to remediate the vulnerabilities.
4. Keep a tab on the activities on your WordPress blog.

The reason I want all my readers to give security prime importance is mainly that I have worked with many clients who neglected it and lost all their efforts overnight, simply by not knowing that their blog had been hacked and deleted. Today we will discuss the basic risk factors that you should consider and remediate if you are running a WordPress blog.

Always keep your blog software updated to the latest version.
Developers of the big open-source CMS systems are always on the hunt for the latest threats spreading on the internet and promptly release patches to fix them, so it is very important that you do not ignore the "update your version" message on your blog.

Avoid using the default administrator account
It is very important that you avoid using "admin" as the username and nickname for your WordPress blog. It would be like sending potential hackers an invitation to hack your blog: if the hacker can guess the username, brute-forcing your password becomes half the effort. In your WordPress account, create a new administrator user with a unique username and password, then log in to that account and delete the "admin" account. WordPress will automatically ask you to transfer its posts to another user.

Use admin login lockout plugins
It is a wise idea to install an admin login lockout WordPress plugin that locks the account out after a number of wrong login attempts; this helps you eliminate repeated password-guessing attacks.

If you have money, avoid a shared server.
This does not apply to all bloggers. If you are just starting off with blogging or do not have much traffic, you might not want to spend much money on a VPS or a dedicated server. If your website has above-average traffic and you are earning from your blog, it is a good idea to invest in a VPS or a dedicated server.

The threat with a shared server is that if another website hosted on the same server is not securely developed, a hacker could gain root access to the server and harm all the websites hosted on it.
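To show what the login lockout described above actually does, here is an added example of a minimal lockout written against WordPress core hooks (it is not code from the original post and not the code of any particular plugin). It is meant to live in a small must-use plugin or in a theme's functions.php. The limits (5 failed attempts within 15 minutes) and the example_ function names are assumptions; the hooks (wp_login_failed, authenticate, wp_login) and the transient functions are standard WordPress APIs.

```php
<?php
/*
 * Added example (not from the original post): lock out an IP address after
 * repeated failed logins, using only WordPress core hooks and transients.
 * The limits below are assumed values; tune them for your site.
 */

define( 'EXAMPLE_MAX_ATTEMPTS', 5 );                        // assumed limit
define( 'EXAMPLE_LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS ); // assumed window

// The address the web server saw. Proxy headers such as X-Forwarded-For are
// attacker-controlled unless you have configured a trusted proxy, so they are
// deliberately not used here.
function example_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_fail_key() {
    return 'example_login_fail_' . md5( example_client_ip() );
}

// 1. Count failed logins per client address for the lockout window.
add_action( 'wp_login_failed', 'example_record_failed_login' );
function example_record_failed_login( $username ) {
    $attempts = (int) get_transient( example_fail_key() ); // false -> 0 when absent
    set_transient( example_fail_key(), $attempts + 1, EXAMPLE_LOCKOUT_WINDOW );
}

// 2. Once the limit is reached, refuse the login before the password is even
//    checked. Priority 30 runs after WordPress's own password check (priority 20).
add_filter( 'authenticate', 'example_block_locked_out_ip', 30, 3 );
function example_block_locked_out_ip( $user, $username, $password ) {
    if ( (int) get_transient( example_fail_key() ) >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}

// 3. A successful login clears the counter for that address.
add_action( 'wp_login', 'example_clear_failed_logins' );
function example_clear_failed_logins( $user_login ) {
    delete_transient( example_fail_key() );
}
```

Two caveats a practitioner should keep in mind: keying on the client address means that everyone behind the same NAT shares one counter, so a legitimate administrator on an office network can be locked out by a colleague's typos; and the counter lives in the options table unless a persistent object cache is installed, so the transient is only as reliable as that storage.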

Most important: have regular primary and secondary backups.
This is the most important action item that I would like to stress. However secure your WordPress blog is, there should be a backup plan and disaster recovery. I would advise you to keep two backups taken on different dates, at least weekly. This ensures that even if you are hacked, you will never hate yourself for not having a backup.

The official backup documentation for WordPress could be found here:

  • A few free backup options can also be found here.
  • The manual cPanel backup procedure can be found here.

Note: most of the top web hosting companies take a weekly backup by default that you can request to have restored at any time. Personally, I never want to depend only on my host and don't want to take a chance. I usually do a local backup on my own system, and I trust two good WordPress plugins that can both back up and restore your blog:

1. Backup Buddy
2. WP Twin

The first is a WordPress plugin that automates the backup process and also makes transferring or restoring a blog easy; it is a great option for average-sized blogs. The second is the option I use for all my large blogs, and wpTwin does the job well for me.

Avoid stuffing your blog with plugins
This is a serious issue that I have found with many of my amateur blogging clients. Without knowing what a plugin really does or how well it has been coded, bloggers often install a lot of plugins. Please understand that plugins are the most common entry point for hackers: a weakly coded plugin can make your whole blog vulnerable. Use the minimum number of plugins you really need and keep your blog neat.

Be careful while selecting a theme.

This is another deadly mistake that can easily get your blog hacked. Believe me, if you respect and care for your blog and its content, only use a well-developed theme. You can download thousands of stunning themes for free, but have you ever wondered why most of those themes are free? You can even download cracked and nulled premium themes! Boy, nothing comes for free! It is mostly a trap: these nulled scripts either carry hidden backlinks, ping other websites, or mine data from your blog, turning your blog into a dirty one.

If you have a very limited budget, I would suggest you skip one movie or a coffee and spend 39 USD to purchase an unlimited license for 70+ well-developed, elegant themes. If you have a higher budget, the Thesis theme is a good option, and you could also try WooThemes and ThemeForest for more themes.

Find my detailed review of the best premium themes here.

Hide Your WordPress Version

If your WordPress version is hidden, your site does not tell a visitor which version it runs, and therefore which known vulnerabilities for that version might apply to it. First of all, you want to disable the "generator" meta tag. You can do that by adding the following code to the functions.php file of your theme:

// Return an empty string instead of the "<meta name="generator" ...>" tag
// that WordPress prints in the page head and in feeds.
function hide_wp_vers() {
    return '';
}
add_filter( 'the_generator', 'hide_wp_vers' );

Also make sure you delete the readme file that comes with a WordPress install, since it states the version too.

Disable folder browsing

To disable folder browsing, a simple .htaccess hack gets it done. If folder browsing is active, it gives hackers complete information about the themes that are installed, the plugins used by your WordPress blog, and the folder structure. You can learn more about the .htaccess changes to make in my article here.
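As an added illustration of the .htaccess change referred to above (this fragment is not from the original article), here is the weak setting beside the corrected one. It assumes Apache with .htaccess processing enabled for the WordPress directory (AllowOverride must permit Options), which is the usual shared-hosting setup.

```apache
# Added example, not part of the original article.
# Weak: Apache may list the contents of any directory that has no index file,
# e.g. /wp-content/plugins/, revealing plugin and theme names and versions.
# Options +Indexes

# Corrected: refuse to list directories; visitors get a 403 instead.
Options -Indexes
```

After saving the file, request a directory without an index file (for example the plugins directory) in a browser and confirm you get a 403 error rather than a file listing; WordPress also ships empty index.php files in its wp-content folders for the same reason, so make sure you have not deleted them.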

I hope this article on how to make your WordPress blog more secure has helped you! I would love to hear from you all.
