
Following on from my recent article about WordPress security plugins, there are a number of ways you can shore up your security with a few choice snippets and hacks.
Please do ensure you back up before making any changes to your files; a broken .htaccess file can cause your blog to stop working completely!
Tips
The WordPress default username is “admin”, which leaves a hacker needing only to work out your password, so don’t make it easy for them!
By keeping your WP install up to date you ensure all the latest patches and fixes are installed, so any known exploits will not work on your blog. It takes 2 minutes, just get it done.
Sounds simple, but many people leave the readme.html file in the root folder. Delete it, as readme.html contains the version number of your WordPress install.
You can delete the wp-admin/install.php file as it’s not needed once WordPress is installed; having it lying around can leave your blog vulnerable to attack.
I know some of these tips are obvious to some, but many people still use “password” as their password. Think of something strong: a mixture of upper and lower case letters with a few numbers should do the trick.
Hacks
Your wp-config.php file contains your blog’s database details and other pieces of info about your blog that a potential hacker would like to see, so inside your .htaccess file add:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
The wp- folders contain various pieces of information about your blog which you don’t want people to see, and you certainly don’t want bots indexing your file structure to the world, so to prevent this add this to your robots.txt file:
# a Disallow rule only takes effect under a User-agent line
User-agent: *
Disallow: /wp-
I covered this once before in a previous article, but it is worth mentioning again. This is slightly different from the snippet I posted in my previous article, as I have since discovered the version number appears in the RSS feed too. Add this to your functions.php file:
// Return an empty string so WordPress emits no generator tag (in the HTML head and the RSS feed)
function no_generator() { return ''; }
add_filter( 'the_generator', 'no_generator' );
You can also create a new .htaccess file for your wp-admin folder and allow access from your static IP address only:
# my ip address only
# replace MY IP ADDRESS below with your own static IP address
order deny,allow
allow from MY IP ADDRESS
deny from all
Note: if you have a dynamic IP this can be a nuisance, as you would have to manually alter this via FTP each time you need to access your wp-admin.
Certain types of servers allow directory browsing by default. For security reasons you don’t want anybody to be able to nose around your directories and their structure, so to combat this add the following to your .htaccess file:
# disable directory browsing
Options All -Indexes
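An added audit script (not from the original article) that checks a WordPress install directory for the tips and hacks above: a leftover readme.html, a leftover wp-admin/install.php, the wp-config.php block and the -Indexes option in .htaccess, and the the_generator filter in a theme's functions.php. The paths checked and the FINDING/SUMMARY output format are my own assumptions.

```shell
#!/usr/bin/env bash
# Audit a WordPress install root for the hardening items covered in the post.
# Prints one FINDING line per problem and a final SUMMARY line; always exits 0.
# Assumed layout: readme.html, wp-admin/, wp-content/themes/*/functions.php, .htaccess

wp_audit() {
  root="$1"
  findings=0
  ht="$root/.htaccess"

  # Tip: readme.html discloses the installed WordPress version
  if [ -f "$root/readme.html" ]; then
    echo "FINDING: readme.html present (discloses version)"
    findings=$((findings + 1))
  fi

  # Tip: wp-admin/install.php is not needed once installed
  if [ -f "$root/wp-admin/install.php" ]; then
    echo "FINDING: wp-admin/install.php still present"
    findings=$((findings + 1))
  fi

  # Hack: wp-config.php must be denied via a <Files> block in .htaccess
  if ! grep -qi '<Files *wp-config.php>' "$ht" 2>/dev/null; then
    echo "FINDING: no <Files wp-config.php> block in .htaccess"
    findings=$((findings + 1))
  fi

  # Hack: directory browsing must be off (Options ... -Indexes)
  if ! grep -qiE '^[[:space:]]*Options[[:space:]].*-Indexes' "$ht" 2>/dev/null; then
    echo "FINDING: directory browsing not disabled (Options -Indexes missing)"
    findings=$((findings + 1))
  fi

  # Hack: the generator tag should be filtered out in a theme's functions.php
  if ! grep -q 'the_generator' "$root"/wp-content/themes/*/functions.php 2>/dev/null; then
    echo "FINDING: no the_generator filter found in any theme functions.php"
    findings=$((findings + 1))
  fi

  echo "SUMMARY: $findings finding(s)"
  return 0
}
```

Run it as `wp_audit /path/to/wordpress` and fix each FINDING line until the SUMMARY reports 0.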
Securing your site is important regardless of your choice of CMS; many of these tips are obvious, but they are important to take note of and perhaps implement within your WordPress install.
A very useful tutorial. Thanks.
Good hacks, but for example if I only allow admin access from my IP address, that means I cannot access the dashboard when I’m not at the place I configured the IP. I could configure many IPs but it will always restrain my actions.
On the other hand blocking all wp- folders will not allow uploaded photos to show on search engines.
Sorry I was mainly referring to wp-includes and wp-admin, and you could also block the folders inside wp-content excluding uploads.
The IP address isn’t really a good option for many users, but for people who access their blog from the same machine with a static IP it works a charm.
Thank you! Very helpful!
Useful tips, but I would add one:
use as many plugins as you really need and remove any unused ones; many plugins may contain potential bugs.
Impressive article on WordPress. Thanks!
Hey, this is awesome!! Thank you sooooo much!!
One more thing to consider: if your host supports SSL, go get a cheap certificate and use that when authenticating.