Following on from my recent article about WordPress security plugins, there are a number of ways you can shore up your security with a few choice snippets and hacks.
Please do ensure you back up before making any changes to your files; a broken .htaccess can cause your blog to stop working completely!
Tips
Login Name
The WordPress default is “admin”, which basically leaves the hacker needing only to work out your password. Don’t make it easy for them!
Keep Your Install Up To Date
By keeping your WP install up to date you ensure all the latest patches and fixes are installed, so any known exploits will not work on your blog. It takes 2 minutes, just get it done.
Delete Files
Sounds simple, but many people leave the readme.html file in the root folder. Delete it, as readme.html contains the version number of your WordPress install.
Delete Install File
You can delete the wp-admin/install.php file as it’s not needed once WordPress is installed; leaving it lying around can leave your blog vulnerable to attack.
Use A Strong Password
I know some of these tips are obvious to some, but many people still use “password” as their password. Think of something strong: a mixture of upper and lower case letters with a few numbers should do the trick.
Hacks
Protect Your wp-config.php File
Your wp-config.php file contains your blog’s database details and other pieces of info about your blog a potential hacker would like to see, so inside your .htaccess file add:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Block wp- Folders From Everyone
The wp- folders contain various pieces of information about your blog which you don’t want people to see, and you certainly don’t want bots indexing your file structure to the world, so to prevent this add this to your robots.txt file:
Disallow: /wp-
Remove The WordPress Version
I covered this once before in a previous article, but it is worth mentioning again. This is slightly different from the snippet I posted in my previous article: I have since discovered the version number appears in the RSS feed too. Add this to your functions.php file:
function no_generator() { return ''; }
add_filter( 'the_generator', 'no_generator' );
Only Allow Admin Access From Your IP Address
You can also create a new .htaccess file for your wp-admin folder and allow access from your static IP address only:
# my ip address only (replace MY IP ADDRESS with your IP address)
order deny,allow
allow from MY IP ADDRESS
deny from all
Note: if you have a dynamic IP this can be a nuisance, as you would have to manually alter this via FTP each time you need to access your wp-admin.
Disable Directory Browsing
Certain types of servers allow directory browsing by default. For security reasons you don’t want anybody to be able to nose around your directories and their structure, so to combat this add the following to your .htaccess file:
# disable directory browsing
Options All -Indexes
Conclusion
Securing your site is important regardless of your choice of CMS. Many of these tips are obvious, but they are important to take note of and perhaps implement within your WordPress install.