Securing your blog is important. With WordPress so popular these days, it's becoming a bigger and bigger target for hackers. In this post we'll look at ten easy ways to secure your WordPress blog.

Guest post by Alex Denning, a Twitter fan who recently launched his new blog, Nometech.com, where he blogs about WordPress, blogging and web design.

1. WP Security Scan

This very easy to use plugin will sort out some of the basic security issues with WordPress – it’ll change your database’s name and alert you to flaws in your installation’s security, amongst other features.

Download.

2. Protect your plugins

Plugins are an easy way for a hacker to get into your blog if they have flaws in them. An easy way for hackers to find out which plugins you’re using is to browse to /wp-content/plugins/: if directory listing is enabled, they’ll see every plugin you have installed. The solution? Put a blank index.html file in the wp-content/plugins/ folder.

3. Update WordPress

This is super-easy to do, but a surprising number of people don’t do it: update WordPress. If you’re super-security-conscious then don’t upgrade to the next big release immediately (i.e. 2.8); wait for the bug fixes to come in (i.e. wait for 2.8.1).

4. Pick a good password

Common sense. Use a good password. Don’t use the same password that you use on every site; create something that is easy to remember, with a mix of UPPER and lower case and some numbers in there too. Change your password regularly too.

5. Change the admin user name

By default, the WordPress user name is admin. [Lots]% of people don’t change it. Why should you change it? If a hacker has your username, he’s halfway there to getting into your site; he just has to guess your password. If the hacker has to guess your username as well, then that’s twice as much work to do. It’s super easy to migrate posts from one user to another: just create your new user and then delete the admin user. You’ll be given the option to migrate posts to another user.

6. Protect your WP-Config.php file

Your WP-Config.php contains your database name, database username and database password. It’s something to protect.

Just add the following code to your .htaccess file (the one in the WordPress root). The <files> block limits the rule to wp-config.php; without it, the deny applies to every file on the site:

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

Source – Nometech.com

7. Hide your WordPress version

First off, go into your header.php file and remove the meta tag (something like <meta name="generator" etc). Trouble is, WordPress adds the meta tag automatically! How do you remove it? Paste this code into your functions.php file (the hook is called wp_head, not wp_header):

<?php
// stop WordPress printing the generator meta tag in <head>
remove_action('wp_head', 'wp_generator');
?>

Source – ProBlogDesign

8. Limit the number of times a user can enter their password (wrongly)

The Login LockDown plugin will lock out users if they enter their password wrong too many times. You can choose how many times users can enter their password and also how long they’re locked out for via a neat options page.

Source – WP Plugin Directory

9. Limit WP-Admin access by IP

This isn’t something that I do personally, as I blog on a fair number of different computers, but if you’re just on the one, with a fixed IP, then this is a great hack for you: you can restrict access to the wp-admin directory with a simple .htaccess hack (put it in wp-admin/.htaccess; note that Apache doesn’t allow a comment after a directive on the same line):

# allow only your static IP; replace a.b.c.d with your IP address
order deny,allow
deny from all
allow from a.b.c.d

Source – Nometech
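As an added example (not from this post or from Nometech), here is a consolidated pair of .htaccess files that covers tips 2, 6 and 9 together, with both the Apache 2.2 Order/Allow/Deny syntax used above and the Apache 2.4 Require syntax; the address 203.0.113.10 is a constructed placeholder for your static IP.

```apache
# ---- /.htaccess (WordPress root) ----

# Tip 2: no directory listings anywhere, so /wp-content/plugins/ shows
# nothing even without a blank index.html in each folder.
# (If your host does not allow "Options" in .htaccess this line causes a
#  500 error; remove it and fall back to the blank index.html trick.)
Options -Indexes

# Tip 6: no web access to wp-config.php, and none to .htaccess itself.
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# ---- /wp-admin/.htaccess ----

# Tip 9: only the listed IP may reach the admin area.
# 203.0.113.10 is a placeholder; use your own static address.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>

# Caveat: themes and plugins call wp-admin/admin-ajax.php from the public
# site, so leave that one file reachable by everyone or front-end features
# that depend on it will break for visitors.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
```

Test the result from a second machine or a phone on mobile data: /wp-config.php and /wp-admin/ should return 403, while the front page and admin-ajax.php still load.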

10. Login via SSL

If your host has an SSL certificate then you can use this great little plugin to login via SSL. The Admin SSL plugin “secures login page, admin area, posts, pages – whatever you want – using Private or Shared SSL.”

Source – WP Plugin Directory, via MakeUseOf.com

And finally

It is very easy to get bogged down in plugins, but bear this in mind: a strong password that is changed regularly, and a couple of .htaccess hacks (this post might help) will keep the casual hacker out.

If you’ve enjoyed this post then please do take a look at Nometech.com, my new blog, and perhaps even subscribe to the RSS feed. If you’re on Twitter too then new followers are always welcome!


87 Comments

  1. Posted May 6, 2009 at 12:19 am | Permalink

    To be very true, I had all those flaws but my plugins directory was not visible because my host has some kind of security and it showed me some error page rather than that ftp style page showing all files. Thanks for sharing all those tips because they are mandatory.

  2. Posted May 6, 2009 at 7:24 pm | Permalink

    Thank you for a post. I will definitely be utilizing some of these tips. This is especially good for those who are using a multi-user install. You definitely don’t want a multi-user site getting hacked.

  3. Posted May 7, 2009 at 7:45 am | Permalink

    Excellent security tips for WP blogs. While I am in the process of upgrading the theme, I should certainly take a look at improvising on security.

    Just tweeted this post

  4. Posted May 7, 2009 at 9:03 am | Permalink

These tips are indeed very useful. Thanks, I will definitely use those mentioned above.

  5. Posted May 7, 2009 at 2:10 pm | Permalink

It is very true, and thanks for the post.

  6. Posted May 7, 2009 at 5:00 pm | Permalink

Good, common sense list – especially on the passwords. People are dangerously lazy with keeping a good password.

  7. Posted May 7, 2009 at 7:27 pm | Permalink

It’s very interesting… I will try it. Thank you very much for this post.

  8. Posted May 8, 2009 at 12:21 am | Permalink

OMG, I never considered the security holes on WordPress before. I thought it was secure. Putting an index file in a directory to prevent a list being seen on the screen is an old trick, but I never thought of using it for WP. I started reading this post and went to my site to do it immediately. I then came back and saw the tip about protecting your wp-config.php – that’s a new one on me. (I did that too.)

    Thanks, you may have saved me a lot of time!

  9. Posted May 8, 2009 at 5:50 am | Permalink

    Wow. So someone can access a specific file that contains the login and password? I was about to go to bed but now I’ll need to check this out.

  10. Posted May 8, 2009 at 7:07 am | Permalink

    Great stuff as usual, thanks!

  11. Posted May 8, 2009 at 8:35 am | Permalink

Well, I got my site’s database hacked last week; it won’t show anything except the two numbers: “56”..
One of my friends told me that I should change the database and back up my old content.. Now it is live again..

  12. Posted May 8, 2009 at 6:25 pm | Permalink

    Great post man! This was very helpful, thank you very much.

  13. Posted May 8, 2009 at 11:36 pm | Permalink

    I’ll try it…

  14. Posted May 9, 2009 at 10:00 pm | Permalink

Just wanted to come back and say thanks for the tips. I spent the other night fixing a couple of flaws in my security across all my blogs.

  15. Posted May 10, 2009 at 10:14 am | Permalink

    This is a very helpful post.
    I already experienced domain defacement in my previous blogs
    And I agree that a strong password is very important.
We can include in our passwords not only numbers and letters but also hyphens like @#$?*!!, to ensure security.

  16. Posted May 10, 2009 at 6:06 pm | Permalink

The ninth tip wouldn’t be advisable for those who have a dynamic IP address. My current ISP provided me with a dynamic one, and there are times when my IP changes. Nonetheless, this checklist is very useful to secure WordPress blogs.

  17. Posted May 10, 2009 at 6:38 pm | Permalink

Great tips, I am going to implement these on my blogs; some of them got hacked recently and Google started showing a malware warning. Not only did I lose a couple of days’ income, they also lost ranking and followers in those days. Had to remove the iframe code from index.php, files in wp-content, wp-includes and theme pages.

I am sure just removing the version code will prevent hacking bots that work on a particular version. I would add an 11th way to this: keep looking for new versions and update your WordPress version when a new one is available (it’s easy nowadays).

  18. Posted May 11, 2009 at 10:08 am | Permalink

I think these are very interesting tips.
I want to produce a website while referring to it.
I thank you for a splendid entry.

  19. Posted May 11, 2009 at 2:56 pm | Permalink

Thanks, these tips are indeed very useful and I will definitely use those mentioned above.

  20. Posted May 11, 2009 at 8:10 pm | Permalink

    Why must we remove a WordPress version from metas?
    I really can not understand it.

  21. Posted May 12, 2009 at 4:14 am | Permalink

    @psd to html: You should remove the version because most hacks are targeted towards a particular version of wordpress. Many people also remove such info from their webserver and OS for the same reason.

  22. Posted May 12, 2009 at 10:44 am | Permalink

    Thanks for this info. I have just downloaded WP Security Scan, I hope that helps secure my site more.

    I already had most of the other checks in place.

  23. Posted May 12, 2009 at 12:07 pm | Permalink

    Glad to read this info. I will apply these tips to secure my wordpress blog. Thanks for sharing this post!

  24. Posted May 12, 2009 at 4:49 pm | Permalink

Have you tried doing it? It says that any code “that isn’t permitted”; that doesn’t necessarily mean no code at all. I’ve been able to add HTML to the text widget just fine.

  25. Posted May 13, 2009 at 4:18 am | Permalink

Nice post, that is a good plugin, and with that and a good password you should be good until you get huge and attract a lot of attention. I think that if that happens then you can afford to upgrade, but this should get you started and be fine for quite a while. Good post.

  26. Posted May 13, 2009 at 9:55 am | Permalink

Thanks for the information, I will apply these tips.

  27. Posted May 13, 2009 at 3:10 pm | Permalink

    Good article,

    is there a way to change the wp-admin folder name?
    if not, would you recommend adding a htpasswd file in the wp-admin folder too?

  28. Posted May 13, 2009 at 4:51 pm | Permalink

Hmm… it adds to my knowledge about WP, because I am a newbie in WP… hehe… thanks for the nice info…

  29. Posted May 13, 2009 at 7:47 pm | Permalink

The WordPress security issue is something that everyone should look after in the first place. There are so many hackers and vulnerabilities that can make your life very hard if you are not prepared for them. Thanks for sharing these great WordPress security tips.

  30. Posted May 15, 2009 at 7:56 am | Permalink

    nice tips. thanks

  31. Posted May 15, 2009 at 1:58 pm | Permalink

Didn’t know about #2 (plugins folder). What has happened to v2.8? Thought it was due at the start of April – just went and checked again after reading your post but still no sign.

  32. Posted May 15, 2009 at 7:13 pm | Permalink

    Thanks for the advice here. We have been having a lot of problems with hackers getting into our blogs. I am going to pass the information on to our web master. This is very helpful!

  33. Posted May 15, 2009 at 9:25 pm | Permalink

    I want to have it so when I post on my blog at Wordpress, it will automatically post the same blog on my MySpace page. I know there is a way to do this with forums and bulletin boards – posting on WordPress and having it show up in the forums.

  34. Anders
    Posted May 16, 2009 at 1:20 pm | Permalink

Great post, but what about security against spam? Plugins such as WP-SpamFree, Akismet and SpamTask should be mentioned, shouldn’t they? :) I mean, spammers are some kind of hackers I believe. :P

  35. Posted May 16, 2009 at 3:26 pm | Permalink

Wow, I had no idea WordPress was so unsafe – I’m definitely going to implement these tips. Thank you very much for this!

  36. Posted May 17, 2009 at 6:49 pm | Permalink

A good password is very important. And changing it often is good training for your own memory too.

  37. Posted May 17, 2009 at 6:57 pm | Permalink

    I’ve installed and used the Security plugin, it works very easily and well.

  38. Posted May 20, 2009 at 7:52 am | Permalink

Hi,
Thanks for sharing these great tips.
I never thought about this area. I don’t have much information about blogging, but after reading your blog I think that we should all secure our blogs.

  39. Posted May 20, 2009 at 9:43 am | Permalink

A really nice tip you have here, Sir! Also, you can add removing those footprints created by WP themes.

  40. Posted May 23, 2009 at 7:27 pm | Permalink

    Thank you. This worked perfectly. =]

  41. Posted May 23, 2009 at 10:03 pm | Permalink

    Excellent security tips for wp bloggers…

    Thanks,
    Sandeep

  42. Posted May 24, 2009 at 6:33 pm | Permalink

Really useful information. Many of the described methods of protection are not known.

  43. Posted May 25, 2009 at 7:28 pm | Permalink

Nice tip, my brain is ever expanding with useful knowledge from this blog.

  44. Posted May 26, 2009 at 7:37 pm | Permalink

I am new to WordPress and I am glad I’ve come across this blog. Although these are not foolproof, they will minimize problems later. Thanks for posting these tips.

  45. Posted May 27, 2009 at 4:09 am | Permalink

Thanks, I will definitely use those mentioned above. These tips are indeed very useful.

  46. Posted May 28, 2009 at 5:28 am | Permalink

    Great article. I just bookmarked it. Thank you so much for sharing it.

  47. Posted May 29, 2009 at 1:02 pm | Permalink

    It seems I still have a lot to learn in Wordpress. Thanks for sharing.

  48. Posted May 30, 2009 at 4:43 pm | Permalink

With this post I have learnt a lot on WordPress. I am going to use the above methods. Very helpful. A few of the plugins are really nice.

  49. Posted June 1, 2009 at 1:31 am | Permalink

Thank you for the information! Especially tip nr. 6 is great, to protect wp-config.php.
    Thanks

  50. Posted June 2, 2009 at 9:33 am | Permalink

    Great tips…thank you so much!

  51. Posted June 2, 2009 at 10:35 am | Permalink

I’d add “don’t login from strange computers”. If your blog’s making some money, buy a laptop and don’t use any other computer. You never know if there are any keyloggers on someone else’s computer.

  52. Posted June 3, 2009 at 11:56 am | Permalink

    How To Secure a Wordpress Blog Please help me guys?

  53. Posted June 3, 2009 at 8:24 pm | Permalink

    You offer some very important tips, because with how easy most hosts make it to set up a wordpress site, a lot of new bloggers don’t even think about security.

    Regarding #2, protect your plugins, can’t you also add Options -Indexes to your .htaccess file, to stop people from being able to view the contents of a directory?

  54. Posted June 4, 2009 at 9:29 am | Permalink

Great post, I like this site and thanks for the information.

  55. Posted June 4, 2009 at 10:44 am | Permalink

Nice plugin, WP Security Scan. Thanks for sharing good tips for securing a WordPress blog. Good work.

  56. Posted June 5, 2009 at 3:51 am | Permalink

It took me a couple of sessions but I completed plugging my holes. Thanks again for sharing these risks!

  57. Posted June 8, 2009 at 7:27 am | Permalink

Nice list there.. Very few people bother to come up with this actually..

  58. Posted June 9, 2009 at 9:39 am | Permalink

    Good news for new bloggers like us. Now we know what mistakes to avoid. Most people would have hardly thought of these.

  59. Posted June 10, 2009 at 3:31 pm | Permalink

    Thank you for sharing these tips. I need this to protect several of my wp blogs.

  60. Posted June 10, 2009 at 11:40 pm | Permalink

    Thanks for the tips, very helpful.

  61. Posted June 11, 2009 at 3:16 am | Permalink

    Good list. I picked up a couple plugins I had not yet considered. Thanks.

  62. Posted June 11, 2009 at 1:40 pm | Permalink

Nice to see that someone posted a simple but extraordinary article regarding securing a WordPress blog. I especially liked points 6 – Protect your WP-Config.php file and 7 – Hide your WordPress version. I just applied these two points to my blog.
    Thanks for sharing

  63. Posted June 12, 2009 at 2:06 pm | Permalink

Good tips. I’ll download the WP Security plugin for my WordPress blog. Are these types of plugins available for Blogspot?

  64. Posted June 14, 2009 at 6:03 pm | Permalink

    Thanks a lot for sharing this.

    I’ll go right now and update all my wordpress blogs and install the security plugins as well as protect all the plugin directories.

    I wish I discovered your post before one of my blogs got hacked, three weeks ago.

Just dugg, tweeted and posted it on del.icio.us and I’m gonna share it on the forum I’m actively involved in, because I saw a lot of posts where WP blogs got hacked.

    Daniel

  65. Posted June 16, 2009 at 12:31 am | Permalink

    Thanks for the list. It’s amazing to me that blog owners have to go through all of this trouble to prevent worthless people from getting into our sites… Can you tell I’ve been hacked recently?

  66. Posted June 16, 2009 at 2:41 pm | Permalink

Thank you for these 10 items. I’m just starting to learn WordPress and this information is very helpful and important.

  67. Posted June 16, 2009 at 9:00 pm | Permalink

THANKS FOR THE MUCH NEEDED TIPS TO ensure efficiency with WordPress!

  68. Posted June 17, 2009 at 6:28 pm | Permalink

Ten brilliant tips for blog securing. I suggest tip number 10 is the best one.

  69. Posted June 18, 2009 at 11:51 pm | Permalink

    Thanks for this information. I never even thought of some of these security flaws, like people looking at my plugins and finding out info about my site from the plugins I use.

  70. Posted June 20, 2009 at 7:41 am | Permalink

Very good tips.. I will try. Thanks..

  71. Klark
    Posted June 24, 2009 at 3:53 am | Permalink

    I think there are some errors in your tips.

    6. Protect your WP-Config.php file

    should be

    <files wp-config.php>
    order deny,allow
    deny from all
    </files>

    9. Limit WP-Admin access by IP

    should be

    order deny, allow
    deny from all
    allow from a.b.c.d. #your static ip

  72. Posted July 1, 2009 at 5:53 pm | Permalink

These are some good tips. There are also security products for WordPress, but if you don’t feel like spending money these tips will do. I think that keeping one’s blog updated, I mean the version of WordPress, is very important.

  73. Posted July 4, 2009 at 9:00 am | Permalink

The 6th point.. for the .htaccess file.. when I made the change, my site went down. Exactly how do I put it?

  74. Posted July 14, 2009 at 1:38 pm | Permalink

    I use the same technique as Wheelchair Guide.

If you are already editing .htaccess, then a lot of work placing blank index.html files in every folder for which you wish to block browsing is saved.
One line of code is all you need!

    Also, don’t forget to protect .htaccess itself as well as the config file. Here are the three bits I’ve mentioned (these can be copied and pasted verbatim):

    # protect the htaccess file
    <files .htaccess>
    order allow,deny
    deny from all
    </files>

    # protect wp-config.php
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    # disable directory browsing
    Options All -Indexes

  75. Posted July 14, 2009 at 1:40 pm | Permalink

    Oops. Forgot the code tag:

    # protect the htaccess file
    <files .htaccess>
    order allow,deny
    deny from all
    </files>

    # protect wp-config.php
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    # disable directory browsing
    Options All -Indexes

  76. Posted July 25, 2009 at 10:42 am | Permalink

These tips are indeed very useful. Thanks, I will definitely use those mentioned above.

  77. Posted July 31, 2009 at 10:25 am | Permalink

These are definitely useful tips for WordPress users. I will learn these tips first so I can apply them correctly. Thanks Alex.

  78. Posted August 5, 2009 at 2:47 pm | Permalink

Thanks, I will definitely use those mentioned above.

  79. Posted August 16, 2009 at 12:29 pm | Permalink

Heads up. Your WordPress version is still showing. Nice list of tips. I’ll create my own top 5 secure WordPress tips and link back to this post.

  80. Tommix
    Posted August 28, 2009 at 10:26 pm | Permalink

    Man if you have no idea about what you’re “writing” – please do not write.

    1 What a f***:
    # protect wpconfig.php
    order allow,deny from all

this will deny access to ALL files, not wp-config.php

    2. order deny, allow
    allow from a.b.c.d. #your static ip
    deny from all

    so where is backslash before dots??

  81. Posted September 18, 2009 at 5:27 am | Permalink

Hey Alex, these tips are simply amazing! You’ve done a great job in putting such an extensive list all together. I am sure I am gonna try out most of them. These safety tricks would definitely prove effective while safeguarding WordPress powered sites. Thanks a bunch!

  82. Posted October 11, 2009 at 5:50 am | Permalink

    Wow,
What a nice post, I just found this post story from my Technorati profile news feeds section! I was searching for this for the past 3 months and I am glad to see it here. Thanking you much.

    Kathe

  83. Posted October 15, 2009 at 5:23 pm | Permalink

    Hi Alex, I’m late to the party but can you please include the attribute to my original image as per the terms for usage of the image: http://www.flickr.com/photos/subcircle/500995147/

  84. Posted October 23, 2009 at 12:11 pm | Permalink

    Thank you very much for these useful tips…

  85. Posted November 12, 2009 at 7:43 am | Permalink

Very informative post. Thanks for all the tips for securing the WordPress blog.

  86. Posted December 8, 2009 at 6:23 pm | Permalink

Thank you for your advice, I just used these tips on my blog.

  87. Posted January 7, 2010 at 5:30 pm | Permalink

This is excellent advice. I am currently using Login Lockdown, and have the file permissions set to the correct levels on my server. I am also using the blank index.html file in my plugins directory to hide that stuff.

I am not however using the WordPress version hiding functionality. I have plug-ins that won’t work if the WordPress version is removed, and they are plug-ins I desperately need. I am not so sure hiding the version will help much though, as many of those automated bots will simply try the hack regardless of what version you’re running; if it doesn’t work they move on. This is akin to the major port scans you see from bots on the net anymore.

    Nonetheless, I didn’t know about the Wordpress Security Scan so I will have to check that out.

    thanks for the good information

23 Trackbacks

  1. [...] for further tips on increasing the security of your WordPress blog, you should read the article 10 Easy Ways to Secure your WordPress Blog Save / share with [...]

  2. By You are now listed on FAQPAL on May 5, 2009 at 6:40 pm

    10 Easy Ways to Secure your WordPress Blog…

    Securing your blog is important. With WordPress so popular these days, it’s becoming a bigger and bigger target for hackers. In this post we’ll look at ten easy ways to secure your WordPress blog….

  3. By links for 2009-05-06 « It’s About Time on May 6, 2009 at 12:04 pm

    [...] 10 Easy Ways to Secure your WordPress Blog Securing your blog is important. With WordPress so popular these days, it’s becoming a bigger and bigger target for hackers. In this post we’ll look at ten easy ways to secure your WordPress blog. (tags: wordpress security) [...]

  4. [...] Sponsored links: a good collection of 10 steps to improve the security of your blog; 27 plugins for the now so popular [...]

  5. [...] Read it here! [...]

  6. [...] via 10 Easy Ways to Secure your WordPress Blog. [...]

  7. [...] click here to read full article [...]

  8. [...] 10 Easy Ways to Secure your WordPress Blog: all more or less appeals to common sense. But it doesn’t hurt to write them down once again. [...]

  9. [...] 10 Easy Ways to Secure your WordPress Blog [...]

  10. [...] Thank to catswhocode [...]

  11. By Seguridad en el wordpress | BLOG DEL MIRADOR on June 24, 2009 at 9:14 pm

    [...] Via: Cats Who Code [...]

  12. [...] Source: catswhocode [...]

  13. By Plugins & .htaccess | Amalgamis on July 25, 2009 at 9:27 pm

    [...] 10 Easy Ways to Secure your WordPress Blog [...]

  14. By 30+ Useful WordPress Tutorials on August 11, 2009 at 5:11 pm

    [...] 2. 10 Easy Ways to Secure your WordPress Blog [...]

  15. [...] Source: catswhocode.com [...]

  16. [...] catswhocode.com Tags:  Secure, Wordpress This entry was posted on Wednesday, August 19th, 2009 at 13:57 [...]

  17. By 5 Brilliant WordPress Articles | WPShout.com on August 21, 2009 at 9:59 am

    [...] "10 Ways to Secure Your WordPress Blog" "Securing your blog is important. With WordPress so popular these days, it’s [...]

  18. [...] Source: catswhocode.com [...]

  19. By 10 TIPS Agar Blog Wordpress Aman | Make Money Blogging on September 14, 2009 at 6:20 am

    [...] via SSL. To implement login via SSL we need to use the SSL secure admin plugin catshowcode.com @ 10 TIPS Agar Blog Wordpress [...]

  20. [...] Thank to catswhocode [...]

  21. [...] via SSL. To implement login via SSL we need to use the SSL secure admin plugin catshowcode.com @ 10 TIPS Agar Blog Wordpress [...]

  22. [...] 1. Catswhocode>  – gives You 10 ways to secure Your WP blog ! 2. Wordpress.org>  - the WP´s own recommendations 3. Enzine article>  – another good interesting article with 7 steps to secure Your WP [...]

  23. By Securitate sporita pentru WordPress | Cine Sunt ? on February 26, 2010 at 10:34 am

    [...] 10 easy ways to secure your wordpress blog [...]
