Webmasters and bloggers often have a huge fear of being hacked, and the more popular a website is, the more it is exposed to hacking attempts. Here are 5 tips and plugins that will allow you to secure your Wordpress install, because prevention is always better than cure!

1 – Dump your database with WP-Database Backup

Here’s the first piece of advice I would give to anyone: make backups, and make them often. Of course, you can go through phpMyAdmin on your host, or dump your database from the command line if you have SSH access to your server, but this plugin really simplifies the task: you’ll just have to log in to your Wordpress admin panel and click on a few links.
Note that WP-Database Backup can also e-mail you a backup of your database every day. A must-have for every blogger!
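If you prefer the command-line route mentioned above, here is a small shell script added for this purpose (it is not code from the post or from the WP-Database Backup plugin). It assumes mysqldump and gzip are installed; the database name, user, password, output directory and retention count are placeholders you pass in. It keeps the password out of the process list by handing it to mysqldump through a temporary option file, and prunes old dumps so the backup directory does not grow forever.

```shell
#!/bin/sh
# Added example (not the post's or the WP-Database Backup plugin's code):
# a command-line backup of the WordPress database that compresses each dump
# and keeps only the newest few. Assumes mysqldump and gzip are installed;
# database name, user, password and output directory are hypothetical inputs.

# Name a dump after the database and the time it was taken (the timestamp
# defaults to now; it can be passed in explicitly, e.g. for tests).
backup_filename() {
    printf '%s-%s.sql.gz\n' "$1" "${2:-$(date +%Y%m%d-%H%M%S)}"
}

# Dump one database into OUTDIR as <db>-<timestamp>.sql.gz.
# The password goes to mysqldump through a temporary option file (mode 600)
# rather than on the command line, where `ps` would show it to every other
# user on a shared host.
dump_database() {
    db_name=$1; db_user=$2; db_pass=$3; out_dir=$4
    cnf=$(mktemp) || return 1
    chmod 600 "$cnf"
    printf '[client]\nuser=%s\npassword="%s"\n' "$db_user" "$db_pass" > "$cnf"
    target="$out_dir/$(backup_filename "$db_name")"
    tmp_sql="$target.tmp"
    # Two steps rather than a pipe, so a mysqldump failure is not masked by gzip.
    if mysqldump --defaults-extra-file="$cnf" --single-transaction "$db_name" > "$tmp_sql" \
        && gzip -c "$tmp_sql" > "$target"; then
        rm -f "$tmp_sql" "$cnf"
        chmod 600 "$target"
        printf '%s\n' "$target"
        return 0
    fi
    rm -f "$tmp_sql" "$cnf" "$target"
    return 1
}

# Delete all but the newest KEEP dumps of a database in OUTDIR.
prune_backups() {
    prune_dir=$1; prune_db=$2; keep=$3
    # ls -t lists newest first; dump names contain no whitespace, so this is safe.
    ls -t "$prune_dir"/"$prune_db"-*.sql.gz 2>/dev/null \
        | tail -n +"$((keep + 1))" \
        | while IFS= read -r old; do rm -f "$old"; done
}

# How many dumps of a database are currently kept.
count_backups() {
    ls "$1"/"$2"-*.sql.gz 2>/dev/null | wc -l | tr -d ' '
}

# Usage: WP_BACKUP_RUN=1 ./wp-backup.sh DBNAME DBUSER DBPASS OUTDIR [KEEP]
# (the guard lets the functions be sourced without running anything)
if [ "${WP_BACKUP_RUN:-}" = "1" ]; then
    dump_database "$1" "$2" "$3" "$4" && prune_backups "$4" "$1" "${5:-7}"
fi
```

Run it from cron once a day and keep the dumps outside the web root, readable only by your own user: a backup that anyone can download is worse than no backup at all.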

2 – Scan your Wordpress install to find security holes

We now have a very good plugin to dump our dear database on a daily basis. The next step is to scan our Wordpress installation in order to verify that no security hole is present. For this, we’ll use the excellent plugin called WP Security Scan, which will identify vulnerabilities on our blog and tell us how to fix them.
This plugin also lets you rename the table prefix, test your password strength, delete the admin account and verify that your blog directories have the correct permissions (chmod).
Wordpress Security Scan

3 – Protect your blog from brute force

A brute-force attack consists of trying as many combinations of letters, numbers and other characters as possible in order to find a password. There is even a Python script designed to discover the password of a blog running Wordpress.
It’s obvious that if your password is the name of your blog or something like “secret”, a brute-force attack will find it easily. The first thing to do is to use a very strong password, with lower-case and upper-case letters, numbers and special characters. You can also rely on the password generator included in WP Security Scan.

Even if a strong password is a very good thing, adding an Apache login prompt in front of the wp-admin directory is another way to protect your blog efficiently. Among other things, the Ask Apache plugin lets you protect your wp-admin directory with server-level authentication (htpasswd).
Note also that the plugin lets you disable hotlinking and direct access to your wp-content and wp-includes directories.
Ask Apache

4 – Beware of plugins

Some plugins can contain security vulnerabilities, and a public listing of the wp-content/plugins directory tells a visitor exactly which ones you run. For this reason, it is necessary to hide the contents of the wp-content/plugins directory. You just have to create an empty file named index.html and upload it to the wp-content/plugins directory.

Given how long this kind of problem has been known, I must admit I’m surprised that Wordpress still does not hide the contents of this directory by default.
Protect wp-content/plugins
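As an added example covering tips 3 and 4 (my own script, not code from the post, the Ask Apache plugin or WordPress): a shell script that writes the .htaccess putting wp-admin behind Apache HTTP authentication, and that blocks directory listings under wp-content/plugins and the other directories named above. It assumes Apache honours .htaccess for those directories (AllowOverride AuthConfig Options) and that the htpasswd tool is installed; every path and the user name are placeholders.

```shell
#!/bin/sh
# Added example (not the post's code and not the Ask Apache plugin): put
# wp-admin behind Apache HTTP authentication and stop directory listings of
# wp-content/plugins. Assumes Apache reads .htaccess here (AllowOverride
# AuthConfig Options) and that the htpasswd tool is installed; all paths
# are hypothetical.

# Write the .htaccess that protects wp-admin with HTTP Basic authentication.
# $1 = wp-admin directory, $2 = absolute path of the htpasswd file. The
# password file must live outside the web root, or Apache could serve it.
protect_wp_admin() {
    admin_dir=$1; auth_file=$2
    web_root=$(dirname "$admin_dir")
    case "$auth_file" in
        "$web_root"/*) echo "htpasswd file must not be inside the web root" >&2; return 1 ;;
    esac
    cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $auth_file
Require valid-user

# admin-ajax.php is requested by themes and plugins from the public site,
# so it must stay reachable without a password (Apache 2.2 syntax).
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
EOF
}

# Add or update a user in the htpasswd file; htpasswd prompts for the password.
# -c creates the file the first time. -B (bcrypt) needs htpasswd 2.4.4 or
# later; on older builds use -m instead.
add_admin_user() {
    auth_file=$1; user=$2
    if [ -f "$auth_file" ]; then
        htpasswd -B "$auth_file" "$user"
    else
        htpasswd -cB "$auth_file" "$user"
    fi
    chmod 640 "$auth_file"
}

# Give a directory a blank index page and tell Apache not to list it, so a
# request for the directory itself shows nothing instead of its contents.
# Safe to run twice: the directive is only appended once.
hide_directory_listing() {
    dir=$1
    if [ ! -e "$dir/index.html" ] && [ ! -e "$dir/index.php" ]; then
        : > "$dir/index.html"
    fi
    if [ -f "$dir/.htaccess" ] && grep -q '^Options -Indexes' "$dir/.htaccess"; then
        return 0
    fi
    printf 'Options -Indexes\n' >> "$dir/.htaccess"
}

# Check: does a directory have at least one of the two protections? (0 = yes)
listing_protected() {
    dir=$1
    if [ -e "$dir/index.html" ] || [ -e "$dir/index.php" ]; then
        return 0
    fi
    [ -f "$dir/.htaccess" ] && grep -q '^Options -Indexes' "$dir/.htaccess"
}

# Usage: WP_HARDEN_RUN=1 ./wp-harden.sh /path/to/wordpress /etc/apache2/wp-admin.htpasswd USERNAME
if [ "${WP_HARDEN_RUN:-}" = "1" ]; then
    protect_wp_admin "$1/wp-admin" "$2" && add_admin_user "$2" "$3"
    for d in "$1/wp-content/plugins" "$1/wp-content" "$1/wp-includes"; do
        hide_directory_listing "$d"
    done
fi
```

Basic authentication only base64-encodes the password, it does not encrypt it, so the extra login is real protection only when wp-admin is served over HTTPS; over plain HTTP it mostly raises the cost of automated guessing against wp-login.php.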

5 – Hide the Wordpress version

If a security hole exists in a particular version of WP, a would-be attacker only has to display your blog’s source code in their browser and check whether the version you use matches the vulnerable one. By leaving the version meta tag in place, you’re announcing that you are potentially vulnerable. Simply delete that line from the header.php of your theme.
Similarly, there is also a plugin that lets you lie about the Wordpress version you’re using.
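Deleting the meta line from header.php is only half the job on newer WordPress versions, where core adds the tag through wp_head() as well (comment 16 below points this out). So here is an added shell script, not code from the post or from any plugin, that does both: it strips the line from the theme and installs a must-use plugin that unhooks the core generator output. remove_action(), add_filter() and the wp_head / wp_generator / the_generator hooks are real WordPress APIs; the paths, the theme name and the plugin file name are placeholders.

```shell
#!/bin/sh
# Added example (not the post's code, nor the plugin it mentions): remove the
# hard-coded generator meta tag from a theme's header.php and install a
# must-use plugin that stops WordPress core itself from printing its version
# in wp_head() and in feeds. remove_action()/add_filter() and the
# 'wp_head'/'wp_generator'/'the_generator' hooks are real WordPress APIs;
# the file names and paths are hypothetical.

# Delete every <meta name="generator" ...> line from a file, keeping a .bak copy.
strip_generator_meta() {
    file=$1
    cp "$file" "$file.bak"
    sed '/<meta[^>]*name="generator"/d' "$file.bak" > "$file"
}

# Install wp-content/mu-plugins/no-generator.php. Must-use plugins load on
# every request without activation and survive a theme switch, so the version
# stays hidden even if a new theme prints it via wp_head().
install_no_generator_plugin() {
    wp_root=$1
    mkdir -p "$wp_root/wp-content/mu-plugins"
    cat > "$wp_root/wp-content/mu-plugins/no-generator.php" <<'EOF'
<?php
/*
Plugin Name: No Generator
Description: Hides the WordPress version from page headers and feeds.
*/
// Core hooks wp_generator() to wp_head, which prints <meta name="generator">.
remove_action('wp_head', 'wp_generator');
// Feeds print a <generator> element through the_generator(); blank it too.
function no_generator_blank($generator) { return ''; }
add_filter('the_generator', 'no_generator_blank');
EOF
}

# Check: does any PHP file under a theme still contain a generator meta tag?
# Returns 0 when one is found, 1 when the theme is clean.
generator_meta_present() {
    [ -n "$(find "$1" -type f -name '*.php' -exec grep -l 'name="generator"' {} + 2>/dev/null)" ]
}

# Usage: WP_HIDE_VERSION_RUN=1 ./wp-hide-version.sh /path/to/wordpress THEME_NAME
if [ "${WP_HIDE_VERSION_RUN:-}" = "1" ]; then
    strip_generator_meta "$1/wp-content/themes/$2/header.php"
    install_no_generator_plugin "$1"
fi
```

Hiding the version buys a little obscurity against lazy scanners, nothing more; the real fix for a known hole is still to upgrade.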


32 Comments

  1. Posted July 27, 2008 at 12:34 am | Permalink

    Good advice, especially on the plugins directory one. That never occurred to me and, sure enough, browsing to that folder on my blog left the whole thing visible for the world to see. Fixed that little hole now.

  2. Posted July 27, 2008 at 1:19 am | Permalink

    This is great stuff. I have a question: you said upload an empty index.html to protect from plug-in sec issues, you mean an empty text file named index.html? Can you elaborate on that a bit?

    And also, to hide the WordPress version, what do you actually delete from the header.php?

    Sorry, new to the whole blog and code thing here,
    Thanks,
    JR

  3. Thursday
    Posted July 27, 2008 at 4:18 am | Permalink

    Chris Swenson has a great Greasemonkey script to secure logins, as well — it’s at http://www.caswenson.com/?p=56.

  4. Posted July 27, 2008 at 5:18 am | Permalink

    I wrote a Greasemonkey script to help with the password problem as well:

    http://www.caswenson.com/?p=56

  5. Posted July 27, 2008 at 9:33 am | Permalink

    @All: Thanks for your contribution and the Greasemonkey script!

    @JR: Yeah, an empty text file named index.html is all good. When someone tries to go to yourblog.com/wp-content/plugins, he’ll only see a blank page, not a directory listing of all plugins.
    To hide the Wordpress version, you can delete the meta in the header.php file. I heard new Wordpress versions don’t allow that hack anymore, so you should read this post for more explanations.

  6. Posted July 27, 2008 at 12:45 pm | Permalink

    The Ask Apache plugin looks good, and thanks for pointing out the way anyone can look at my plugins directory.

    I’ve found two other ways of protecting it.

    1. Inside the “wp-content” file is an index.php file. You can just copy this into “wp-content/plugins”

    2. You can prevent people from looking inside your plugins directory by creating a file in there called “.htaccess” and adding the following line:

    Options -Indexes

    This is the more “correct” way of doing this, since it then tells the web browser “You’re not allowed in here”.

    http://bmw.ws.utk.edu/htaccess/examples/ has more interesting things your .htaccess file can do.

  7. Posted July 27, 2008 at 4:38 pm | Permalink

    @James: Thanks for your contributions, both are great!

  8. Posted July 28, 2008 at 8:11 pm | Permalink

    These are good tips! I had all of them set up already, except for the plugin’s directory lockout. @James, your .htaccess file worked perfectly!

    For defeating brute force attempts, I’ve installed Login Lockdown. It blocks out an IP address block for one hour after three missed attempts in five minutes. Seems like it would take a while to brute force it under those limitations. What do you guys think?

    http://wordpress.org/extend/plugins/login-lockdown/

  9. Posted July 28, 2008 at 8:46 pm | Permalink

    I didn’t know Lockdown, and it seems to be a pretty good solution. The only problem with AskApache is that the iPhone seems unable to remember the password, so you have to re-type it again and again when you want to see a new page in the wp-admin directory.
    So thanks a lot Matthew, I will check out Lockdown!

  10. Posted July 30, 2008 at 5:54 am | Permalink

    Thanks for the tips. I’ll sleep a little easier at night after this one.

  11. Posted August 7, 2008 at 3:04 pm | Permalink

    Excellent list of plugins! I’ve had issues in the past with SQL injection hacks and since then take securing my sites very seriously. Thanks for sharing.

  12. Posted August 7, 2008 at 6:04 pm | Permalink

    The WordPress Tweaks plugin can take care of #4 and #5.

  13. Posted August 7, 2008 at 6:36 pm | Permalink

    @Gio: You’re welcome :)

    @John: Thanks for the info!

  14. Posted August 8, 2008 at 9:15 am | Permalink

    Oh, that’s great, thanks, but I really don’t want to install so many plugins; I think it will slow down the speed of my blog.

  15. Posted August 8, 2008 at 9:47 am | Permalink

    I don’t really know if plugins can slow down blogs; it probably depends on how they’re coded. We have more than 10 active plugins here at CatsWhoCode but I never felt that the blog slowed.

  16. Posted August 10, 2008 at 4:54 pm | Permalink

    Wordpress adds meta generator code (version info) in its core. It is not just that themes add them. You need to modify the Wordpress core to hide the version info.

  17. Posted August 10, 2008 at 6:21 pm | Permalink

    Yeah, I heard about that recently. I think Kyle from Hack Wordpress gave a solution to solve this problem without modifying WP core. Thanks for the info!

  18. Posted August 25, 2008 at 5:54 pm | Permalink

    Ah, thanks for a nice grouping of plugins to safeguard our blogs.

  19. Posted September 15, 2008 at 10:19 pm | Permalink

    This is a great top 5… especially liked the tip about hiding the plug-in directory!

  20. Posted November 26, 2008 at 2:25 am | Permalink

    Awesome advice, I’m going to start implementing these on my blog immediately.

    Jeremy Reeves
    http://www.controlbeatingcopy.com

  21. Posted December 4, 2008 at 11:43 pm | Permalink

    On another blog I have been reading a similar post and was shocked to learn that someone can create an account with the username admin, and then that admin can do everything on your blog which an administrator could. I am wondering why WordPress has this security hole. These days one of my blogs is under spam attack and a couple of dozen spam users have been created. I am very confused how to stop that.

  22. Posted December 16, 2008 at 7:47 pm | Permalink

    Wow, I never paid so much attention to security issues. I just got struck by it a few days ago and I thought I should research and work on it. That’s how I ended up here. Thanks for bringing out the possibilities.

  23. Wordpress Secure Login
    Posted January 3, 2009 at 6:49 pm | Permalink

    You can use wordpress stealth login like this tutorial http://xtremenitro.org/2008/12/29/stealth-login-secure-your-wordpress-login.html

  24. Posted January 15, 2009 at 5:09 pm | Permalink

    Great article. And really good advice. Securing my WordPress blog was something I had to take loads of time and consideration over. This article will be really helpful to my friends who have just started blogging. Thanks for the information.

  25. Posted January 22, 2009 at 5:39 am | Permalink

    Great. I had security trouble with my earlier blog. And unfortunately I didn’t come across this article then. Sigh! Anyway, really useful information. After the attack on my earlier blog I went through several security articles. But this is the simplest and most effective article so far. Awesome work. This would be extremely useful for new bloggers. Keep up the good work. Cheers

  26. Posted February 5, 2009 at 8:42 am | Permalink

    Neat. I’ve always been crappy when it came to securing my blog. But I worked on a few of your tips and now it’s really secure. Just thought to drop by and say thank you. Glad I came across this article. Your blog has helped me so much. Cheers

  27. Posted February 11, 2009 at 5:40 pm | Permalink

    NICE, really good advice. Simple but extremely effective. I was having a lot of trouble with security so was checking for solutions; that’s when I came across this article. Made a huge impact. Thanks.

  28. Posted February 22, 2009 at 5:05 am | Permalink

    Interesting and informative write-up. Really good stuff here. Securing your blog is one of the most important aspects needed to be covered and most of the time neglected by bloggers. They are concerned more on the themes and designs more than security. Which I believe is a really bad practice. Anyway this is a really good article. Keep it up. Love your blog.

  29. Posted March 1, 2009 at 12:20 pm | Permalink

    Well, those are some of the best security measures which we can take to save a wordpress blog, and we can’t survive without them anymore. It is not just about having wordpress blogs but about caring for them and knowing how to save them. I like one plugin which takes a backup and sends it to your specified email on a daily basis. I think that is the best security measure, and it is essential. On the other hand, I have completely disabled registration on all my blogs; I think there is no need to enable that as nobody is going to write content other than comments.

  30. Posted March 3, 2009 at 12:22 am | Permalink

    Your article was very helpful to me. I recently encountered some security threats to my wordpress blog and was so confused as to how it was happening. I will take your advice and address all measures contained in this blog.

  31. Posted April 19, 2009 at 7:09 am | Permalink

    I started my blog recently and found this information extremely useful though most of the things are really simple. All of them were really effective.

  32. Posted June 25, 2009 at 8:36 pm | Permalink

    That security plugin is really cool and I am wondering why I missed it so far. One of my blogs was hacked last week and I am really worried about fixing all the security holes.

15 Trackbacks

  1. [...] a list of 5 tips and plugins that will let you protect your blog. It never hurts, when it comes to protecting yourself from those [...]

  2. [...] you can make your website a little safer from getting into harm’s way. Cats Who Code has five plug-ins and tips you can use to protect your Wordpress install. Some of the tips are common sense advice that can apply to [...]

  3. By secure Wordpress blog on July 27, 2008 at 10:40 am

    [...] 5 plugins and tips to secure your Wordpress blog WP Security Scan WordPress Plugin [...]

  5. By Web 2.0 Announcer on July 27, 2008 at 11:14 am

    5 plugins and tips to secure your Wordpress blog…

    [...]Webmasters and bloggers often have a huge fear of being hacked, and the more a website is popular, the more it is exposed to various hacking attempts. Here are 5 tips and plugins that will allow you to secure your Wordpress install, because preven…

  6. [...] Source: Jas9 Taipei. Related site: catswhocode [...]

  9. By pligg.com on July 29, 2008 at 4:58 pm

    5 plugins and tips to secure your Wordpress blog…

  10. [...] a hat tip cats who code and aaron wall for pointing out a few of these plugins. Related [...]

  11. [...] Source [...]

  12. By WordPress Talk - August 7, 2008 on August 7, 2008 at 10:00 am

    [...] 5 Plugins to Secure Your WordPress Blog – Our friend Jean of Cats Who Code who published a great list of WordPress plugins that help you secure your WordPress installation. [...]

  13. [...] based on the post 5 plugins and tips to secure your Wordpress blog, prepared by the WordPress Polska team. Tags: Security, WordPress. No [...]

  14. [...] 5 plugins to improve your blog’s security, as well as an interesting way to obtain [...]
