5 plugins and tips to secure your Wordpress blog
Posted by jbj on Jul 25, 2008 in Blogging • 33 comments

Webmasters and bloggers often have a real fear of being hacked, and the more popular a website is, the more it is exposed to hacking attempts. Here are 5 tips and plugins that will help you secure your Wordpress install, because prevention is always better than cure!
1 - Dump your database with WP-database backup
Here’s the first piece of advice I would give to anyone: make backups, and make them often. Of course, you can go through phpMyAdmin on your host, or dump your database from the command line if you have SSH access to your server, but this plugin really simplifies the task: you just have to log in to your Wordpress admin panel and click a few links.
Note that WP-Database Backup can also e-mail you a backup of your database every day. A must-have for every blogger!
2 - Scan your Wordpress install to find security holes
We now have a very good plugin to dump our dear database on a daily basis. The next step is to scan our Wordpress installation to verify that no security hole is present. For that, we’ll use the excellent plugin called WP Security Scan, which identifies vulnerabilities on our blog and tells us how to fix them.
This plugin also offers to rename the table prefix, test your password strength, delete the admin account and verify that your blog directories have the correct permissions (chmod).

3 - Protect your blog from brute force
A brute-force attack consists of trying as many combinations of letters, numbers and other characters as possible in order to find a password. There is even a Python script used to try to discover the password of a blog running Wordpress.
Obviously, if your password is the name of your blog or something like “secret”, a brute-force attack will find it easily. The first thing to do is to use a very strong password, with lowercase and uppercase letters, numbers and special characters. You can also rely on the password generator included in WP Security Scan.
Even though a strong password is a very good thing, protecting the wp-admin directory with an Apache login prompt is another way to provide efficient protection for your blog. The Ask Apache plugin allows you, among other things, to protect your wp-admin directory with server-level authentication (htpasswd).
Note also that the plugin allows you to disable hotlinking and direct access to your wp-content and wp-includes directories.

4 - Beware of plugins
Some plugins can contain security vulnerabilities. For this reason, it is necessary to hide the contents of the wp-content/plugins directory. You just have to create an empty file named index.html and upload it to the wp-content/plugins directory.
Given how long this kind of problem has been known, I must admit that I’m surprised Wordpress still does not hide the contents of this directory by default.

5 - Hide the Wordpress version
If a security hole exists in a particular version of WP, a potential attacker only has to display your blog’s source code in their browser and see whether the version you use is the vulnerable one. By leaving the version meta tag in place, you’re indicating that you are potentially vulnerable. Simply delete that line in the header.php of your theme.
Similarly, there is also a plugin which allows you to lie about the Wordpress version you’re using.
Good advice, especially on the plugins directory one. That never occurred to me and, sure enough, browsing to that folder on my blog left the whole thing visible for the world to see. Fixed that little hole now.
This is great stuff, I have a question: you said upload an empty index.html to protect from plug-in security issues, you mean an empty text file named index.html? Can you elaborate on that a bit?
And, also the hide the word-press version, what do you actually delete from the header.php?
Sorry new to the whole blog and code thing here,
Thanks,
JR
Chris Swenson has a great Greasemonkey script to secure logins, as well — it’s at http://www.caswenson.com/?p=56.
I wrote a Greasemonkey script to help with the password problem as well:
http://www.caswenson.com/?p=56
@All: Thanks for your contribution and the Greasemonkey script!
@JR: Yeah, an empty text file named index.html is all good. When someone tries to go to yourblog.com/wp-content/plugins, they’ll only see a blank page, not a directory listing of all plugins.
To hide the Wordpress version, you can delete the meta in the header.php file. I heard new Wordpress versions don’t allow that hack anymore, so you should read this post for more explanations.
The Ask Apache plugin looks good, and thanks for pointing out the way anyone can look at my plugins directory.
I’ve found two other ways of protecting it.
1. Inside the “wp-content” file is an index.php file. You can just copy this into “wp-content/plugins”.
2. You can prevent people from looking inside your plugins directory by creating a file in there called “.htaccess” and adding the following line:
Options -Indexes
This is the more “correct” way of doing this, since it then tells the web browser “You’re not allowed in here”.
http://bmw.ws.utk.edu/htaccess/examples/ has more interesting things your .htaccess file can do.
@James: Thanks for your contributions, both are great!
These are good tips! I had all of them set up already, except for the plugin’s directory lockout. @James, your .htaccess file worked perfectly!
For defeating brute force attempts, I’ve installed Login Lockdown. It blocks out an IP address block for one hour after three missed attempts in five minutes. Seems like it would take a while to brute force it under those limitations. What do you guys think?
http://wordpress.org/extend/plugins/login-lockdown/
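The lockout rule matthew describes above (three failed attempts within five minutes blocks the IP for an hour), replayed over web-server log lines as an added example; this is not the Login Lockdown plugin's code, and the assumption that wp-login.php answers a failed login with HTTP 200 and a successful one with a 302 redirect is mine, not the page's.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log lines. Assumption (not stated on the page): WordPress
# answers a failed login with HTTP 200 (form re-rendered) and a successful
# one with a 302 redirect, so the status code tells the two apart.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
MAX_FAILURES, WINDOW, LOCKOUT = 3, timedelta(minutes=5), timedelta(hours=1)

def apply_lockdown(lines):
    """Replay the log. Returns ({ip: lock expiry}, [(ip, ts) of rejected requests])."""
    failures = defaultdict(deque)    # ip -> timestamps of recent failed logins
    locked, blocked = {}, []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue                     # skip unparsable lines and non-login requests
        ip, ts, status = m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])
        if ip in locked and ts < locked[ip]:
            blocked.append((ip, ts))     # still inside the one-hour lockout
            continue
        if status == 200:                # failed login
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > WINDOW:    # forget attempts older than the window
                q.popleft()
            if len(q) >= MAX_FAILURES:
                locked[ip] = ts + LOCKOUT
                q.clear()
        elif status == 302:              # successful login resets the counter
            failures[ip].clear()
    return locked, blocked

# Constructed sample (not real traffic): 203.0.113.7 fails three times in under
# four minutes, is locked, is rejected once, then returns after the lock expires.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jul/2008:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3100',
    '203.0.113.7 - - [25/Jul/2008:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3100',
    '198.51.100.4 - - [25/Jul/2008:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [25/Jul/2008:10:03:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3100',
    '203.0.113.7 - - [25/Jul/2008:10:03:50 +0000] "POST /wp-login.php HTTP/1.1" 200 3100',
    '203.0.113.7 - - [25/Jul/2008:11:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3100',
]
```

Running `apply_lockdown(SAMPLE_LOG)` locks 203.0.113.7 until 11:03:45 and rejects the 10:03:50 attempt, while the successful login from 198.51.100.4 is never counted.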
I didn’t know Lockdown, and it seems to be a pretty good solution. The only problem with AskApache is that the iPhone seems unable to remember the password, so you have to re-type it again and again when you want to see a new page in the wp-admin directory.
So thanks a lot matthew, I will check out Lockdown!
Thanks for the tips. I’ll sleep a little easier at night after this one.
Excellent list of plugins! I’ve had issues in the past with SQL injection hacks and since then take securing my sites very seriously. Thanks for sharing.
The WordPress Tweaks plugin can take care of #4 and #5.
@Gio: You’re welcome
@John: Thanks for the info!
Oh, that’s great, thanks, but I really don’t want to install so many plugins; I think it will slow down my blog.
I don’t really know if plugins can slow down blogs, it probably depends how they’re coded. We have more than 10 active plugins here at CatsWhoCode but I never felt that the blog slowed down.
Wordpress adds meta generator code (version info) in its core. It is not just themes that add it. You need to modify the Wordpress core to hide the version info.
Yeah, I heard about that recently. I think Kyle from Hack Wordpress gave a solution to solve this problem without modifying WP core. Thanks for the info!
Ah, thanks for a nice grouping of plugins to safeguard our blogs.