Securing Your WordPress Blog

I previously wrote an article on creating a WordPress blog. This article focuses on keeping your WordPress website safe. Crackers want to break into your website in order to spam your readers or push spyware onto their computers. Search engines may also drop a hacked website from their indices, rendering you invisible to the world. You need to protect your readers and your hard-earned search engine page rank.

There is no way to guarantee that your WordPress blog will never be breached. By following these steps, however, you can lower your chances of being victimized and reduce the downtime and data loss in the off-chance you do get hacked.

  1. Use The Most Current WordPress Version. The good people at WordPress constantly audit their code for bugs and security issues. Even point version updates, such as from 2.8.2 to 2.8.3, may include fixes for security vulnerabilities, and an outdated install is the first thing automated attacks look for. When there is a new version, search to see whether others had difficulties with the update. If not, back up your website and upgrade. Apply the same discipline to your plugins and themes, which ship their own security fixes.

  2. Back Up Often. A WordPress blog contains dozens of hours of your work, and all of it fits in a few megabytes of disk space. It would be foolhardy not to back it up. Use the WP-DB-Backup plugin to back up the WordPress SQL database that holds your posts, pages, comments and user accounts. Also back up the entire contents of your website using the tools your host provides. If you use cPanel, log in at www.yourdomain.com/securecontrolpanel and use the Backup tool on the control panel.

    Keep a copy of the backups on your hard drive, and email a copy to yourself so that a copy lives online as well. Remember that the backup holds your wp-config.php (with the database password) and the users table (with password hashes), so encrypt the archive with a password before you mail it. The chances of getting hacked, suffering a hard drive loss, and Gmail (or Yahoo Mail) being hacked at the same time are very small. (Or you'll have more important things to worry about, like fallout from the nuclear war.)

  3. Use Long Passwords. KeePass Password Safe is an open-source tool that manages passwords. Its password generator creates long, random passwords that fit criteria you set, such as length and character set. Set long usernames and passwords on your web host and your WordPress website so that brute-force guessing has no realistic chance of success. Ask your host for the longest password it accepts, and make a password of that length.

    Here are some KeePass hints. KeePass 2 includes the very useful option of synchronizing password databases. Do not use the option for "High ANSI" characters such as "á"; many websites do not handle these characters, and you will be locked out. The password database KeePass creates is encrypted. Keep a copy in your email, on your USB key, and on your hard drive. You do NOT want to lose that file or let it get into the open. Protect it with a strong master password, because if the file does leak, that password is all that stands between an attacker and every account in it.

  4. Disable FTP Accounts. Disable all the FTP accounts your website will allow you to disable, including anonymous FTP accounts. FTP sends your username and password unencrypted, so anyone who can watch the network path (on a shared wireless network, for example) can read them. Use cPanel over HTTPS to manage your files, or SFTP if your host offers it.

  5. Akismet Your Spam Away. The Akismet plugin for WordPress will sequester spam comments for you to review. Install it, not because it will necessarily make your website safe, but because a page full of Viagra and porn comments makes your website look hacked.

  6. Secure WordPress. A handy plugin called Secure WordPress does little things to protect your WordPress, such as removing the WordPress version number from your pages and preventing others from listing the contents of your /plugins folder. Hiding the version only makes you harder to pick out of a crowd; it fixes nothing, so it is no substitute for item 1.

  7. WordPress Security Scan. The WordPress Security Scan plugin looks at your settings to make sure that they are secure. Its most talked-about feature is the ability to change the prefix of your WordPress SQL tables. Many published WordPress exploits are SQL-injection attacks, and their scripts generally assume that your tables carry the standard "wp_" prefix. Changing that to something else, like "pjk2_", throws off those canned scripts. It is only a speed bump, though: an attacker who can inject arbitrary SQL can read the real table names from MySQL's information_schema, so do not count on it in place of updating. Back up your database and files first. Then click Security > Database, enter a new database prefix, and click Start Renaming.

  8. Set Your Permissions Properly. Limit who can write to your files to the bare minimum: on a typical shared host only your own account should be able to write to anything, and nothing should be world-writable. After you install the WordPress Security Scan plugin, click Security > Scanner to see whether your permissions are up to snuff. If you have to change something, log into cPanel and fire up the File Manager. Select the file or directory whose permissions you have to change, then click Change Permissions on the toolbar at the top. Repeat as necessary until the WP-Security Scan shows all the permissions properly set.

  9. Delete the Admin Account. A cracker needs both your login name and your password to break into your website. An administrator account with the login "admin" hands over half of that for free, and it is the first name every brute-force script tries. Create a new administrator with a username generated by KeePass, log in as that user, then delete "admin" and let WordPress reassign its posts to the new account. Bear in mind that WordPress reveals usernames through author archive links, so the unusual username is only a minor hurdle; the long password is what actually stops the attack.

  10. Secure Your Login Page. The Login Lockdown plugin limits the number of login attempts a visitor can make in a certain period of time before being locked out for another set period. For instance, you can set it so that five unsuccessful attempts in five minutes lock that address out for an hour. This keeps crackers from hammering the login form with guesses until one works. Two caveats: the lockout is per IP address, so an attacker with many addresses can keep going, and if you mistype your own password a few times you will lock yourself out too.

  11. WordPress Firewall. The WordPress Firewall plugin blocks request patterns that tend to be attacks. The one caveat is that it stops the WP-DB-Backup tool from working. If you install the WordPress Firewall, you will need to whitelist your IP address before running WP-DB-Backup.

  12. Visit Your Website. This might sound dumb, but you should surf your own website often. You may spot a hack you did not know about, such as spam links you never put there. It also helps you figure out which aspects of your website need improvement in terms of load time, navigation, and graphics.
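
Here is an added example of the permissions audit described in item 8, written for this page rather than taken from the WP-Security Scan plugin. It walks a WordPress tree, reports every entry whose mode differs from the target, and optionally fixes it. The target modes (755 for directories, 644 for files, 600 for wp-config.php) are assumptions based on common WordPress guidance, not numbers from the post, and the demo tree is constructed in a temporary directory. It needs shell or SSH access to the host and must run as the account that owns the files.

```python
import os
import stat
import tempfile

# Target modes assumed here (common WordPress guidance, not from the post):
# directories 755, ordinary files 644, and wp-config.php readable only by
# its owner because it holds the database password.
DIR_MODE = 0o755
FILE_MODE = 0o644
SENSITIVE_FILES = {"wp-config.php": 0o600}


def expected_mode(path, is_dir):
    """Mode an entry should have, by type and file name."""
    if is_dir:
        return DIR_MODE
    return SENSITIVE_FILES.get(os.path.basename(path), FILE_MODE)


def audit_permissions(root, fix=False):
    """Walk the tree under root and return (relative path, found, expected)
    for every entry whose permission bits differ from the target.
    With fix=True the offending entries are chmod'ed as well.
    Symbolic links are skipped: chmod on a link would change its target."""
    entries = [(root, True)]
    for dirpath, dirnames, filenames in os.walk(root):
        entries += [(os.path.join(dirpath, d), True) for d in dirnames]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]

    findings = []
    for path, is_dir in entries:
        if os.path.islink(path):
            continue
        found = stat.S_IMODE(os.lstat(path).st_mode)
        want = expected_mode(path, is_dir)
        if found != want:
            findings.append((os.path.relpath(path, root), found, want))
            if fix:
                os.chmod(path, want)
    return findings


def build_demo_site():
    """Create a throwaway WordPress-like tree with deliberately sloppy modes.
    Constructed sample data for the demo, not a real install."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    os.chmod(root, DIR_MODE)
    layout = {
        "index.php": 0o644,                     # fine
        "wp-config.php": 0o644,                 # world-readable DB password
        "wp-content": 0o755,                    # fine
        "wp-content/uploads": 0o777,            # world-writable directory
        "wp-content/plugins": 0o755,            # fine
        "wp-content/plugins/hello.php": 0o666,  # world-writable PHP file
    }
    for rel, mode in layout.items():            # parents listed before children
        path = os.path.join(root, rel)
        if rel.endswith(".php"):
            with open(path, "w") as fh:
                fh.write("<?php // placeholder\n")
        else:
            os.mkdir(path)
        os.chmod(path, mode)                    # explicit, so umask cannot interfere
    return root


if __name__ == "__main__":
    site = build_demo_site()
    for rel, found, want in audit_permissions(site):
        print(f"{rel}: {found:o} -> should be {want:o}")
    audit_permissions(site, fix=True)
    print("after fix:", audit_permissions(site))
```

Run it first without fix=True against a copy, since a site that relies on the web server writing into wp-content/uploads may need that one directory owned by the server user rather than opened to the world.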

The foregoing should be enough to strengthen your WordPress website against many attacks. Using the latest WordPress version, for instance, protects you against the most common WordPress worm going around, which targets outdated installs. Changing the prefix of your WordPress SQL tables defeats the canned attack scripts but not a determined attacker, so weigh the two measures very differently. However, you should always stay vigilant. Back up your database and files frequently. I do it after every new page or post, and both before and after any change such as an upgrade or installing a plugin. Good luck, and stay safe!
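
To make the lockout policy from item 10 concrete, here is an added example that is not the Login Lockdown plugin's code: a sliding-window throttle that locks an address out after five failures in five minutes, plus two constructed attempt logs (not real server logs, and the addresses are documentation ranges) that exercise both the lockout and the case of an attacker who paces guesses so that the oldest failure ages out of the window.

```python
from collections import defaultdict, deque


class LoginLockdown:
    """Sliding-window login throttle.

    After max_failures failed attempts from one IP within window seconds, the
    IP is locked out for lockout seconds. The defaults mirror the "five
    failures in five minutes, locked out for an hour" policy from the post.
    Time is passed in explicitly so the logic is deterministic and testable."""

    def __init__(self, max_failures=5, window=300, lockout=3600):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[ip]           # lock expired; start fresh
        self.failures[ip].clear()
        return False

    def attempt(self, ip, password_ok, now):
        """Record one login attempt and return 'locked', 'ok' or 'fail'.
        The caller does the actual password check; a locked IP is refused
        before that result is used, so even a correct guess learns nothing."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self.failures[ip].clear()
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "fail"


def simulate(events, **policy):
    """Replay (timestamp, ip, password_ok) events against a fresh throttle."""
    throttle = LoginLockdown(**policy)
    return [throttle.attempt(ip, ok, t) for t, ip, ok in events]


# Constructed sample attempts (seconds since start), not real server logs.
BRUTE_FORCE = [
    (0,    "203.0.113.7",  False),
    (30,   "203.0.113.7",  False),
    (60,   "203.0.113.7",  False),
    (90,   "203.0.113.7",  False),
    (120,  "203.0.113.7",  False),  # fifth failure inside 5 minutes: locked
    (150,  "203.0.113.7",  True),   # right password, still refused
    (200,  "198.51.100.4", True),   # a different address is unaffected
    (3720, "203.0.113.7",  True),   # the hour is up, lock released
]

SLOW_GUESSING = [
    (0,   "203.0.113.7", False),
    (100, "203.0.113.7", False),
    (200, "203.0.113.7", False),
    (290, "203.0.113.7", False),
    (400, "203.0.113.7", False),    # first failure aged out: only 4 in window
]

if __name__ == "__main__":
    print(simulate(BRUTE_FORCE))    # [... 'locked', 'locked', 'ok', 'ok']
    print(simulate(SLOW_GUESSING))  # all 'fail', never locked
```

The second log is the weakness of any threshold scheme: a patient attacker who stays under five guesses per five minutes is never locked out, which is why the long password from item 3 still does the real work. Keying on the client address is also why item 10's caveats apply: many addresses defeat the lock, and a mistyped password from your own address triggers it.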

Comments

  1. This is a well thought out, comprehensive and helpful post. Thank you!

    Misty
    m.d. wilks
    a 'sezzer

  2. Thanks for the great info! Way to take time and put this guide together. Best summary I've found yet - very inclusive.

