
Securing Your WordPress Blog From Hackers

WordPress is one of the most popular blogging systems available. That popularity also makes it a favourite target for attackers, who run automated scripts against it to deface sites or to steal the database that holds your content.

This guide shows you some quick and simple steps that you should take to protect your WordPress installation from potential hacking and exploitation.

Update Everything

Always keep WordPress itself and every plugin up to date, because most releases fix security bugs, and once a fix is public the bug it closes gets exploited in bulk. From version 2.7 onward you can update plugins from the plugin manager and upgrade WordPress core to the latest release automatically from the dashboard.

Use Smarter Passwords

One of the most obvious ways to protect your WordPress blog, or any application on your website, is to use strong passwords that cannot be guessed. The WordPress installer can generate a very strong password for you. If you prefer to set your own, use a mix of upper-case and lower-case letters, numbers and symbols, and avoid dictionary words or phrases related to your website or industry. This is particularly important for the admin account. Don't make an attacker's job easy by using your birthday, for example (don't laugh, many people still do).

Password Protect the Admin Area

Most hosting control panels let you password-protect a folder on your website so the browser pops up a username and password prompt (HTTP Basic authentication) before anything in that folder is served. Applied to wp-admin, this stops the most basic attacks on your admin area, and every request that gets through still has to pass the normal WordPress login. The second password may seem a tad inconvenient, but the extra layer is worth it. Two caveats: the login form itself is wp-login.php in the site root, not inside wp-admin, so protect that file as well (a <Files wp-login.php> block in the root .htaccess) or password guessing is unaffected; and plugins and themes that use AJAX on the public side call wp-admin/admin-ajax.php, so you may need to exempt that one file from the password requirement or those features will break for visitors.

Restricting IP Access to Admin

Use this instead of, or as well as, the previous tip, especially if you are the only admin of your blog. It only works if your IP address is static: on dial-up, and on most home broadband connections, the address changes every time you reconnect and you would lock yourself out. With a static address, add the following to wp-admin/.htaccess and change xxx.xxx.xxx.xxx to your IP (add one Allow line per address if several people need access). This is Apache 2.2 syntax; Apache 2.4 replaces these directives with Require ip xxx.xxx.xxx.xxx. Like HTTP authentication on the folder, it also blocks anonymous front-end requests to wp-admin/admin-ajax.php, which some plugins depend on.

# Evaluate the Deny rules first, then the Allow rules; a matching Allow wins
Order deny,allow
# Your static IP address (repeat this line for each additional address)
Allow from xxx.xxx.xxx.xxx
# Everyone else receives 403 Forbidden
Deny from all

Block Many Attacks Using .htaccess

Joomla, another popular CMS, ships a useful set of rules in its default .htaccess that block some common attack patterns before the request ever reaches a PHP file. They depend on mod_rewrite, which most Linux hosts enable (check with your host if you are not sure). Add the following to the .htaccess file at your site's root. Bear in mind that these are simple signature filters: they catch exactly the patterns they spell out and nothing else, so they are a tripwire for lazy scanners rather than a web application firewall.

RewriteEngine On
# Block any request that passes a base64_encode(...) call in the query string
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block any request with a <script> tag, plain or URL-encoded, in the query string
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block attempts to set a PHP GLOBALS variable via the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block attempts to modify a _REQUEST variable via the query string
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Answer any matching request with 403 Forbidden. The [F] flag makes Apache
# ignore the substitution target, so nothing is redirected to the homepage.
RewriteRule ^(.*)$ index.php [F,L]
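To see exactly what those four conditions do and do not catch, here is an added example (not from the original post and not part of Joomla's .htaccess) that transcribes the patterns into Python's re module, which behaves the same as Apache's PCRE for these expressions, and runs them over constructed query strings: the payloads the rules were written for, some legitimate traffic, and two payloads that slip straight past.

```python
import re

# The four RewriteCond patterns from the .htaccess block above, transcribed
# as Python regexes. Apache's %{QUERY_STRING} is the raw, still URL-encoded
# query string, so the patterns are applied to the encoded text exactly as
# mod_rewrite does; that is why the script rule also lists %3C and %3E.
RULES = [
    # No [NC] flag on this rule in the .htaccess, so it is case-sensitive.
    ("base64_encode", re.compile(r"base64_encode.*\(.*\)")),
    # [NC] flag: case-insensitive.
    ("script_tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]


def blocked_by(query_string):
    """Return the name of the first rule that would fire for this raw query
    string, or None if the request passes. RewriteCond uses an unanchored
    regex search, and the [OR] flags make the four conditions a disjunction."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


# Constructed sample query strings (not taken from any real log), mapped to
# the verdict the .htaccess rules produce for each.
SAMPLES = {
    # Legitimate traffic that must pass.
    "p=42&s=wordpress+security": None,
    # Requests the rules were written to catch.
    "q=base64_encode(eval($_GET[c]))": "base64_encode",
    "s=%3Cscript%3Ealert(1)%3C/script%3E": "script_tag",
    "GLOBALS[admin]=1": "GLOBALS",
    "_REQUEST[option]=com_foo": "_REQUEST",
    # Gaps: PHP resolves function names case-insensitively but the first rule
    # does not, and base64_decode, the call most injected PHP actually uses,
    # is never checked at all. Both of these pass straight through.
    "q=Base64_Encode(eval($_GET[c]))": None,
    "q=base64_decode(ZXZhbA==)": None,
}


def audit(samples=SAMPLES):
    """Run every sample through the filter and return the verdicts, so the
    misses sit side by side with the hits."""
    return {query: blocked_by(query) for query in samples}


if __name__ == "__main__":
    for query, verdict in audit().items():
        label = "BLOCKED by " + verdict if verdict else "passed"
        print(f"{label:<24} {query}")
```

Run it and the verdicts print side by side. The two misses are the point: a mixed-case Base64_Encode(...) passes because the first rule carries no [NC] flag, and nothing inspects base64_decode. The GLOBALS and _REQUEST rules are correctly case-sensitive, since PHP variable names are, and they only matter on servers that still run with register_globals enabled. Keep the rules, but do not mistake them for protection against anything a determined attacker sends.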

Security Plugins

One of the best-known security plugins for WordPress is WP Security Scan, available from the WordPress plugin directory. It scans your installation and recommends fixes for many aspects of your blog's security. One of its most useful functions is removing the WordPress version number and generator meta tags, which automated bots and script kiddies look for when picking targets for mass defacement.

SSL Encryption Security

An SSL certificate costs as little as $12, and some hosts provide a shared SSL certificate for free. With one installed, the Admin-SSL plugin forces your login, your admin sessions and their cookies over HTTPS, so your password and session cookies are no longer sent across the network in the clear. Ideally, each blog you own should have its own certificate.

Hiding Your Plugins From Prying Eyes

One often-overlooked aspect of WordPress security is hiding which plugins you run and which versions. As soon as a vulnerability in a plugin is announced, you can be sure some script kiddie (I cannot call these people hackers) will build a tool to exploit it en masse across every site that can be found running it. The easiest way to stop the plugin directory from being listed is to add the following to your .htaccess file:

Options All -Indexes

or simply drop a blank index.html file into each plugin folder. Options -Indexes on its own is the safer form, since All also switches on every other option (Includes, ExecCGI and so on); either form needs your host to permit the Options directive in .htaccess, otherwise you will get a 500 error. Bear in mind that this only hides the directory listing: plugin names still leak through the script and stylesheet URLs your pages load, and each plugin's readme.txt states its version, so treat this as raising the bar rather than closing the door.

Changing System Defaults

The aim here is to remove the footprints an attacker uses to decide how to attack your site, or to find it as a target in the first place. WP Security Scan hides some of this information, and you can go further by renaming the admin account. To do that, open your MySQL manager (usually phpMyAdmin, but check with your host), take a database backup, and run the following statement:

UPDATE wp_users SET user_login = 'newadminname' WHERE user_login = 'admin';

Replace wp_ with your table prefix (wp_ is the default, but you can change it during installation) and newadminname with your chosen admin name. Do not use your own name here. Note that renaming user_login alone leaves the user_nicename and display_name columns untouched, so the author archive URL (/author/admin/) and post bylines will still reveal the old name; change those as well. You can also change the table prefix itself: WP Security Scan can attempt this automatically, or you can dump the database to a text file, edit the prefixes there and the $table_prefix setting in wp-config.php, and reload the dump.

Backup Your Blog Regularly

Keep regular backups of your database (daily if possible) and of your blog's files. Most hosting control panels can do this, or you can use a script run from cron (the Linux scheduler) to automate it. Keep the backups secure and keep a copy somewhere other than the server itself, so that a compromise of the host does not take your backups with it.

Protection at the Server Level – Advanced Protection Techniques

If you are on shared hosting you will not be able to apply most server-wide security measures and tweaks. If you own a dedicated server hosting many blogs, as some high-end internet marketers and affiliate marketers do, you should look at the following areas:

Upgrade Apache – If you can, run the latest version of Apache and build it with mod_log_forensic, mod_suphp, mod_security and mod_evasive (formerly mod_dosevasive).

– A server hardening tool with firewall

– A popular firewall and brute-force detection system. There is also CSF (ConfigServer Security & Firewall), which integrates with cPanel, is very powerful and is my preference for cPanel hosts.

Use PHP 5 with Suhosin – Suhosin is a hardening patch and extension for PHP that adds protection against whole classes of PHP and application bugs on top of the base install. The more layers of protection you have, the better.

Keep PHP Updated – Also make sure your PHP installation is on the latest release. On cPanel or similar hosts, upgrading PHP is fairly simple.


About Sean Donahoe

Sean is one of the most recognized industry leaders in business and marketing. As a popular speaker, author, consultant he has helped over 50,000 students world wide find success in their businesses and has consulted with Fortune 500 companies and businesses of every size grow and thrive...
