WordPress is the most popular blogging platform on the internet to date. Because it is so widely deployed and its source is open, it is a favourite target: attackers hunt for vulnerabilities in WordPress core, themes and plugins and use them to break into blogs, steal information, insert spam links and do lots of other horrible things. There are a few things you can do to add an extra layer of security to your WordPress blog and protect yourself. None of them makes WordPress 100% secure, and keeping WordPress, your theme and your plugins updated remains the single most important step. Still, you'll be glad to know that you've taken extra steps to protect your blog.
Proper Table Prefixes
One of the most common attacks is SQL injection into your database, usually through a vulnerable plugin or theme rather than WordPress core. It can be used to add users or edit posts and pages. The default table prefix is wp_ and sadly most people keep it. A random prefix such as z7367_ or GoBob1_ does make canned, copy-and-paste injection payloads that hard-code wp_users or wp_options fail; it really doesn't matter what you choose as long as it's not wp_. Be clear about what it buys you, though: an attacker who has working injection can read the real table names from information_schema, and WordPress itself never hard-codes the prefix, so a vulnerable query reaches the renamed tables just the same. Treat it as a speed bump, not a fix; the fix is keeping plugins updated and using plugins that build their queries with $wpdb->prepare() rather than string concatenation. On a new install, set $table_prefix in wp-config.php before running the installer. If you already have WordPress installed you can use this plugin to change your table prefix. It has to rename every table and also rewrite the prefixed option and user-meta keys (wp_user_roles, wp_capabilities and so on) or your users lose their roles, so take a database backup first.
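To make that point concrete, here is an added example in PHP (not code from the original post or from any plugin) showing a vulnerable WordPress query beside its fixed form. The example_* function names are hypothetical, and it assumes the global $wpdb object that WordPress provides to plugins.

```php
<?php
// Added example, not code from the original post. It shows why a random table
// prefix does not stop SQL injection and what does. Assumes it runs inside
// WordPress, where the global $wpdb object exists; example_* names are hypothetical.

// VULNERABLE: untrusted input is pasted straight into the SQL string.
// The table name comes from $wpdb->users, which already carries whatever prefix
// wp-config.php sets. A payload such as  1 OR 1=1  returns a row the caller never
// asked for without the attacker needing to know or guess the prefix, and once
// they have injection they can list the real names from information_schema.tables.
function example_get_user_vulnerable( $raw_id ) {
    global $wpdb;
    return $wpdb->get_row(
        "SELECT ID, user_login, user_email FROM {$wpdb->users} WHERE ID = " . $raw_id
    );
}

// HARDENED: the value goes through $wpdb->prepare(). %d casts to an integer and
// %s produces a quoted, escaped string, so input can never change the query's
// grammar. This, not the prefix, is what closes the hole.
function example_get_user_hardened( $raw_id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, user_login, user_email FROM {$wpdb->users} WHERE ID = %d",
        $raw_id
    );
    return $wpdb->get_row( $sql );
}

// Typical call site: $raw_id is whatever arrived on the request.
// $user = example_get_user_hardened( $_GET['id'] );
```

Both functions work identically whether the prefix is wp_ or z7367_; only the second one survives hostile input.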
Change the Admin Username
Some attacks on WordPress blogs are plain brute force: a script keeps trying to log in with different passwords. Since the default username used to be admin (older installers created it without asking), the attacker already has half of the credential. We are going to slip them up by changing it to something else and putting a limit on login attempts. Keep in mind that WordPress also reveals usernames through author archive URLs and the REST API, so the rename mainly defeats lazy scripts; a long, unique password and the login limit below do the real work. WordPress's own profile screen will not change user_login, which is why the steps below edit the database directly.
1. Using your host's MySQL administration tool (phpMyAdmin on most hosts), find your WordPress database and select it for manual editing.
2. Once inside, locate the wp_users table (with your own prefix if you changed it) and browse its rows.
3. Find the row whose user_login is admin and click the edit button.
4. Change the user_login column from admin to something else. Leave the ID and user_pass columns alone; the password is unaffected.
5. Save your changes, log out, and test the new admin username before closing the database tool so you can revert if something went wrong.
That was simple enough. Now we are going to install a plugin that limits login failures: after X failed attempts from one IP address it blocks that address for a set amount of time. You can download the Login Lockdown plugin from the WordPress plugin directory. Remember that the limit is per source address, so an attacker rotating through many addresses is only slowed down, and users behind a shared NAT can be locked out together; pick the threshold with that in mind.
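To show what such a plugin actually does under the hood, here is an added example of a minimal login throttle written for this article. It is not the Login Lockdown plugin's code. It assumes it is loaded as a plugin or mu-plugin, that the site faces the internet directly so REMOTE_ADDR is the real client address, and that the threshold and lockout period (5 failures, 15 minutes) are just illustrative; the example_* names are hypothetical.

```php
<?php
/*
Plugin Name: Example Login Throttle
Description: Added example of what a login-limiting plugin does. Not the Login Lockdown plugin's code.
*/
// Assumptions (not from the original post): runs as a plugin or mu-plugin; the site
// sits directly on the internet so REMOTE_ADDR is the client address; the limits
// below are illustrative defaults.
const EXAMPLE_MAX_FAILURES    = 5;
const EXAMPLE_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

function example_client_ip() {
    // Deliberately ignore X-Forwarded-For: any client can set that header itself,
    // which would let an attacker present a fresh "address" on every attempt or lock
    // out someone else. Trust it only if a proxy you control overwrites it.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_transient_key() {
    return 'example_login_fail_' . md5( example_client_ip() );
}

// Count failures per client address. wp_login_failed fires after any rejected login,
// including one we reject below, so each attempt during a lockout extends it.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_transient_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LOCKOUT_SECONDS );
} );

// Refuse further attempts once the limit is reached. Priority 30 runs after
// WordPress's own password check (priority 20), so a correct password submitted
// during a lockout is still rejected rather than leaking that it was correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( example_transient_key() ) >= EXAMPLE_MAX_FAILURES ) {
        return new WP_Error( 'example_locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 3 );

// Clear the counter on success so a legitimate user is not throttled afterwards.
add_action( 'wp_login', function () {
    delete_transient( example_transient_key() );
} );
```

Because it hooks the authenticate filter, the same limit applies to logins made through XML-RPC, which use the same path as the login form. Transients live in the options table (or your object cache), so counts survive across requests; if you put the site behind a reverse proxy later, revisit example_client_ip() or every visitor will share one counter.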
Protecting Backend Files
We'll now want to protect some of our backend files. This blocks direct browser requests to scripts inside those folders, which is how many plugin and theme vulnerabilities are reached: PHP files under wp-content and wp-includes are meant to be loaded by WordPress, not requested on their own. (It does not stop anyone who already has file-system or FTP access from editing them.) This is done via .htaccess, which only takes effect on Apache with AllowOverride enabled; nginx ignores .htaccess entirely. Create an .htaccess file in each of the wp-content and wp-includes folders (they usually don't exist yet) and add the code below.
# Deny everything by default (Apache 2.2 syntax; mod_access_compat on 2.4)
Order Allow,Deny
Deny from all
# Re-allow static assets only; the dot is escaped so it matches a literal "."
<Files ~ "\.(css|jpe?g|png|gif|js)$">
    Allow from all
</Files>
Some of your plugins or uploads might need other file types served directly (web fonts such as woff, SVG icons, PDFs or video in wp-content/uploads, for example); if so, add the extension inside the parentheses after |js as |filetypehere. Test both the front end and the dashboard after adding the rule and watch the Apache error log for unexpected 403s. On Apache 2.4 the Order/Deny/Allow directives come from mod_access_compat; the native equivalents are Require all denied and Require all granted.
Logging into the Dashboard with HTTPS
This next step forces an HTTPS connection for the login page and the admin dashboard, so an attacker sniffing traffic on the network (public Wi-Fi, a compromised router) cannot read your username, password or session cookie. It requires that HTTPS is working on your hosting account. To test it, enter your website's domain name in a browser using https instead of http and check that the page loads without a certificate warning. If it doesn't work you'll need to ask your web hosting provider to enable it. If it does work, install this plug-in and follow its instructions to redirect admin requests to HTTPS, or set WordPress's own FORCE_SSL_ADMIN constant in wp-config.php, which does the same redirect without a plugin.
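As an added example (not the plugin the post links to), here is the wp-config.php approach using WordPress's built-in FORCE_SSL_ADMIN constant, including the one edge case that bites most people: a host that terminates TLS on a reverse proxy. It assumes the proxy sets X-Forwarded-Proto and overwrites that header on every request so a client cannot inject it; if your server terminates TLS itself, drop the if-block.

```php
<?php
// Added example, not the plugin from the original post. Goes in wp-config.php
// above the line that requires wp-settings.php.
// Assumption: TLS ends at a reverse proxy that sets X-Forwarded-Proto and strips
// any copy of that header sent by the client. If Apache/nginx on this box handles
// TLS itself, delete the if-block below; PHP then sets $_SERVER['HTTPS'] natively.

// Tell WordPress the request arrived over HTTPS when TLS ends at the proxy.
// Without this, WordPress sees plain HTTP on the backend, redirects to https://,
// the proxy forwards that as HTTP again, and the browser loops forever.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
    && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Redirect any plain-HTTP request for wp-login.php or wp-admin/ to HTTPS, and mark
// the auth cookie Secure, so neither the password nor the session travels in clear.
define( 'FORCE_SSL_ADMIN', true );
```

FORCE_SSL_ADMIN only covers the login page and dashboard. The better end state is serving the whole site over HTTPS (set both WordPress Address and Site Address to https:// in Settings > General), after which every cookie WordPress sets gets the Secure flag.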
Remove the WordPress Version
Your pages advertise which version of WordPress you run in the HTML source, as a meta generator tag. This is an easy way for attackers to identify your version and go looking for exploits or vulnerabilities for it. Older default themes hard-coded the tag in their header.php; if yours does, go into /wp-content/themes/your-theme-in-use, locate the line below in header.php and remove it. Newer versions of WordPress print the same tag from core through the wp_head hook, so check the page source afterwards, because removing the line from the template alone may not be enough. The version also shows up in the readme.html file in your site root and in the ?ver= query string on core scripts and stylesheets. Hiding it is only obscurity (scanners fingerprint versions from file contents too); the real defence is updating promptly.
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /><!-- leave this for stats -->
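Since editing header.php is undone by the next theme update, here is an added example (not from the original post) that removes the version from the places core prints it using hooks instead. It belongs in a child theme's functions.php or an mu-plugin; the example_* name is hypothetical.

```php
<?php
// Added example, not from the original post. Removes the WordPress version from the
// places core prints it, via hooks rather than editing the theme's header.php.
// Put this in a child theme's functions.php or in wp-content/mu-plugins/.

// The <meta name="generator"> tag is printed by core's wp_generator(), which is
// hooked to wp_head; the theme merely calls wp_head(). Unhook it.
remove_action( 'wp_head', 'wp_generator' );

// The same version string appears in RSS/Atom feeds through the_generator. Blank it.
add_filter( 'the_generator', '__return_empty_string' );

// Core scripts and styles are enqueued with ?ver=<WordPress version>. Strip that
// query argument, but only when it equals the core version: plugin and theme assets
// carry their own ver for cache busting and must keep it so browsers refetch updates.
function example_strip_core_version( $src ) {
    if ( ! is_string( $src ) ) {
        return $src;
    }
    $query = (string) parse_url( $src, PHP_URL_QUERY );
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'example_strip_core_version' );
add_filter( 'script_loader_src', 'example_strip_core_version' );
```

Check the page source and your feed afterwards to confirm the tag is gone, and delete readme.html from the site root (it is recreated by core updates, so repeat that step after upgrading).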
Overall Summary
In the end, a determined attacker has other routes in: a vulnerable plugin, a reused password, or the web hosting provider itself. There isn't much you can do about the last beyond choosing a reputable host; the very cheap deals are often cheap because nobody with security experience is looking after the servers. Keep WordPress, your theme and your plugins up to date and follow the above steps to keep your blog as secure as possible.

Henrey (http://www.forum.hostmela.com): Great post! I love me some free web hosting!
Sarah (http://www.zarpie.com/): Love the blog post!