
WordPress Security Tips – Safeguard Your Blog

Useful WordPress security tips to make sure your blog isn’t an easy target for a hacker.

I recently came a cropper to a hacker on a WordPress Blog I was setting up – luckily I’d backed everything up, but what if I hadn’t? Well, I’d have likely lost everything.

Now the hacking was partly my own fault for not putting the right measures in place. This got me wondering about how many other webmasters fail to implement basic security measures that could save them a lot of trouble in the future.

So without further ado, let's look at my top WordPress security tips. I'll also point you in the direction of a few WordPress security plugins that I've discovered that do a great job of adding that second line of defence.

Don’t Use Admin as a Username

Let's start simple – the default username in WordPress is "admin" – don't use this! It's the first username that all hackers will try, and it allows them to launch a brute force attack, which simply means a bot that makes many attempts at guessing your password.

This is probably one of the most common types of hacks out there and it still works. As a second line of defence I'd install a handy plugin called Login Lockdown. It records the IP addresses of all failed login attempts, and if a lot of them crop up in a short time frame it bans all IP addresses from that range. It also goes without saying: use a strong password.

Change the WordPress Table Prefix

This involves changing another WordPress default, which makes it harder for a hacker to attack your blog via SQL injection. The table prefix defaults to wp_ – it is easy to change in your wp-config.php file prior to installation.

However, if you have a site that’s already installed and you’re trying to secure that – I recommend using the WP Security Scan Plugin to do so. Remember to take a backup before you change anything – it’s good practice! The WP security scan has a number of cool features (such as removing the WordPress version in the source code) so it’s definitely worth installing.

Don't forget to use secret keys

I have a friend who works for a hosting company – and he revealed it’s amazing how many people forget to use secret keys. Now if you’ve installed WordPress via Fantastico or some other quick install tool that your hosting company provides they should automatically include these.

The hashing salt keys make your password even more secure. To make sure you're using them, visit https://api.wordpress.org/secret-key/1.1 to generate your keys, and then put them in your wp-config.php file – you'll spot them easily.
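A quick way to check both of the wp-config.php points above (the wp_ table prefix and the secret keys), as an added example that is not part of the original post: it audits a wp-config.php body for the placeholder salt values and the default prefix, and can generate replacement define() lines in the same shape the wordpress.org generator returns. The sample config is constructed; the key names are the eight WordPress actually uses.

```python
import re
import secrets
import string

# The eight salt constants WordPress expects in wp-config.php
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def audit_wp_config(text):
    """Return a list of findings (empty means the checked settings look fine)."""
    findings = []
    defined = dict(DEFINE_RE.findall(text))  # later define() of the same name wins
    for key in WP_SALT_KEYS:
        value = defined.get(key, "")
        if not value or "put your unique phrase here" in value:
            findings.append(f"{key} is missing or still the sample placeholder")
        elif len(value) < 32:
            findings.append(f"{key} is too short ({len(value)} chars)")
    m = PREFIX_RE.search(text)
    if m is None or m.group(1) == "wp_":
        findings.append("table prefix is the default wp_")
    return findings


def random_salt(length=64):
    # Same character classes the wordpress.org generator uses; no quotes or backslashes
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def salt_block():
    """Generate fresh define() lines to paste over the placeholders in wp-config.php."""
    return "\n".join(f"define('{key}', '{random_salt()}');" for key in WP_SALT_KEYS)


# Constructed wp-config.php fragment as shipped in wp-config-sample.php (placeholders left in)
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'blog' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
$table_prefix = 'wp_';
"""
```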

Secure your wp-admin folder

I missed this out when installing my blog and it’s another security tip that many webmasters fail to implement. The wp-admin folder is very important and if a hacker gets into that then they’re going to cause some serious damage.

This involves using a .htaccess file to prevent access. You have two options here – you can restrict access to certain IP addresses only (which isn't ideal if you have a dynamic IP or work from multiple locations or on the move), or you can use a .htpasswd file.

To use the IP address method simply create an .htaccess file and paste in the code below (switching the xxx for your IP address) then upload it to your wp-admin folder:

# No password file is used for the IP method; these lines only disable basic auth
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# Apache 2.2 access-control syntax: deny everyone, then allow the listed addresses
order deny,allow
deny from all
# IP address to whitelist (replace with your own)
allow from xxx.xxx.xxx.xxx

You can add multiple allow lines, one per IP address, if you want. If your site has multiple writers posting – like Technology Bloggers – or accepts guest posts, then it's unlikely this method is viable.

If that's the case, use the .htpasswd method – there's a useful tutorial here: htaccess Files and WordPress Security.

Keep WordPress up to date

This seems obvious, but a lot of people forget to upgrade their WordPress, maybe through fear of breaking something or perhaps just laziness.

The majority of WordPress upgrades are made to improve security and patch known vulnerabilities. So back up your install and upgrade to the latest version when it's available.

Keep regular backups

Sometimes, no matter how many security measures you have in place, a hacker is still able to get through, maybe through a plugin that contains a vulnerability.

In this case, regular backups are your last line of defence, perhaps through a plugin or via your host. You can schedule them to run on a daily basis and have them emailed to you.

Having to restore a backup is probably a worst-case scenario, but believe me, it's far easier than having to set up your entire blog again and redo blog posts from Google's cached pages.

What are your favourite WordPress security methods? Are there some great plugins that I’ve missed? Please let me know in the comments section below.


These tips are crucial to keeping your site safe. I have never been attacked, but it has been tried and I was able to see who and where it was coming from. Not only did they try and hack my blog, they tried my Twitter and Facebook.

Glad you managed to prevent it. Usually with a decent host they will send you the log files so you can see where and who accessed it. I think if you follow those tips above then you’re definitely more secure than just a standard WordPress install.

Wooops, thanks for sharing that. Vulnerabilities are something really very scary.

You are right about commercial plugins; they are far better and more secure. The same goes for the WordPress theme. Those premium ones with a good framework really turn out to be more secure.

Recently someone tried to hack my blog with a script attack but failed. We can do whatever best we can but hackers always try new techniques to hack. All the suggestions given in your article are very helpful and I am implementing the same on my blog too. Thanks! 🙂

The final advice is the best, as hackers now can do everything and in fact you need to have a regular backup. It will save you in case of hacking. As for the other protection, for sure it should be done, but again hackers are getting too sly.

It is every webmaster’s responsibility to diligently take care of the site’s security. There should be no excuse for a website being hacked, as we all know that hacking is extremely prevalent nowadays. These are some very useful suggestions. Thanks for sharing them.

I’ve always been a big believer in backing up, and I agree that updating WordPress is a good idea because of security improvements. I don’t use admin as a username either, but I think that’s pretty obvious.

I didn’t know about changing the WordPress table prefix or securing the wp-admin folder. I’ll look into doing these.

I use a couple of security plugins:

1. Limit Login Attempts – stops hackers breaking your password. It limits the number of password attempts, and e-mails you details of any failed attempts.

2. WordPress Firewall – stops hackers accessing restricted areas via normal pages. It blocks any abnormal navigation attempts.

Nice post. Great tips you have covered. For your WordPress blog or site safety, you need to consider other factors such as limiting WordPress admin access by IP, encrypting your web browsing session, keeping WordPress visitor registration turned off, etc.

Some interesting tips there 🙂

Thanks for the comment, welcome to the community!
Christopher – Admin Team

It always amazes me that after reading comments on a post like this, you can click through to some of the sites and still find plenty of holes in people’s WordPress sites.

One of the most basic and common problems that all users should check (it's always nice to get free themes and plugins, but here's a clue for the guilty)...

.htaccess

Options All -Indexes

Make sure it’s there. If it isn’t, anyone can stroll right through the door and download anything found in there – you don’t need to be a hacker, that’s just real basic stuff 🙂

Oh and if you upload plugins etc. via your WordPress admin remember to delete the zip files afterwards – wp-content/uploads is where you’ll usually find them and they serve no purpose other than taking up space.

Thanks Christopher – it’s something the vast majority of WP users simply don’t do and they unwittingly share things they have often paid good money for.

Good for the sharks, not so great for them – downloads cost bandwidth which is another good reason to lock your doors and windows.
