10 steps to secure your WordPress software

Tuesday, June 30th, 2009 | In Wordpress

WordPress is a free, open source publishing application and content management system. Many people use WordPress as their blogging platform to deliver messages, information and news. WordPress also has a templating system, widgets and a rich plug-in architecture, which allows users and developers to extend its functionality beyond the features of a base installation.

Although WordPress has made it easy for everyone to build their own blog, many security issues have been discovered in the software, especially in outdated versions. I had my own experience with this when my weblog was hacked a few months ago, while I was using a very early version of WordPress. After this lesson I have been more careful about every aspect of security, and I always keep my weblog upgraded and use only plug-ins that I really trust.

Besides upgrading WordPress to the latest version, there are some simple security measures that any WordPress user can implement to harden a blog and make it harder to compromise. I hope these methods improve the security of your weblog and reduce its exposure to the common attacks.

1. Keep your WordPress software and its plug-ins upgraded to the latest version.
The best precaution is to run software with as few known security flaws as possible. Upgrade WordPress and update your trusted plug-ins every time a new version is released: new releases fix the vulnerabilities found in earlier ones, and attackers scan specifically for sites still running those earlier versions. Plug-ins and themes need the same attention as the core, since an outdated plug-in is just as exploitable as an outdated WordPress.

2. Never expose your wp-admin directory and its contents.
Many bloggers add a second layer of protection by applying HTTP password protection to the wp-admin directory through an .htaccess file (AuthType Basic, an AuthUserFile created with htpasswd, and Require valid-user). Once the directory is password protected, any attempt to load a page from it without the extra credentials is answered with a “401 Authorization Required” response, so a guessed or stolen WordPress password alone is no longer enough to reach the dashboard. Two caveats: wp-admin/admin-ajax.php is called by many themes and plug-ins on behalf of logged-out visitors, so exempt that one file from the password prompt or those features will break; and serve the site over HTTPS, because Basic authentication sends the credentials in cleartext otherwise. A useful article can be found at thesitewizard.com, and the .htaccess generator at htaccesstools helps with the syntax.

3. Use the Login LockDown plug-in.
Login LockDown records the IP address and timestamp of every failed login attempt. If more than a configured number of failures is detected within a short period from the same IP range, logins are disabled for all requests from that range for a while. This slows down brute-force password guessing against your WordPress login. Note that the lockout is keyed on the client address, so an attacker who rotates through many addresses is only slowed, not stopped; a strong, unique password remains the main defence.

4. Do not allow guest user registrations.
If you do not run a membership weblog, turn off public registration: open Settings, General and uncheck the “Anyone can register” option. Every self-registered account is one more login an attacker can guess or abuse, and if you do need registration, leave the “New User Default Role” below that option at Subscriber.

5. Backup regularly.
Regular backups of your files and database are important: if anything happens, you can use them to recover the weblog. The WordPress Database Backup plug-in can back up the database on a schedule and send the backup file to your e-mail address. Keep backups somewhere outside the web root and off the server itself, and test a restore occasionally, because a backup that has never been restored is not yet known to work.

6. Extend the wp-config.php file.
The configuration file wp-config.php holds the settings and the database credentials, so every security-related value in it must be protected. The following values should be changed and kept secret:
I) Security keys: since WordPress 2.7 there are four security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY), which must be set to long random strings. They are mixed into the login cookies and nonces, so anyone who learns them can forge a logged-in session. You do not have to invent the strings yourself: the online generator linked from wp-config-sample.php produces the define lines automatically. Changing the keys later invalidates every existing login cookie, which is also the quickest way to log out everybody after a compromise.
II) Table prefix: change $table_prefix from the default “wp_” to a prefix of your own. A unique prefix does not fix a SQL injection flaw, but it defeats attack scripts that hard-code table names such as wp_users, which removes the cheapest automated attacks. This value can only be set painlessly before installation; changing it afterwards means renaming every table and updating the option names that embed the prefix.
III) If the server has SSL available, encrypt the administration area by adding define('FORCE_SSL_ADMIN', true); to wp-config.php. Logins and all administration pages are then served over HTTPS, so passwords and session cookies are not sent in the clear.
IV) A comprehensive list of wp-config.php settings, with more hardening tips, can be found in the WordPress Codex.
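As an added illustration (not code from the original post), here is the relevant part of a wp-config.php with the weak defaults left behind by a hurried install beside the hardened version. The database name, user, host, prefix and the key strings are placeholders I made up; the only real names are the WordPress constants themselves and the wp-settings.php include that every wp-config.php ends with. The final loop is my own addition: it refuses to start if a key is still the sample placeholder.

```php
<?php
// Added example, not the original post's code. Credentials, prefix and key
// strings below are placeholders; generate your own values.

// --- Weak: as left by a hurried install (shown commented out) ------------
// define('AUTH_KEY',         'put your unique phrase here');
// define('SECURE_AUTH_KEY',  'put your unique phrase here');
// define('LOGGED_IN_KEY',    'put your unique phrase here');
// define('NONCE_KEY',        'put your unique phrase here');
// $table_prefix = 'wp_';
// // FORCE_SSL_ADMIN not set: dashboard and login go over plain HTTP.

// --- Hardened ------------------------------------------------------------
define('DB_NAME',     'wordpress');              // placeholder
define('DB_USER',     'wp_app');                 // a dedicated MySQL user, not root
define('DB_PASSWORD', 'replace-with-a-long-random-password');
define('DB_HOST',     'localhost');

// Four distinct, long random strings (placeholders here). Use the online
// generator linked from wp-config-sample.php and never reuse them across sites.
// Changing any of them invalidates every existing login cookie.
define('AUTH_KEY',         'EXAMPLE-ONLY-replace-with-64-random-characters-0001');
define('SECURE_AUTH_KEY',  'EXAMPLE-ONLY-replace-with-64-random-characters-0002');
define('LOGGED_IN_KEY',    'EXAMPLE-ONLY-replace-with-64-random-characters-0003');
define('NONCE_KEY',        'EXAMPLE-ONLY-replace-with-64-random-characters-0004');

// Non-default prefix; decide this before running the installer.
$table_prefix = 'x7k3_';

// Serve login and wp-admin over HTTPS only (needs a working SSL virtual host).
define('FORCE_SSL_ADMIN', true);

// Added guard: refuse to run with sample placeholders or short keys.
foreach (array('AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY') as $name) {
    $value = constant($name);
    if ($value === 'put your unique phrase here' || strlen($value) < 32) {
        die('wp-config.php: ' . $name . ' is still a placeholder or too short.');
    }
}

if (!defined('ABSPATH')) {
    define('ABSPATH', dirname(__FILE__) . '/');
}
require_once(ABSPATH . 'wp-settings.php');
```

The guard costs nothing at runtime and turns a silently weak install into an obvious failure, which is the better of the two outcomes.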

7. Move the wp-config.php file.
Since version 2.6, WordPress lets you keep wp-config.php one directory above the installation directory. If the file is not found in the WordPress directory, WordPress looks in the parent directory, provided that parent does not itself contain a wp-settings.php (which would mean it is another installation). The point is to get the file outside the web root: a file the web server cannot serve cannot leak the database password even if PHP handling breaks or a backup copy is left lying around. This only helps when the parent directory really is outside the document root (if WordPress lives in a subdirectory of your site, its parent is still public), the file must remain readable by the web server user, and exactly one level up is supported, not an arbitrary path.

8. Protect your wp-config.php via the .htaccess file.
No visitor, guest or member, should be able to request wp-config.php directly. Normally Apache executes the file and returns nothing, but if PHP handling ever fails (a broken module after an upgrade, for example) the raw file with the database password would be served as text. Deny all direct HTTP access to it in the .htaccess file at the WordPress root:
# Deny direct HTTP access to wp-config.php (Apache 2.2 syntax).
# Note: the Order keywords are separated by a comma only, no space.
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>
# On Apache 2.4 the two Order/Deny lines are replaced by: Require all denied

9. Do not use the default admin account.
The installer automatically creates a user named “admin” with user ID 1, and because everybody knows that, brute-force tools try this username first. Do not use it for day-to-day work. WordPress will not let you delete the account you are currently logged in as, so there are two ways to get rid of it. One is to open the wp_users table in the database and change the user_login value of that row from “admin” to a unique name that is not easy to guess.

The other is to create a new user with the Administrator role, log out, log in with the newly created account, and then delete the old admin user, attributing its posts to the new account when WordPress asks what to do with them.

10. Hide the error messages on the login page.
WordPress reports a different error depending on whether the username does not exist or only the password was wrong, so an attacker can confirm valid usernames one at a time and then concentrate the password guessing on them. It is then only a matter of time. Replace both messages with one neutral message through the login_errors filter. Do not edit wp-login.php itself, because that change is lost on the next upgrade; put the filter in your theme's functions.php or in a small plug-in instead, and use whatever wording you prefer:
<?php
// Return one generic message for every failed login, so the page no longer
// reveals whether the username or the password was the wrong part.
add_filter('login_errors', function ($errors) {
    return 'Login failed. Please check your username and password.';
});
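The following is an added example, not the original post's code and not the Login LockDown plug-in's own implementation; it shows in one small must-use plug-in what steps 3 and 10 above achieve: a per-address lockout after repeated failures, and a single neutral error message. It relies only on real WordPress hooks and functions (wp_login_failed, authenticate, wp_login, login_errors, the transient API and WP_Error); the thresholds, the lh_ prefix and the function names are my own choices.

```php
<?php
/*
Plugin Name: Login Hardening (added example)
Description: Per-IP login lockout plus neutral error messages. Example code
written for this article, not the Login LockDown plug-in. Copy into
wp-content/mu-plugins/ and it is active immediately.
*/

// Tunables chosen for this example: 5 failures within 10 minutes lock the
// address out for 30 minutes.
define('LH_MAX_FAILURES', 5);
define('LH_WINDOW',       600);   // seconds
define('LH_LOCKOUT',      1800);  // seconds

// Address as seen by the web server. Behind a reverse proxy you would read
// the proxy's forwarded header instead, but only after confirming the proxy
// overwrites it, since clients can forge that header themselves.
function lh_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names have a length limit; hashing keeps IPv6 addresses short.
function lh_key($suffix) {
    return 'lh_' . $suffix . '_' . md5(lh_client_ip());
}

function lh_is_locked() {
    return get_transient(lh_key('lock')) !== false;
}

// Count a failure for this address. Attempts made while already locked are
// not counted, otherwise the lockout would keep extending itself.
function lh_record_failure($username) {
    if (lh_is_locked()) {
        return;
    }
    $fails = (int) get_transient(lh_key('fail')) + 1;
    set_transient(lh_key('fail'), $fails, LH_WINDOW);
    if ($fails >= LH_MAX_FAILURES) {
        set_transient(lh_key('lock'), time(), LH_LOCKOUT);
        delete_transient(lh_key('fail'));
    }
}
add_action('wp_login_failed', 'lh_record_failure');

// Runs after the core username/password check (priority 30) and overrides
// its result for a locked-out address, so even correct credentials are
// refused while the lockout lasts: the attacker cannot use the window to
// keep testing passwords.
function lh_check_lockout($user, $username, $password) {
    if (lh_is_locked()) {
        return new WP_Error('lh_locked_out',
            'Login failed. Please check your username and password.');
    }
    return $user;
}
add_filter('authenticate', 'lh_check_lockout', 30, 3);

// A successful login clears the failure counter for the address.
function lh_clear_failures() {
    delete_transient(lh_key('fail'));
}
add_action('wp_login', 'lh_clear_failures');

// One generic message for every failure: unknown username, wrong password
// and lockout all look the same from the outside.
function lh_generic_error($message) {
    return 'Login failed. Please check your username and password.';
}
add_filter('login_errors', 'lh_generic_error');
```

Transients live in the options table (or in the object cache when one is configured), so the counters survive across requests without any extra table, and they expire on their own once LH_WINDOW or LH_LOCKOUT has passed.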
Enjoy your more secure blogging.


3 Comments to “10 steps to secure your WordPress software”

  1. Comment 1
    Posts about Wordpress Widgets as of June 30, 2009 Wordpress Theme | Free Quality Wordpress Themes @ List-Your-Blog.com Says:

    […] … modules and 2 sidebar modules); 7 custom Woo widgets; and 12 great colour schemes to suit 10 steps to secure your WordPress software – limcorp.net 06/30/2009 WordPress is the free open source publishing application and content […]

  2. Comment 2
    National lottery syndicate Says:

    May I say that you have quite an appealing style of writing! :) Where’s the subscribe button? :)

  3. Comment 3
    KatieUK26 Says:

    Various fields of our life take up lots of time and effort, so why should we waste valuable time on accomplishing term papers? It would be easier to use an essay writing service to order the essay papers from, I guess.
