
Content is probably your single most important asset on the web, so maybe you should consider keeping it protected. If you are like the many others out there using Wordpress to manage your precious content, then you probably should do a few things to help make it more secure from the admin side. Imagine you were hacked and lost everything; how devastating would that be? Take some simple measures now that will save you tons of heartache in the future.
We can all agree that having a secure web site is very important, but what people forget is that you need to actually do a little work to make it that way. Yes, Wordpress does a good job of doing a lot of the heavy lifting for us, but there are always ways to improve. This post is dedicated to simple but effective solutions for enhancing your site's security and lowering your chances of being hacked. Mind you, if someone is determined to get in there isn't a whole hell of a lot you can do to stop them, but there is a lot you can do to deter them, hopefully just long enough for them to move on.
Always use the most recent version of Wordpress
Make sure you update your version of Wordpress when an update becomes available. The main reason for this is that some people are not like the rest of us morally obligated humans. They spend a great deal of their time finding vulnerabilities in our sites so they can insert malicious code or even take them over. When Wordpress comes out with an update it is usually to fix these holes and make your site more secure. I know the process can be a bit laborious and for some just not an option. For that reason you should visit Techie Buzz to download their Wordpress Automatic Upgrade Plugin, which automates the process and makes backing up and upgrading your Wordpress super simple.
Change the default Username & Password
You should never use the default username or password that is given to you when you set up Wordpress. First, sign into the administrative section of Wordpress and reset your password to something at least 10 alphanumeric characters long. Also, be sure that it is not a real word but a combination of two or more words plus a number or acronym. Make them work for it, right? You can also check out an article on blogherald called Protect Your Blog With a Solid Password that is of some use. Second, sign into phpMyAdmin through your web server's account center and change your username from “admin” to something much harder to guess (the Wordpress admin screens don't let you rename a user, which is why this is done in the database). If you leave the username as “admin” you have basically made a hacker's job that much easier because half the work is done.
Login Lockdown Plugin
Login LockDown is a useful plugin that monitors the login attempts to your site. Basically, it counts how many times in a short period the same IP range has tried to log in to your administrative area. If, in that period of time, they exceed the number of attempts allowed, Login LockDown locks that range out of the login form for the length of time you previously set. This is good for deterring brute force attacks on your username and password.
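To show the mechanism the plugin relies on, here is an added example of a minimal login throttle for a theme's functions.php (or a small plugin file). It is not Login LockDown's code: it counts failed logins per /24 IP range in a WordPress transient and refuses further attempts once the limit is reached. The wp_login_failed and wp_login actions, the authenticate filter and the transient functions are real WordPress APIs; the dh_lock_ names and the three limits are assumptions chosen for this example.

```php
<?php
/*
 * Added example (not Login LockDown's own code): a minimal login throttle
 * for a theme's functions.php or a small plugin file. Failed logins are
 * counted per /24 IP range in a WordPress transient; once the limit is hit,
 * the range is refused for a fixed lockout period. All names prefixed
 * dh_lock_ and the three limits below are assumptions for this example.
 */

define( 'DH_LOCK_MAX_ATTEMPTS', 5 );    // failures allowed before lockout
define( 'DH_LOCK_WINDOW', 300 );        // seconds a failure stays counted
define( 'DH_LOCK_DURATION', 3600 );     // seconds a locked range stays locked

// Reduce an IPv4 address to its /24 range so a client hopping between
// neighbouring addresses is still counted as one source. IPv6 and anything
// unparseable is tracked as the exact string instead.
function dh_lock_ip_range( $ip ) {
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        $octets = explode( '.', $ip );
        return $octets[0] . '.' . $octets[1] . '.' . $octets[2] . '.0';
    }
    return (string) $ip;
}

// Transient key for a range (hashed so the key stays short and safe).
function dh_lock_key( $range ) {
    return 'dh_lock_' . md5( $range );
}

// The address WordPress saw. Behind a reverse proxy you would read the
// proxy's forwarded header here instead, but only if that proxy is trusted.
function dh_lock_client_range() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return dh_lock_ip_range( $ip );
}

// Record one failure for a range and return the updated count.
function dh_lock_record_failure( $range ) {
    $key   = dh_lock_key( $range );
    $state = get_transient( $key );
    if ( ! is_array( $state ) ) {
        $state = array( 'count' => 0, 'locked' => false );
    }
    $state['count']++;
    if ( $state['count'] >= DH_LOCK_MAX_ATTEMPTS ) {
        // Lock the range; the transient's own expiry ends the lockout, and
        // every further attempt during the lockout restarts that clock.
        $state['locked'] = true;
        set_transient( $key, $state, DH_LOCK_DURATION );
    } else {
        set_transient( $key, $state, DH_LOCK_WINDOW );
    }
    return $state['count'];
}

function dh_lock_is_locked( $range ) {
    $state = get_transient( dh_lock_key( $range ) );
    return is_array( $state ) && ! empty( $state['locked'] );
}

// Count every failed login against the client's range.
add_action( 'wp_login_failed', function ( $username ) {
    dh_lock_record_failure( dh_lock_client_range() );
} );

// Refuse authentication while the range is locked. Priority 30 runs after
// WordPress's own username/password check, which sits at priority 20.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( dh_lock_is_locked( dh_lock_client_range() ) ) {
        return new WP_Error( 'dh_locked_out', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that range.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( dh_lock_key( dh_lock_client_range() ) );
}, 10, 2 );
```

Keying on the /24 range rather than the single address is what lets the throttle catch an attacker who rotates through a small block of addresses, at the cost of occasionally locking out an innocent neighbour on the same range; the window and lockout lengths are the knobs for tuning that trade-off.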
Protect your Wordpress wp-admin folder
A simple but powerful plugin that adds a second layer of security to your site by requiring a username and password to gain access to anything in the /wp-admin/ folder is AskApache Password Protect. It's really easy to use: all you need to do is create a second username and password and bam, you've got some more protection. It works by writing a new .htaccess file for that folder and storing your new password in hashed form for the web server's own authentication. It's super simple to use and highly recommended.
Backup Your Posts/Pages and Comments
This is to make certain that you're able to revert to an earlier clean version in the face of disaster. I could suggest a plugin or two but am not going to because I don't trust them. I think you should always do a full manual database backup as often as you feel necessary and use the export feature in newer versions of Wordpress to do a basic backup between full database backups. Always save your files in a couple of locations in case one gets corrupted, so you don't lose your mind later.
Lose the Wordpress version string.
Displaying which Wordpress version you are running can leave you vulnerable to attacks. Hackers usually run attacks based on specific versions because there are known issues they can exploit. If you are proudly showing your version it could actually bite you in the ass. Making it harder and keeping them guessing is always my motto.
Below you will find two perfectly good ways to manually change your version or make it disappear altogether. However, for all you lazy folks, I wrote a Remove-My-Version plugin for Wordpress a couple of days ago so you don't have to change any of your files directly. It works by either making the meta generator go away completely or by replacing the version with a random alphanumeric set of characters. So it will work for everyone, even if you haven't upgraded yet, which you should!
Old way, below version 2.4
Open header.php, find the line that looks like the text below, and either change it so it no longer prints the version or delete it altogether.
Change:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
To:
New way, version 2.4 & above
The Wordpress version generator was moved into the core and standardized, since so many themes did it differently. You can remove it by adding this to your theme’s functions.php:
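The following is an added example for a theme's functions.php, not the post's own snippet and not the Remove-My-Version plugin. It covers both behaviours described above: unhooking the generator tag entirely, or keeping generator lines but swapping the real version for a random alphanumeric string. remove_action, wp_generator, the the_generator filter and wp_generate_password are real WordPress APIs; the DH_VERSION_MODE constant and the dh_ function names are assumptions for this example.

```php
<?php
/*
 * Added example (not the post's own code and not the Remove-My-Version
 * plugin): handling the generator string from a theme's functions.php.
 * remove_action/wp_generator, the the_generator filter and
 * wp_generate_password are real WordPress APIs; DH_VERSION_MODE and the
 * dh_ function names are assumptions for this example.
 */

// 'remove' drops every generator line; 'replace' keeps the lines but
// swaps the real version number for a random string.
define( 'DH_VERSION_MODE', 'replace' );

// Random alphanumeric stand-in for the version, generated once per request
// so every generator line on a page shows the same fake value.
function dh_fake_version() {
    static $fake = null;
    if ( null === $fake ) {
        $fake = wp_generate_password( 6, false, false ); // letters and digits only
    }
    return $fake;
}

// Rebuild each generator line with the fake version. $type tells us which
// output WordPress is rendering; anything unrecognised is suppressed.
function dh_fake_generator( $generator, $type ) {
    $fake = dh_fake_version();
    switch ( $type ) {
        case 'html':
            return '<meta name="generator" content="WordPress ' . $fake . '">';
        case 'xhtml':
            return '<meta name="generator" content="WordPress ' . $fake . '" />';
        case 'atom':
            return '<generator uri="https://wordpress.org/" version="' . $fake . '">WordPress</generator>';
        case 'rss2':
            return '<generator>https://wordpress.org/?v=' . $fake . '</generator>';
        case 'rdf':
            return '<admin:generatorAgent rdf:resource="https://wordpress.org/?v=' . $fake . '" />';
        default:
            return '';
    }
}

if ( 'remove' === DH_VERSION_MODE ) {
    // wp_generator() is what prints the tag in wp_head; unhooking it is the
    // "new way" for Wordpress 2.4 and later. The feeds print their own
    // generator lines through the same filter, so blank those too.
    remove_action( 'wp_head', 'wp_generator' );
    add_filter( 'the_generator', function () { return ''; } );
} else {
    add_filter( 'the_generator', 'dh_fake_generator', 10, 2 );
}
```

Either mode is obscurity rather than a fix: the real version still rides along in the ?ver= query strings WordPress appends to its core scripts and styles, so the update advice at the top of this post is what actually closes the holes; hiding the string just stops the laziest scanners.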
Make a blank index.html for the /plugins/ directory
If you view http://www.yourdomain.com/wp-content/plugins/ in your browser you will see a directory listing. This is problematic because someone could potentially look at your plugins, see if you are using one with known security vulnerabilities, and exploit it. Just make a blank index.html and put it in the /plugins/ folder and the listing is gone. Pretty cut and dried. Keep in mind that this only hides the listing; a plugin's files can still be requested by anyone who knows its path, so keep your plugins updated as well. If you run Apache you can turn listings off for every folder at once with Options -Indexes in your .htaccess.
Block search engines from crawling your wp- folders
There is no reason to have all of your Wordpress files indexed, so it's a good idea to block them so people don't see those files when they search. You can block search engines from crawling your wp- folders with your robots.txt file. Add these lines (the User-agent line is required, or the rule applies to nobody):
User-agent: *
Disallow: /wp-*
Keep in mind that robots.txt is only a request honoured by well-behaved crawlers; it does not stop anyone from requesting those files directly. Note also that this rule keeps images under /wp-content/uploads/ out of image search, so narrow it if you want those indexed.
Lock It Down
Well, I hope you found this informative and useful. I also want to mention that there are more ways to secure your site; this is by no means an exhaustive list, but more of a jumping-off point. Happy securing, folks.



Danny
Aug 16, 08 at 5:33 am
Thanks very much, man. I found these few security sections very helpful.
I am currently in the process of implementing a wordpress blog site for my college, in Johannesburg. So I reckon these will come in very handy.
Thanks, once more.
Derek Herman
Aug 16, 08 at 5:41 am
You’re very welcome, glad I could help. Let me know when you’re live so I can check out the new site.
Tobi
Oct 24, 08 at 4:49 am
Thank you for the tips. Didn’t know that there is a “remove_action” function. I always removed the version information manually.