10 Steps to Secure Your Wordpress Website

Why should every blogger be concerned about security of their WordPress blog, whether the blog is big or small? Before starting with the security advice, it is good to have an understanding of how does Wordpress work

WARNING**:** Before tinkering with your WordPress codes, it is wise to make a backup of your blog.

Failing to update Wordpress

When was the last time you updated WordPress?

For some bloggers, the fear of updating is the beginning of wisdom especially when they consider the serious Caveat from WordPress that you should complete a backup of your WordPress site before updating.

I used to feel that way. In time, though, I learned better before I could come to serious harm.

Why is it critical to update WordPress as soon as you get an update notification?

Well, the update notification was not sent to just your dashboard alone. As soon as the bad guys get the notification, they get busy looking for automated ways of exploiting the bugs listed in the change logs.

If you are slow in updating to the latest version of WordPress, you may be recommending your blog for a ‘hacktival’.

I know a lot of you may be jittery over running an update for fear that it may mess up your theme or there may be some incompatibility with some fancy plugins you are using. Instead of getting paralysed with that fear, don’t you think it would be better if you rather review your theme and plugins strategy?

If you are using a theme or plugin that is not updated frequently, then you are wise if you reconsider its continued usage on your site. What is unwise is not updating WordPress because of fears that it may mess up your installed plugins.

You cannot sacrifice your whole blog to protect a few plugins.

Here are some tools to scan your wordpress site for vulnerabilities:

10 Steps to Secure Your WordPress Website



Setting Your Password to Something Easy To Remember

Most users start with their blogging just after a short tutorial on Wordpress. It is that easy.

It may sound like a joke, but it’s been shown that ‘password’ and ‘123456’ are the top two most common passwords for WordPress out there!

Using one of them?

If for any reason your password is a word that can be found in a dictionary or a sequence of numbers, do yourself a favor and change it.

The tool at Strong Password Generator does a good job. Just make sure to store your new password in a secure place. You don’t want to end up with a password so strong you lose access to your account, now, do you?

If I were to give a prize for WordPress security mistakes, this one should get it!

Advertising Your WordPress Version to the World

By default, WordPress sites publish the version of WordPress they are running, inadvertently making it easier for people to determine if you are running an outdated non-patched version of WordPress.

This information tips would be hackers on the exploits they should use based on the version of WordPress you are broadcasting.

To completely remove the version number from WordPress header, add this line to your functions.php file in the WordPress themes folder.

After removing WordPress version information from your header, there is one more task you need to do.

Go to your WordPress installation directory and delete the readme.html file as it also contains your WordPress version information.

Ignoring login activity on your WordPress server

How many failed login attempts do you get on your blog per day?

If you do not know the answer to that question, you are playing with fire.

To motivate you: Copy Blogger receives between 50,000-180,000 unauthorized login attempts every single day. Sure, your numbers may not be as large as that, but you get the picture.

I recommend you install the plugin Limit Login Attempts that will make it much more difficult for brute force techniques to work on your blog.

Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

Allowing Readers to Browse Your WordPress Directories

When a user types in a directory on your blog in the address bar, what happens?

If the directory opens up, then you are in trouble.

The last thing you want is for every Peeping Tom to be able to nose through directories and see the content of directories that are missing an index file.

Open the .htaccess file in your WordPress root directory and add the following line at the top.

Options All –Indexes

What this does is provide a blank index page for any directory that does not have an index.

That puts a brick wall before directory snoopers.

On my blog, attempting to browse directories will land you in a  page with a single text “0” :).

Allowing Your Plugins and Themes in their Default Location

With WordPress 2.6 and later, you can place the wp-content folder anywhere on your web server.

If you decide to move the wp-content folder to another location, change the relevant path in the wp-config.php file:

define(‘WP_CONTENT_DIR’, ‘http://www.probloggertips.com/resources/wp-content’);

That should keep most would be hackers moving around in circles.

Not Backing Up Your WordPress Site

Of course, no site on the internet is fully protected. Even Godaddy and Mastercard websites have been compromised at one time or the other.

If a hacker compromises your website and you do not have a recent backup of your site, it would be a real headache to restore your site to its original state. Trust me, that is not a position you ever want to find yourself in.

I use Backup Buddy, which it is a paid service.

10 Steps to Secure Your WordPress Website

If you want free options, WordPress lists backup plugins here. Whatever you do, it is important that you have a backup schedule set up for your blog.

Failing to Delete Unused Themes and Plugins

Plugins are excellent gateways for hackers as they contain vulnerabilities that hackers and malicious code are known to exploit.

That means the more plugins you use, the more exposed you are to hacking attacks.

If it is not absolutely necessary, do not use a plugin. When a plugin or theme is no longer in use, be quick to deactivate and delete them.

Yes, even deactivated plugins and themes can be used as back-doors to gain entry into your site.

So look through your themes and plugin directories. Can you find any inactive plugin or theme?

Completely delete them!

Allowing your wp-config.php File in Its Default Location

Your wp-config.php file contains your database connection info as well as other sensitive data meant for your eyes only. From WordPress 2.6 you can easily move this file from root folder location.

To implement this tip, move your wp-config.php file to up one directory from your WordPress root. WordPress will automatically look for your config file there if it can’t find it in your root directory.

With this done, only persons with FTP or SSH access will be able to access your config file.

Thinking No One Would Want To Hack Your Small Blog

One of the commonest WordPress security mistakes out there is the assumption that since your blog is a small one, no one in their right mind would want to hack it.

Have you nursed those thoughts before?

Most hacking attempts are automated, without any personal or malicious motive involved. What that means is that, it is all about the money.

You may be thinking, what do I have on my site that a hacker would dedicate resources to crack?

If you have nothing else, you have server resources.

Possible ways sites can be exploited:

  1. Insertion of spam links in your content to boost SEO for other sites
  2. Malware infections of your visitors computers, e.g. to steal their financial information
  3. Redirecting your traffic to other sites.

Well, I told You So!

If there is one thing I don’t want, it is to have to tell you: “Well, I told you so”.

Having advanced information on what can make your blog vulnerable gives you responsibility to take action and protect it.

It is better that you do all you can to protect your blog now you can, instead of only crying in the blogosphere after your blog has been compromised and defaced.

A word, they say, is enough for the wise.

Have I missed a tip here? What other security steps have you taken to fortify your blog?