5 WordPress Security Essentials

Security (photo: http://www.sxc.hu/photo/907473)

Blogging can be a lot of fun, and there is nothing more thrilling than having people appreciate your hard work by leaving comments and spreading the word about how great your blog is. Unfortunately, along with all of your fans there are plenty of bad guys who would love to deface or hack your creation. Here are five basic security tips that you can easily implement on your WordPress blog to help keep them out.

  1. Use a Strong Password – Choosing a strong password is one of the first and easiest defenses against being hacked. Your partner's first name is probably not the most secure choice. Opinions differ on what makes a secure password, but here are some things to keep in mind. Passwords longer than 8 characters that combine upper- and lowercase letters, numbers, and symbols are stronger, and extra length adds more strength than any single character class. I often don't use special characters but will make passwords at least 10 characters long. Just as important is not reusing the password anywhere else: a reused password is only as safe as the weakest site that stores it. If you need to create a strong password and don't already use a password manager, check out this great tool from LastPass to generate one.
  2. Protect the WordPress Admin Folder – Stopping the bad guys from reaching the WordPress admin folder (wp-admin) in the first place is an excellent place to start securing your blog. There are many ways to increase the security of your admin folder, including:
  3. Deny Access to Other Folders – Many web hosts allow anyone to browse a folder's contents if it contains no index file. This is a concern for folders like wp-content/plugins, because a directory listing tells an attacker exactly which plugins you run. You can prevent snooping by adding blank index.html files to those folders, or by setting up an .htaccess file that disables directory listings for folders without an index. You can read more on All Tips and Tricks.
  4. Remove the WordPress Version – Many hackers scan for WordPress installs running a vulnerable version. By default WordPress prints its version number into the head of every page through a generator meta tag, which most themes output via their wp_head() call. You can slow scanners down by removing it. If you don't want to dig around in your theme's code, Blog Security's bs-wp-noversion plugin (Removes WordPress Version) will do it for you. Bear in mind that this is obscurity rather than a fix: readme.html and your feeds still reveal the version, so treat it as a supplement to updating, not a replacement.
  5. Update WordPress – Perhaps the easiest security essential is to keep an eye on your WordPress dashboard for announcements of new releases and to update your install as soon as you can. The same goes for the plugins you run: WordPress 2.3 and up notify you when updates are available for your plugins. Take the time to update them regularly to keep security concerns to a minimum.
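Tips 2, 3 and 4 as one shell script, added here as an example and not code from the original post or from the bs-wp-noversion plugin. It assumes Apache 2.4 with AllowOverride enabled for the site (AuthConfig and Options at least); the trusted address 203.0.113.7, the htpasswd path and the fake WordPress tree that the --demo mode builds are hypothetical, constructed values. The audit function exists to make the caveat in tip 4 concrete: after the generator tag is gone, the ?ver= query strings on core scripts and styles, readme.html and the feed still name the version.

```shell
#!/bin/sh
# harden_wp.sh -- added example, not code from the original post.
# Implements tips 2-4 as file edits plus an audit. Assumes Apache 2.4 with
# AllowOverride AuthConfig,Options (or All) on the document root. The trusted
# address, htpasswd path and the fake WordPress tree used by --demo are
# hypothetical/constructed values.
set -eu

# Tip 2: wp-admin needs a trusted source address AND a valid basic-auth user.
# Create the htpasswd file outside the web root first, e.g.
#   htpasswd -c /etc/apache2/wp-admin.htpasswd alice
protect_admin() {
  root=$1; allow_ip=$2; passwd_file=$3
  cat > "$root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $passwd_file
<RequireAll>
  Require ip $allow_ip
  Require valid-user
</RequireAll>
# admin-ajax.php is fetched by anonymous front-end visitors (themes and
# plugins); this later <Files> block replaces the Require set for it only.
<Files admin-ajax.php>
  Require all granted
</Files>
EOF
}

# Tip 3: switch off mod_autoindex for the whole tree and drop an empty
# index.html into the folders that most often leak plugins, themes and uploads.
# (Options in .htaccess needs AllowOverride Options; without it Apache answers
# 500 for the whole site, so try this on staging first.)
deny_listing() {
  root=$1
  grep -qs '^Options -Indexes' "$root/.htaccess" \
    || printf 'Options -Indexes\n' >> "$root/.htaccess"
  for d in wp-content/plugins wp-content/themes wp-content/uploads; do
    [ -d "$root/$d" ] || continue
    [ -e "$root/$d/index.html" ] || : > "$root/$d/index.html"
  done
}

# Tip 4: list every place a rendered page and the install still disclose the
# version. Removing the generator tag (remove_action('wp_head', 'wp_generator')
# in the theme's functions.php, which is what bs-wp-noversion does) covers
# only item 1 below.
audit_version() {
  root=$1; page=$2
  # 1. <meta name="generator"> printed by wp_generator() through wp_head().
  grep -o '<meta name="generator" content="WordPress [^"]*"' "$page" \
    | sed 's/^/generator meta: /' || true
  # 2. ?ver= on enqueued core scripts/styles defaults to the WordPress version
  #    (third-party libraries carry their own version, e.g. jQuery below).
  grep -o '[?&]ver=[0-9][0-9.]*' "$page" | sort -u \
    | sed 's/^/asset query string: /' || true
  # 3. readme.html ships with core and states the version in plain text;
  #    the RSS feed's <generator> element does the same.
  if [ -f "$root/readme.html" ]; then
    echo "readme.html present: $(grep -o 'Version [0-9][0-9.]*' "$root/readme.html" | head -n 1)"
  fi
  # 4. Ground truth to compare against: the installed version.
  ver=$(grep '^\$wp_version ' "$root/wp-includes/version.php" \
    | grep -o '[0-9][0-9.]*' | head -n 1)
  echo "installed: ${ver:-unknown}"
}

# Constructed stand-in for a WordPress install plus one rendered page.
make_fixture() {
  root=$1
  mkdir -p "$root/wp-admin" "$root/wp-includes" \
    "$root/wp-content/plugins" "$root/wp-content/themes" "$root/wp-content/uploads"
  cat > "$root/wp-includes/version.php" <<'EOF'
<?php
$wp_version = '5.8.1';
$wp_db_version = 49752;
EOF
  printf '<h1>WordPress<br /> Version 5.8.1</h1>\n' > "$root/readme.html"
  cat > "$root/page.html" <<'EOF'
<head>
<meta name="generator" content="WordPress 5.8.1" />
<link rel='stylesheet' href='https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=5.8.1' />
<script src='https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0'></script>
</head>
EOF
}

if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  make_fixture "$demo"
  protect_admin "$demo" 203.0.113.7 /etc/apache2/wp-admin.htpasswd
  deny_listing "$demo"
  audit_version "$demo" "$demo/page.html"
  rm -rf "$demo"
fi
```

Run `sh harden_wp.sh --demo` to see the audit output against the constructed tree; against a live site call the three functions with the real document root. The audit deliberately reports the installed version last so the ?ver= values and readme.html can be compared with it. For tip 5, if WP-CLI is installed, `wp core check-update`, `wp core update` and `wp plugin update --all` do from the shell what the dashboard notices ask you to do by hand.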

A very valuable page to read is Hardening WordPress over at WordPress.org. By doing some very simple things you can make it much harder for the bad guys to ruin your day by defacing or hacking your blog. A few minutes spent on these items can save you hours if your blog gets hacked. And if the bad guys do get in, restoring your blog is much easier if you have a recent backup of both the files and the database.

24 Responses to 5 WordPress Security Essentials

  1. Many thanks for mentioning my post.

    Secondly, do you have any idea, once a blog has been hacked and many of its posts are now redirected to another URL, what can be done to solve this problem? I'm in this situation and I just deleted the blog and used .htaccess to make a 301 redirect to a provisional page. But I'm losing the SERP rankings I've been working hard on. Thanks.

  2. Lee, thanks for the answer. I don’t know how they got in, and it happened just before I left for the Christmas vacation, so I had no time to investigate more. I just wiped the site off the server. I’ll try to do as you say. I suppose it has something to do with the database, because the few static pages I had were all OK. Probably there was some envious competitor (that was my business website, which started to rank well for some specific terms).

  3. These are some easy and simple tips that should really help keep individuals’ blogs safe. I’ll be sure to implement a few, and I’m sure others will, too! Thanks!

  4. Thanks for the tips! There are good reasons for hardening your WordPress install. WordPress stores passwords in the database as a hash made from the password. A common Unix practice is to add a random seed to the hash, but WordPress does not do this. Should the password hash be revealed, the password could even be revealed by googling the hash!

  5. Very good tips. Another security trick is to change the wp-admin folder name. The WordPress version must always be removed because old versions of WP have a lot of security problems.

  6. I personally think the last piece of advice, to keep your CMS updated to the latest version at all times, is the most important one. I used to use Joomla in my previous projects, and every time I didn't catch up with the update after a security release my site got hacked, no matter how strong the passwords I used were. Always update WordPress after a security release.