How To Secure Your WordPress Blog

Getting a website hacked is becoming more common. You only have to read the news to know who the high-profile attackers are: groups like Anonymous and LulzSec have dominated the headlines by hitting prominent targets, including government websites such as the CIA's. Then there are the low-profile attackers who go after ordinary websites. If you have run WordPress sites for a while, chances are you have already been hacked; if not, you are one of the lucky ones. Although the only fool-proof way to avoid being hacked is to disconnect your computer or server from the network, there are plenty of ways to make your website more secure than it is now.

Here are 11 ways to secure your WordPress blog.

1 – Encrypt your login

Over plain HTTP your password is sent in the clear every time you log in, so anyone on the same network (a public Wi-Fi hotspot, for example) can 'sniff' your credentials with a packet capture tool. One plugin that addresses this is Chap Secure Login: it adds a random challenge to the login and hashes your password with it, authenticating you with the CHAP protocol so the password itself never crosses the wire. Note that this protects only the password at login time; the session cookie WordPress sets afterwards still travels in the clear on HTTP. If your host offers SSL/TLS, serving the login and dashboard over HTTPS protects both (WordPress 2.6 and later can enforce this with the FORCE_SSL_ADMIN constant in wp-config.php).

2 – Use a strong password

Even with the login encrypted, a common or easily guessed password leaves you no better off. Choose a password that is hard for others to guess: a strong one is long, mixes digits, special characters and upper/lower case letters, and is not reused from another site. WordPress 2.5 and above includes a password strength meter on the profile page that you can use to check it.

3 – Change your login name

The default username, admin, is known to every attacker, so half of the credential is already public; change the login name. In your WordPress dashboard, go to Users and set up a new user account. Give this new user the Administrator role. Log out and log in again with the new account.

Go to Users again. This time, tick the box beside the admin user and press Delete. When it asks for confirmation, select "Attribute all posts and links to:" and pick your new username from the drop-down list. This transfers all the posts to your new account instead of deleting them. Press Confirm Deletion.

4 – Define user privilege

If your blog has more than one author, define what each user (or group of users) is allowed to do. WordPress's roles (Subscriber, Contributor, Author, Editor, Administrator) and their capabilities give you the ability to control what users can and cannot do in the blog. It is bad practice to give everyone the Administrator role: that grants full control over the site, including installing plugins and editing theme files, so a single compromised account compromises everything. Give each user the least privilege their job needs.
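As an added example (not code from this page or from any plugin it mentions), the following small WordPress plugin shows how roles and capabilities are defined in code. The role name limited_author, its capability list, and the function names are assumptions made for the illustration; the capability names themselves (read, edit_posts, publish_posts, upload_files, unfiltered_html and so on) are WordPress's own.

```php
<?php
/*
Plugin Name: Limited Author Role (added example)
Description: Registers a role with only the capabilities a blog author needs.
*/

// Run once, at plugin activation, so the role is written to the database a
// single time rather than on every page load.
register_activation_hook( __FILE__, 'example_register_limited_author_role' );

function example_register_limited_author_role() {
    // Capabilities are deliberately narrow (assumed list for the example):
    // the user can write, edit, publish and delete their own posts and upload
    // media, nothing more. Anything not listed here (editing other people's
    // posts, installing plugins, editing themes, managing users) is denied.
    $caps = array(
        'read'                 => true,
        'edit_posts'           => true,
        'edit_published_posts' => true,
        'publish_posts'        => true,
        'delete_posts'         => true,
        'upload_files'         => true,
    );
    if ( null === get_role( 'limited_author' ) ) {
        add_role( 'limited_author', 'Limited Author', $caps );
    }
}

// Tighten a built-in role too. On a single-site install Editors have
// 'unfiltered_html', which lets them put arbitrary <script> into posts; a
// compromised editor account can then attack every visitor and every admin
// who views the post. Editors rarely need it, so take it away.
add_action( 'init', 'example_restrict_editor_role' );

function example_restrict_editor_role() {
    $editor = get_role( 'editor' );
    // remove_cap() persists to the database, so only call it when needed.
    if ( $editor && $editor->has_cap( 'unfiltered_html' ) ) {
        $editor->remove_cap( 'unfiltered_html' );
    }
}
```

Save this as a file under wp-content/plugins/ and activate it; the new role then appears in the Role drop-down on the Users screen. Capabilities granted to a role are stored in the database, which is why the role is created on activation and the editor change is guarded rather than repeated on every request.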

5 – Upgrade to the latest version of WordPress and plugins

The WordPress developers are continually fixing security bugs in WordPress itself, and so are plugin and theme authors; a large share of break-ins exploit a vulnerability that was already public and already fixed. Running the latest version of WordPress, and of every plugin and theme you use, means you have those fixes. Delete plugins and themes you no longer use rather than merely deactivating them, since their files remain on the server.

6 – Backup your WordPress database

This is perhaps the most important point of all. When attackers take your site down, a backup at least lets you restore the last known good version. Ask your web hosting provider whether they back up your site; otherwise there are plugins that can do the backup for you. Back up the files under wp-content (uploads, themes, plugins) as well as the database, keep a copy somewhere other than the web server itself, and test that a restore actually works before you need it.

7 – Remove WordPress version info

The more information you hand an attacker, the easier it is for them to plan an attack. Some WordPress sites and themes include the WordPress version in a meta tag. An attacker (or an automated scanner) reads that and picks an exploit for a known vulnerability in that exact version. To remove the version info, log in to your WordPress dashboard and go to Design -> Theme Editor (Appearance -> Editor in later versions). On the right, click the Header file (header.php). In the code on the left, look for a line that looks like:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

Delete it and press Update File. In WordPress 2.6 and above, core itself adds the generator tag through the wp_head hook, so editing the theme is not enough. To fix this, you can install the WP-Security Scan plugin, or unhook the tag from a plugin or your theme's functions.php.
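As an added example (not the page's code and not the WP-Security Scan plugin), here is what "unhooking the tag" looks like. It also goes a step further than the text: besides the meta tag in the page head, WordPress prints the same version string in RSS/Atom feeds and appends it as ?ver= to the URLs of scripts and styles it enqueues, and this snippet covers those too. The function name is an assumption; remove_action, the_generator, style_loader_src and script_loader_src are WordPress's own hooks.

```php
<?php
/*
Plugin Name: Hide WordPress Version (added example)
Description: Removes the WordPress version from the generator tag, feeds and asset URLs.
*/

// Core prints <meta name="generator" content="WordPress x.y" /> from the
// wp_generator() callback hooked to wp_head. Unhooking it is the supported
// way to drop the tag without editing theme files (edits to header.php are
// lost the next time the theme is updated).
remove_action( 'wp_head', 'wp_generator' );

// The same version string goes into RSS/Atom feeds and the RSD/WLW links via
// the_generator(); filter it down to an empty string there as well.
add_filter( 'the_generator', '__return_empty_string' );

// Scripts and styles enqueued without a version of their own get
// ?ver=<wordpress version> appended, which leaks the version in the page
// source just as clearly as the meta tag. Strip that query argument, but only
// when it is the core version, so plugins' own cache-busting versions survive.
function example_strip_core_version_query( $src ) {
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'example_strip_core_version_query' );
add_filter( 'script_loader_src', 'example_strip_core_version_query' );
```

Treat this as tidying, not as a real defence: the version can still be fingerprinted from readme.html in the site root or from the contents of files under wp-includes, and scanners simply try every exploit regardless. What actually closes the gap is keeping WordPress up to date (point 5).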

8 – Protect your wp-admin folder

Your wp-admin folder holds the administrative interface of the site, so it is the last place you want to open up to others. Use AskApache Password Protect to put HTTP authentication in front of the directory and grant access only to authorised people. One caveat: some plugins and themes call wp-admin/admin-ajax.php from the public side of the site, and those requests will be challenged for a password too; allow that one file through, or the features that depend on it will break for visitors.


9 – Hide your plugins folder

If you go to http://yourwebsite.com/wp-content/plugins and your web server has directory listing enabled, you will see a list of every plugin your blog uses, which tells an attacker exactly which plugin vulnerabilities to try. Hide this page by uploading an empty index.html to the plugins directory: open your text editor, save a blank document as index.html, and upload it to wp-content/plugins with an FTP program. Do the same for wp-content/themes and wp-content/uploads, or, more robustly, turn directory listing off for the whole site (Options -Indexes in .htaccess on Apache). Bear in mind that this only removes the convenient index; an attacker can still probe for a plugin by requesting its known path directly.

10 – Perform a regular security scan

Install the WP-Security Scan plugin and scan your blog's settings regularly for security loopholes (file permissions, the admin username, the database prefix and so on). The plugin can also change your database table prefix from the default wp_ to a custom one. This is a modest defence: it defeats only automated SQL injection payloads that hard-code wp_ table names. Changing the prefix on a live site means renaming every table and updating the wp_-prefixed keys that WordPress stores in the options and usermeta tables, so take a backup (point 6) before letting the plugin do it.

11 – Stop brute force attack

Given unlimited attempts, an attacker can guess your password by brute force, working through lists of common passwords against wp-login.php (and against xmlrpc.php, which accepts the same credentials). To prevent that, install the Login LockDown plugin. It records the IP address and timestamp of every failed WordPress login attempt, and once a set number of failures is seen within a short period it disables the login function for all requests from that address range for a while.
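As an added example of the mechanism just described (my own code, not the Login LockDown plugin's), the following small plugin counts failed logins per /24 network range and refuses further logins from that range once a threshold is reached. The thresholds, the /24 grouping, the transient names and the function names are assumptions for the illustration; the hooks (wp_login_failed, authenticate, wp_login) and the transient and WP_Error APIs are WordPress's own.

```php
<?php
/*
Plugin Name: Simple Login Lockdown (added example)
Description: Locks an address range out after repeated failed logins.
*/

// Tunables (assumed values): 5 failures inside 5 minutes lock the /24 the
// attempts came from for 30 minutes.
define( 'EXAMPLE_LOCKDOWN_MAX_FAILS',   5 );
define( 'EXAMPLE_LOCKDOWN_WINDOW_SECS', 5 * MINUTE_IN_SECONDS );
define( 'EXAMPLE_LOCKDOWN_LOCK_SECS',   30 * MINUTE_IN_SECONDS );

// Key attempts by the client's /24 so an attacker hopping between addresses in
// one block is counted as a single source. REMOTE_ADDR is the TCP peer; behind
// a reverse proxy or CDN that is the proxy's address, and X-Forwarded-For must
// only be trusted when you know that proxy sets it.
function example_lockdown_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        $ip = long2ip( ip2long( $ip ) & 0xFFFFFF00 ) . '/24';
    }
    return 'example_lockdown_' . md5( $ip );
}

function example_lockdown_is_locked() {
    return false !== get_transient( example_lockdown_client_key() . '_lock' );
}

// wp_login_failed fires for every failed authentication, from wp-login.php and
// xmlrpc.php alike, so both entry points are covered.
function example_lockdown_record_failure( $username ) {
    if ( example_lockdown_is_locked() ) {
        return; // already locked: do not extend the lock on every retry
    }
    $key   = example_lockdown_client_key();
    $fails = get_transient( $key . '_fails' );
    if ( ! is_array( $fails ) ) {
        $fails = array();
    }
    $now = time();
    // Keep only the failures inside the sliding window, then add this one.
    $fails = array_filter( $fails, function ( $t ) use ( $now ) {
        return $t > $now - EXAMPLE_LOCKDOWN_WINDOW_SECS;
    } );
    $fails[] = $now;
    set_transient( $key . '_fails', $fails, EXAMPLE_LOCKDOWN_WINDOW_SECS );

    if ( count( $fails ) >= EXAMPLE_LOCKDOWN_MAX_FAILS ) {
        set_transient( $key . '_lock', $now, EXAMPLE_LOCKDOWN_LOCK_SECS );
        delete_transient( $key . '_fails' );
    }
}
add_action( 'wp_login_failed', 'example_lockdown_record_failure' );

// Priority 30 runs after core's username/password check (priority 20), so a
// locked range is refused even when the guessed password happens to be right;
// at an earlier priority core would overwrite our WP_Error with the result of
// its own check.
function example_lockdown_block_locked( $user, $username, $password ) {
    if ( example_lockdown_is_locked() ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from your network. Try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_lockdown_block_locked', 30, 3 );

// A successful login clears the failure counter for that range.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( example_lockdown_client_key() . '_fails' );
}, 10, 2 );
```

Two things to weigh before using range-based locking on a real site. Everyone behind one NAT (an office, a university) shares a /24 or less, so a few typos by colleagues can lock them all out together; and a determined attacker can still spread guesses across many unrelated networks, which is why a strong password (point 2) and a non-default username (point 3) remain the primary controls.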

This article was prepared by http://htmlpress.net, a WordPress website tutorial site for all levels, which provides step-by-step tutorials on how to create and maintain your own website for free.