
    7 Essential WordPress Security Tips


    WordPress is popular, and that popularity makes it a frequent target, so it is important to keep your WordPress blog secure. Here I’m sharing some essential WordPress security tips that will help you keep your blog safe and secure.

    When I was 21, I hacked our university’s web-portal to get the semester final questions draft by entering the teachers’ area. I needed the questions of the ‘network security’ course, so I attempted to login as sazzad (the respective teacher) and I succeeded in a few attempts to get his password as it was his girlfriend’s name without any space.

    Reading my story of hacking, as a webmaster, you might be worried about your website security. For any website, a security strategy is a must. And as WordPress is the most popular open source software for blogging, it is a primary target of many malicious attacks.

    Luckily, by the strength of being open source software, WordPress has many protective plugins, functions and techniques to save you. Used together, these tools can defend you from vicious activity, hacks, spam and other threats. Let us have a look at a few of these techniques today.

    Useful WordPress Security tips:

    Always upgrade:

    Always upgrade your WordPress version, theme and plugins to the latest release. Upgrades often fix security bugs found in the previous version, so it is wise to stay current.

    Hide your wordpress version number:

    If for some reason you cannot upgrade to the latest WordPress version, do not let attackers know which version you are running. The bugs of previous releases are public on wordpress.org, so knowing your version makes it easier for them to attack your website. You can hide your WordPress version number by following the instructions below:

    • If you are using an older theme, remove the following line from your theme’s header.php file:
      <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
    • If you are using a newer theme, just add the following to your theme’s functions.php file (if you insert it inside an existing <?php block, add only the remove_action(...) line without the surrounding tags):
      <?php remove_action('wp_head', 'wp_generator'); ?>
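    To confirm the change took effect, check the home page source for the generator tag the same way you would with ‘view source’. The script below is an added example, not code from the original post: it parses saved page HTML for a <meta name="generator"> tag (the one wp_generator prints) and also checks a theme’s header.php for the hard-coded bloginfo('version') call. The HTML and PHP snippets inside it are constructed for the demo.

```python
"""Check whether a site still advertises its WordPress version.

Added example (not the post's own code). Looks for the generator <meta> tag
that WordPress's wp_generator hook prints and for the hard-coded
bloginfo('version') call in an old-style header.php. All sample input below
is constructed for the demo.
"""
from html.parser import HTMLParser
import re


class _GeneratorFinder(HTMLParser):
    """Collect the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "generator":
            self.generators.append(attr.get("content", ""))


def wordpress_version_from_html(html):
    """Return the version string leaked by a WordPress generator tag,
    '' if the tag is present without a number, or None if no such tag exists."""
    finder = _GeneratorFinder()
    finder.feed(html)
    for content in finder.generators:
        match = re.match(r"\s*WordPress\s*([\w.\-]*)", content, re.IGNORECASE)
        if match:
            return match.group(1)
    return None


# Matches bloginfo('version') / bloginfo("version") in theme PHP source.
_VERSION_CALL = re.compile(r"bloginfo\(\s*['\"]version['\"]\s*\)")


def header_leaks_version(header_php):
    """True if a header.php still contains the bloginfo('version') call."""
    return bool(_VERSION_CALL.search(header_php))


# Constructed samples: a home page that leaks the version, one that does not,
# and the old-style header.php line from the post.
LEAKY_HOME = (
    '<html><head><meta name="generator" content="WordPress 3.8.1" />'
    "<title>Demo</title></head><body></body></html>"
)
CLEAN_HOME = "<html><head><title>Demo</title></head><body></body></html>"
OLD_HEADER = (
    "<meta name=\"generator\" content=\"WordPress <?php bloginfo('version'); ?>\" />"
)

if __name__ == "__main__":
    print(wordpress_version_from_html(LEAKY_HOME))  # 3.8.1
    print(wordpress_version_from_html(CLEAN_HOME))  # None
    print(header_leaks_version(OLD_HEADER))  # True
```

    Save your site’s home page source to a file and pass its contents to wordpress_version_from_html(); a None result means the generator tag is gone. The header.php check is only relevant to older themes that print the tag themselves.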

    Be careful about plugins:

    Be careful about installing plugins. Poorly written plugins may contain bugs through which code or SQL queries can be injected, or other harmful actions taken, to damage your site or its search ranking.

    Check plugin’s ratings and popularity before installing it. And to be sure, read reviews or ask your blogger friends about the plugin you are going to use.

    While upgrading plugins to the latest version, make sure you upgrade WordPress plugins the correct way.

    Secure administrator account:

    Prior to WordPress version 3.0, the default WordPress installation came with an administration account whose username was ‘admin’. Since attackers know this, it is the first username they try.

    Make sure your administrator account username is not something easily guessable like ‘admin’, ‘yoursitename’ or ‘yourname’. If you chose such a name, or installed a WordPress version older than 3.0, you need to change it.

    Read: how to change the default WordPress username using phpMyAdmin.

    Disable directory browsing:

    Directory browsing (the web server listing a folder’s files when it contains no index file) is comparable to leaving your door always open, so that a thief can see the wealth inside your house and plan how to steal it. I hope you understand the importance of keeping your door closed.

    A simple trick to disable directory browsing is to upload a blank index.html or index.php file in each directory and sub-directory except the root. Also make sure the known trick of discovering which plugins a site uses by browsing its directories does not work on your website.
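    The following is an added example (not code from the original post) that automates both approaches: the post’s trick of dropping a blank index.php into every sub-directory that lacks one, and an Apache .htaccess with the standard Options -Indexes directive, which also covers directories created later (for example new upload folders). The WordPress-like directory tree it operates on is constructed in a temporary folder for the demo.

```python
"""Disable directory listing for a WordPress install.

Added example, not the post's own code. Two defences are applied:
  1. a blank index.php in every sub-directory below the document root
     (the root and the three main WordPress directories already ship one);
  2. `Options -Indexes` in the root .htaccess, the Apache directive that
     turns listing off regardless of which files a directory contains.
The demo tree below is constructed in a temp directory.
"""
import os
import tempfile

# Same content WordPress uses for its own placeholder index.php files.
BLANK_INDEX = "<?php\n// Silence is golden.\n"
HTACCESS_RULE = "Options -Indexes\n"


def add_blank_indexes(root):
    """Create index.php in each sub-directory of root that has neither
    index.php nor index.html. Returns the created paths relative to root."""
    created = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if dirpath == root:
            continue  # WordPress's own index.php lives at the root
        if "index.php" in filenames or "index.html" in filenames:
            continue
        path = os.path.join(dirpath, "index.php")
        with open(path, "w") as fh:
            fh.write(BLANK_INDEX)
        created.append(os.path.relpath(path, root))
    return sorted(created)


def disable_listing_htaccess(root):
    """Append `Options -Indexes` to root/.htaccess unless it is already
    there. Returns True if the file was changed."""
    path = os.path.join(root, ".htaccess")
    existing = ""
    if os.path.exists(path):
        with open(path) as fh:
            existing = fh.read()
    if "Options -Indexes" in existing:
        return False
    with open(path, "a") as fh:
        if existing and not existing.endswith("\n"):
            fh.write("\n")
        fh.write(HTACCESS_RULE)
    return True


def build_demo_tree():
    """Constructed mini WordPress layout: the root and the three main
    directories already have index.php; the deeper folders do not."""
    root = tempfile.mkdtemp(prefix="wpdemo_")
    for d in ["", "wp-admin", "wp-content", "wp-includes"]:
        os.makedirs(os.path.join(root, d), exist_ok=True)
        open(os.path.join(root, d, "index.php"), "w").close()
    for d in ["wp-content/uploads/2014", "wp-content/plugins/demo-plugin",
              "wp-content/themes/demo-theme"]:
        os.makedirs(os.path.join(root, d))
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel in add_blank_indexes(demo):
        print("created", rel)
    print(".htaccess changed:", disable_listing_htaccess(demo))
```

    Point add_blank_indexes() and disable_listing_htaccess() at your real document root (over SSH, or on a local copy before uploading) instead of the demo tree. Running add_blank_indexes() a second time creates nothing, so it is safe to rerun after installing new plugins or themes.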

    Monitor any hacking attempts using wassup:

    Wassup is a WordPress plugin that records detailed data about each visitor. Using this plugin you can spot malicious activity such as attempted code or SQL injection.

    Plugin URL: http://wordpress.org/extend/plugins/wassup/

    If you detect any such attempts, note the IP address and block it.

    Read: Block visitors from specific ip address using .htaccess method
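    As an added example (not code from the original post or the Wassup plugin), the script below does in a few lines what the two steps above describe: it scans web server access log lines for the kind of injection attempts mentioned in the post, counts suspicious requests per IP address, and prints the .htaccess deny rules for repeat offenders. The log lines, the detection signatures and the threshold are all constructed assumptions for the demo; the deny block uses the classic Apache 2.2 order/deny/allow syntax (accepted by Apache 2.4 through mod_access_compat).

```python
"""Find injection attempts in an access log and build .htaccess deny rules.

Added example, not the post's code. Assumes Apache combined log format; the
signatures are a small constructed set (SQL UNION, a quoted tautology, an
inline <script> tag) meant for illustration, not a complete ruleset.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures applied to the URL-decoded request path (constructed set).
SUSPICIOUS = [
    ("sql-union", re.compile(r"union(?:\s|/\*.*?\*/)+(?:all\s+)?select", re.I)),
    ("sql-tautology", re.compile(r"\bor\b\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("xss-script", re.compile(r"<\s*script", re.I)),
]


def classify_request(path):
    """Return the names of every signature the decoded path matches."""
    decoded = unquote_plus(path)
    return [name for name, rx in SUSPICIOUS if rx.search(decoded)]


def scan_log(lines, threshold=2):
    """Return (findings, offenders): findings is a list of
    (ip, raw_path, tags) for each suspicious request; offenders are the IPs
    with at least `threshold` suspicious requests, sorted."""
    hits = Counter()
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        tags = classify_request(m.group("path"))
        if tags:
            hits[m.group("ip")] += 1
            findings.append((m.group("ip"), m.group("path"), tags))
    offenders = sorted(ip for ip, n in hits.items() if n >= threshold)
    return findings, offenders


def htaccess_deny_block(ips):
    """Render an Apache 2.2-style deny block for the given IPs."""
    lines = ["order allow,deny"] + [f"deny from {ip}" for ip in ips] + ["allow from all"]
    return "\n".join(lines) + "\n"


# Constructed sample log: one IP makes two injection attempts, another makes
# one, a third is clean.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2014:10:01:02 +0600] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2014:10:01:05 +0600] "GET /?p=12%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2014:10:01:09 +0600] "GET /?s=%27%20or%20%271%27%3D%271 HTTP/1.1" 200 4890 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2014:10:02:30 +0600] "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4890 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2014:10:03:11 +0600] "GET /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    findings, offenders = scan_log(SAMPLE_LOG)
    for ip, path, tags in findings:
        print(f"{ip} {path} -> {', '.join(tags)}")
    print(htaccess_deny_block(offenders))
```

    Feed it your real access log (for example with open("access.log")) and review the findings before pasting the deny block into .htaccess; a threshold of two or more is there so that a single odd-looking search query from a legitimate visitor does not get them locked out.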

    Prevention is better than cure:

    Last but not least, never forget to do the following on a regular basis:

    • Keep your workstation virus free, and keep your anti-virus software updated
    • Always keep backups (database and files). If you can afford it, consider using VaultPress. Read: VaultPress, premium WordPress backup service from Automattic
    • Use strong passwords and change them regularly. Do not save passwords in FTP clients or in your browser.
    • If possible, use premium themes

    These are some basic techniques to keep your WordPress sites secure. I will come up with more security tips in the future. Make sure you are subscribed to the ShoutMeLoud RSS feed to get updates.

    Do you have more WordPress security tips to share? Do let us know one tip you follow to keep your WordPress site secure.

    This is a guest post by Ron. If you would like to write for ShoutMeLoud, do read our guest posting guidelines.



    Article by

    Mahbub has written 1 articles.


    { 18 comments… read them below or add one }

    Haresh

    Thanks for the tips, esp the username ‘admin’ part. Before I read the post, I didn’t know how to change the default username.


    Samir@University Eight

    Wow! The security tips are really helpful. Though I am still using Blogger for most of my blogs, these would be very helpful when I switch over soon. While most of us ignore the security of WP blogs assuming there are enough precautionary measures integrated by the developers of WP, that’s not always the case. I know personally of an instance where an Egyptian hacker totally cleaned out a web host’s datacenter! Thanks for the nice list!

    Ron

    Good luck with switching your blogging platform, Samir.

    Yes, security things should never be ignored.

    Amjath

    Placing blank index.html files is not a good idea. You need to place it in all sub folders or else it will list the directories. Denying directory listing using the .htaccess is better.

    Ron

    Yes, I agree that .htaccess is better if one knows how to do that using .htaccess.

    But if someone does not feel confident enough to edit the .htaccess file, he can apply the simple trick of placing an index.php/index.html file.

    By default WordPress comes with a blank index.php file in 3 main directories (wp-content, wp-includes and wp-admin). You need to put it in sub-directories and you can do it easily with any FTP software.

    aatif

    Thanks for your share, I was unaware of the hiding WordPress version point. I will check that.

    Ron

    You can check it from ‘view source’ of your WordPress blog.

    At the home page source, look for a ‘meta’ with ‘generator’ as ‘name’ and ‘WordPress’ as ‘content’.

    Then remove it the way I mentioned in the post.

    aatif

    I am using a new theme, there is no function.php. And I can’t remove bloginfo(‘version’); ?>” /> because this is not there. What should I do?

    Ron

    Hi aatif, it’s functions.php (you missed an ‘s’). There must be a functions.php in each theme, that’s a compulsory file to build a WordPress theme.

    I just checked your site from the link attached to your name here. In that site, you’re using the swift theme. There is a functions.php file in your theme. Open this file from the wp-admin panel (or using FTP) for editing and at the second last line (just above the PHP end tag ?>) add the mentioned code from the article and save the file. You’re done!

    If you still need help, let me know. I will be happy to help! Good luck. :)

    Ruhani Rabin

    First of all, thanks to the writer for pointing out these security tips .. besides that, I would prefer an .htaccess based protection scheme rather than index.php.
    Also I think you can change the wp username in one click with wp-optimize (Shameless me) LOL!

    BTW Mahbub, where do you stay in Dhaka? ;)

    Ron

    Hi Rabin, thanks for your comment. Yes, I agree about .htaccess, please see comment no 12 regarding this.

    Thanks for mentioning wp-optimize too and glad to know that you are the plugin author. I will check it.

    I live in Chittagong. If you ever visit, don’t forget to take me as your travel guide :)

    Murlu

    Thumbs up for placing such a high amount of value on prevention. As I learned through Network Security classes – it’s so much easier just to make sure you’re safe than to play damage control afterward.

    Ron

    Thanks Murlu.

    What you learned at your class is absolutely correct.


    Sakib

    I’m a freak WordPress developer, I thought I’d get some new information. Most of the information we know, and the (hidden) version doesn’t matter, and when hackers make attempts, they might already be aware of it. Thanks Ron.

    Karan Lugani

    Safety is the first and foremost thing. What we have done in years can be removed in just 5 minutes by the hacker. Thanks for the tips.


    Amol Mhetre

    Hey, thanks mate!! Now I am able to secure my WordPress blog the easier way ….

    Prakash Prakash

    Hi, I checked your info on the internet; it shows you are using WP version 3.8.1.

    And I also checked labnol.org but it says no data available for WP version. It means your version is not hidden, or you are using something else.
    Once I have changed my version, how can I check that?

    Please share your view.

    mayank

    Harsh, you have given a good tutorial, but it doesn’t help me as my site got hacked by Turkish hackers. They deleted all data and everything; the only thing left was an index file which was promoting their government. So it’s better to take a backup daily.