ShoutMeLoud – Shouters Who Inspire

Superlinks
≡ Menu
≡ Menu

7 Essential WordPress Security Tips

CW
7 Essential WordPress Security Tips

WordPress being popular but security vulnerable platform, it’s important for us to keep our WordPress blog secure. Here I’m sharing some essential WordPress security tips, which will help you to keep your blog safe and secure.

When I was 21, I hacked our university’s web-portal to get the semester final questions draft by entering into teachers area. I needed the questions of ‘network security’ course, so I attempted to login as sazzad (the respective teacher) and I succeeded in a few attempts to get his password as it was his girlfriend’s name without any space. :)

wordpress security tips Reading my story of hacking, as a webmaster, you might be strained about your website security. For any website, a security strategy is a must. And as wordpress is the most popular open source software for blogging, it is a primary target of many malicious attacks.

Luckily, by the strength of being open source software, wordpress has many protective plugins, functions and techniques to save you. When used in an aggregate, these tools can defend you from vicious activity, hacks, spam and other threats. Let us have a look to few of these techniques today.

Useful WordPress Security tips:

Always upgrade:

Always upgrade your wordpress version, theme and plugin to the latest version. The upgrade may fix any security bug from the previous version, so it is wise to be upgraded.

Hide your wordpress version number:

For some reason, if you cannot upgrade to the latest wordpress version, do not let hackers know your current version. As the bugs of previous releases are known to all through wordpress.org, it will easier for them to attack your website. You can hide your wordpress version number by following below instructions:

  • If you are using an older theme, remove the following line from your theme’s header.php filephp bloginfo('version'); ?>" />
  • If you are using a newer theme, just add the following in your theme’s functions.php file
    <?php remove_action('wp_head', 'wp_generator'); ?>

Be careful about plugins:

Be careful about installing plugins. Weak plugins may have buggy codes through which some other codes or sql queries can be injected or some other harmful activities can be done to damage your site or its ranking.

Check plugin’s ratings and popularity before installing it. And to be sure, read reviews or ask your blogger friends about the plugin you are going to use.

While upgrading plugins to latest version, make sure you upgrade wordpress plugin in correct way.

Secure administrator account:

Prior to wordpress version 3.0, the default wordpress installation used to come with an administration account ‘admin’ as username. As the hackers know it, they will always try this.

Make sure, your administrator account username is not something easily guessable like ‘admin’, ‘yoursitename’ or ‘yourname’. If you already did so or you had installed a wordpress version older than 3.0, you need to change it.

Check here how to change wordpress default username security using PhpMyAdmin.

Disable directory browsing:

directory browsing 520x146 Enabling directory browsing in your site is comparable to keeping your door always open, so that the thief can see your wealth inside house and can do a plan to steal. :) I hope you understand the importance of keeping your door closed.

directory browsing protecti A simple trick to disable directory browsing is to upload a blank index.html or index.php file in each directory and sub directory except the root. Also make sure this WordPress hack to find the plugin used in your website does not apply to your website.

Monitor any hacking attempts using wassup:

Wassup is a wordpress plugin that records details data of each user. Using this plugin you can monitor any malicious activities like code/sql injections.

Plugin Url: http://wordpress.org/extend/plugins/wassup/

If you are able to detect any such attempts, note their ip and block them.

Read: Block visitors from specific ip address using .htaccess method

Prevention is better than cure:

Last but not the least, never forget the following to do on a regular basis

  • Keep your workstation virus free, and keep anti-virus softwares updated
  • Keep backups (database and files) always. If you can afford consider using vaultpress. Read: vaultpress premium wordpress backup services from automatic
  • Use strong passwords and change on a regular basis. Do not save passwords to ftp clients or in browser histories.
  • If possible, use premium themes

These are some basic techniques to keep your wordpress sites secure. I will come-up with more security tips in the future. Make sure you subscribed to ShoutmeLoud rss feed to get updates.

Do you have more WordPress security tips to share? Do let us know one tip, which you follow to keep your wordpress site secure?

This is a guest post by Ron. If you like to write for Shoutmeloud, do read our Guest posting guidelines.

  • Author Bio

  • Latest Post

Article by Ron

Mahbub has written 1 articles.

If you like This post, you can follow ShoutMeLoud on Twitter. Subscribe to ShoutMeLoud feed via RSS or EMAIL to receive instant updates.


    { 18 comments… add one }

    • mayank

      Harsh you have given a good tutorial but it doesn’t help me as my site got hacked turkish hackers they delete all data and everything the thing left was index file which was promoting there govt. so its better to take backup daily.

      Reply
    • Prakash Prakash

      Hi I check your info on internet it shows you are using WP version 3.8.1.

      and I also checked labnol.org but it says no data available for WP version. It means your Version is not hide or you are using something else.
      once I changed my Version how, Can I check that ?

      Please share your view.

      Reply
    • Amol Mhetre

      Hey Thanks Mate !! Now I can able to secure my wordpress blog with easier way ….

      Reply
    • Karan Lugani

      Safety is the first and foremost thing. What we have done in years can be removed in just 5 minutes by the hacker. Thanks for the tips.

      Reply
    • Sakib

      I’m freak workpress developer, I thought I’ll get something new information. Most of the information we know and the version (hidden) doesn’t matter and when hacker will take the attempts, they might already be concerned about it. Thanks Ron.

      Reply
    • Murlu

      Thumbs up for placing such a high amount of value on prevention. As I learned through Network Security classes – it’s so much easier just to make sure your safe than to play damage control afterward.

      Reply
      • Ron

        Thanks Murlu.

        What you learned at your class is absolutely correct.

        Reply
    • Ruhani Rabin

      First of all, thanks for the writer to point these security tips .. besides that, I would prefer .htaccess based protection scheme rather than index.php.
      Also I think you can change wp username in one click with wp-optimize (Shameless me) LOL!

      BTW Mahbub, where you stay in Dhaka? ;)

      Reply
      • Ron

        Hi Rabin, Thanks for your comment. yes, I agree about .htaccess, please see comment no 12 regarding this.

        Thanks for mentioning about wp-optimize too and glad to know that you are the plugin author. I will check it.

        I live at Chittagong. if you ever visit, don’t forget to take me as your travel guide :)

        Reply
    • aatif

      Thanks for your share , i was anaware of hidding version of wordpress point. i will check that .

      Reply
      • Ron

        You can check it from ‘view source’ of your wordpress blog.

        At home page source, look for a ‘meta’ with ‘generator’ as ‘name’ and ‘Wordpress ‘ as ‘content’.

        Then remove it as the way i mentioned in the post.

        Reply
        • aatif

          i am using new theme , there is no function.php . and i cant remove bloginfo(‘version’); ?>” /> becuase this is not there . what should i do ?

          Reply
          • Ron

            Hi aatif, its functions.php (you missed a ‘s’). There must be a functions.php in each theme, that’s a compulsory file to build a wordpress theme.

            I just checked your site from link attached to your name here. In that site, you’re using swift theme. There is a functions.php file in your theme. Open this file from wp-admin panel (or using ftp) for edit and at the second last line (just above php end tag ?>) add the mentioned code from the article and save the file. You’re done!

            If you still need help, let me know. I will be happy to help! Good luck. :)

            Reply
    • Amjath

      Placing blank index.html files is not a good idea. You need to place it in all sub folders or else it will list the directories. Denying directory listing using the .htacess is better.

      Reply
      • Ron

        yes, I agree that .htaccess is better if one knows how to do that using .htaccess.

        But if someone does not feel confident enough to edit the .htaccess file, he can apply the simple trick of placing an index.php/index.html file.

        By default Wordpress comes with blank index.php file in 3 main directories (wp-content, wp-includes and wp-admin). You need to put it in sub-directories and you can do it easily any ftp software.

        Reply
    • Samir@University Eight

      Wow! The security tips are really helpful. Though I am still using Blogger for most of my blogs, these would be very helpful when I switchover soon. While most of us ignore the security of WP blogs assuming there are enough precautionary measures integrated by the developers of WP, that’s not always the case. I know personally of an instance where an Egyptian hacker totally cleaned out a web host’s datacenter! Thanks for the nice list!

      Reply
      • Ron

        Good luck with your switching blogging platform Samir.

        Yes, security things should never be ignored.

        Reply
    • Haresh

      Thanks for the tips, esp the username ‘admin’ part. Before I read the post, I didn’t know how to change the default username.

      Reply

    Leave a Comment