by Abdul Karim
I never thought it would actually happen to me. I always thought that getting your blog hijacked was something that happens to "other people", but when it happened to me I was devastated. I foolishly installed a "free" WordPress theme from an untrusted site, and weeks later I had links appearing all over my sidebar; every time I removed them from my blog, they reappeared days later. I don’t know what was worse: the fact that my blog was now linking to bad-neighbourhood sites, or the fact that I knew there was a backdoor in my WordPress installation and I didn’t have a clue how to remove it.
Almost a year on, and a year wiser, I’ve learnt quite a few things about WordPress security, and I’m going to share with you the tips that helped me lock down my WordPress blog.
I’ll be asking you to perform a few tweaks to your blog, so as always, back up both your database and your files first so that you have a way of restoring your blog if things go pear-shaped.
Tip 1: Stay updated
This one comes straight out of the "obvious" chapter, but as exploits and vulnerabilities are discovered, WordPress is quick to release patches for them. Running an out-of-date WordPress on your blog means that you are one of the remaining sites still open to an exploit that everyone else has already fixed. Check your administration panel for update notifications, and make sure to run them on all of your sites. You may want to keep a test blog running with the same plugins and themes installed so you can run a "guinea pig test" and confirm they’re all compatible before you run the updates on your live sites.
Tip 2: Make Regular Backups
No matter what security measures you have in place, you need good, reliable backups in case something goes wrong. I really like the WP-Db-Backup plugin, as it automatically creates a backup of my database and sends it to me via email. You can set how often the backup is created; I would advise weekly or daily backups depending on how often the blog is updated. The WordPress files can be backed up manually via FTP by connecting to your web server; I make monthly backups of the files as they aren’t updated much.
It’s good practice to keep your backups on an offsite server. I tend to use online backup services to upload all my music, documents and work-related files; it’s a great way for mobile bloggers who work off laptops to keep their files safely stored in another location.
Tip 3: Lock down your WP-admin
Many users don’t realise this, but wp-admin isn’t as secure as it should be. In most cases it’s open for brute-force password hackers to repeatedly attack the login page with a hash file and attempt to gain access to your login. Thankfully there are some great steps you can take to prevent that:
- First, use a non-default login name. By default "admin" is set as the login name; change it to a nickname that isn’t known to anyone else. You can do this through another admin account or by editing the wp_users table using phpMyAdmin. Remember to back up your database before doing so.
- Install the login-lockdown plugin for WordPress. It does a great job of deterring brute-force hackers: it locks down the login page after a set number of repeated failed attempts from any given IP.
- Use server-based password protection for added security; Google "htpasswd creator" to create your htpasswd and htaccess files.
Tip 4: Lock down your WP-includes folder
Not many users are aware of this, but the /wp-includes folder is viewable to the public if your server has directory listing enabled. The problem is that wp-includes can leave footprints of plugins and WordPress versions which may have security loopholes that can be exploited. To fix this:
- Create a blank index.html file and upload it into /wp-includes, or
- Simply add "Options -Indexes" on a new line in your root .htaccess file (if you don’t have one, create one). This directive turns off directory listing for that particular folder and all of its subfolders, so if you upload it to the root it prevents directory listing for the entire website.
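Tips 3 and 4 both end up in the same root .htaccess file, so here is how the two settings fit together. This is an added example, not from the original post; the /home/example/.htpasswd path and the user name are placeholders.

```apache
# Added example (not from the original post): a root .htaccess combining
# Tip 3 (server-side password on the login page) and Tip 4 (no directory
# listing). /home/example/.htpasswd is a placeholder path; keep the
# htpasswd file outside the web root so it can never be downloaded.

# Tip 4: disable directory listing for this folder and every subfolder,
# so /wp-includes (and /wp-content/plugins) no longer reveal file names.
Options -Indexes

# Tip 3: require a second, server-side password before WordPress's own
# login form is even reached, which takes the brunt of brute-force attempts
# away from WordPress. Only wp-login.php is covered, so admin-ajax.php keeps
# working for plugins that call it from the public side of the site.
# Create the credentials file once on the server with:
#   htpasswd -c /home/example/.htpasswd yourname
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /home/example/.htpasswd
    Require valid-user
</Files>
```

If your host has not granted AllowOverride for Options and AuthConfig, Apache answers every request with a 500 error, so load the site immediately after uploading the file and be ready to remove it.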
Tip 5: Stay away from themes and plugins outside of wordpress.org
Simply put: always download your plugins and themes through your WordPress admin pages, as they are verified and tested by the WordPress team. Many WordPress themes acquired from elsewhere have encrypted elements in them; some are just hyperlinks to other sites, but many are shady enough to leave backdoor entries into your blog, giving their authors access to it.
Themes and plugins from outside wordpress.org should only be used if they are reliable: do plenty of research before downloading, read reviews, and even if there are many positive reviews, check the authenticity and authority of those reviews.
Tip 6: Perform scans before installing unfamiliar plugins and themes.
I highly recommend the Wp-Security-Scan plugin. It scans your WordPress installation for security vulnerabilities and also scans themes and plugins to detect irregularities such as encrypted elements and potential backdoors. When installing a new plugin, add it, but before activating it run Wp-Security-Scan to get the all-clear.
From my past experience of getting breached, I found Wp-mal-watch an excellent plugin: it scans your WordPress blog every night for traces of security threats, such as suspicious files appearing on your web host or unauthorised changes to your WordPress blog.
So there you have it: 6 great tips that you can carry out in less than 30 minutes and that will drastically increase the security of your WordPress blog. I hope you’ve enjoyed this post, and feel free to tweet it and post it on your frequently visited forums to help out other WordPress bloggers.
Karim, author of online backup services, provides reviews, news and helpful advice relating to online backup and cloud computing services. Use the online backup reviews page to locate the best service suitable for you.