Saturday, January 30, 2010

Recently, some high-profile blogs that are running WordPress have been hacked or hijacked by malicious users (e.g., TechCrunch). The worst thing is having to recover from such an event: you not only have to repair your site, but also your reputation. So, spending a little bit of time trying to prevent, or at least make it a bit more difficult for, a hacker to take over your WordPress blog is time worth investing.

I have had my fair share of my blogs (both work and personal) getting attacked (denial of service attacks, hidden iFrames in my code, SQL injections and my server repeatedly being hit with brute force SSH login attempts from overseas). I have learned a lot from over 5 years of blogging; however, I am by far no expert in the security field. But what I can do is provide a growing list of tricks and tips, as well as plugins, that you can use to make your WordPress blog a bit more secure. This is not an exhaustive list, nor have I personally implemented everything that is on here. I simply wanted to provide a list of items you can do that may make your blog a bit more difficult to crack. Some security is better than no security, in my opinion. If a bot or hacker spends too much time trying to get in, they will hopefully move on to find something different and easier.

A Word of Warning: Do note that having many plugins running will degrade the performance of your WordPress blog. Some of the plugins run only on demand while others are present and running all of the time, so your mileage may vary. Also, some of these plugins might not work well together. Lastly, a few of the items below require you to have SSH access to your WordPress environment or server. You may also have restrictions in place from your hosting provider.

The List of WordPress Blog Security Measures

  1. Do Regular Backups – back up not only your database regularly but also be sure to take a full copy of your entire WordPress directory. A great WP Database backup plugin is “WP-DBManager“. What I do is run a DB backup and then do a complete file backup since the DB backup is within your WP directory and will be copied when you download.
  2. Scan Your Files for Oddities – I wrote a post on how you can scan a local copy of your WordPress files to find code injections or hidden iFrames. There are also some plugins that can help with that, like “WordPress Exploit Scanner” or “AntiVirus“.
  3. Change Your Password – make it something difficult to figure out. Don’t use numbers in place of letters because everybody does that. Use special characters.
  4. Rename Your Admin User – there are a couple of ways to do this. You can run a MySQL command yourself or use a plugin to do it for you. Either go into a MySQL manager like phpMyAdmin and rename the user “admin” to something else, or run a command like:
    update tableprefix_users set user_login='newuser' where user_login='admin';
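As an added example for item 2 (not code from the original post or from any of the plugins named above), here is a small Python scanner that walks a local copy of your WordPress directory and flags the kinds of injections mentioned in this post: iframes styled or sized to be invisible, PHP that runs a payload only after decoding it, and very long base64-looking blobs. The signature names, the `example.invalid` host and the sample file contents are constructed for this illustration and are not taken from any real compromise.

```python
"""Scan a local copy of WordPress files for common injection signatures.

Added example; the signatures below are heuristics, not proof of compromise.
Every hit still needs a human look at the file in question.
"""
import os
import re
import sys
from typing import Dict, List, Tuple

# Constructed signatures of code commonly injected into a compromised site.
SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    # An iframe that is styled or sized so visitors never see it.
    "hidden-iframe": re.compile(
        r"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden"
        r"|width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b)[^>]*>",
        re.IGNORECASE,
    ),
    # PHP that executes a payload only after decoding or inflating it.
    "eval-decoded-payload": re.compile(
        r"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(",
        re.IGNORECASE,
    ),
    # A very long base64-looking run, typical of an obfuscated blob.
    "long-base64-blob": re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{200,}={0,2}"),
}

# File types worth scanning in a WordPress tree.
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, signature_name) for every signature hit in text."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(text):
            # Line number is 1-based, computed from newlines before the match.
            line = text.count("\n", 0, match.start()) + 1
            hits.append((line, name))
    return sorted(hits)


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of path -> contents; only paths with findings are returned."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report


def scan_tree(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Walk a local copy of the WordPress directory and scan eligible files."""
    files = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower().endswith(SCAN_EXTENSIONS):
                path = os.path.join(dirpath, filename)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_files(files)


# Constructed samples: a clean template and one carrying two injected lines.
CLEAN_SAMPLE = "<?php\nget_header();\necho 'hello';\n?>\n"
INJECTED_SAMPLE = (
    "<?php\n"
    "// header.php carrying an injected payload (constructed sample)\n"
    "get_header();\n"
    "echo '<iframe src=\"http://example.invalid/x\" style=\"display:none\" "
    "width=\"0\" height=\"0\"></iframe>';\n"
    "eval(base64_decode('aGVsbG8='));\n"
    "?>\n"
)


if __name__ == "__main__":
    # Usage: python scan_wp.py /path/to/local/wordpress/copy
    # With no argument the constructed samples are scanned instead.
    if len(sys.argv) > 1:
        report = scan_tree(sys.argv[1])
    else:
        report = scan_files({"clean.php": CLEAN_SAMPLE, "header.php": INJECTED_SAMPLE})
    for path, hits in report.items():
        for line, name in hits:
            print(f"{path}:{line}: {name}")
```

Run it against a downloaded copy of the site, never against the live server, and diff the hits against a fresh WordPress release of the same version before deciding anything is malicious. The long-base64 rule in particular will fire on legitimate minified JavaScript and embedded images, so treat it as a prompt to look, not as a verdict.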

