How To Secure Your WordPress Blog

How would you feel if I told you that the door of your home is currently closed but not locked? To ease your mind, I bet you would make sure it does not happen again. Locking the door is a measure so simple and quick that not doing it just does not make much sense.
Blogs are just the same!
Here are a few basic things that you can implement to secure your blog and ease your mind:
Use A Strong Password
That’s the equivalent of the key to your home. A strong password should have at least 8 characters and a random combination of letters, numbers and symbols. You can have it generated for you using a strong password generator (found easily on the web) or you can create your own. Just make sure you don’t forget it.
Use A Robots File
This is a plain text file that defines the search engine access rules for the resources of your blog. You want to have one to prevent search engine bots (spiders) from indexing sensitive parts of your website. Among other things, this file can avoid duplicate content issues and prevent your blog from being penalized.
Simply create an empty text file called robots.txt and place it at the root of your web server (/www). Now edit this file and define its content. The syntax is quite simple:
- User-Agent opens a section of rules for one search engine spider (ex: Googlebot) or for all of them (*).
- Disallow lists the paths that the spider should not index.
- Allow lists the paths that the spider may index.
Here is the robots.txt file that I use:
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /trackback
Disallow: /feed
Disallow: /comments
Disallow: */trackback
Disallow: */feed
Disallow: */comments
Allow: /wp-content/uploads
I explicitly allow the content of my uploads directory to be indexed: it contains images, which can bring extra traffic.
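To see how a crawler applies these rules, here is an added example (not part of the original post) that parses the file above and answers whether a given path may be indexed, using the longest-match rule with Allow winning ties that Google documents for its crawler; the sample paths in the comments and tests are made up.

```python
import re

# The robots.txt from the article, embedded as sample input.
ROBOTS_TXT = """\
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /trackback
Disallow: /feed
Disallow: /comments
Disallow: */trackback
Disallow: */feed
Disallow: */comments
Allow: /wp-content/uploads
"""

def parse_robots(text):
    """Map each User-agent name (lower-cased) to its list of (field, pattern) rules."""
    groups, agent = {}, None
    for raw in text.splitlines():
        field, _, value = raw.split("#", 1)[0].partition(":")   # '#' starts a comment
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":                   # each User-agent line opens a group
            agent = value.lower()
            groups.setdefault(agent, [])
        elif field in ("allow", "disallow") and agent and value:
            groups[agent].append((field, value))    # an empty Disallow restricts nothing
    return groups

def _matches(pattern, path):
    """'*' matches any run of characters; a trailing '$' anchors the end of the path."""
    anchored = pattern.endswith("$")
    core = pattern[:-1] if anchored else pattern
    regex = ".*".join(re.escape(p) for p in core.split("*")) + ("$" if anchored else "")
    return re.match(regex, path) is not None

def is_allowed(groups, user_agent, path):
    """Longest matching rule wins; Allow beats Disallow on a tie (Google's convention)."""
    ua = user_agent.lower()
    rules = next((r for name, r in groups.items() if name != "*" and name in ua),
                 groups.get("*", []))
    best = None                                     # (pattern length, is_allow)
    for field, pattern in rules:
        if _matches(pattern, path):
            best = max(best or (-1, True), (len(pattern), field == "allow"))
    return best is None or best[1]
```

Calling `is_allowed(parse_robots(ROBOTS_TXT), "Googlebot", "/wp-content/uploads/a.jpg")` returns True while the same call for "/wp-content/plugins/" returns False. Keep in mind that robots.txt is advisory: it is publicly readable and only well-behaved crawlers honour it, so it hides nothing from a visitor who requests /wp-admin/ directly.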
Use The Latest Version Of WordPress
With each new version of WordPress comes a list of new features, improvements and bug fixes. You want to make sure you are using the latest version of WordPress to benefit from the fixes for security issues found in previous versions.
Keep The WordPress Version Hidden
The default installation of WordPress shows the version you use on your blog pages (not visible to your readers, but viewable in the page source). It is advised to hide it: a hacker would love to have this information to look up the known flaws of the particular version you use.
To remove the version information:
- Edit the file Header located in your WordPress administration area under Presentation -> Theme Editor.
- From the code, remove the line:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
Hide Your Plugins And Resources
All the plugins installed in your blog are located in the /plugins/ directory of your website. By default, nothing prevents anybody from spying on you and getting the list of all the plugins you are using. This again gives an attacker a head start if any of your plugins is known to have security issues.
To prevent your list of plugins from being easily available, just upload an empty index.html file in the directory /wp-content/plugins/. A request to the URL http://www.yourSite.com/wp-content/plugins/ will show a nice blank page.
You could do the same for other resources of your website. For example, for the list of all your images located in /wp-content/uploads/.
Update Your Plugins
Since WordPress 2.3, it is possible to know whether you are using the latest available version of your plugins. Make sure you update each of them regularly.
Block Admin Folders
For additional security, a file can be created to control which IP addresses may access your administration area. This file, called .htaccess, should be uploaded to the wp-admin folder. I direct you to Lorelle’s post about .htaccess for more details (note that in Lorelle’s case the .htaccess file is written to ban addresses from the entire website).
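As an added example (not taken from this article or from Lorelle’s post), here is a wp-admin/.htaccess that denies everyone and then re-admits a single address; 203.0.113.10 is a placeholder for your own static IP, and the directives use the Apache 2.2 syntax that was current when this was written.

```apache
# wp-admin/.htaccess (added example, Apache 2.2 syntax)
# Deny every address, then re-admit only the one you administer from.
# 203.0.113.10 is a placeholder: replace it with your own static IP.
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
```

On Apache 2.4 the equivalent is `Require ip 203.0.113.10`. Everything else under wp-admin/ is blocked too, including admin-ajax.php, which some themes and plugins call from the public pages; add a `<Files admin-ajax.php>` exception if that applies to your blog.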
Backup Your WordPress Database
Because you never know what could happen, and because you certainly don’t want to lose all the content of your blog, I advise you to back up regularly. The following plugins can help you.
WordPress Plugins For A More Secure Blog
WordPress Database Backup
This plugin allows you to back up your WordPress database whenever you choose. The backup can be scheduled to run automatically on a daily basis. It can then be saved on your web server or emailed to you.
Akismet
Although it checks your comments, I consider Akismet a plugin that helps with security. Each time a comment is entered on your blog, the Akismet web service is called to check its validity. This plugin comes with the default WordPress installation.
Instant Upgrade
Whenever a new version of WordPress is available, this plugin makes the upgrade process very easy, at the push of a button. You will have to make sure that the WordPress files located on your server are writable.
WordPress Version Check
Simply tells you when a new version of WordPress is available.
WordPress Scanner
This plugin scans your WordPress setup, warns you about security issues and sometimes recommends actions.
Admin SSL
This plugin adds security to your login and admin pages through SSL.
Login Logger
The plugin logs information about logins to your WordPress blog.
Conclusion
Hopefully you enjoyed reading this article as much as I enjoyed researching and writing it for you.
I did not implement all the points and plugins described above, but it is a good starting list to consider for securing your WordPress blog. Make sure to back up your WordPress database before implementing any of the above.
I am interested in knowing how you deal with security for your blog. Have you ever had security issues? What did you do about it? How do you make your blog more secure?
Please feel free to comment below with any complementary information.
About this post:
This post is submitted to the Internet Marketers United Group Writing Project.
October 15th, 2007 at 4:13 pm
[…] How To Secure Your WordPress Blog by Fab at FabNetRevenue.com […]
October 16th, 2007 at 5:26 pm
[…] How To Secure Your WordPress Blog nice overview with 2.3 tips (tags: wordpress security hackers spam) […]
October 17th, 2007 at 9:34 am
Guess which participant will give you the best return for your comment effort.
Table of Link Values of participants
Just a quick survey of how many links are on each participant’s article page.
It will eventually be an article but I thought you would like to see the table. I was amazed!
October 17th, 2007 at 11:27 am
[…] How To Secure Your WordPress Blog by Fab at FabNetRevenue.com […]
October 17th, 2007 at 11:45 pm
Thanks for the info, I know I’ll be able to use it sometime. Unfortunately, I am not so educated in the website field. I know plenty about how to heal bodies. Just starting a blog on how to do self healing, so I can use the education. I just hope I can figure out the whole wordpress thing. Thanks to you and Court for doing this project. Heading over to your ‘How to create a regular website with wordpress’ article to see if I can figure out how to sell an ebook with WP. I look forward to learning more.
October 18th, 2007 at 7:52 am
Hi Kalidasa,
Welcome. If you have any topics you would like to see on this blog about WordPress don’t hesitate to mention… I am fairly new to WordPress, but I am trying to learn all the little bits of it and want to write more How To.
Have a great day.
Fab
October 20th, 2007 at 12:13 pm
[…] WordPress, thanks to its simplicity and powerful extensibility, has become the most popular blog software in the world, but like other CMS systems, wp also has many security problems; for example, a Google search for wordpress vulnerabilities returns 103,000 results. Today I happened to read an article on how to protect your WordPress blog (How To Secure Your WordPress Blog), which introduces several practices for keeping your wp blog secure. Below is a brief translated excerpt: […]
October 21st, 2007 at 6:50 am
[…] Of A Link by Sutoco How To Use Google Webmaster Tools - And 5 Reasons Why You Should by James How To Secure Your WordPress Blog by Fab Common Internet Marketing Mistakes by Bryan Ultimate List Of Free Blogging Platforms by Fred […]
October 21st, 2007 at 9:12 am
[…] Of A Link by Sutoco How To Use Google Webmaster Tools - And 5 Reasons Why You Should by James How To Secure Your WordPress Blog by Fab Common Internet Marketing Mistakes by Bryan Ultimate List Of Free Blogging Platforms by Fred […]
October 22nd, 2007 at 2:37 pm
[…] How To Secure Your WordPress Blog by Fab at FabNetRevenue.com […]
October 28th, 2007 at 11:59 am
[…] How To Secure Your WordPress Blog by Fab Common Internet Marketing Mistakes by Bryan Ultimate List Of Free Blogging Platforms by Fred How Do You Build Relationships With Your Blog Visitors? by Pearl The One Thing To Know When Writing With Keywords by Simonne […]
October 28th, 2007 at 2:11 pm
[…] How To Secure Your WordPress Blog by Fab at FabNetRevenue.com […]
October 29th, 2007 at 11:29 am
[…] How To Secure Your WordPress Blog by Fab at FabNetRevenue.com […]
December 15th, 2007 at 7:14 am
very interesting, but I don’t agree with you
Idetrorce
December 15th, 2007 at 8:33 am
Idetrorce: What do you do differently to secure a WordPress blog?
January 29th, 2008 at 7:16 am
[…] WordPress, thanks to its simplicity and powerful extensibility, has become the most popular blog software in the world, but like other CMS systems, wp also has many security problems; for example, a Google search for wordpress vulnerabilities returns 103,000 results. Today I happened to read an article on how to protect your WordPress blog (How To Secure Your WordPress Blog), which introduces several practices for keeping your wp blog secure. Below is a brief translated excerpt: […]