(Image Credit – ClickonF5)
For the past few months I have been hearing a lot of horror stories about the security compromises bloggers have to deal with. The open-source nature that has been such a boon for WordPress is now also working against it, because anyone, attackers included, can read the code and look for weaknesses (for hardcore open-source lovers: I am in favour of open source all the way, and that statement should not be taken as a personal attack). Many blogs that were not running the latest version of WordPress are now infected with some sort of worm, or a hacker has gained access to the web server and is misusing your precious resources. In some cases the damage goes further and the site's search engine rankings suffer as well.
Cleaning up a WordPress installation that has been compromised by one worm or another is always a nightmare, but a few precautionary steps will buy you a baseline level of security that keeps the "stupid hack scripts", the automated attacks that simply try known holes against every blog they can find, away from your precious blog. Follow these steps and you won't have to shell out hundreds of dollars to make WordPress secure.
Here are some of the steps one can take to keep a WordPress installation secure -
1. Keep your blog software up to date – WordPress has been very quick in responding to security problems, and it is almost always the older, unpatched versions that get attacked: once a fix is public, the hole it closes is known to everyone. WordPress now has an automatic upgrade feature, so with the touch of a button you can upgrade the core. Themes and plugins need the same treatment, since a vulnerable plugin is just as much of a way in as an old core. You can read more about upgrading WordPress over here.
2. Keep a strong password – It is always advisable to use a strong password. Length matters more than anything else: use a long passphrase that mixes letters, digits and symbols, never a dictionary word, and never the same password you use on another site, since a breach elsewhere would hand over your blog as well. I'm sure these 16 Firefox extensions will help you generate a stronger password and keep it safe for you too!
3. Use the secret key feature of WordPress – Some time back I wrote about the secret key feature of WordPress. It is a default feature and one should definitely use it: the random keys and salts in wp-config.php are mixed into the hashes that protect login cookies, so an attacker who gets hold of your database alone cannot simply forge a cookie, and regenerating the keys logs every existing session out. Make sure they are set to long random values rather than left at the placeholder text. It is definitely not the only solution, but it makes sense to implement it as well; small precautions like these only make your WordPress more secure!
4. Set proper file and directory permissions – One of the biggest loopholes starts right here. Every blogger should make sure the file and directory permissions match what WordPress recommends: directories 755, files 644, wp-config.php tighter still (600 or 440 depending on how your host runs PHP), and never 777 on anything, whatever a plugin's installation notes say. Permissions don't stop a script from seeing your folder structure through the web server, but they do limit what a compromised script or a neighbouring account on shared hosting can write, which is what turns a small hole into a defaced site.
5. The table prefix can be a weak point too – The table prefix is one of the important parts of WordPress' database (in fact of any database), and it is recommended not to use the default wp_ prefix, since the default is known to everyone and attackers' automated scripts and SQL injection payloads tend to assume it. This is obscurity rather than a real barrier (anyone who can run arbitrary SQL can look the table names up), so treat it as a small extra hurdle, not a fix. I've written a guide on how to change the table prefix that one can follow to strengthen the security; note that it is more than a one-line edit of wp-config.php, because the existing tables must be renamed and the prefixed entries in the options and usermeta tables updated along with them.
6. You thought only passwords should be secure; what about the username? – This is one of the few points where the WordPress community could do more to keep bloggers safe at installation time, and I hope someone works on it. By default WordPress creates a user named "admin". Most people leave it as it is, and unfortunately that is exactly what we don't want: it hands brute-force scripts half of the login and leaves them only the password to guess. Create a new administrator account with a name of your own, log in as that user, and then delete "admin" (attributing its posts to the new account). Here's the post that talks about securing WordPress by not displaying your actual username.
7. Make important folders inaccessible – If you thought that setting directory permissions was more than enough, then I would say it's just not that simple, mate! If the web server has directory listings enabled, anyone can browse wp-content/themes/ and wp-content/plugins/ and read off exactly which plugins and versions you run, which is the first thing an attacker wants to know. I suggest dropping an empty HTML file (make sure it is named index.html) into those folders, and into wp-content/uploads/ too. Whenever someone tries to view the contents of those folders, they'll be presented with a blank page and nothing else. Isn't that a smart move? Better still, turn listings off at the server with Options -Indexes in your .htaccess, since the blank page hides names but does not stop anyone who already knows a file's path from fetching it.
8. Keep your own computer free from viruses and malware – Say you borrowed a pen drive from a friend to copy a document and a while later realised your computer was infected because that pen drive was full of viruses. Would you blame your own computer for the mishap? Similarly, if your computer is infected with malware, the infection can ride along with the files you upload to your blog, or steal the FTP and WordPress passwords you type and upload files of its own, so it ends up on the server too. I would suggest using a good anti-virus and anti-malware scanner to avoid that kind of thing.
9. Use SSH instead of FTP – Plain FTP sends your username, password and every file in clear text, so anyone on the network path can read them. Most FTP clients also support SFTP, file transfer that runs over SSH: it looks and works like FTP, but everything you do on the server is encrypted, and the server's host key lets you notice a man-in-the-middle. If your host offers SSH, use SFTP (or SCP) and stop using plain FTP altogether. Here are some tutorials that you can go through to get a better understanding of SSH -
10. Up-to-date server environment – Alright, this one is not in your hands but in the hands of your web host. While choosing a web host, ask them which versions of MySQL, Apache and PHP they run and compare with the current releases on the respective project sites. One caveat: many hosts run distribution packages that keep an older version number but have security fixes backported, so a lower number is not automatically a vulnerable one; ask what they do about security updates rather than only what the version string says. If they are genuinely out of date, ask them to update (very unlikely to happen) or change web host ASAP – here's the guide to help you do that quickly.
11. Use robots.txt to keep robots out of important areas – Folders such as wp-admin and wp-includes don't need to be indexed by search engines, so it's better to tell robots not to crawl them. Keep two things in mind, though: robots.txt is advisory, so well-behaved crawlers honour it but attack scripts ignore it (and the file itself publicly lists the paths you care about), which makes it a tidiness measure for search results rather than access control; and disallowing all of wp-content can stop search engines from fetching your theme's CSS, JavaScript and images, so exclude only what really needs excluding. Here's a quick tutorial that'll educate you about the use of robots.txt.
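Several of the steps above (the secret keys in step 3, the permissions in step 4, the index.html files in step 7 and the robots.txt in step 11) can be applied and then verified from a shell on the server. The script below is an added example, not code from the original post or from WordPress itself. It assumes a Unix host where PHP runs as your own account (or can read files it owns), so 755 for directories, 644 for files and 600 for wp-config.php is the right policy; if PHP runs as a different user, wp-config.php needs 640 with the web server's group instead. The tree it builds under a temporary directory is a constructed stand-in, not a real blog, and the theme and plugin names in it are made up.

```shell
#!/bin/sh
# Added example (not from the original post or from WordPress): harden a
# WordPress tree on disk and verify the result. Run with WP_ROOT=/path/to/blog
# to harden a real installation; without WP_ROOT it runs on a constructed tree.
set -eu

# One 64-character random secret from /dev/urandom for a wp-config.php key/salt.
wp_secret() {
    head -c 48 /dev/urandom | base64 | tr -d '\n' | cut -c1-64
}

# Print define() lines for the eight keys and salts wp-config.php expects;
# paste them in place of the "put your unique phrase here" placeholders.
wp_secret_defines() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$name" "$(wp_secret)"
    done
}

# Folders whose directory listing would reveal installed themes, plugins and uploads.
LISTABLE_DIRS="wp-content/themes wp-content/plugins wp-content/uploads"

harden_wp() {
    root=$1
    # Empty index.html so an autoindex-enabled server shows a blank page.
    for d in $LISTABLE_DIRS; do
        if [ -d "$root/$d" ] && [ ! -e "$root/$d/index.html" ]; then
            : > "$root/$d/index.html"
        fi
    done
    # Keep crawlers out of the admin and library folders (advisory only).
    if [ ! -e "$root/robots.txt" ]; then
        printf 'User-agent: *\nDisallow: /wp-admin/\nDisallow: /wp-includes/\n' \
            > "$root/robots.txt"
    fi
    # Directories 755, files 644: readable by the web server, writable by the owner only.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the DB password and the secret keys: owner only
    # (assumption: PHP runs as the file owner; use 640 plus the server's group otherwise).
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Returns 0 when the tree matches the policy above, otherwise prints the number
# of violations and returns 1. Handy as a cron check after installing a plugin.
check_wp() {
    root=$1
    bad=$(( $(find "$root" -type d ! -perm 755 | wc -l) ))
    bad=$(( bad + $(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l) ))
    if [ -f "$root/wp-config.php" ]; then
        bad=$(( bad + $(find "$root/wp-config.php" ! -perm 600 | wc -l) ))
    fi
    for d in $LISTABLE_DIRS; do
        if [ -d "$root/$d" ] && [ ! -f "$root/$d/index.html" ]; then
            bad=$(( bad + 1 ))
        fi
    done
    [ -f "$root/robots.txt" ] || bad=$(( bad + 1 ))
    [ "$bad" -eq 0 ] || echo "check_wp: $bad violation(s) under $root" >&2
    [ "$bad" -eq 0 ]
}

# Constructed stand-in for a blog directory (NOT a real WordPress checkout):
# just enough structure, with deliberately loose permissions, to exercise the
# functions above. "mytheme" and "myplugin" are made-up names.
make_demo_tree() {
    root=$1
    mkdir -p "$root/wp-admin" "$root/wp-includes" \
             "$root/wp-content/themes/mytheme" \
             "$root/wp-content/plugins/myplugin" "$root/wp-content/uploads"
    printf '<?php // stand-in config\n' > "$root/wp-config.php"
    printf '<?php // stand-in plugin\n' > "$root/wp-content/plugins/myplugin/myplugin.php"
    chmod 777 "$root/wp-content/uploads" "$root/wp-content/plugins/myplugin/myplugin.php"
}

if [ -n "${WP_ROOT:-}" ]; then
    harden_wp "$WP_ROOT"
    check_wp "$WP_ROOT"
else
    demo=$(mktemp -d)
    make_demo_tree "$demo"
    if check_wp "$demo"; then echo "unexpected: loose tree passed the check"; fi
    harden_wp "$demo"
    check_wp "$demo" && echo "demo tree hardened under $demo"
    echo "--- paste into wp-config.php ---"
    wp_secret_defines
    rm -rf "$demo"
fi
```

Run it once with WP_ROOT pointing at the blog to apply the policy, then schedule check_wp alone from cron so that a plugin installer or a careless chmod 777 gets flagged instead of sitting there for months. The table prefix (step 5) and the admin username (step 6) are deliberately left out: both live in the database, and renaming tables or users with a shell script that has no view of the options and usermeta contents is how blogs get locked out.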
Other important reads that’ll enhance your knowledge about WordPress security
- Securing your WordPress install the foolproof way.
- Hardening WordPress.
- 11 ways to secure your WordPress blog.
- WordPress security whitepaper.
- 16 WordPress plugins to secure WordPress.
If you have written articles on WordPress security feel free to share it with us and we’d love to include it on our blog.