Published: 5 years ago

How to secure your WordPress blog

A couple of days ago, I decided to add a small JavaScript snippet to the footer of my blog, and by accident I found out that there was a hidden div with hundreds of links. Obviously someone had hacked into my blog and added those links to boost their PageRank at my expense.

After a few minutes of panic and desperation, I decided it was time to start securing my blog (something I’ve honestly been overlooking for a long time). Luckily, there are a lot of useful plugins that can help with this, and I’d like to share them with you.

First of all, it’s important to have periodic backups of both your files and your WordPress database. For the files, you can use the very creatively named plugin WordPress Backup. It performs regular backups of your uploads (images included), current theme and plugin directories. Backup files are available for download and can also be e-mailed to a specified address.

To back up my WordPress database I’m using WP DBManager. This plugin not only lets you back up your database, it also lets you optimize, repair, restore and delete it, and manage your tables. Like the plugin mentioned above, it automatically schedules database backups and optimizations.

Now it’s time to check your blog for security vulnerabilities and take corrective action. A very comprehensive tool for this is a plugin called WP Security Scan.

Here are a few things I learned from this experience:

  • Always update your blog to the latest version as soon as possible. If the WordPress folks have found out about an exploit, you can be sure hackers have too.
  • When you set up your database, change the prefix of your WordPress tables to something other than the default “wp_”.
  • Make sure your WordPress version is hidden (some plugins, like Secure WordPress, can do this for you).
  • Check that your database errors are turned off (WP Security Scan will check that for you). If they aren’t, ask your hosting company to turn them off for you.
  • Get rid of the Admin user: create a new user with administrator privileges and use that account to delete the Admin user.
  • In your blog’s wp-config.php file there are three KEY phrases that can be changed. You won’t need to remember them later, so make them long and complicated.
  • Make sure you have granted the right permissions to your WordPress folders (WP Security Scan will check that for you as well).
  • If you’ve already been attacked, check for any suspicious files or scripts that could be used as a backdoor (in my case there was a file called wp-atom2.php), and change your passwords.
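As an added example (not code from the original post), here is a small POSIX shell script that audits an install for several of the items above: the default table prefix, placeholder security keys, debug output that exposes database errors, loose wp-config.php permissions, and top-level PHP files that WordPress core does not ship. The core-file allowlist and the install path are assumptions.

```shell
#!/bin/sh
# Added audit script, not code from the original post. It checks an
# install for the items in the list above; the core-file allowlist and
# the install path are assumptions, adjust them to your WordPress version.
# Top-level PHP files shipped by WordPress core (assumed allowlist).
WP_CORE_FILES="index.php wp-activate.php wp-blog-header.php \
wp-comments-post.php wp-config.php wp-config-sample.php wp-cron.php \
wp-links-opml.php wp-load.php wp-login.php wp-mail.php wp-settings.php \
wp-signup.php wp-trackback.php xmlrpc.php"

# wp_audit DIR: prints one WARN line per finding; returns 0 if clean, 1 if not.
wp_audit() {
  root="$1"; cfg="$root/wp-config.php"; status=0

  # Default table prefix: change it so generic, prefix-dependent SQL
  # injection payloads no longer match your tables.
  if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
    echo "WARN: default table prefix wp_ in $cfg"; status=1
  fi

  # Security keys still set to the sample file's placeholder text.
  if grep -q "put your unique phrase here" "$cfg"; then
    echo "WARN: placeholder security keys in $cfg"; status=1
  fi

  # WP_DEBUG true shows database errors (table names, queries) to visitors.
  if grep -Eq "WP_DEBUG['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
    echo "WARN: WP_DEBUG is enabled in $cfg"; status=1
  fi

  # wp-config.php holds the database credentials: no access for "other".
  others=$(ls -ld "$cfg" | cut -c8-10)
  if [ "$others" != "---" ]; then
    echo "WARN: $cfg is accessible to other users (mode bits: $others)"; status=1
  fi

  # Any top-level PHP file not shipped by core (like the wp-atom2.php
  # backdoor mentioned above) deserves a closer look.
  for f in "$root"/*.php; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    case " $WP_CORE_FILES " in
      *" $name "*) ;;
      *) echo "WARN: unexpected file $name in $root"; status=1 ;;
    esac
  done
  return $status
}
```

Run it as `wp_audit /path/to/wordpress` and read the WARN lines; a clean install produces no output and exits 0.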

There are many more steps you could take, such as protecting your admin area via .htaccess or using a plugin like Login Lockdown to limit the number of login attempts from a particular IP address.

Is your blog secure? Is there anything in particular that you have done to protect it from hackers?

  • http://twitter.com/TheDudeDean The Dude Dean

    Don’t delete admin in WP MU.

  • http://www.resurrectyourhero.com Blanca Stella Mejia

    Murray (@murrayiz) was speaking about this at the Social Media workshop yesterday. Thanks for posting this.

  • Pingback: Securing your Wordpress blog | South Florida Web Marketing Blog