7 Tips to Hackproof Your WordPress Blog


WordPress is the most popular blogging platform, bar none. It is very easy to use for both beginners and advanced bloggers, and it is free to use thanks to its large open source development community.

However, its popularity is a double-edged sword: it makes WordPress a target for hackers and rogue programmers who may inject code into your blog to open a backdoor or to steal information.

In order to protect your blog from malicious parties, I will highlight 7 steps you need to take to make sure you have the strongest security measures in place.

Please bear in mind that this guide will require you to make a few safe adjustments to your site, which you should be able to perform with minimal computer knowledge. However, please make a backup of your files and database before you begin, just in case.

Tip 1: Always keep WordPress updated

Firstly, it goes without saying that you need to regularly update your blog to the newest version in order to avoid being hacked. The WordPress team are constantly working on updates and patches as security issues arise, so keeping WordPress updated ensures you are protected against the known vulnerabilities those patches fix. The good news is that WordPress has made it very easy to stay updated through your back-end administration panel, as well as through your web host's cPanel, which is great if you have multiple blogs on the same hosting account.

Some users will rightly be concerned about incompatibilities with plugins and themes after updating WordPress. This is a legitimate concern, and you can do one of several things to make sure you do not end up with a broken site.

  • Check the plugin author's blog to find out whether the plugin is compatible with the new version.
  • Set up a test site on the same server with the same plugins and themes and a few test posts, and perform the guinea pig test there to check for compatibility before upgrading the live site.
  • Back up your whole database and all your files before a WordPress upgrade so you can roll back in case there are problems.

Tip 2: Set up an unbreakable username and password

WordPress sets the default admin username to ‘admin’, but I would advise you to change it to a unique nickname that is not publicly known anywhere; this makes it twice as hard for brute-force attackers, since they now have to guess your username as well as your password. If you have already set up your username as admin, you will need to create a second admin user, log in with that second account and change your main admin login information. Alternatively you can log into phpMyAdmin and change the wp_users table directly.

Exercise your right to use uppercase, lowercase, special characters, punctuation etc. in your password; the longer and more varied the characters you use, the harder it is for attackers to break in.

Install the Login-Lockdown plugin. It blocks an IP address from trying to log in after a set number of failed attempts [3 by default], which is a great way to prevent brute-force attackers from finding your password through repeated guesswork.

Tip 3: Use a secondary account for posting

Set up an account with a lower permission level, e.g. Author, for posting from a public computer or Wi-Fi connection. For more information on permissions, read the WordPress Codex page on Roles and Capabilities. Keep the display name different from the login name.

Using an Author-level account is ideal for posting from a public computer, as the account can only post, edit and delete its own posts. Should your login credentials be compromised, the attacker will not be able to install any plugins or modify the theme code to place malware on your blog.

Tip 4: Lock down your sensitive folders

Secure your wp-includes folder

If your server allows directory listings, the entire contents of this folder are visible to prying eyes. Check by browsing to yourdomain.com/wp-includes/

If a directory listing is shown, create an index.php file containing the code

<?php
// Send anyone who browses to wp-includes/ directly back to the site front page.
// Use the full "<?php" tag: the short "<?" tag only works if short_open_tag is on.
header( "HTTP/1.1 301 Moved Permanently" );
header( "Location: http://www.yourdomain.com" );
exit; // stop here so nothing else is output after the redirect
?>

and upload it to the /wp-includes folder.

Double Pass Security for your wp-admin folder

Use an htpasswd generator to create an MD5 password file, and use an .htaccess authentication creator to password-protect your folder. Once you have both files, check that there isn't already a .htaccess or .htpasswd file in your wp-admin folder.

NOTE: If either of these files already exists in the wp-admin folder, do not overwrite it; understand what it does and add the new .htaccess code at the appropriate position in the existing file.

Using double-pass security on your admin page is important: WordPress does not keep logs of when or how someone tried to log into your admin page, and .htaccess passwords are also less liable to be cracked.
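As an added example (not code from the original post), here is what the two .htaccess files behind Tip 4 can look like on Apache, assuming the host allows .htaccess overrides; the .htpasswd path is a placeholder, and the file should live outside the web root:

```apache
# --- wp-includes/.htaccess (added example, not from the post) ---
# Turn off directory listings for this folder whether or not an index.php
# exists. Needs "AllowOverride Options" (or All) in the server config.
Options -Indexes

# --- wp-admin/.htaccess (added example, not from the post) ---
# Second password prompt in front of the WordPress login form.
# /PLACEHOLDER/path/.htpasswd is a placeholder: keep the real file outside
# the web root and create it with:  htpasswd -c /PLACEHOLDER/path/.htpasswd youruser
AuthType Basic
AuthName "Restricted area"
AuthUserFile /PLACEHOLDER/path/.htpasswd
Require valid-user

# admin-ajax.php is called by front-end themes and plugins on behalf of
# logged-out visitors, so it must stay reachable without the extra password
# (Apache 2.4 syntax; on 2.2 use "Order allow,deny", "Allow from all", "Satisfy any").
<Files admin-ajax.php>
    Require all granted
</Files>
```

If any page on the public site breaks after adding the wp-admin rules, the admin-ajax.php exception is the first thing to check.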

Tip 5: Pick your plugins and themes carefully

Always stick to the plugins and themes hosted on wordpress.org; these are the ones available on the Search Plugins and Search Themes pages inside your WordPress administration panel. If you use premium themes and plugins from outside wordpress.org, do your research: look up reviews and search for background information to make sure they are legitimate and verifiable.

Plugins aren't as secure as the WordPress core; the more plugins you have, the higher the chance of bugs and conflicts, which can mean security issues lurking in your site.

Tip 6: Back up your WordPress blog periodically

For backup purposes a WordPress blog has two parts: the database, which holds all the posts and settings, and the website files, which contain the WordPress software, plugins, themes etc.

The most important element is the database. If you lose your database you lose everything, but if you have a copy of it you can at least rebuild your blog by reinstalling your plugins and themes. I use WP-Db-Backup to create scheduled weekly backups, which are then emailed to me. WP-Db-Backup is highly configurable, and I would suggest that you include all custom tables [those created by plugins]. The frequency of your backups should reflect how often you post: since I post a couple of times a week, I back up weekly, whereas busy blogs that receive frequent comments and several new posts a day may need daily backups.

It's also important to back up your files. I create monthly backups, as my files do not change that often. Use an FTP client like FileZilla to download all your files to your computer, zip them into one file and keep it backed up on CD or on an offsite server using an online backup service. Keeping backups offsite is important, and particularly so for people who blog from laptops and public computers.

NOTE: It is imperative to perform on-demand backups [of both files and database] before upgrading WordPress.

Tip 7: Install Security Plugins to scan for threats

Secure WordPress makes a few tweaks to your WordPress installation, mainly to hide clues that leak which WordPress version and plugins you are using; it also places index.php files in folders that do not have one so that third parties cannot view directory listings. This matters because attackers search for outdated WordPress versions or for the presence of vulnerable plugins in order to exploit known security loopholes.

WP-Security-Scan is also pretty good; most of the issues it checks are already covered by Secure WordPress, but it covers a few more.

Conclusion

Implementing these tips should help keep your WordPress blog away from hackers, and while I can't guarantee that you will never be hacked, at least you will have taken enough measures and made enough backups to prevent irreparable damage.

Guest post by Abdul Karim, a self-confessed internet geek and a fan of WordPress. Abdul Karim writes from online backup services, and is a keen MMA fan, swimmer and powerlifter.

One Response to “7 Tips to Hackproof Your WordPress Blog”

  1. Site Builder says:

    Great article, I’m glad I decided to read it. I particularly found the protection of my wp-includes helpful because they were definitely out there for anybody. It may have made me a little more paranoid than I need to be about my WordPress accounts, but better safe than sorry I guess.