With WordPress being so popular, it's no wonder that it has become a favourite target for attackers. A stock WordPress install leaves several doors open that, if you do nothing about them, make your site easy to compromise. But we all love WordPress and want to keep using it, so how do you stay secure?
Before you make any of the changes suggested below, back up your blog, in case you need to undo a change or an addition.
A few simple steps to a more secure WordPress:
1. Stay updated
Join the mailing list for release notifications and update as soon as a release is announced. Staying updated is the single most important, and easiest, thing you can do: once a security release is out, exploits for the bugs it fixes circulate quickly. Also, if you are running an older version of WordPress, don't announce it to the world. Remove the version string from your templates (the generator meta tag WordPress prints in the page head) so you are not advertising which published exploits apply to you. Treat that as hygiene rather than protection: hiding the version does not fix anything, and it is often guessable from other files anyway. Before upgrading, read the Upgrading WordPress section of the codex.
Staying updated also means keeping backups, so that if you do get hacked the site can be restored rather than rebuilt. A complete WordPress backup needs both the database and the files. Backing up the files is as easy as copying them to your computer with an SFTP client (avoid plain FTP, which sends your password in the clear). Backing up the database from your host's control panel can be fiddly, but a number of plugins automate and simplify the process. Whichever method you use, keep the copies somewhere other than the web server itself: an attacker who has taken over the server can delete or tamper with backups stored next to the site.
The following plugins can help automate the database backup process; visit their websites for more information:
Visit the WordPress codex for further details on backing up your website.
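If you would rather not depend on a plugin, the same backup can be scripted from the shell. The script below is an added example, not code from the original post or from WordPress: it reads the database credentials out of wp-config.php (so they are never typed on the command line, where they would show up in `ps` and shell history), dumps the database with mysqldump, and tars the files. The wp-config.php it parses at the bottom is a constructed sample so the credential parsing can be checked offline; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): back up a WordPress database and
# files from the shell, reading the database credentials from wp-config.php.
set -eu

# Print the value of define('NAME', 'value') from a wp-config.php file.
# Handles single or double quotes and optional whitespace inside the parentheses.
wp_config_value() {
  config="$1"; name="$2"
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$name['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$config" | head -n 1
}

# Write a timestamped database dump and file archive into $2 for the site at $1.
# Usage: wp_backup /var/www/blog /var/backups/blog   (placeholder paths)
wp_backup() {
  wp_root="$1"; dest="$2"
  config="$wp_root/wp-config.php"
  db_name=$(wp_config_value "$config" DB_NAME)
  db_user=$(wp_config_value "$config" DB_USER)
  db_pass=$(wp_config_value "$config" DB_PASSWORD)
  db_host=$(wp_config_value "$config" DB_HOST)
  # DB_HOST may carry a ":port" suffix; mysqldump wants it as a separate option.
  host="${db_host%%:*}"
  port_opt=""
  case "$db_host" in
    *:[0-9]*) port_opt="--port=${db_host#*:}" ;;
  esac
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$dest"
  # The password goes in via MYSQL_PWD so it is not visible in the process list.
  # $port_opt is deliberately unquoted: empty means "no extra argument".
  MYSQL_PWD="$db_pass" mysqldump --single-transaction -h "$host" $port_opt \
    -u "$db_user" "$db_name" | gzip > "$dest/db-$stamp.sql.gz"
  tar -czf "$dest/files-$stamp.tar.gz" -C "$(dirname "$wp_root")" "$(basename "$wp_root")"
  # The dump contains credentials and user data; keep it readable by the owner only.
  chmod 600 "$dest/db-$stamp.sql.gz" "$dest/files-$stamp.tar.gz"
  echo "$dest/db-$stamp.sql.gz $dest/files-$stamp.tar.gz"
}

# Constructed sample wp-config.php (not a real site) used to exercise the parser.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'blog_db' );
define('DB_USER', 'blog_user');
define( 'DB_PASSWORD', 'correct horse battery' );
define( 'DB_HOST', 'localhost:3306' );
EOF

# Run a real backup only when a site root and destination are given, e.g.
#   sh wp-backup.sh /var/www/blog /var/backups/blog
if [ "$#" -eq 2 ]; then
  wp_backup "$1" "$2"
else
  echo "Parsed from sample config: DB_NAME=$(wp_config_value "$SAMPLE_DIR/wp-config.php" DB_NAME)"
fi
```

Run it from cron as the account that owns the files, and copy the two archives off the server afterwards; the `--single-transaction` flag gives a consistent dump of InnoDB tables without locking the site while it runs.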
2. Permission your files
Make sure that wp-config.php is not world-readable or world-writable. It holds your database credentials and the authentication keys and salts, so anyone who can read it can connect to your database, and anyone who can write it can point your site at code of their choosing. Also delete wp-admin/install.php once installation is complete; bear in mind that a core update ships a fresh copy of that file, so check again after each upgrade.
The WordPress codex has an excellent walkthrough on setting file permissions here.
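The check and the fix can both be scripted. The script below is an added example, not code from the original post or from the codex walkthrough: it audits a site root for a world-readable or world-writable wp-config.php, a leftover installer and anything else writable by everyone, then applies the usual baseline (directories 755, files 644, wp-config.php 640). It assumes the standard layout with wp-config.php and wp-admin/ directly under the site root, and that you run it as the account that owns the files; the directory it operates on at the bottom is a constructed sample, not a real install.

```shell
#!/bin/sh
# Added example (not from the original post): audit and fix WordPress file
# permissions. Assumes wp-config.php and wp-admin/ sit directly under the root.
set -eu

# Report permission problems under $1. Returns 1 if wp-config.php is exposed.
audit_wp_perms() {
  root="$1"; status=0
  if [ -e "$root/wp-config.php" ]; then
    # -perm -004 / -002: the world-read / world-write bit is set
    if find "$root/wp-config.php" -perm -004 | grep -q .; then
      echo "EXPOSED: wp-config.php is world-readable"; status=1
    fi
    if find "$root/wp-config.php" -perm -002 | grep -q .; then
      echo "EXPOSED: wp-config.php is world-writable"; status=1
    fi
  fi
  if [ -e "$root/wp-admin/install.php" ]; then
    echo "LEFTOVER: wp-admin/install.php is still present"
  fi
  # Anything writable by everyone is a foothold for defacement or a webshell.
  # Symlinks are skipped because they always show mode 777.
  find "$root" -perm -002 ! -type l -print | sed 's/^/WORLD-WRITABLE: /'
  return "$status"
}

# Apply the baseline: directories 755, files 644, wp-config.php 640 and remove
# the installer. 640 lets the owner write and the web server's group read;
# use 600 instead if the web server user is also the file owner.
harden_wp_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chmod 640 "$root/wp-config.php"
  rm -f "$root/wp-admin/install.php"
}

# Constructed sample site (not a real install) in the state this section warns about.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/wp-admin" "$SAMPLE/wp-content/uploads" "$SAMPLE/wp-includes"
: > "$SAMPLE/wp-config.php"
: > "$SAMPLE/wp-admin/install.php"
: > "$SAMPLE/wp-includes/x.js"
chmod 666 "$SAMPLE/wp-config.php"      # anyone on the host can read and rewrite it
chmod 777 "$SAMPLE/wp-content/uploads" # a common sloppy "fix" for upload errors

echo "--- before hardening"
audit_wp_perms "$SAMPLE" || true
harden_wp_perms "$SAMPLE"
echo "--- after hardening"
audit_wp_perms "$SAMPLE"
```

On a real site, run the audit first and read the WORLD-WRITABLE lines before hardening: a shared host sometimes needs wp-content/uploads writable by the web server, and the right answer there is group ownership, not mode 777.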
3. Protect against comment spam
Spam is a danger to your blog and its visitors. Comment spam inserts unwanted content into your pages, typically links to scam or malware sites. One way of protecting against it is to use plugins that track comments and trackbacks, run them through tests to decide whether they are spam, and reject or approve them accordingly. This is not foolproof, though; depending on the size of your blog you may want to moderate comments personally, or limit commenting to specific posts.
Anti-spam plugins and additional resources on protecting against comment spam:
4. Limit self-registration of users
WordPress lets visitors register accounts for themselves, nominally so that they can post. Registration also lets them subscribe, which gives read-only access. Any role above Subscriber lets a self-registered stranger add content to your site, so either turn self-registration off (Options, General: uncheck "Anyone can register"; see screenshot below) or limit new registrations to the Subscriber role only.
5. Make sure your login information is unique
I'd suggest creating a new WordPress administrator account with a name of your own choosing and deleting the default admin account: everyone knows that username, so it hands attackers half of what they need to log in. When you delete the old account, attribute its posts to the new one so no content is lost. Pair the new username with a password that is unique to this site and hard to guess; check out the automated password generator to create one.
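The replacement can be done from the command line with WP-CLI. The script below is an added example, not code from the original post or from WordPress: it generates a random password from the kernel's random source (standing in for the password generator the post refers to), creates the new administrator with WP-CLI's `wp user create`, and then removes the old admin account with `wp user delete --reassign` so its posts move to the new user. It assumes WP-CLI is installed and that you run it from the site root; the login name and e-mail address passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): replace the default "admin"
# account with a uniquely named administrator carrying a random password.
# Assumes WP-CLI (the `wp` command) is installed and run from the site root.
set -eu

# Generate a random password of $1 characters (default 24) from /dev/urandom,
# restricted to letters and digits so it pastes cleanly anywhere. 24 characters
# from a 62-symbol alphabet is roughly 143 bits, far beyond any guessing attack.
gen_password() {
  length="${1:-24}"
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$length"
}

# Create a new administrator, then remove the default "admin" user if present,
# reassigning its content to the new account.
# Usage: replace_admin_user <new-login> <new-email>   (placeholders)
replace_admin_user() {
  new_login="$1"; new_email="$2"
  new_pass=$(gen_password 24)
  # Note: --user_pass puts the password in the process list for a moment;
  # acceptable on a single-user box, otherwise omit it and let WP-CLI print one.
  wp user create "$new_login" "$new_email" --role=administrator --user_pass="$new_pass" >/dev/null
  new_id=$(wp user get "$new_login" --field=ID)
  echo "Created administrator '$new_login' (ID $new_id). Password: $new_pass"
  echo "Log in as '$new_login' in a second browser before continuing."
  if wp user get admin --field=ID >/dev/null 2>&1; then
    old_id=$(wp user get admin --field=ID)
    wp user delete "$old_id" --reassign="$new_id" --yes
    echo "Deleted 'admin' (ID $old_id); its posts now belong to '$new_login'."
  else
    echo "No 'admin' account found; nothing to delete."
  fi
}

echo "Sample generated password: $(gen_password 24)"
# Only touch a real site when a login name and e-mail address are supplied, e.g.
#   sh replace-admin.sh jane.editor jane@example.invalid
if [ "$#" -eq 2 ]; then
  replace_admin_user "$1" "$2"
fi
```

Confirm the new account can log in before the old one is deleted; if the delete step fails half-way you still have a working administrator, and the reassignment means nothing authored by the old account disappears from the site.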
- Stay updated with your WordPress install.
- Permission your files.
- Protect against comment spam.
- Limit self-registration of users.
- Make login information unique.
Along with this post I’d recommend reading the other options available in Hardening WordPress. Don’t let your blog or website be vulnerable to attack.