How to Secure Your WordPress Blog

Securing, or as some have dubbed it, 'hardening', your WordPress site is important. Why? It keeps hackers out, and if you have guest writers, it makes sure they cannot take over your blog and boot you out. It also helps against spammers. If you are reading this article while doing a first-time installation (of a self-hosted blog, meaning you have an account with a web host and your own domain), make sure that your web host is up to date on things like PHP, MySQL and Apache.

If your web host uses cPanel, make sure that it is also up to date. Most web hosts will update if you ask. The up-to-date concept also extends to your WordPress install. If you are not running the most current version of WordPress, and the most current version of every plugin on your site, you are risking your site's security. According to Matt Mullenweg at WordCamp Chicago 2009, keeping your WordPress up to date is the first and most important thing to do. (paraphrasing)

Here are some steps toward creating a more secure WordPress.

How to Secure Your WordPress Blog – For Intermediate Users and Developers

1. Don't use an obvious username like "admin" for your site. It is the first thing attackers try before moving on to other usernames.

2. Make a strong password. Do not use an easy or common password; a mix of numbers and letters (both capital and lowercase) works well. Write these down in a dedicated 'book' of login information. It may be convenient to pick something you will remember, but there will be times when you are not feeling well and cannot recall your password.

3. Keep your WordPress install up to date with the most current version.

4. Keep all of your plugins, code snippets, and external scripts up to date.

5. Use user levels (roles) to limit what your guest writers can do. Even if you think they are nice and trustworthy, the strangest things can happen, such as a falling out, and if you have not set the user level you risk the integrity of the blog.

In fact, you can limit their access even further by installing the Role Manager plugin.

6. Use Akismet, or the Growmap Anti-spam Plugin (also known as GASP), to flush out the spam. Also, in your WordPress settings you can set IPs to deny, words to filter, and so on to keep out spammers.

7. Use your .htaccess file to restrict access to certain areas like wp-admin, wp-content and wp-includes, and to single files like wp-config.php. These steps are often called "hardening WordPress", and you can read more about them in the Codex if you wish.

To do this, you can write a new .htaccess file. Automatic installers like Fantastico Deluxe will often generate a .htaccess file for you. If you are using permalinks, you will have to keep that information in your .htaccess file; go to Manage>Files>.htaccess in your WordPress admin to get the code that retains your permalink structure. Here is a simple one that you can put together. It protects your .htaccess file, your wp-config.php file and your directories, and includes a little snippet to protect yourself from comment spammers. Just copy and paste the lines into your .htaccess file.

    # Step 1. Protect your .htaccess file itself
    # (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" in place of the two lines)
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    # Step 2. Protect wp-config.php
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

    # Step 3. Disable directory browsing
    # ("-Indexes" alone is enough; "Options All -Indexes" would also switch on every
    # other option, such as ExecCGI, which is the opposite of hardening)
    Options -Indexes

    # Step 4. Protect from comment spammers
    # A POST to wp-comments-post.php whose Referer is not your site, OR whose
    # User-Agent is empty, is sent back to the sender's own address.
    # Replace yourdomain.com with your own domain.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
    RewriteCond %{HTTP_REFERER} !yourdomain\.com [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
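As an added example (not code from the original post), the Python script below models the decision the Step 4 rules make and runs it over a few constructed Apache combined-format log lines, so you can see which comment POSTs the rules would have turned away and, just as importantly, how the [OR] groups the conditions: a POST to wp-comments-post.php is blocked when the Referer is not your site or the User-Agent is empty. The site name example.com and the log lines are constructed; the `strict` mode is an assumption of mine that anchors the Referer check to your host, which the substring match in the rule itself does not.

```python
import re

# Constructed Apache "combined" log lines (not real traffic) for a site at example.com.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Dec/2013:10:00:01 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.com/2013/12/a-post/" "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0"
198.51.100.7 - - [01/Dec/2013:10:00:02 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; SpamBot/1.0)"
198.51.100.8 - - [01/Dec/2013:10:00:03 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.com/2013/12/a-post/" "-"
198.51.100.9 - - [01/Dec/2013:10:00:04 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://spam.example.net/" "curl/7.30.0"
198.51.100.10 - - [01/Dec/2013:10:00:05 -0600] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.com.evil.net/" "Mozilla/5.0"
203.0.113.6 - - [01/Dec/2013:10:00:06 -0600] "GET /wp-comments-post.php HTTP/1.1" 405 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Dec/2013:10:00:07 -0600] "POST /wp-login.php HTTP/1.1" 200 512 "-" "-"
"""

# Apache combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def is_comment_post(method, path):
    """RewriteCond 1 and 2: a POST whose target is wp-comments-post.php."""
    return method == "POST" and path.split("?", 1)[0].endswith("/wp-comments-post.php")


def would_block(referer, agent, site_domain, strict=False):
    """RewriteCond 3 [OR] 4: Referer is not our site, OR User-Agent is empty.

    Apache logs a missing header as "-", so both "" and "-" count as empty.
    """
    referer = "" if referer == "-" else referer
    agent = "" if agent == "-" else agent
    if strict:
        # Anchored check (my assumption): host must be site_domain or a subdomain of it.
        pattern = r"^https?://([^/]+\.)?" + re.escape(site_domain) + r"(:\d+)?/"
        referer_ok = re.match(pattern, referer) is not None
    else:
        # The rule on the page does a plain substring match on the domain.
        referer_ok = site_domain in referer
    return (not referer_ok) or agent == ""


def audit(log_text, site_domain, strict=False):
    """Classify every line; return (counts, IPs of comment POSTs the rule would block)."""
    counts = {"blocked": 0, "allowed": 0, "other": 0, "unparsed": 0}
    blocked_ips = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        r = m.groupdict()
        if not is_comment_post(r["method"], r["path"]):
            counts["other"] += 1
        elif would_block(r["referer"], r["agent"], site_domain, strict):
            counts["blocked"] += 1
            blocked_ips.append(r["ip"])
        else:
            counts["allowed"] += 1
    return counts, blocked_ips


if __name__ == "__main__":
    for mode in (False, True):
        counts, ips = audit(SAMPLE_LOG, "example.com", strict=mode)
        print("strict" if mode else "loose ", counts, ips)
```

The line from 198.51.100.10 is the one to notice: its Referer contains the string "example.com" but points at a different host, so the substring match in the rule lets it through while the anchored check blocks it. Since the Referer is sent by the client, this rule is a nuisance filter for careless bots, not a guarantee; Akismet or GASP still does the real work.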

Optional Hardening

Disallow and protect individual files

When you have done this, test your website to make sure these directives are working properly; do that after every change you make. It is also advisable to take a full backup before making these changes.
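One way to do that testing, as an added example that is not part of the original post: the Python checker below requests each path that Steps 1 to 3 should have closed off and sends one comment POST with no Referer and an empty User-Agent, expecting the 403 and 301 answers the rules above produce. The default URL http://example.com, the list of paths and the `fetch` hook (which lets the checks run without a network) are my assumptions; pass your own site's URL on the command line.

```python
import sys
import urllib.error
import urllib.request

# Paths Steps 1-3 should make unreachable (my assumption; extend it for your install).
FORBIDDEN_PATHS = ["/.htaccess", "/wp-config.php", "/wp-content/plugins/", "/wp-includes/"]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the 301 from the spam rule is the answer we want to see."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, method="GET", headers=None, data=None):
    """Fetch one URL and return only its HTTP status code (0 if the connection failed)."""
    req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:      # 3xx/4xx/5xx arrive here
        return err.code
    except urllib.error.URLError:              # DNS or connection failure
        return 0


def check_hardening(base_url, fetch=http_status):
    """Run every check; return {check name: (passed, status)}."""
    base = base_url.rstrip("/")
    results = {}
    for path in FORBIDDEN_PATHS:
        status = fetch(base + path)
        # 403 is what "deny from all" and -Indexes produce; a 404 also means nothing is served.
        results[path] = (status in (403, 404), status)
    # Step 4: a comment POST with no Referer and an empty User-Agent should be turned
    # away: 301 by the rule as written, 403 if you changed it to a forbid.
    status = fetch(base + "/wp-comments-post.php", method="POST",
                   headers={"User-Agent": "", "Content-Type": "application/x-www-form-urlencoded"},
                   data=b"comment=test")
    results["comment POST without Referer/UA"] = (status in (301, 403), status)
    return results


def report(results):
    """Render one PASS/FAIL line per check."""
    return "\n".join(f"{'PASS' if ok else 'FAIL'} {status:>3}  {name}"
                     for name, (ok, status) in results.items())


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "http://example.com"  # assumed default
    res = check_hardening(site)
    print(report(res))
    sys.exit(0 if all(ok for ok, _ in res.values()) else 1)
```

Run it once before and once after editing .htaccess: the "before" run should show 200 on wp-config.php (the file is served, even if PHP renders it as a blank page) and the "after" run 403 everywhere. A 500 on every path usually means the host does not allow `Options` in .htaccess, which is the first thing to check before restoring your backup.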

You may even want to try blocking bad bots. Perishable Press has a great list of bad bots you can block; you just need to copy their list and paste it into your .htaccess file.

How to Secure Your WordPress Blog – For Basic Users

If you're not code savvy and the above information just about scares the poo out of you, don't worry, there are plugins that can help! There are two really good WordPress security plugins on the market: Better WP Security and Wordfence. They are not much different, so I'll give a quick recap of Better WP Security.

[Screenshot: Better WP Security scan results roadmap]

Above is a screenshot of the results after a scan with Better WP Security.

Some other features of Better WP Security are:

  • Removes the generator meta tag
  • Changes the URLs for the WordPress backend, especially login and admin
  • No more being logged in forever
  • Restricts theme, plugin and core update notifications to the roles that are allowed to see them
  • Does away with the Windows Live Writer header information
  • Does away with the RSD header information
  • Renames the account named "admin" if one exists
  • Changes the ID number of the user with ID 1 if such a user exists
  • Changes the WordPress database table prefix from wp_ to something else
  • Changes the path to the wp-content folder
  • Locks down login
  • Bans bad bots
  • Enforces stronger user passwords
  • Throttles brute-force attacks from bad user agents

…and much more.

Both Better WP Security and Wordfence are very comprehensive, even in their free versions, and give you a roadmap of the things you have to do to make your site secure. Some of the suggested fixes the plugin can even apply for you. :)

Here are some other resources on securing your WordPress blog:

If you believe you've been hacked, you can scan your site at Sucuri, or install a plugin like Better WP Security or Wordfence, as mentioned above. Again, the plugins offer an option to scan your site and give you a roadmap toward securing it. Your other option is to tell your web host that you might have been hacked and ask them to scan the server.

Do you have any extra suggestions that should be added?

(Updated December 1, 2013)


About Nile

Nile is a 33 year old female from Southern Illinois and the mother of one son. She is also a web designer and developer, a graphic designer, and a public speaker who designs and develops exclusively using WordPress. She is currently a student working toward a Bachelor's in Business. She also blogs at FamousBloggers.net and her very personal site, Blackish.net.

Comments

  1. Securing a blog is the first thing a blogger should do.

  2. Great tips, Nile!! I love this :) and thanks for the post :)

  3. Great tips, Nile! I need to add the codes to my files.

  4. Hi Nile

    Your post is really useful for learning about securing a WordPress blog from malicious attacks. Changing the default administrator username, keeping stronger passwords and defining user-level access is definitely the first configuration any blogger must do. I'm thankful especially for those hints about the code required to tighten the security. I was using plugins to tighten the blog security, and now I hope I will be able to configure it better using the .htaccess file. Thank you for the awesome post.

    • I like to use the more developer approach and not use plugins. Aside from using htaccess and robots, I also have a list to block bad bots.

  5. Great tips as always Niles. I’ve been using Bulletproof Security and have had no issues (knock on wood!). I began using LastPass a few months ago and that has also helped and made me feel a bit more secure, but with the latest news about passwords being leaked for Facebook, Gmail and Twitter I’m thinking I will make it a priority to change all of my passwords before the end of the year – just in case.

    • That’s great. I know that Bulletproof security plugin is not too bad and quite a few use it. I listed the 2 that I felt were the most helpful.

      I usually recommend changing passwords at the latest… every 90 days.

  6. Hi Nile

    This is a great method to secure our WordPress blog. I have been hacked and was not able to recover my data because it was my beginning stage; later, a great blogger helped me to recover my data and taught me how to secure the data. Really, your post can give ideas to all bloggers.

  7. Hello Nile! I did install the Better WP Security plugin but have never run a scan. I suppose this is something I should do, huh? I still have not updated to WordPress 3.7.1 nor any of my plug-ins for a while now!! This is a great reminder; I did just write it on my To-Do List for this week. Thanks for sharing.. Chery :))

    • You definitely need to update your WordPress install. We are nearly at WordPress 3.8 now, and stable. Once you update everything, then do the scan. :)

  8. kilat aryanto says:

    I also use WordPress. Nice post. My friend says that to make a password you can combine letters, numbers and symbols. He says a password with that combination will be very difficult to hack.

  9. Marketing needs always guts to perform on a big scale.
    I appreciate you raised the right points.

  10. Hey Nile, what great information you have. I like this. I came here by mistake, but now I realize it's not a mistake, it's my luck. Thanks for sharing :)

  11. Thanks Nile for your post. After reading your post I have enabled Better WP security which was disabled by default when I changed my domain. The best way to prevent hackers and bots is to implement captcha on the login page.

    • Actually, the best method is not to allow registration if you aren’t allowing subscribers to your blog and any authors, you should manually create. You don’t need the Captcha in place if you have a security plugin as it has things in place to lock down and block bots.

  12. Nile,

    On one of my servers, 3 web sites were blocked last week. It seems that 2 of the sites that I don't often use had either outdated plugins or WP had not been updated. The hosting company did the scan, since I was unable to access the site or the cPanel.

    I am not as technically savvy as you are, and I noticed that with these security packs I also need to enable certain things. It can be confusing. My current issue is to choose a backup for my recent blog site. Any suggestions of which might be the best plugin?

    • The biggest thing is to keep your WordPress site and your plugins up to date. Any plugins or themes you aren't using, remove them.

      BackUp Buddy (paid) or Back WP Up (free) are good for backing up WordPress. Just a note though, I really only recommend having these plugins activated when you are using them… it's better to just conduct the backup once or twice a week as the scheduling feature is not always honored.

  13. Great.. I never actually looked at security of my blog until it was hacked last month. I appreciate the efforts you put in making this amazing post so much useful. Thank you very much :-)

  14. WordPress blogs are more vulnerable than Blogger blogs, that's why we should make sure to make them more secure.
    And that's awesome information for doing just that! :)

    Thanks for sharing such a good article, do keep it up please.
    I'm a loyal visitor to this great blog :)

  15. Terrific tips Nile! I learned the hard way a long time ago how important it is to secure your site. I was hacked and it took hours of work to get it back up and running. What a nightmare!

    I’ve used WP Security and Wordfence and since installing haven’t had a problem. It’s well worth the time to ensure your site is secure.

  16. Nile,
    as always, so much to learn here in your blog.. it is amazing for me to just imagine all that you write about, and securing the WP blog was interesting since I never thought of any of this so far hhaah :-)

    I find this info very useful to learn about how to secure the WP blog from attacks.

    I did change the password, and something different than admin was something that someone else suggested and I did it right away… but the rest.. well, I am doing it slowly, since I can only learn some at a time.

    Thanks so much for sharing so much knowledge…and useful information.
    _nickc

  17. Great share Nile , really an informative post , pretty interesting to read too ..Thanks for sharing with us

  18. Hi Nile,

    I hope your readers take your security advice seriously! I’ve been fortunate not to be hacked, but it wasn’t for lack of trying. Hackers were hitting GrowMap so much it was impacting the other sites on the server – and it is currently on the largest dedicated server at HostGator! Their brute force logging in attempts were continuous starting Friday night through Sunday. (I guess they thought they would be less likely to be stopped manually using Wordfence.)

    • Gail, it was because HostGator let themselves be compromised and they took nearly a whole month to fix the problem at the hub. They also provide a level of security as required of them, but they’ve been really horrible about it.

  19. Security of your blog is the first thing that matters the most. If your blog is insecure then there is no point in blogging. WordPress blogs are the ones that suffer most from these kinds of hacking attacks; Blogger blogs are quite secure because they are hosted on Google's servers. Thanks for sharing this information with us. Hope you would share content like this more and more.

  20. Great advice, Nile! A couple of tricks I use are:
    1. Use Softaculous rather than Fantastico to install WordPress, because this allows you to set the admin name to something other than "admin" and also to change the file prefix to something other than "wp_". Both of these inhibit hackers.
    2. I use the BulletProofSecurity plugin to manage the .htaccess file (and others). It takes a bit of setting up the first time, but is pretty secure and very easy to update.
    3. I also use the paid version of Sucuri, because even with all that some of my sites get attacked. I used the free version to try it, and then upgraded when I needed to.
    Hope this helps
    Alan

  21. Hi Nile,

    You have shared some “valuable” information here about blogs. I don’t think some people realize how important it is to keep you blog secure.

    Thank you again, Monna

    Have a great day.

  22. Thanks for sharing these wonderful tips. Securing the WordPress blog is a major concern, and I was not aware that we need to restrict the .htaccess file as well. I always thought that some plugins to secure WordPress were enough.

  23. Hi Nile,

    Thanks for sharing these security tweaks. These are simple tweaks, but without fixing them they lead to some serious vulnerabilities.

  24. Hi Nile, thanks for this information. I had been suffering from hacking issues on my blog, but now I updated my wp-config & .htaccess file & I'm feeling secure.

  25. Very good info. Very useful. Thanks and keep posting this type of stuff.

  26. Great tips Nile. I would also recommend to completely remove inactive themes and plugins. Hackers can also manipulate them to get into a blog.

  27. Every blog post should have good content, and that content should briefly describe the title of that blog. Thanks for sharing. Just like I wrote about Valentine's Day in my blog.

  28. As we know, WordPress is the best platform and also the most widely used platform to start a blog.
    So there should be security in it..
    You have shared such great security tips.. I really like them and now will implement them on my blog.

  29. Hey Nile
    Thanks for explaining this most valuable information to us, as WordPress security is the most important thing for bloggers and webmasters. I am using the "Better WP Security" plugin for the security of my WordPress blog.

  30. Thanks for these tips! Sometimes I get paranoid about someone hacking my site. But I’m glad that I’m already doing most of the tips here. :) Btw, love the color combination of your blog! <3

  31. I am afraid of playing with the .htaccess file because my whole site was destroyed because of some minor changes I made. I think a video tutorial on this would be really awesome for a non-coder like me to work things out.
    Thanks mate!

  32. Nitta Roy says:

    Dear Niles!
    That is a wonderful article for every WordPress blog/site user. A blog that has been hacked can suffer from loss of content, stolen data and expensive downtime. Maintaining the security of our blog helps us protect our reputation and provide our visitors with the best service possible.

    Because WordPress is such a popular platform for blogging, it’s a regular target for hacking attacks launched by people who find and exploit weaknesses and vulnerabilities in websites.
    your best regards

  33. The problem with WordPress is that it's easy for anyone to see what type of plugins you are using by visiting the wp-content/plugins folder. To keep potential intruders from finding out the plugins that you use, you can create an empty 'index.html' file and place it in your plugins folder.

    Better WP Security is a great plugin but it's not working on multisite.

  34. A better article on WP security, though most of my friends will still not be able to implement your hacks in .htaccess. WP Better Security is a must-have plugin for any WordPress site. What is your opinion on hardening your WordPress security and then deleting the WP Better Security plugin?

  35. Thank you for these helpful tips. Recently a group of hackers attacked my blog, so these tips are very valuable for me..

  36. I'm still on WP.com and each time I add a post I see this notification on top that asks me for two-step authentication. I think I have Akismet already. Would this be necessary?
    I'm planning to get self-hosted this month so I am very glad I found your site. Great blogging resource!

    • The cool thing about being on WordPress.com is that they do have a layer of security in place. You usually only need what they provide, their 2-step notification and Akismet. When you go to self-hosting, you will have to put some of these suggestions in place for your website. Oh, and I host for as low as $40 a year as well on my dedicated server. ;)

  37. Great tips thanks a lot for sharing them

  38. Hi Nile,
    This such an excellent article with a lot of great tips and resources. Thank you for a very detailed write up on WordPress Security.

    By the way, I use Sucuri for protecting my WordPress and I also use their WordPress plugin to protect my installations. In that case, what I would like to ask you is, how do you compare Wordfence or Better WP Security with Sucuri's plugin, and do you think what I am doing is better, the same, or worse?

    Thank you for putting some light on this.

    Regards,
    Kumar

  39. I always spend half an hour reading this website's articles or reviews daily, along with a cup of coffee.

  40. nice post. i like your work……….
