Improving Wordpress Security In Easy Steps
November 29, 2008 · Print This Article
Whilst Wordpress is a great publishing tool it does have it’s challenges and one of my greatest concerns is always security. The Wordpress team of developers do a good job of releasing regular fixes but as always hackers inevitably find loopholes and exploits in each new version. Left in its default state Wordpress can prove particularly vulnerable so here is a list of simply steps you can make to ensure your Wordpress blog or website is hacker proof.
Delete the Wordpress version information that appears in the header template.
This is the first step you should take as it tells hackers who view the source code of your Wordpress site what version your using. If they know the specific version then they may be able to exploit certain loopholes. Simply delete the string that looks like this (see below) in the particular theme folder you have installed.
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
<!– leave this for stats please –>
Ensure your plugins folder isn’t viewable.
Now this can be achieved in two ways you can simply upload an index file (i.e. index.html) in the plugins folder or make sure that directory browsing is turned off. If your using a web host that supports cPanel then this is straightforward as you can use the Index Manager to turn off indexing for the public_html folder where your web files are uploaded. If a hacker can see the plugins your using then they will be able to exploit potential loopholes in them.
Restrict access to your wp-admin folder.
If a hacker knows your using Wordpress then they will be able to guess the login url for the admin area and this will expose your Wordpress login page to a lot of punishment. So its best to restrict access to this folder via IP address. Now if you have a static IP address then great otherwise this maybe tricky as your ISP may change this frequently and you’ll have to manually change your IP each time. To restrict access you can use the .htaccess file with the following code uploaded to the wp-admin folder.
order deny,allow
allow from 127.0.0.1 # Change this to your particular IP address
deny from all
Stop wp-admin and wp-includes from being indexed by search engines.
This may seem hard to believe but its happened to me in the past so you’ll want to ensure you have your trusty robots.txt file set-up so that these folders aren’t crawled by search engine spiders or those pretending to be search engines. The code you’ll need looks like this (see below) and in should be uploaded to the root directory.
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Keep Wordpress up to date.
This may seem like a no brainer but its easy to lose track of what versions of Wordpress you have installed and on what sites. If you have a web host that supports cPanel then your in luck as upgrading is usually a one click process. If you don’t then you’ll have to upgrade manually. This doesn’t take too long and Wordpress has detailed upgrade instructions however if you have several websites to upgrade then it can be a pain.
Related articles:
Comments
Got something to say?
You must be logged in to post a comment.