How to Make WordPress More Secure
The following ideas will help make your WordPress installation harder to hack. None of them replaces the first two.
Upgrade WordPress to the latest version. If you’re using 2.7 or later, you can do this from the admin dashboard automatically by clicking “Please update now”, just under the header. This is the step that matters most: each release’s changelog tells attackers exactly which holes an older version still has.
Make sure all your plugins are upgraded to their latest versions. The plugins admin page tells you which of them need updating. Old versions can contain publicly known vulnerabilities. Delete plugins you no longer use rather than just deactivating them: a deactivated plugin’s PHP files are still on the server and can still be requested directly.
Just to make hackers work harder, get rid of the default “admin” user, which every password-guessing script tries first. Create a new user with administrator rights, and give it a nickname (the name displayed publicly on posts) that is not the same as the username, so the login name is not printed on every page. Then log out, log back in as the new user, and delete the original “admin” user; when WordPress asks, attribute its posts to the new account rather than deleting them. Be aware that WordPress still reveals usernames through author archives (for example /?author=1), so this raises the bar only a little. It supplements a strong password; it does not replace one.
Of course, use a strong password: long, with letters, digits, special characters, and upper and lower case, and not one you use on any other site. I use RoboForm to remember my passwords. There’s a free and paid version.
Another idea is to hide your WordPress version. Attack scanners read it to pick an exploit for that release, so it is worth removing where that is cheap, but it is not a substitute for upgrading: the version can still be fingerprinted from readme.html in the site root or from the contents of wp-includes. In your theme’s folder, open “header.php” and search for the generator meta tag, the line containing:
content=”WordPress ” />
Delete it. It has no useful purpose.
That alone is not enough. WordPress core itself (2.5 and later) prints the same generator tag through the wp_head hook, and a <generator> element in your RSS feeds, so it reappears even in themes that don’t hard-code it. Do not delete it from the core files: the edit is lost on the next upgrade, and a hand-edited core is harder to verify. Remove the wp_generator action from your theme’s functions.php instead, or use the WP Security Scan plugin, which does this automatically after you activate and run it.
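Here is what the functions.php approach looks like, as an added example that is not code from the original post or from the WP Security Scan plugin. The hook names (wp_head, wp_generator, the_generator, style_loader_src, script_loader_src) and remove_query_arg() are WordPress’s own; the function names prefixed ms_ are my own choices. Save it into your active theme’s functions.php, or as wp-content/mu-plugins/hide-version.php so it survives a theme change.

```php
<?php
/**
 * Added example (not from the original post): remove the WordPress
 * version from the places core prints it, without editing core files.
 * Hook names are real WordPress hooks; the ms_ function names are mine.
 */

// 1. The <meta name="generator" ...> tag in <head> is printed by core's
//    wp_generator() via the wp_head action, not only by header.php.
remove_action( 'wp_head', 'wp_generator' );

// 2. RSS and Atom feeds carry a <generator> element with the version.
//    Returning an empty string from the_generator filter suppresses it.
function ms_hide_generator( $generator, $type ) {
	return '';
}
add_filter( 'the_generator', 'ms_hide_generator', 10, 2 );

// 3. Stylesheets and scripts enqueued without their own version get
//    ?ver=<WordPress version> appended to every URL. Strip that query
//    argument so the version is not leaked in each asset link.
function ms_strip_version_query( $src ) {
	if ( $src && false !== strpos( $src, 'ver=' ) ) {
		$src = remove_query_arg( 'ver', $src );
	}
	return $src;
}
add_filter( 'style_loader_src', 'ms_strip_version_query', 15 );
add_filter( 'script_loader_src', 'ms_strip_version_query', 15 );
```

After activating it, view the source of your front page and your feed URL and confirm that the word “WordPress” followed by a version number no longer appears. Also delete readme.html from the site root (it states the version in plain HTML) and remember that each upgrade puts it back.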
Check to see if you have an .htaccess file in “wp-admin/”. Do not put the WordPress permalink rules there. Those rules look like this…
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
They belong in the .htaccess at the site root (http://www.yourblog.com/.htaccess), where WordPress maintains them between those same “# BEGIN” and “# END” markers. Copied into “wp-admin/” they protect nothing: all they do is send requests for files that don’t exist under wp-admin/ to your front page. A wp-admin/.htaccess is still worth having, but what belongs in it is an access restriction, either allowing only your own IP addresses or requiring HTTP Basic authentication in front of the WordPress login, so that a guessed or stolen password is not enough on its own.
It’s a good idea to hide your plugin listing. Check whether it’s hidden by navigating to http://www.yourblog.com/wp-content/plugins/. If it’s hidden you’ll see a blank page or a “403 Forbidden” error; if not, you’ll see every installed plugin listed by folder name. If you do, copy the following into a new .htaccess file and add it to your wp-content/ folder…
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# Prevents directory listing
IndexIgnore *
# END WordPress
The line doing the work here is “IndexIgnore *”, which tells Apache to leave every entry out of the listing; the rewrite rules above it are the site-root permalink rules again and can be omitted. Hiding the listing does not hide the plugins themselves: anyone can still request a file such as /wp-content/plugins/some-plugin/readme.txt by name, so it is a small obstacle, not a control.
If your web host won’t allow you to administer .htaccess files there’s a workaround. Instead of using an .htaccess file to hide the list of plugins, create an index.html file in wp-content/plugins/ (and in wp-content/ itself). You can write something about restricted access in there, if you like. Either way, the file is served instead of the listing. Current WordPress releases ship an empty index.php in these folders for the same reason.
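Here, as an added example that is not the .htaccess from the original post, are the two .htaccess files I would actually use for these folders. Both assume Apache with AllowOverride permitting Options and access-control directives (if your host doesn’t allow them, the first file produces a “500 Internal Server Error” and you should fall back to the index.html approach above). The address range 203.0.113.0/24 is a placeholder to replace with your own.

```apache
# Added example, not the original post's .htaccess. Two files are shown;
# copy each part into the folder named in its heading.

# ===== wp-content/.htaccess =====
# Turn off directory listings for this folder and everything below it
# (plugins/, themes/, uploads/). /wp-content/plugins/ then answers
# 403 Forbidden instead of listing what is installed.
# No rewrite rules are needed here; they belong in the site root.
Options -Indexes

# ===== wp-admin/.htaccess =====
# Restrict the admin area to your own addresses. 203.0.113.0/24 is a
# documentation range used here as a placeholder; substitute your own.
# Apache 2.2 syntax is shown; on Apache 2.4 use
#   Require ip 203.0.113.0/24
# in place of the three Order/Deny/Allow lines.
Order Deny,Allow
Deny from all
Allow from 203.0.113.0/24

# admin-ajax.php is called from the public site by many themes and
# plugins, so it must stay reachable for everyone.
<Files admin-ajax.php>
    Order Allow,Deny
    Allow from all
</Files>
```

After uploading, test from a browser on a different network: /wp-content/plugins/ should return 403, and /wp-admin/ should return 403 unless you come from the allowed range. If your own IP address changes often (a home connection, for instance), an IP allow-list will lock you out; use HTTP Basic authentication (AuthType Basic with an .htpasswd file) in front of wp-admin/ instead, keeping the same exception for admin-ajax.php.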
After you’ve done any or all of the above, back up again, because a few things have changed: your files with your FTP client, and your database with the wp-phpmyadmin plugin. Keep the copies somewhere other than the web server.
These few things will make your blog more secure and harder to hack.
Filed under: WordPress Plugin Tools Articles