Securing your worpdress install
Taking security measures for your blog is a must. Learning some security skills and spending a few hours applying them might save you tons of trouble and days and maybe weeks of wasted time.
With that in mind, I’m offering some easy-to-do, yet effective tips and tricks on how to secure your blog and protect your dear online belongings. I’ll start with a tutorial on securing WordPress blogs.
The following tips are arranged from easiest to trickiest:
1 – Don’t use “admin” as your username. Delete it once you have created your own username and assigned yourself administrator privileges.
2 – Use a strong password. Doh, make sure to include symbols and numbers, upper case and lower case letters. Also, think in passphrases, not just passwords. An example of an easy-to-remember passphrase is “i<3toblog” (but that one’s taken ;P).
3- Make frequent backups of your site, in case you lose your data. Most blogging platforms provide an easy way to export your posts. Web hosts also provide tools for backing up your sites. Set a schedule for this, and follow it.
4- Keep your WordPress installation and your plug-ins updated to the latest versions. Just be careful when updating, because sometimes plug-ins versions don’t keep up with WordPress versions.
5- Change your WordPress table prefix. When installing for the first time, you can specify your prefix as part of the install. A good strategy for making an attacker’s life a bit harder is not allowing them to know your table names.
6- In addition to your administrative account (not admin!), create a “posting user” that has no administrative privileges. In addition to protecting your blog from unscrupulous hackers, you’ll be protecting it from you! If someone managed to sniff your account or to use a keystroke logger, they will have minimum opportunities to damage your site. (A keystroke logger is a piece of software or hardware that saves everything you type on the keyboard.)
7- Limit login attempts. By limiting the number of false login attempts allowed, you will be able to avoid brute-force attacks or password guessing strategies. Here’s an example of a plugin that helps you do just that.
8- Create stealth logins. You can create your custom address to login to your blog. By not using the classic “myblog.com/wp-admin” path to get to your dashboard, you will give attackers a hard time trying to log in to your site even if they know the password. This will also help you avoid those bots that automatically subscribe to your blog. This page will help you with creating stealth logins and other security measures.
9- Encrypt your password before sending it to login. Sniffing people’s password from the network is a nasty trick that always works. No matter how strong your password is or how secure your site, if someone can scan the network for your login info, they might be able to gain access to your blog. That’s why it is a good counter measure to encrypt your password before sending it.
10- Use an onscreen keyboard to enter your password. You can avoid the typical keystroke logger’s trap by simply using an on-screen keyboard, where you don’t “type” your password but instead input it using a screen and a mouse.
11- Activate the Secure WordPressplugin. This nice plugin helps you do many nice tasks in one go, such as:
- removing error-information on the login-page
- adding index.php plugin-directory (virtual)
- removing the wp-version, except in admin-area
- removing Really Simple Discovery
- removing Windows Live Writer
- removing core update information for non-admins
- removing plugin-update information for non-admins
- removing theme-update information for non-admins (only WP 2.8 and higher)
- hiding wp-version in backend-dashboard for non-admins
- adding strings for use with WP Scanner
- blocking bad queries
Those are really simple and really easy to use steps that can help you increase the security of your WordPress site or at least make it really, really hard to hack. Safe blogging everyone!
Read More
Recent Comments