WordPress Security

September 14, 2009


In light of recent events I managed to find time to look a lot more closely at the security of my WordPress blogs and was surprised to find that although I had done a lot to square things away pretty well, there was actually a lot more that I could be doing.

Fortunately none of it is too difficult and hopefully this will save you some research time.

The most important thing to remember is to keep your installation up to date. It can be a royal pain if you use a lot of plugins, because invariably the latest version of WP will cause issues with some of them until the plugin developers get around to updating their add-ons too. However, that is just the way it is, and it is better to keep your WP current than to wait around for the occasional plugin to catch up.

I had long ago learned of some of the most obvious precautions to take with WordPress but it is surprising how many people are unaware of many of them.

Since writing this post things have been made much easier for you with the introduction of the BulletProof Security Plugin. It’s free although there is a premium version available too. It installs quickly and easily and plays nicely with most other plugins. I recommend every WordPress user install this one.

If you choose to use the aforementioned plugin, most of the following will have been taken care of, but if you prefer to keep plugin use to a minimum, these simple manual steps will make your blog far better than 95% of others in terms of basic security.

Protect your WP admin Area using .htaccess – Sadly this blog is no longer updated by its owner but this post is still a nice easy explanation.

Protect your plugins directory from snoopers. If you can type the path to your plugins directory into a browser, so can everyone else. By doing so they can see a full directory listing of the plugins you have installed. This is easy to remedy. You can either upload a blank index file to the directory or, if you are on cPanel hosting, turn off indexes from there. Just go to the index manager in cPanel and you will see how you can turn off indexes for specific directories. Alternatively, you can add the following line to your .htaccess file:

Options All -Indexes

Now, these are just basic measures but they will deter many idle hackers who will move on to easier pickings. There are also various WordPress plugins that you can use to beef up your security even further.

BadBehavior was a plugin that I resisted using for a long time as there seemed to be so many issues with it but I eventually gave in and installed it. Judging by the number of suspicious things it blocks, I’m glad I did and so far it seems to be functioning in harmony with everything else.

Other plugins you may find beneficial are:

WP Security Scan

WordPress Firewall (Do not use this in conjunction with BulletProof Security)

WordPress Exploit Scanner

Anti Virus For WordPress

Whether you choose to use one or all of the above, none of them will be a waste of time and all have helped me to ensure that my WP installation is as secure as I can possibly make it. The Firewall plugin has stopped several potential SQL injection attacks already. The Anti virus is a bit oversensitive at times but there are plenty of settings to fine tune its performance to suit.

There are other things you can do with .htaccess too. For example, you can prevent access to your wp-config file and you can also protect the .htaccess file itself (see above regarding the BulletProof Security plugin, which will take care of this for you).
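
The rules mentioned above, written out as an added example (not from the original post and not taken from the BulletProof Security plugin). It assumes an Apache server, an .htaccess file in the same directory as wp-config.php, and a host whose AllowOverride setting permits these directives; the two branches cover the Apache 2.4 and Apache 2.2 access-control syntax.

```apache
# Added example. Assumes this file sits next to wp-config.php and that the
# host allows Options and access-control directives in .htaccess.

# Turn off automatic directory listings. "-Indexes" on its own removes
# listings without switching any other option on, whereas "All" enables
# every option except MultiViews before Indexes is removed again.
Options -Indexes

# Refuse every web request for wp-config.php. WordPress itself reads the
# file from disk through PHP, so the site keeps working.
<Files "wp-config.php">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Refuse requests for .htaccess itself and for any .htpasswd file used
# to password-protect the admin area.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After uploading, request wp-config.php, .htaccess and the plugins directory in a browser; each should return 403 Forbidden. A 500 error on every page means the host does not allow one of these directives in .htaccess.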

For a full list of WordPress Security Plugins and choices head over to the plugin repository.
