
How to protect your WordPress site

July 6, 2007 | 11 Comments

Did you know that the standard WordPress installation is vulnerable to attacks from hackers? Well, it is, but fear not – there are steps you can take to protect your precious WordPress site/blog:

  1. WPDesigner gives tips on securing your blog. This includes:
    1. Staying updated – always make sure your site is running on the most updated version of WordPress.
    2. Make sure your wp-config file is not readable or writable by others. This is the file that ships as wp-config-sample.php in the installation package; you rename it to wp-config.php and fill in the details of the database you set up, so it holds your database credentials. If you don’t know how to change file permissions, WPDesigner points us to the WordPress codex entry on the subject.
    3. Delete install.php once you’ve finished installing WordPress.
    4. Protect yourself against comment spam. WPDesigner has links to four resources that can help you with this.
    5. Limit self-registration of users – users can subscribe to your site very easily by visiting your login page. Make sure that either you have set WordPress to not allow anyone to register, or that if you do allow registrations, they are limited to the lowest permission levels. Again, see WPDesigner for more info.
    6. WPDesigner suggests creating a new admin account with a unique password, and deleting the default admin account.
  2. See the entry on Hardening WordPress in the WordPress codex for more information on securing your WordPress site or blog.
  3. Securing your plugin directory: Bill Hartzer says that it is important to protect your WordPress plugins directory. His reason is that he doesn’t want people snooping around his plugins and seeing what he does with them, but I’m guessing that it’s also not great from a security standpoint to leave the plugins directory wide open, since an attacker can read off the list of installed plugins (and their versions) at a glance. Because the plugins directory does not have an index.html or index.php file in its root, anyone who browses to it will see all your plugins listed. So he provides some code for creating a simple index.html page to put in your plugins directory. Once it’s there, no one can snoop (at least not easily).
  4. Update July 17, 2007: Josiah Cole gives a detailed explanation of how to create a .htaccess file that will help you secure your site, and aid the site in handling traffic and visitors. His .htaccess file will do the following:
    1. Protects itself (security)
    2. Turns the digital signature off (security)
    3. Limits upload size (security)
    4. Protects wp-config.php (security)
    5. Gives access permission to all visitors with exceptions (security, usability)
    6. Specifies custom error documents (usability)
    7. Disables directory browsing (security)
    8. Redirects old pages to new ones (optional)
    9. Disables image hotlinking (bandwidth)
    10. Enables PHP compression (bandwidth)
    11. Sets the canonical or “standard” URL for your site (SEO, usability)
  5. Update Sept. 5, 2007: Follow these instructions at BlogSecurity to create an .htaccess file that restricts wp-content and wp-includes, and restricts access to wp-admin.
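The three file-system items from the list above (locking down wp-config.php, removing the installer, and putting an index file in the plugins directory) can be applied and checked with a short script. The following is an added example, not code from the original post, from WPDesigner or from Bill Hartzer. It assumes the standard WordPress layout under the directory you pass in (wp-config.php at the root, the installer at wp-admin/install.php, plugins under wp-content/plugins) and that you run it as the account that owns those files.

```shell
#!/bin/sh
# Added example (not from the original post): apply and audit the
# file-system hardening steps for a WordPress root given as $1.
# Usage: ./harden-wp.sh /var/www/blog   (path is a constructed example)

# Print the permission bits of a file (e.g. 644). stat -c is GNU,
# stat -f is BSD/macOS, so try both.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 1. wp-config.php holds the database password: owner read/write only.
#    If PHP runs as a different user than the file owner, 640 with that
#    user as the group is the usual alternative; both pass the audit.
lock_config() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || { echo "no wp-config.php under $1" >&2; return 1; }
    chmod 600 "$cfg"
}

# 2. The installer is only needed once; remove it after setup.
remove_installer() {
    inst="$1/wp-admin/install.php"
    [ -f "$inst" ] && rm -f "$inst"
    return 0
}

# 3. An empty index file stops the web server from listing the plugins
#    directory when directory indexing is enabled.
hide_plugin_listing() {
    dir="$1/wp-content/plugins"
    [ -d "$dir" ] || { echo "no plugins directory under $1" >&2; return 1; }
    [ -f "$dir/index.html" ] || printf '' > "$dir/index.html"
}

# Audit: one line per check; non-zero exit if anything is still open.
audit() {
    rc=0
    mode=$(perm_of "$1/wp-config.php")
    case "$mode" in
        600|640) echo "ok    wp-config.php mode $mode" ;;
        *)       echo "WARN  wp-config.php mode $mode (readable by others)"; rc=1 ;;
    esac
    if [ -f "$1/wp-admin/install.php" ]; then
        echo "WARN  wp-admin/install.php still present"; rc=1
    else
        echo "ok    installer removed"
    fi
    if [ -f "$1/wp-content/plugins/index.html" ] || [ -f "$1/wp-content/plugins/index.php" ]; then
        echo "ok    plugins directory has an index file"
    else
        echo "WARN  plugins directory can be listed"; rc=1
    fi
    return $rc
}

# Apply all three steps in order.
harden() {
    lock_config "$1" && remove_installer "$1" && hide_plugin_listing "$1"
}

# When run directly with a path, harden it and then print the audit.
if [ -n "$1" ]; then
    harden "$1" && audit "$1"
fi
```

Run `audit` on its own first to see what is open before changing anything; the audit accepts 640 as well as 600 because on hosts where the web server runs as a separate user, the file has to stay readable by that user's group.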

I am definitely going to make the above part of my list of things to do to every WordPress site. Better safe than sorry!
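For the two .htaccess items in the list (Josiah Cole's eleven-point file and the BlogSecurity advice to restrict wp-admin), here is an added example that writes a matching pair of .htaccess files; it is not Josiah Cole's or BlogSecurity's file, nor code from the original post. It assumes Apache 2.2-era syntax (`Order`/`Allow`/`Deny`, which Apache 2.4 replaces with `Require`) with mod_rewrite enabled and PHP running as mod_php; the domain example.com, the blocked address 192.0.2.10 and the admin address 203.0.113.5 are constructed placeholders to replace before use.

```shell
#!/bin/sh
# Added example (not from the original post): generate a site .htaccess
# and a wp-admin .htaccess for the WordPress root given as $1.
# Usage: ./write-htaccess.sh /var/www/blog example.com 203.0.113.5

write_htaccess() {
    root="$1"
    domain="${2:-example.com}"     # constructed placeholder domain
    cat > "$root/.htaccess" <<EOF
# 1. the file protects itself: nobody can fetch .htaccess over HTTP
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>

# 2. no server version banner on error pages
ServerSignature Off

# 3. cap request bodies (here 10 MB) so huge uploads cannot tie up the server
LimitRequestBody 10485760

# 4. wp-config.php is never served, whatever its file permissions
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

# 5. everyone may read the site except listed abusers (constructed address)
Order allow,deny
Allow from all
Deny from 192.0.2.10

# 6. custom error pages
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html

# 7. no directory listings (covers wp-content/plugins and friends)
Options -Indexes

# 8. an old URL redirected to its new home (optional)
Redirect 301 /old-page.html /new-page/

# 9. hotlink protection: images are served only to pages on this domain
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?${domain}/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]

# 10. gzip PHP output (needs mod_php)
php_value zlib.output_compression On

# 11. canonical host: send the bare domain to www
RewriteCond %{HTTP_HOST} ^${domain}$ [NC]
RewriteRule ^(.*)$ http://www.${domain}/\$1 [R=301,L]
EOF
}

# BlogSecurity-style restriction of the admin area to one address
# (constructed placeholder); wp-content and wp-includes are already
# covered by "Options -Indexes" above.
write_admin_htaccess() {
    admin_ip="${2:-203.0.113.5}"
    cat > "$1/wp-admin/.htaccess" <<EOF
Order deny,allow
Deny from all
Allow from ${admin_ip}
EOF
}

if [ -n "$1" ]; then
    write_htaccess "$1" "$2" && write_admin_htaccess "$1" "$3"
fi
```

Check the result with `apachectl configtest` (or simply by requesting /.htaccess and /wp-config.php and expecting 403) before relying on it; an IP allow-list on wp-admin also locks out anyone whose address changes, so keep a way to edit the file outside the browser.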



Category: Good Blogging Practice


Comments (11)


  1. [...] the site – follow this list of directions to add greater security to your WordPress blog or [...]

  2. Sarah Lewis says:

    Thanks for compiling this excellent list. I had overlooked a couple of these so I’m making changes already based on your info.

  3. zefranck says:

    Snooping the plugins directory seems to be the way PluginMeter.com works to build some statistics about the WordPress plugins usage in the world.
    For those who don’t want PluginMeter to display what plugins are used on their blogs, they suggest to install their own plugin…
    Why not, it is a good idea to have a real “World Wide Top of the plugins” in real time.

  4. [...] Here you will find good tips on what you should do after you have installed WordPress on your domain.. Read the tips here.. No Comments, Comment or [...]

  5. Miriam says:

    Sarah – I’m glad this list is helpful!

    Zefranck – Thanks for telling me about PluginMeter. I can’t figure out if it’s good or bad! On the one hand, it’s interesting to see what plugins are being used around the world, but on the other hand, do I really want them snooping around my plugins directory? The fact that installing their plugin is a possible solution is not so comforting.

  6. [...] How to protect your WordPress site [...]

  7. [...] few days ago I wrote a post about protecting your WordPress site. It was, in my opinion, an average post. Well, someone out there must have thought it was something [...]

  8. [...] fix for wordpress google sitemaps, wordpress design sandbox, wordpress plugin: blogroll page, how to protect your wordpress site, wp design sandbox, one simple way to protect your wordpress plugins, hardening wordpress, almost [...]

  9. [...] good-blogging-practice/how-to-protect-your-wordpress-site/ [...]

  10. Sajid says:

    Thanks for telling me about Plug-in METER. I can’t figure out if it’s good or bad! On the one hand, it’s interesting to see what plug-ins are being used around the world

  11. Thanks for compiling this excellent list.
    You can find at my site “Online WordPress Theme Making”. Check It…
