
Three-pronged approach to securing a WordPress installation

WordPress has become one of, if not the, most popular pieces of software for bloggers the world over. Its simple design has given millions of people the ability to create a blog that is easily customisable, and the themes and plugins freely downloadable from the Internet let anyone with little or no coding experience design their own site. This rise in popularity has not gone unnoticed by the darker side of the Internet: hackers, crackers and spammers are all looking for an easily exploitable website that they can break into and use for their own nefarious purposes.

1) The Basics

The greatest invitation you can give an attacker is a failure to keep your WordPress installation on the most current version. Older versions suffer from numerous publicly known security vulnerabilities that the current release has patched, and once a fix is public, attackers know exactly what to try against sites that have not applied it. Upgrading WordPress is a simple process: log in to the admin area and select ‘Updates’ from the Dashboard.

At the time of writing you should be running version 3.0.1.

It is also important to keep all your plugins and themes up to date. The Updates area of the Dashboard will tell you if a newer version is available, and it is worth checking regularly. Delete any plugins and themes you are not using: an inactive plugin's files remain on the server and remain reachable from the web, so an unpatched one can still be exploited.

A strong password is a must. Length and unpredictability matter far more than the presence of special characters. Replacing letters with look-alike digits and symbols, turning ‘hosting123’ into ‘H0$t1ng123’, adds very little real strength: password-cracking tools apply exactly these substitutions as mangling rules to every word in their dictionary, so the attacker is effectively still guessing ‘hosting’. Use a long passphrase or a randomly generated password kept in a password manager, and never reuse it on another site.
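To show why the substitution trick above buys so little, here is an added example (not code from the original article) that does what a rule-based cracker does: undo the common look-alike substitutions, drop a trailing run of digits, and check whether what remains is a dictionary word. The wordlist, the substitution table and the rule and suffix counts used for the guess estimate are constructed for this example, not measurements of any real tool.

```python
import math
import string

# Common look-alike substitutions, mapped back to the letter they stand for.
# Constructed for the example; real cracking rulesets are far larger.
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
            "$": "s", "@": "a", "!": "i"}

# Constructed stand-in for a cracking dictionary of a few hundred thousand words.
WORDLIST = {"password", "hosting", "wordpress", "welcome", "letmein", "hello"}


def normalise_leet(password):
    """Lower-case the password and undo look-alike substitutions ('H0$t1ng' -> 'hosting')."""
    return "".join(LEET_MAP.get(ch, ch) for ch in password.lower())


def strip_digit_suffix(word):
    """Drop a trailing run of digits ('hosting123' -> 'hosting'), another standard rule."""
    return word.rstrip(string.digits)


def candidates(password):
    """Base words a rule-based cracker would effectively be testing for this password.

    Both rule orders are tried, because stripping digits before undoing leet keeps
    'H0$t1ng123' intact, while undoing leet first would turn the '1' and '3' of the
    suffix into letters.
    """
    return {
        normalise_leet(password),
        strip_digit_suffix(password).lower(),
        normalise_leet(strip_digit_suffix(password)),
        strip_digit_suffix(normalise_leet(password)),
    }


def is_dictionary_based(password):
    """True if any cracker-style reduction of the password is a dictionary word."""
    return any(c in WORDLIST for c in candidates(password))


def apparent_bits(password):
    """Entropy the password would have if every character had been chosen at random."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    size = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(size) if size else 0.0


def effective_bits(wordlist_size, rule_count=64, suffix_space=1000):
    """Rough log2 of the guesses a cracker actually needs for a mangled dictionary word:
    dictionary size x mangling rules x 3-digit suffixes. The multipliers are assumptions
    for the example, chosen to be conservative."""
    return math.log2(wordlist_size * rule_count * suffix_space)


if __name__ == "__main__":
    for pw in ("H0$t1ng123", "P@55w0rd", "Tq7!vR2$pL9m"):
        print(f"{pw:14} looks like {apparent_bits(pw):5.1f} bits, "
              f"dictionary-based: {is_dictionary_based(pw)}")
    print(f"cracker needs about 2^{effective_bits(100_000):.1f} guesses per mangled word")
```

Run as a script, it reports that ‘H0$t1ng123’ looks like roughly 65 bits of random password but collapses to ‘hosting’, so the real work for the attacker is closer to 2^33 guesses, which a single modern GPU gets through quickly against an unsalted or fast hash; the random 12-character password survives the same reductions.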

2) The less information you give a hacker, the harder his job will be

A default WordPress installation will give away certain information that a hacker can use to formulate a plan of attack against your blog.

WordPress by default announces the version it is running in a ‘generator’ meta tag in the head of every page and in its feeds, and the readme.html file shipped in the web root states it too. This tells an attacker exactly which published vulnerabilities your blog is still exposed to.

The default administrator username is admin. An attacker who already knows the username only has to guess the password, and a successful brute-force attack gives full control of your blog. Create a new administrator account with a different name, log in as that account, and delete the original admin user, reassigning its posts to the new account when WordPress asks.

The default database table prefix is wp_. Changing it to something unique means that SQL injection payloads written against the default table names fail. On an existing installation this involves more than renaming the tables: WordPress also stores the prefix inside certain option names and user metadata keys, and if those are not updated every user loses their role. It is easiest to choose a prefix at install time, or to let a plugin handle the migration.

While making the above changes may sound daunting, especially to users who do not consider themselves “technical”, there are plugins that can be downloaded to do the job for you.
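For readers who prefer to make the database changes by hand, here is an added example (not from the original article and not a WordPress or plugin tool) that generates the SQL for the two database-side steps above: renaming the admin user and moving an existing installation from the wp_ prefix to a new one. The table list, the prefix and login character rules, and the sample names are assumptions made for the example; the wp_user_roles option and the wp_capabilities / wp_user_level metadata keys are the places WordPress embeds the prefix in row data. Take a backup before running the output, and update wp-config.php in the same maintenance window.

```python
import re

# Tables a stock single-site WordPress 3.x install creates (list constructed for the example).
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "terms", "term_relationships", "term_taxonomy", "usermeta", "users"]

# WordPress itself only allows letters, digits and underscores in $table_prefix.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")
# Assumed for the example: restrict names so the generated SQL needs no quoting logic.
LOGIN_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
DISPLAY_RE = re.compile(r"^[A-Za-z0-9 _.-]+$")


def is_valid_prefix(prefix):
    return bool(PREFIX_RE.match(prefix))


def check(value, pattern, what):
    if not pattern.match(value):
        raise ValueError(f"unsafe {what}: {value!r}")
    return value


def like_escape(value):
    """Escape LIKE wildcards so 'wp_' matches a literal underscore, not any single character."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def prefix_migration_sql(old, new, tables=CORE_TABLES):
    """SQL to move every core table and the prefixed row data from one prefix to another."""
    check(old, PREFIX_RE, "prefix")
    check(new, PREFIX_RE, "prefix")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # The roles option is named <prefix>user_roles; rename it or no role definitions load.
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';")
    # Per-user keys such as <prefix>capabilities and <prefix>user_level carry the prefix too;
    # SUBSTRING is 1-based, so position len(old)+1 drops exactly the old prefix.
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like_escape(old)}%';")
    return stmts


def wp_config_line(new):
    """The wp-config.php line that must match the renamed tables."""
    check(new, PREFIX_RE, "prefix")
    return f"$table_prefix  = '{new}';"


def rename_user_sql(prefix, old_login, new_login, display_name):
    """Rename a login. user_nicename (used in author URLs) and display_name (shown in bylines)
    are changed as well, and display_name is kept different from the login so that bylines
    do not reveal the new username."""
    check(prefix, PREFIX_RE, "prefix")
    check(old_login, LOGIN_RE, "login")
    check(new_login, LOGIN_RE, "login")
    check(display_name, DISPLAY_RE, "display name")
    return (f"UPDATE `{prefix}users` SET user_login = '{new_login}', "
            f"user_nicename = '{new_login.lower()}', display_name = '{display_name}' "
            f"WHERE user_login = '{old_login}';")


if __name__ == "__main__":
    print(rename_user_sql("wp_", "admin", "site_owner", "The Editor"))
    for stmt in prefix_migration_sql("wp_", "blog9_"):
        print(stmt)
    print("-- then in wp-config.php:", wp_config_line("blog9_"))
```

The statements are ordered so that the UPDATEs run against the already renamed tables; run the whole set in one transaction or with the site in maintenance mode, and check that you can still log in with your new administrator account before closing the window.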

3) Security Plugins

WP Security Scan http://wordpress.org/extend/plugins/wp-security-scan/
WP Security Scan will check your WordPress installation for the most common vulnerabilities and give suggestions as to how you can improve your security. It will ensure that your files are using the correct file permissions, remove the version information from the meta tags and test the strength of your password. It is recommended that you perform regular security scans of your WordPress installation.

Login LockDown http://wordpress.org/extend/plugins/login-lockdown/
This plug-in records every failed login attempt, along with the IP address of the computer used and a timestamp. Too many failed attempts within a short period result in that IP address being blocked from logging in to your blog for a while. Note that this only slows down an attacker working from a single address; one who spreads guesses across many machines, or spaces them out, stays under the threshold, so a lockout plugin complements a strong password rather than replacing it.
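The following added example (not the plugin's code) implements the logic a lockout plugin like Login LockDown applies, and runs it over a constructed login log so the effect is visible: an address that fails three times in quick succession is blocked even when it then presents the right password, while one that spaces its guesses out is never caught. The thresholds (3 failures within 5 minutes, 60-minute block), the log format and the addresses are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for this example (not read from the plugin's settings page).
FAILURE_THRESHOLD = 3            # this many failures ...
WINDOW = timedelta(minutes=5)    # ... within this period ...
LOCKOUT = timedelta(minutes=60)  # ... blocks the address for this long

# Constructed sample log, one attempt per line: "timestamp ip username result"
SAMPLE_LOG = """\
2010-10-01T10:00:00 203.0.113.7 admin FAIL
2010-10-01T10:00:05 203.0.113.7 admin FAIL
2010-10-01T10:00:09 203.0.113.7 admin FAIL
2010-10-01T10:00:12 203.0.113.7 admin OK
2010-10-01T10:01:00 198.51.100.2 editor FAIL
2010-10-01T10:30:00 198.51.100.2 editor FAIL
2010-10-01T10:59:00 198.51.100.2 editor FAIL
2010-10-01T10:59:30 198.51.100.2 editor OK
2010-10-01T11:05:00 203.0.113.7 admin OK
"""


class LoginLockdown:
    def __init__(self, threshold=FAILURE_THRESHOLD, window=WINDOW, lockout=LOCKOUT):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the block expires

    def attempt(self, when, ip, result):
        """Decide one login attempt: 'blocked', 'locked' (this attempt triggered the block) or 'allowed'."""
        expiry = self.locked_until.get(ip)
        if expiry is not None and when < expiry:
            return "blocked"          # even a correct password is refused while blocked
        if result == "OK":
            return "allowed"
        recent = self.failures[ip]
        recent.append(when)
        while recent and when - recent[0] > self.window:
            recent.popleft()          # forget failures older than the window
        if len(recent) >= self.threshold:
            self.locked_until[ip] = when + self.lockout
            recent.clear()
            return "locked"
        return "allowed"


def parse_line(line):
    timestamp, ip, user, result = line.split()
    return datetime.fromisoformat(timestamp), ip, user, result


def evaluate_log(log_text):
    """Replay a log in order and return the decision for each attempt."""
    guard = LoginLockdown()
    attempts = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return [guard.attempt(when, ip, result) for when, ip, _user, result in attempts]


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG.splitlines(), evaluate_log(SAMPLE_LOG)):
        print(f"{decision:8} {line}")
```

In the replay, 203.0.113.7 is locked on its third failure and its correct password at 10:00:12 is refused, but is let in again at 11:05 once the block has expired; 198.51.100.2 makes the same three wrong guesses spread over an hour and is never blocked, which is the gap a strong password has to cover.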

Stealth Login http://wordpress.org/extend/plugins/stealth-login/
Change the default login page to one of your choice. The first place an attacker will attempt to enter a password is the default http://www.exampleblog.com/wp-admin (which redirects to the standard wp-login.php page), and automated attacks are written against that address. Moving the login page removes your blog from such untargeted attacks, but it is obscurity rather than protection: anyone who finds the new address faces the same login form, so it is a supplement to a strong password and a lockout plugin, not a substitute for them.