WordPress plugins, themes, tips and hacks

How to protect your WordPress site

July 6, 2007 – 6:44 am | by

Did you know that the standard WordPress installation is vulnerable to attacks from hackers? Well, it is, but fear not – there are steps you can take to protect your precious WordPress site/blog:

  1. WPDesigner gives tips on securing your blog. This includes:
    1. Staying updated – always make sure your site is running on the most updated version of WordPress.
    2. Make sure your wp-config.php file is not world-readable or writable. This is the file that ships as wp-config-sample.php in the installation archive; you rename it to wp-config.php and fill in the details of the database you set up. If you don’t know how to change file permissions, WPDesigner points us to the WordPress codex entry on the subject.
    3. Delete install.php once you’ve finished installing WordPress.
    4. Protect yourself against comment spam. WPDesigner has links to four resources that can help you with this.
    5. Limit self-registration of users – users can subscribe to your site very easily by visiting your login page. Make sure that either you have set WordPress to not allow anyone to register, or that if you do allow registrations, they are limited to the lowest permission levels. Again, see WPDesigner for more info.
    6. WPDesigner suggests creating a new admin account with a unique password, and deleting the default admin account.
  2. See the entry on Hardening WordPress in the WordPress codex for more information on securing your WordPress site or blog.
  3. Securing your plugin directory: Bill Hartzer says that it is important to protect your WordPress plugins directory. He says he doesn’t want people snooping around his plugins and seeing what he does with them, but I’m guessing that it’s probably not great from a security standpoint to leave the plugins directory wide open for hackers. Since the plugins directory does not have an index.html or index.php file in its root, anyone who browses to that directory will see a listing of all your plugins. So he provides some code for creating a simple index.html page to put in your plugins directory. Once it’s there, no one can snoop (at least not easily).
  4. Update July 17, 2007: Josiah Cole gives a detailed explanation of how to create a .htaccess file that will help you secure your site, and aid the site in handling traffic and visitors. His .htaccess file will do the following:
    1. Protects itself (security)
    2. Turns the digital signature off (security)
    3. Limits upload size (security)
    4. Protects wp-config.php (security)
    5. Gives access permission to all visitors with exceptions (security, usability)
    6. Specifies custom error documents (usability)
    7. Disables directory browsing (security)
    8. Redirects old pages to new ones (optional)
    9. Disables image hotlinking (bandwidth)
    10. Enables PHP compression (bandwidth)
    11. Sets the canonical or “standard” URL for your site (SEO, usability)
  5. Update Sept. 5, 2007: Follow these instructions at BlogSecurity to create an .htaccess file that restricts wp-content and wp-includes, and restricts access to wp-admin.
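As an added example (not Josiah Cole’s or BlogSecurity’s own file), here is a root .htaccess for Apache 2.2 that implements the eleven items listed under update 4 plus the wp-admin restriction from update 5. The domain example.com, the 10 MB limit, the error pages, the old/new page paths and the two IP addresses are placeholders to replace with your own values; on Apache 2.4 the Order/Allow/Deny lines become Require directives.

```apache
# 1. Protect this .htaccess file itself
<Files .htaccess>
    Order Allow,Deny
    Deny from all
</Files>

# 2. Turn the server signature off (no Apache version on error pages)
ServerSignature Off

# 3. Limit request body size, and so uploads, to 10 MB (placeholder value)
LimitRequestBody 10485760

# 4. Never serve wp-config.php, even if PHP handling breaks
<Files wp-config.php>
    Order Allow,Deny
    Deny from all
</Files>

# 5. Let all visitors in, with exceptions (placeholder address)
Order Allow,Deny
Allow from all
Deny from 192.0.2.10

# 6. Custom error documents (placeholder pages)
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html

# 7. Disable directory browsing (covers wp-content/plugins too)
Options -Indexes

# 8. Redirect an old page to its new address (optional, placeholder paths)
Redirect 301 /old-page.html /new-page/
RewriteEngine On

# 9. Disable image hotlinking: empty referer allowed, other sites refused
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [NC,F]

# 10. Enable PHP output compression (needs mod_php)
php_flag zlib.output_compression On

# 11. Canonical URL: send the bare domain to www
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

# Update 5 (BlogSecurity): refuse wp-admin to all but one address (placeholder)
RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC]
RewriteCond %{REMOTE_ADDR} !^192\.0\.2\.20$
RewriteRule .* - [F]
```

Test each rule after adding it: a request for /wp-config.php or /wp-content/plugins/ should return 403, and the server’s AllowOverride setting must permit FileInfo, Options and Limit for these directives to take effect.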

I am definitely going to make the above part of my list of things to do to every WordPress site. Better safe than sorry!

10 Responses to “How to protect your WordPress site”

  By Sarah Lewis on Jul 6, 2007

    Thanks for compiling this excellent list. I had overlooked a couple of these so I’m making changes already based on your info.

  By zefranck on Jul 6, 2007

    Snooping the plugins directory seems to be the way PluginMeter.com works to build some statistics about the WordPress plugins usage in the world.
    For those who don’t want PluginMeter to display what plugins are used on their blogs, they suggest installing their own plugin…
    Why not, it is a good idea to have a real “World Wide Top of the plugins” in real time.

  By Miriam on Jul 8, 2007

    Sarah – I’m glad this list is helpful!

    Zefranck – Thanks for telling me about PluginMeter. I can’t figure out if it’s good or bad! On the one hand, it’s interesting to see what plugins are being used around the world, but on the other hand, do I really want them snooping around my plugins directory? The fact that installing their plugin is a possible solution is not so comforting.

  By Sajid on Jun 5, 2009

    Thanks for telling me about Plug-in METER. I can’t figure out if it’s good or bad! On the one hand, it’s interesting to see what plug-ins are being used around the world
