You have probably heard firsthand about someone who had their Wordpress site hacked. There are several steps you can take to prevent this from happening to you.
Things You Need to Know About Wordpress Security
I recommend Wordpress to all my clients looking for a blog or CMS website. It has fantastic features and is one of the best solutions for combining ease of use for beginners with flexibility for power users.
However, like all websites, Wordpress is not a ‘set and forget’ solution. There are several steps you can take to keep your site safe, both when setting up your Wordpress site and during its day-to-day operation.
One of the best parts about hosting your own blog is that you have full access to set it up and tweak it just how you like it, making your own installation as secure as you can.
Tips to Keep Your Wordpress Blog Secure
- ALWAYS keep your Wordpress installation up to date. This is now easy to do with the latest versions, but make sure you take a backup first.
- When you install Wordpress, you have the option of selecting what’s called a database table prefix. This is simply the short string of letters placed in front of every database table name, the default being wp_. By changing this to something random, you will block a large number of automated hacking scripts that look for tables starting with the default prefix.
- Wordpress now allows you to choose your admin username, so don’t use admin. Pick something that’s hard to guess. The same goes for your password: use something hard to guess, ideally with letters, numbers and special characters.
- Set a password on your wp-admin folder. If you host on a cPanel host you can easily do this using the Password Protect Directories feature in your control panel. If you’re on a static IP, you may also wish to use .htaccess to limit access to the wp-admin folder to your IP address.
- Check your file and folder permissions. There’s no need to have 777 permissions on anything, and doing so will make your site insecure. You can set folders to 755 and files to 644. Most FTP programs allow you to right-click on the directory or file(s) to set these.
- Add an empty index.html file to your wp-content/plugins/ folder (just open a notepad document and save it as a blank file). This prevents people being able to browse what plugins you have installed.
- Many themes, especially older ones, display what version of Wordpress you’re running for anyone to see. If you’re comfortable with editing files, remove the Wordpress version info from your theme. There are several plugins that can do this for you. Also, if your blog has a link to the admin folder in the theme, remove it if you can.
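The permissions tip above can be checked and applied from the command line instead of an FTP client. The functions below are an added example, not code from the original article: they assume a POSIX shell with `find` and `chmod`, and take the Wordpress root directory as their argument.

```shell
#!/bin/sh
# Added example: audit a Wordpress install for world-writable files and
# folders (the 777 case), then reset everything to 755 / 644.

# Print every file or folder under $1 that is writable by "other".
# -perm -002 matches any entry with the world-write bit set; symlinks
# are skipped because their mode is not meaningful.
wp_perm_audit() {
  root="${1:-.}"
  find "$root" ! -type l -perm -002
}

# Same check, but return just the number of offending entries.
wp_perm_count() {
  wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Apply the recommended permissions: folders 755, files 644.
# Folders keep the execute bit so the web server can traverse them;
# files do not need it.
wp_perm_fix() {
  root="${1:-.}"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
}
```

Run `wp_perm_count /path/to/wordpress` first to see how many entries need attention, then `wp_perm_fix /path/to/wordpress` to correct them.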
The vast majority of blogs that are hacked are running old versions, so by keeping your Wordpress installation up to date and making sure it’s set up using the above tips, you’ll be ahead of the crowd in Wordpress security.