Essential Security Tips For Your WordPress Blog

More and more of my I.M. colleagues and indeed new people that I meet on line are `getting into blogging’. And why not? Blogs are relatively easy to produce and use, no matter which platform you choose, and they can be a brilliant tool for internet marketers.

However, no matter how easy they are to install and use, and no matter how helpful they can be to your business, the one thing that I’ve noticed more frequently is that many people are neglecting the security of their blogs.

Now I’m actually talking in particular about WordPress blogs here. Yes, I have used Blogger blogs in the past, and I know that many people swear by them, but I found Blogger a bit too restricitive for my liking (though I understand that things have changed a lot at Blogger since I first used them).

Because WordPress is an open source blogging tool, meaning that it’s free and available to everyone, it’s a prime target for hackers and ne’er-do-wells. Of course, the WordPress development team are tireless in constantly working on the script for our benefit, but none of this is any use if we don’t actually get up off our backsides and do a bit of work on our blogs behind the scenes.

It’s par for the course to worry about your blog theme, your next blog post, your readership, attracting subscribers to your RSS feed etc. etc., but do you actually think very much about your blog’s security?

I suppose that I might perhaps see more WordPress blog security problems than most, being in the hosting business. Did you know that probably the biggest cause of server compromisation is actually people who install WordPress blogs and other open source scripts and don’t keep them up-to-date with the latest versions and patches?

Hackers find it easy to search around, find a way in through an old script, hack your blog, access your email accounts, start sending viagra and cure for baldness spam emails `from you’ and generally get up to all kinds of nasty things.

I can’t tell you how many panicky emails I’ve had to answer from people who’ve logged into their blog one day and have been smacked in the face by a skull and cross bones proudly proclaiming that their carefully crafted, lovingly nurtured blog has been hacked by Hound Dog Horris the Hardcore Hacker!! Great!

So I’ve put together a few suggestions that you might like to implement to help keep your WordPress blog safe.

Keep Up-to-Date

First of all, the most obvious fix is to ensure that you keep your blog up-to-date with the latest version released by WordPress.

Most WordPress blogs display a little warning in the Dashboard that tells you when a new version is released and a link for you to click to download it. If yours doesn’t, then it’s worth checking the WordPress website fairly regularly for updates. They also invite you to sign up for email notification of updates.

If you feel a bit daunted installing updates via FTP, or you installed your blog initially using Fantastico in your cPanel, so are not sure how to install the updates, WordPress offer quite a good set of instructions for this.

Plugins

It’s a good idea to hide the list of plugins you are using. Any known vulnerabilities and bugs that may occur in some plugins can be used as tools to harm your website.

Check out your blog, now… yourdomain.com/wp-content/plugins

The chances are, you will see the full directory of all of your blog plugins, and in some cases, the date they were installed.

To hide your plugins, simply create an index.html file and upload it to the wp-admin/plugins folder. This index file can be blank or you can be really creative and add some promotions to it.

Another way that Hound Dog Hacker uses to determine whether your blog is furtile ground for hacking is to check which WordPress version you’re using.

So, if you’re one of those that has put upgrading on the back burner, then you could be announcing that you’re ripe for a hack harvest with a huge magaphone!

How so? Well, go to your blog… go on.. open a new tab in your browser and type in your blog’s url. Then right click on your blog with your mouse and select View Source, View Page Source, or similar, from the drop down menu.

Check out the coding….. about 10-12 lines down, you will see something like this

< meta name=”generator” content=”WordPress 2.6.3″ / >

< meta content=”WordPress 2.6.3″ name=”generator” />

Obviously the 2.6.3 version is the latest version as I’m writing this article today, and your one, hopefully, tells you the latest version on the day you check your code. However, there’s a possibility that you’ve not updated your version and an old version is showing. Naughty, naughty! Talk about dipping your cut finger in shark infested water and inviting all the sharks for a slap up meal!!! Slight exaggeration, there, but I’m sure you get what I mean?

Why advertise that you’ve been a bit too busy to update your blog to the latest version, or that that upgrade keeps get shoved down your list of things to do?

I’ve been using an excellent plugin by David Kierznowski, which removes the display of your WordPress version to prevent attacks. Check out your blog… do the right mouse click and then view source code.

The plugin is merely one small .php file that you upload to your plugins folder, and then activate it in the usual way in the plugins section of your Dashboard.

Block Access

A folder that Hound Dog Hacker likes to have a good old nosy around on your blog is your wp-admin folder – this is the storage place for all your blog’s most sensitive data. So here’s a quick tip to secure this directory…

Open notepad or wordpad on your computer, and add the following code:-

AuthUserFile /dev/null

AuthGroupFile /dev/null

AuthName “Access Control”

AuthType Basic

order deny, allow

deny from all

allow from TYPE YOUR IP ADDRESS HERE

If you don’t know your IP address, you can find it here whatismyipaddress.com

Next, save your txt file as .htaccess and then upload it to your wp-admin folder.

NOTE: This method might be a pain in the neck for you if you don’t have a static IP address, however, if you are with an internet service provider that has a range, you can add the range.

I have to say that my IP address isn’t static BUT, I’ve only had to add extra IP addresses twice in the past 6 months or so, to allow me to login.

I did wonder why, when I went to my blog login page whilst on my laptop that I was denied access… doh, then I realised that my .htaccess file was denying me access from this computer. I now keep the .htaccess file on my desktop and just add an IP address, if and when it changes, to the file and upload it in seconds. So your file might look something like this

AuthUserFile /dev/null

AuthGroupFile /dev/null

AuthName “Access Control”

AuthType Basic

order deny,allow

deny from all

allow from TYPE YOUR IP ADDRESS HERE

allow from TYPE YOUR IP ADDRESS HERE

allow from TYPE YOUR IP ADDRESS HERE

I hope this has helped give you some ideas, or at least galvanized you into taking a closer look at your blog security.

Meet our team?

Find out more

Interested in working with us?

Get in touch