Securing a WordPress blog
WordPress is the leading Content Management System (CMS) for blogs in existence today, with more than 8.000.000 blogs using it. And this makes it a good target for any kinds of attack – more users mean more targets in the eyes of website attackers. However, a lot of websites and users mean also a lot of ways to defend your website – WordPress would have never gotten so popular if it was unsecure and unsafe to use. The first and most important rule with a CMS script is to always use the most current version available out there. A lot of times, a simple update will save you tons of trouble. With WordPress, you will be constantly reminded if a new version is out there via a notification on the top of the Admin section. If you see that a new version is available, the time for updates is now. And always remember to back up your data before an update – this means not only your web files, but also your database where all of your posts are kept. When starting your quest for securing your WordPress installation, the first task is to choose secure passwords – check how many users will have administrator rights for your WordPress installation and make sure that all of them are using secure passwords. For a password to be completely secure, it must be composed of not just words, no matter how complicated, but also of numbers, special characters and combinations of upper-case and lower-case letters. For example, the following password – “thisismynewpasswordwhichistotallyunhackable” is long, difficult to remember, easy to mistype while entering and on the whole – not a best choice. If you shorten it, changing some of the letters with numbers and using some capital letters, you will have a much better result – “7h1SiSmYn3W”. Also, change your admin username – by default, the administrator account for each WordPress installation is simply named “admin” and most people never bother to change it. Another simple step is to protect your /wp-admin page – the place from where you log in. Adding a simple .htaccess file will do the trick – you can restrict the access and allow only your personal computer to log in, or make the /wp-admin page password protected. Both steps take a total of 5 minutes and add an additional level of security – anyone using a brute force attack on your WordPress installation will have a hard time trying to guess two usernames and passwords and to access a forbidden area of your site. Another tip is to update your plugins – an old version of a plugin with known exploits can get you in a lot of trouble. Most of the plugins will notify you if a new version is available, so that you can act quickly. And always be careful with the plugins you use – double check user comments and reviews concerning problems before installing a given plugin. Update your file permissions – be sure that you are the only one allowed to both modify and execute them. All file permissions should be set to 644 and all folder permissions – to 755. You can do that via the File Manager tool we provide you with. However, some plugins require specific files to have 777 permissions set – read carefully the given plugin’s readme file before installing it. Originally published Monday, January 4th, 2010 at 11:25 am, updated January 4, 2010 and is filed under The Free Reseller Program.