If you’ve read our article on how to speed up WordPress, then you probably already know how to create a pretty fast WordPress blog. So, now it’s time to turn our attention to blog security. We have already covered the subject of how to secure a WordPress blog once, but it never hurts to add something new. Here are some new tips on how you can further secure your WordPress blog. These tips are a bit more advanced and will require some code editing on your part.
1. Prevent the WordPress version from being displayed
WordPress, like any other web application, has its vulnerabilities. Each new WordPress version fixes security holes discovered in the previous ones, so those who do not upgrade to the latest version are left exposed to the known threats. So, it’s a good idea to hide the WordPress version – this way each visitor will think that you are using the latest version and that old security holes are not present. You can do that by adding a simple line of code to your selected WP theme’s functions.php file:
remove_action('wp_head', 'wp_generator');
And that’s all. When you refresh your blog, you will see that the WordPress version is no longer visible.
Note: hiding the WordPress version can cause problems with plugins that rely on it.
2. Ban spam bots from your blog
If your blog is fairly popular, then you have probably run into the spam problem – there are a lot of spammers out there who leave spam comments on your blog. And while you can use an anti-spam plugin like Akismet, you can always go the extra mile and block the spammers from accessing your blog at all.
To do that, gather the IP addresses of the spammers who have posted the spam comments and paste them into our IP blocking tool in the Hepsia control panel. This way, the owners of these IPs will no longer be able to visit your website. Alternatively, you can do it manually, using the .htaccess file in the root folder of your WordPress installation. There, you will have to paste the following code:
<Limit GET POST PUT>
Order allow,deny
Allow from all
Deny from 10.20.30.40
</Limit>
You have to replace the 10.20.30.40 IP address with the given spammer’s IP. To block multiple IPs, simply add more Deny from lines:
<Limit GET POST PUT>
Order allow,deny
Allow from all
Deny from 10.20.30.40
Deny from 20.50.10.70
Deny from 30.60.20.80
Deny from 40.80.30.90
</Limit>
3. Protect your wp-config.php file
The wp-config.php file is one of the most important files in any WordPress installation – it contains the credentials a person would need to access your MySQL database, where all the posts and comments are kept. So, it’s vital to add an extra layer of protection for this file. A great way to do that is, again, the .htaccess file.
It’s the same file I told you about in the previous step – the one located in the root folder of your WordPress installation. Add the following lines to it:
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
This way, the file can no longer be requested through the web server.
4. Restrict access to your wp-admin page
If you are the only person who uploads content to your blog, and you do it from the same computer every time, why not restrict access to the admin section of your website? To do that, go into the /wp-admin folder and create an .htaccess file with the following rule:
Order deny,allow
Allow from 10.20.30.40
Deny from all
Make sure you replace the 10.20.30.40 IP address with your personal computer’s IP address. Also, make sure that you use a static IP address – this means that your IP address remains the same each time you browse the Internet. If you don’t know whether your IP address is static or dynamic, consult your ISP.
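The spam block in tip 2 and the wp-admin rule in tip 4 rely on two different Order settings, and reversing one locks everyone out instead. The following Python snippet is an added example (not code from the article, Hepsia or WordPress) that models Apache 2.2 mod_authz_host evaluation (the same rules mod_access_compat applies on 2.4) for a client IP, so you can check a rule set before uploading it; the IPs are the article’s placeholder values.

```python
import ipaddress

def _matches(client, host):
    """True if the client matches one Allow/Deny argument: 'all', a single IP, or a CIDR block."""
    if host.lower() == "all":
        return True
    return client in ipaddress.ip_network(host, strict=False)

def parse_rules(htaccess):
    """Extract Order/Allow/Deny lines from a snippet; <Limit> and <Files> wrappers are ignored."""
    order, allows, denies = None, [], []
    for raw in htaccess.splitlines():
        parts = raw.strip().split()
        if len(parts) < 2:
            continue
        keyword = parts[0].lower()
        if keyword == "order":
            order = parts[1].lower()
        elif keyword == "allow" and parts[1].lower() == "from":
            allows.extend(parts[2:])
        elif keyword == "deny" and parts[1].lower() == "from":
            denies.extend(parts[2:])
    if order not in ("allow,deny", "deny,allow"):
        raise ValueError("Order must be exactly 'allow,deny' or 'deny,allow' (no spaces)")
    return order, allows, denies

def is_allowed(htaccess, client_ip):
    """Apache 2.2 semantics: which side is evaluated last wins, and unmatched clients follow the default."""
    order, allows, denies = parse_rules(htaccess)
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(client, h) for h in allows)
    denied = any(_matches(client, h) for h in denies)
    if order == "allow,deny":
        # Allow first, then Deny: a Deny match always wins and unmatched clients are denied.
        return allowed and not denied
    # deny,allow: Deny first, then Allow: an Allow match always wins and unmatched clients are allowed.
    return allowed or not denied

# Constructed rule sets mirroring the article's tips 2 and 4 (placeholder IPs from the article).
SPAM_BLOCK = "<Limit GET POST PUT>\nOrder allow,deny\nAllow from all\nDeny from 10.20.30.40\n</Limit>"
ADMIN_ONLY = "Order deny,allow\nAllow from 10.20.30.40\nDeny from all"
# Common mistake: the same Allow/Deny lines with the Order reversed; 'Deny from all' now wins for everyone.
ADMIN_BROKEN = "Order allow,deny\nAllow from 10.20.30.40\nDeny from all"

if __name__ == "__main__":
    for name, rules in (("spam block", SPAM_BLOCK), ("admin only", ADMIN_ONLY), ("admin broken", ADMIN_BROKEN)):
        for ip in ("10.20.30.40", "192.0.2.7"):
            print(f"{name}: {ip} -> {'allowed' if is_allowed(rules, ip) else 'denied'}")
```

Partial-IP arguments such as "Deny from 10.20.30" are not modelled; use CIDR notation instead.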
Finally, there is a very helpful WordPress plugin called WP Security Scan, which will help you find any security holes in your blog.