WordPress powers over 70 million blogs. Being able to boast a number like that is impressive, but it also draws the wrong kind of attention.
Malicious hackers go after the low-hanging fruit: the easiest targets they can find. Of those 70+ million WordPress blogs, a large percentage have owners who have taken few steps, if any, to secure them, and automated scanners find those sites first.
As a blog owner, there are several steps you can take to give your WordPress blog a more secure foundation. The following steps will help prevent automated attacks from compromising your blog while making it more difficult for even skilled hackers to break in.
Start with a strong password
There are quite a few differing opinions on password strength and security but what you need to remember is:
- Make your password strong using a combination of uppercase letters, lowercase letters, numbers and symbols; Password123! does not count
- Create a password that you are going to remember
- Do not use a password that you have used for something else; this one should be unique
While you are at it, make sure the default username "admin" is no longer in use. Attackers know it is the default, so with that username in hand they only have to guess the password. WordPress does not let you rename a user from the profile screen: create a new administrator account with a different username, log in as that user, then delete the old "admin" account and attribute its posts to the new one. Keep in mind that this only removes the obvious guess; usernames are still discoverable (the author archive URL for user ID 1 reveals the author slug, which defaults to the username), so the strong, unique password above is what actually protects the login.
Update WordPress
The next step is to make sure WordPress is up to date. Minor releases regularly ship fixes for known security vulnerabilities in the core application, so staying current closes holes that attackers actively scan for. Update your plugins and themes at the same time: they are updated separately from core and run with the same privileges.
Now that you have updated your site, let’s take away any identifiers that let a potential hacker know what version you are running.
First, connect to your server (use SFTP or FTPS rather than plain FTP, which sends your password in the clear) and navigate to wp-content/themes/(the name of your theme). Locate the file named functions.php, make a backup copy, then open the original for editing. Scroll to the bottom of the file and add the following code:

    /**
     * Remove the WordPress version from the HTML header and RSS feeds.
     * From WPThemes.
     */
    function wpt_remove_version() {
        return '';
    }
    add_filter('the_generator', 'wpt_remove_version');

Save the changes and test your site. Two caveats: a theme update will overwrite functions.php, so either use a child theme or put the snippet in a small plugin of its own; and this filter only removes the generator meta tag and the RSS generator element. It does not hide the version from readme.html in the site root or from the ?ver= query string WordPress appends to its own scripts and stylesheets, so treat it as removing the easiest fingerprint, not as hiding the version.
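The same idea packaged as a must-use plugin, as an added example that is not from the original article or from WPThemes. A file in wp-content/mu-plugins/ is loaded automatically and survives theme updates. It removes the generator tag and additionally strips the ?ver= query string from core's own scripts and stylesheets (plugin and theme assets keep their own version strings). The plugin name and function name are choices made for this example.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version
 * Description: Added example (not from the original article). Removes the generator
 *              tag and the ?ver= query string that leaks the core version on assets.
 *
 * Install as wp-content/mu-plugins/hide-wp-version.php (create the directory if needed).
 */

// Empty the <meta name="generator"> tag and the RSS <generator> element.
// __return_empty_string is a helper shipped with WordPress core.
add_filter('the_generator', '__return_empty_string');

/**
 * Strip the ?ver=<core version> query string from enqueued assets.
 * Only assets whose version equals the running core version are touched,
 * so cache-busting for plugin and theme assets is left intact.
 */
function hide_wp_version_strip_ver($src) {
    global $wp_version;
    if (strpos($src, 'ver=' . $wp_version) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
// Late priority so this runs after other filters have added their version args.
add_filter('style_loader_src', 'hide_wp_version_strip_ver', 9999);
add_filter('script_loader_src', 'hide_wp_version_strip_ver', 9999);
```

After installing it, view the page source of your home page and confirm there is no generator meta tag and that URLs under /wp-includes/ no longer carry ?ver=. Delete or block readme.html in the site root separately; the plugin cannot touch that.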
Change the .htaccess file
The .htaccess file lets you override Apache's configuration for a directory (and everything below it) without touching the main server configuration, and access control is one of its most common uses. By making a few additions to this file we are going to block direct web access to wp-config.php as well as to the .htaccess file itself. Note that only Apache reads .htaccess; on Nginx these rules are ignored and the equivalent must go in the server block.
Connect to your WordPress site again (SFTP or FTPS, as before) and locate your .htaccess file in the site root. Again, make a backup of this file just in case.
Once you have backed everything up, open the file for editing. With the default permalink rules it should look like this:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
After the # END WordPress line, add the following. WordPress regenerates everything between the BEGIN and END markers when permalinks are saved, so custom rules must sit outside them:

    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

This stops the web server from ever serving wp-config.php, the file that holds your database credentials and secret keys, for instance if PHP stops being executed after a misconfiguration. To protect the .htaccess file itself (and .htpasswd), add the following:

    <Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </Files>

Note the escaped dot in the pattern: without the backslash the dot matches any character, so the rule would also catch ordinary files whose names happen to contain "hta". Both snippets use the Apache 2.2 Order/Deny syntax; on Apache 2.4 the equivalent is Require all denied, and the old directives only keep working there if mod_access_compat is loaded.
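The same two rules written so they work on both Apache 2.2 and 2.4, as an added example that is not from the original article. Apache 2.4 replaced Order/Deny with Require (provided by mod_authz_core), so each block tests for that module and falls back to the old directives when it is absent. The second rule uses FilesMatch with a simpler anchored pattern than the original, matching only names that begin with .ht.

```apache
# Added example: deny direct web access to wp-config.php and to any .ht* file.
# Place this outside the "# BEGIN WordPress" ... "# END WordPress" markers,
# because WordPress rewrites that section when permalinks are saved.

<Files wp-config.php>
    # Apache 2.4 (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2, or 2.4 with mod_access_compat loaded
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Anchored regex: matches .htaccess, .htpasswd and similar, nothing else.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy all
    </IfModule>
</FilesMatch>
```

To verify, request the files over HTTP after saving (for example with curl -sI on https://your-site/wp-config.php and https://your-site/.htaccess, substituting your own hostname); both should answer 403 Forbidden rather than 200. If you get a 500 error instead, the directives are not understood by your Apache version, and apachectl -M will show whether authz_core or access_compat is loaded.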
As stated earlier, these will give you a foundation for securing a WordPress blog.
Stay tuned for the next part in this series, where we will discuss some of the more popular plugins that help lock down your blog.