How To Secure Your Wordpress Blog

June 20, 2008

For most business bloggers, security is the last thing on their minds. Coming up with new content and keeping the site design current tend to take priority.

Unfortunately, security usually doesn't become important until your website gets hacked.

So I thought it would be a good idea to remind everyone, and post a list of things you can do to secure your WordPress website:

1. Install WP-Scanner and check for vulnerabilities.

You can download WP-Scanner at BlogSecurity.net.

Follow the instructions on the site to install it and generate a list of security risks on your site. Treat the report as a starting point rather than a clean bill of health: a scanner can only flag the problems it knows how to look for.

For more information, you can read this WordPress Security Whitepaper. Or, if you would like us to work with you to repair or secure your WordPress website, please submit your request via our contact form.

Some of the vulnerabilities mentioned in a WP-Scanner report are listed below.

2. Stop your WordPress version from being displayed.

Your theme's header.php may contain a line like the following, which prints the exact WordPress version into the HTML source of every page and tells an attacker which known exploits to try. Remove it:

<meta content="WordPress <?php bloginfo('version'); ?>" name="generator" />

I changed it to the following code on my sites:

<meta content="Powered by WordPress" name="generator" />

Be aware that editing header.php is not the whole job. Since WordPress 2.5 the generator tag is also printed by wp_head() and in your RSS/Atom feeds, and the version still leaks through /readme.html in the site root and through the ?ver= query string appended to core scripts and styles. Hiding the version only removes an easy fingerprint; it does not fix the holes in an old version, so it is no substitute for upgrading.
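Editing header.php only removes the copy of the tag that your theme prints. The following snippet for a theme's functions.php is an added example, not code from the original post: it removes the other places WordPress reveals its version. It assumes a WordPress release that provides the wp_generator action, the the_generator filter and the script/style loader filters used here (all recent releases do), and the function names beginning with example_ are my own.

```php
<?php
// Added example, not from the original post: remove WordPress version leaks.
// Place in the active theme's functions.php. Assumes the hooks below exist
// (wp_generator action, the_generator filter, script/style loader filters).

// 1. Stop wp_head() from printing <meta name="generator" content="WordPress x.y">.
remove_action( 'wp_head', 'wp_generator' );

// 2. Feeds and the export/RSD endpoints go through the_generator(); blank it there too.
//    The filter receives the generated tag and the output type (rss2, atom, html, ...).
function example_blank_generator( $generator, $type ) {
    return '';
}
add_filter( 'the_generator', 'example_blank_generator', 10, 2 );

// 3. Enqueued core scripts and styles carry ?ver=<WordPress version>. Strip the
//    argument only when it equals the core version, so plugin/theme assets that
//    set their own version for cache busting are left alone.
function example_strip_core_version( $src ) {
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version' );
add_filter( 'style_loader_src', 'example_strip_core_version' );
```

After adding it, view the source of a page and of your feed and confirm no "WordPress x.y" string remains; /readme.html is a static file, so delete it or block it separately.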

3. Change your WordPress table prefix.

OK, so this would have been much easier to do during the installation process. But if you have an existing site and you aren't sure how secure your server is, then I would recommend going ahead and changing the table prefix. BlogSecurity.net has a plugin to make changing the WordPress table prefix much easier.

Be realistic about what this buys you: a different prefix only defeats attacks that hard-code the default wp_ table names. An attacker with a working SQL injection can read the real prefix from INFORMATION_SCHEMA or from the query being injected into, so treat this as a small hurdle, not a fix. If you do change it on an existing site, you must also update $table_prefix in wp-config.php and rename the rows whose names embed the old prefix (wp_user_roles in the options table, wp_capabilities and wp_user_level in the usermeta table), otherwise every account loses its role and nobody can log in as an administrator.

4. Upgrade all of your plugins.

You can go to the websites for each of your plugins to check for updates, and recent WordPress versions also flag outdated plugins on the Plugins screen. I'd also recommend subscribing to the newsletters of plugin creators so you can be notified of new versions or security issues. Delete plugins you no longer use rather than just deactivating them: a deactivated plugin's files are still on the server and still reachable over the web, so a vulnerable one can be exploited without ever being switched on.

5. Put a blank index.html file in your /wp-content/plugins/ directory.

This stops the web server from showing a directory listing, so people can't simply browse the list of plugins you have installed. You also need to check all your other folders to make sure they have index files in them, to keep out prying eyes. Two caveats: this only works for directories you remembered, so if your host allows it the more reliable fix on Apache is to turn off automatic listings altogether with Options -Indexes in your .htaccess file; and a blank index only hides the listing. Plugins load their own scripts and styles from /wp-content/plugins/<name>/, so anyone reading your page source can still see which ones are installed.

6. Change your admin username.

If your admin username is "admin," then I recommend you change it to something else, since it is the first name any password-guessing script will try. Whether or not you change it, also use a strong password. A password like "IloveAimee", when your kid's name is Aimee, is way too easy to guess. If you need help generating a strong password, use a random password generator. It's safer to write your password down and hide it in your desk drawer than to have a weak password on your website. Note that the profile screen does not let you change a login name: either create a new administrator account, log in with it and delete the old one (reassigning its posts to the new account), or change user_login, and user_nicename, which appears in author URLs, in the users table directly.
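Steps 3 and 6 both come down to editing the database directly, which WordPress itself won't do for you. As an added example (not code from the original post, and not the BlogSecurity plugin), here is a one-off PHP command-line script that renames every table from the old prefix to a new one, fixes the option and meta rows that embed the prefix, and renames the admin login. The connection details, the new prefix k7q2_ and the login name siteowner are placeholders, not values from the post, and the script assumes MySQL via mysqli and a database user allowed to run RENAME TABLE.

```php
<?php
// Added example, not from the original post or from BlogSecurity's plugin.
// One-off CLI script: (a) rename every table from $old_prefix to $new_prefix,
// (b) fix the options/usermeta rows whose names embed the prefix, (c) rename
// the 'admin' login. All values below are placeholders for your own site.
// Back up the database first, and set $table_prefix in wp-config.php to the
// new prefix as soon as this finishes, or WordPress will not find its tables.

$db_host    = 'localhost';
$db_name    = 'wordpress';
$db_user    = 'wpuser';
$db_pass    = 'change-me';
$old_prefix = 'wp_';
$new_prefix = 'k7q2_';      // hypothetical new prefix
$old_login  = 'admin';
$new_login  = 'siteowner';  // hypothetical new login name

// Prefixes are pasted into SQL identifiers, so allow only [A-Za-z0-9_].
foreach ( array( $old_prefix, $new_prefix ) as $p ) {
    if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $p ) ) {
        die( "Refusing unsafe prefix: $p\n" );
    }
}

$db = new mysqli( $db_host, $db_user, $db_pass, $db_name );
if ( $db->connect_error ) {
    die( "Connect failed: {$db->connect_error}\n" );
}
$db->set_charset( 'utf8' );

// (a) Collect the tables first, then rename them. '_' is a LIKE wildcard, so
//     escape it: 'wp\_%' matches wp_posts but not a table called wpXposts.
$like_prefix = addcslashes( $old_prefix, '%_' ) . '%';
$tables = array();
$res = $db->query( "SHOW TABLES LIKE '" . $db->real_escape_string( $like_prefix ) . "'" );
while ( $row = $res->fetch_row() ) {
    $tables[] = $row[0];
}
foreach ( $tables as $old_table ) {
    $new_table = $new_prefix . substr( $old_table, strlen( $old_prefix ) );
    if ( ! $db->query( "RENAME TABLE `$old_table` TO `$new_table`" ) ) {
        die( "Rename of $old_table failed: {$db->error}\n" );
    }
    echo "renamed $old_table -> $new_table\n";
}

// (b) Keys that carry the prefix: wp_user_roles in options, wp_capabilities and
//     wp_user_level in usermeta. WordPress reads them under the new prefix, so
//     without this step every account loses its role.
$cut = strlen( $old_prefix ) + 1;   // SUBSTRING() positions are 1-based
foreach ( array( 'options' => 'option_name', 'usermeta' => 'meta_key' ) as $table => $column ) {
    $stmt = $db->prepare(
        "UPDATE `{$new_prefix}{$table}` SET `$column` = CONCAT(?, SUBSTRING(`$column`, ?)) WHERE `$column` LIKE ?"
    );
    $stmt->bind_param( 'sis', $new_prefix, $cut, $like_prefix );
    $stmt->execute();
    echo "updated {$stmt->affected_rows} row(s) in {$new_prefix}{$table}\n";
    $stmt->close();
}

// (c) Rename the administrator login. user_nicename is the slug used in author
//     URLs, so change it as well or the old name still leaks there.
$stmt = $db->prepare(
    "UPDATE `{$new_prefix}users` SET user_login = ?, user_nicename = ? WHERE user_login = ?"
);
$nicename = strtolower( $new_login );
$stmt->bind_param( 'sss', $new_login, $nicename, $old_login );
$stmt->execute();
echo "renamed {$stmt->affected_rows} user(s) from $old_login to $new_login\n";
$stmt->close();
$db->close();
```

Run it from a shell (php rename.php) after taking a database backup, then set $table_prefix = 'k7q2_'; in wp-config.php and log in with the new name. Identifiers cannot be bound as prepared-statement parameters, which is why the prefixes are whitelisted to [A-Za-z0-9_] before anything touches the database; the values that can be bound (the new prefix, the LIKE pattern and the login names) are.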

7. Limit access to your wp-admin directory.

You can do this by denying access to everyone except your own static IP address. Add the following to an .htaccess file placed in your wp-admin folder (this is the Apache 2.2 syntax; Apache 2.4 expresses the same rule with Require ip):

Order Deny,Allow
Deny from all
Allow from XXX.XXX.XXX.XXX

Replace XXX.XXX.XXX.XXX with your IP address; you can find your public IP address online. Two things to be aware of: wp-login.php lives in the site root, not in wp-admin, so this rule protects the dashboard but does not stop password guessing against the login page; and plugins that call wp-admin/admin-ajax.php from the public side of the site will stop working for visitors unless you allow that file explicitly.

(You can create an .htaccess file by opening Notepad, adding your content, clicking Save, naming the file .htaccess and selecting All Files from the Save As Type dropdown menu.)

However, if the IP address your ISP assigns you changes often, you may want to password-protect the directory instead (HTTP basic authentication, which puts a second password in front of the WordPress login). If you are a cPanel user, you can use the Password Protect Directories function in cPanel. Not sure how to do this? Watch our password protect video tutorial.

8. Restrict access to your wp-config.php file.

Open up the .htaccess file in your WordPress root directory (the folder that contains wp-config.php, not the wp-admin folder; a rule in wp-admin/.htaccess never matches a file that lives one level above it) and add the following code to the end:

<Files wp-config.php>
Order Deny,Allow
Deny from All
</Files>

This modification keeps people from downloading your config file, which contains your database password, even if PHP stops executing on your server (after a misconfiguration, for example) and Apache starts serving .php files as plain text. Newer WordPress versions also look for wp-config.php one directory above the installation, which keeps it out of the web root altogether.

9. Restrict access to wp-content and wp-includes directories.

Add the following code to the .htaccess files within these directories. It denies every request except those for static files with the listed extensions, so PHP files under these directories can no longer be called directly by a visitor:

Order Allow,Deny
Deny from all
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>

Be aware: this might adversely affect plugins (and parts of the post editor) that load PHP files directly from these directories, so check your plugins and the editor after you install this modification. Any other static file types you serve from these folders, such as .ico, .swf or .pdf, must be added to the list or they will be blocked too.

10. Make sure you're using a secure contact form.

I recommend using this secure contact form plugin for your site. It will keep out the spam and make sure your form isn't exploited. The usual exploit is mail header injection: a form that copies the visitor's name or e-mail address into the message headers without stripping newlines lets a spammer add their own recipients and turn your site into a relay, so whatever plugin you use should validate those fields and, ideally, add a CAPTCHA or similar check.

And finally, keep your Wordpress installation up to date. But that goes without saying…

If you aren’t sure how to do any of this, don’t have the time, or just don’t want to mess with it, contact us and we’ll take a look at your site and see what we can do for you!

Comments

2 Responses to “How To Secure Your Wordpress Blog”

  1. Secure Your Wordpress Installation Now on June 20th, 2008 8:45 pm

    […] can read my list of Wordpress Security Tips at my Watersweb Solutions […]

  2. Your Blog Got Cracked! 8 Steps To Show You Concern | Make Money Online Blog on July 1st, 2008 1:58 pm

    […] How To Secure Your Wordpress Blog […]
