There are numerous actions a prudent web admin can take to make their site more secure. In an effort to place the key safety precautions you can employ on a WordPress site I have gathered a number of actions from multiple sources and placed them here.
Please note that this posting is not original content, rather it is a merged aggregation from the references listed below.
Item 1.
Always Upgrade to the current version of WordPress
Upgrade your WordPress as soon as possible. Most WordPress releases patch security loopholes, fixes which are essential for your continued protection.
Item 2.
Change Default Passwords
That is the first thing to do, if you are still using the default 6 lettered admin password which is sent to you via e-mail. Give a tight and secure password with numbers and letters and symbols jumbled up so that granny’s bruteforcing technique doesn’t cost you your blog. Don’t be too concerned about loosing your password and choose a simple password as you can always change your lost WordPress password.
Item 3.
Remove WordPress ‘version string’ in your theme files
1. Go to WordPress dashboard, click on presentation -> edit themes -> header.php
2. Find and remove this. bloginfo(‘version’) Save the file.
Explanation: Hide the version number of your WordPress such that it will be hard for hacker to find security loopholes for the specific version of WordPress.
Item 4.
Place empty ‘index.html’ file in the plugins folder
1. Open a text editor ’save as’ and save the file as index.html (be sure to change the filetype from text files to all files if you are running in windows)
2. Upload the file to WordPress wp-content/plugins folder in your web server.
Explanation: Hide the plugins used by your WordPress blog. It uses the same concept as above which is to hide security loopholes in the plugins.
Item 5.
Upload a copy of .htaccess file in the wp-admin and wp-includes folders
1. Using FTP program or your webserver file manager, go to the root folder of your server and download .htaccess file (set ’show hidden files’ first if you’re using FTP program such as FileZilla)
2. Go to your wp-admin folder
3. Upload the .htaccess file you’ve downloaded from the top level directory.
Item 6.
Use SSH instead of Telnet, SFTP instead of FTP
For real security use ssh to access your site instead of ftp which is inherently insecure and open to snooping of your account details as the authorization details (login & password) are transmitted in clear over the internet. With ssh you can use secure ftp protocol like sftp to do anything you can do with ftp. Similarly you can use ssh instead of telnet to securely connect to your Linux / Unix server
Item 7.
Create a robot.txt to place in your top level directory
Recommended contents include:
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /trackback
Disallow: /feed
Disallow: /comments
Disallow: /category/*/*
Disallow: */trackback
Disallow: */feed
Disallow: */comments
Disallow: /*?*
Disallow: /*?
Allow: /wp-content/uploads
References:
- http://www.bloganything.net/922/secure-your-wordpress-blog
- http://blog.taragana.com/index.php/archive/20-wordpress-security-plug-ins-and-tips-to-keep-hackers-away/
- wordpress codex
eirenicon llc is pleased to announce that we now support and create symbiotic web communities for use by our clients. If your community, group or organization is interested in presenting a cohesive, yet unique, face on the world an eirenicon Symbiotic Web Community Site may be the answer. These sites, modeled on and using software from WordPress.com, are readily available and extremely affordable. This website provides an example of a WordPress-MU based symbiotic Web Community from eirenicon llc. Feel free to tour this site to see examples of how this style of Web Community might support you and your community needs.
Recent Comments