How to Protect your Wordpress Site
Posted on October 09, 2009
It doesn’t matter whether you use Wordpress as a blog, as a static site or as a sales page: you need to protect your online business, and protecting a Wordpress site isn’t difficult. It takes 20 minutes at most, and a secured site can save you a big headache. Cleaning up a hacked site takes much longer.
The first step is to make sure your Wordpress version is up to date, and the same goes for your theme and plugins. Update to the latest release as soon as it is out: almost every known security hole is fixed in the latest version, and a published fix also tells attackers exactly what to look for on sites that have not updated yet. Secondly, subscribe to the Wordpress development blog. That is where security releases are announced.
Next, install the most essential plugins. They are also listed in my best Wordpress plugins post.
WP Back Up – WP Back Up lets you schedule your backups so you don’t have to think about them. We made a Gmail address for it, and once a week all our Wordpress backups are sent to that address. Don’t delete old backups. If you discover that your site is hacked, that doesn’t mean it was hacked this week, and you need a copy from before the break-in to restore from. Keep in mind that a backup contains your whole database, including the user password hashes, so the mailbox you send it to needs a strong password of its own.
Login LockDown – Login LockDown records the IP address and timestamp of every failed Wordpress login attempt. You can set the maximum number of retries and the time window in which they are counted; an address that exceeds the limit is locked out of the login form for a while.
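The retry limit and time window described above, as an added example that is not the plugin’s code: a small lockout tracker in Python replayed over constructed log lines. The log format, the addresses and the default limits are assumptions made for the demo.

```python
"""Failed-login lockout logic of the kind Login LockDown applies (added example,
not the plugin's code). Each failed login is recorded with the source IP and a
timestamp; once an IP accumulates max_retries failures inside retry_window it is
locked out for lockout_period, and a successful login clears its counter. The
log lines at the bottom are constructed for the demo."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginLockdown:
    def __init__(self, max_retries=3, retry_window=timedelta(minutes=5),
                 lockout_period=timedelta(hours=1)):
        self.max_retries = max_retries
        self.retry_window = retry_window
        self.lockout_period = lockout_period
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lockout has expired
            del self.locked_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Count a failed attempt; return True if it trips the lockout."""
        recent = self.failures[ip]
        while recent and now - recent[0] > self.retry_window:
            recent.popleft()                 # forget failures outside the window
        recent.append(now)
        if len(recent) >= self.max_retries:
            self.locked_until[ip] = now + self.lockout_period
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)


# Constructed sample: "<date> <time> <FAILED|OK> <client ip> <username>".
SAMPLE_LOG = """\
2009-10-09 01:10:02 FAILED 203.0.113.7 admin
2009-10-09 01:10:05 FAILED 203.0.113.7 admin
2009-10-09 01:10:09 FAILED 203.0.113.7 administrator
2009-10-09 01:10:12 FAILED 203.0.113.7 vincent
2009-10-09 01:20:00 FAILED 198.51.100.4 vincent
2009-10-09 01:20:30 OK 198.51.100.4 vincent
2009-10-09 02:15:00 FAILED 203.0.113.7 vincent
"""


def replay(log_text, **settings):
    """Feed log lines through the lockout and return one verdict per line:
    'failed', 'locked' (this failure tripped the limit), 'blocked' (refused
    because the IP is currently locked out) or 'ok'."""
    guard = LoginLockdown(**settings)
    verdicts = []
    for line in log_text.splitlines():
        day, clock, outcome, ip, _user = line.split()
        now = datetime.fromisoformat(f"{day} {clock}")
        if guard.is_locked(ip, now):
            verdicts.append("blocked")
        elif outcome == "FAILED":
            verdicts.append("locked" if guard.record_failure(ip, now) else "failed")
        else:
            guard.record_success(ip)
            verdicts.append("ok")
    return verdicts


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG.splitlines(), replay(SAMPLE_LOG)):
        print(f"{verdict:8} {line}")
```

Two things to get right in a real deployment: lock on the address the web server actually saw (REMOTE_ADDR), not on a header such as X-Forwarded-For that the client controls, unless a trusted proxy in front of you sets it; and expect some false positives from offices or ISPs that share one address, which is why the lockout expires instead of being permanent.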
WP Security Scan – This plugin scans your files, folders and settings and tells you whether your files and folders have the right permissions. It removes the WP ID meta tag and the Wordpress version from your pages, so that your site does not advertise which version it runs (an attacker can still fingerprint it from other files, so treat this as a small hurdle, not a fix). It also turns off database error reporting, so that hackers cannot read the flaws in your installation from error messages.
You will most likely get a warning that your table prefix should not be the default wp_. If you don’t want to change it yourself, which can be tricky because every table and some option and user meta names contain the prefix and must be renamed consistently, there’s an excellent plugin for it.
WP Prefix Table Changer – The WP Prefix Table Changer plugin renames your tables away from the wp_ prefix. This does not hide the fact that you run Wordpress; what it does is break canned SQL injection payloads that hard-code the default table names such as wp_users.
IMPORTANT: make sure you have a complete backup of your site before you use this plugin.
AskApache Password Protection – One more plugin: AskApache Password Protection puts HTTP authentication in front of your admin directory by writing the necessary .htaccess rules for you, and it is simple to set up.
These five plugins and keeping your site up to date are the most important steps you can take to keep your Wordpress site secure, but there are several other things you can do.
Remove the admin user. Create a new administrator account with your own username and a good password, preferably a long one with letters and digits, log in as that user and then delete admin, assigning its posts to the new account. If you have multiple blogs, use a different password for each one rather than variations of the same password. I use Roboform as my password manager and the software is absolutely fantastic; it has been downloaded more than 23 million times. They also have a free version, and I highly recommend it.
Create an index.html file and put a copy in your plugins and theme folders, so that someone who requests those folders directly gets a blank page instead of a listing of everything you have installed. If you don’t know how to do this: create a text file called index.txt, upload it to your server and rename it to index.html. Mine says “nothing to see here”, but you can leave it blank if you want.
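The checks WP Security Scan performs for file permissions and the default table prefix, together with the index-file check from the tip above, as an added example in Python that is not the plugin’s code. The sample install, its paths and its permission bits are constructed in a temporary directory for the demo, and the hardened variant only shows what a clean run looks like.

```python
"""Offline audit of a WordPress install (added example, not WP Security Scan's
code): is the table prefix still the default wp_, is wp-config.php readable by
everyone, is anything world-writable, and do the plugins and themes folders
carry an index file that stops directory listings. The sample install is built
in a temporary directory so the script runs stand-alone."""
import os
import re
import shutil
import stat
import tempfile

PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
LISTING_GUARDED_DIRS = ("wp-content/plugins", "wp-content/themes")


def audit(root):
    """Return a list of findings; an empty list means nothing was found."""
    findings = []
    cfg = os.path.join(root, "wp-config.php")
    if not os.path.isfile(cfg):
        findings.append("wp-config.php missing")
    else:
        with open(cfg, encoding="utf-8") as fh:
            match = PREFIX_RE.search(fh.read())
        if match is None:
            findings.append("no $table_prefix found in wp-config.php")
        elif match.group(1) == "wp_":
            findings.append("table prefix is the default wp_")
        # PHP must be able to read it, but nobody else on a shared host should.
        if os.stat(cfg).st_mode & stat.S_IROTH:
            findings.append("wp-config.php is world-readable")
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal order
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                findings.append("world-writable: " + os.path.relpath(path, root))
    for sub in LISTING_GUARDED_DIRS:
        folder = os.path.join(root, sub)
        has_index = any(os.path.exists(os.path.join(folder, idx))
                        for idx in ("index.html", "index.php"))
        if os.path.isdir(folder) and not has_index:
            findings.append("no index file in " + sub + " (directory listing possible)")
    return findings


def build_sample_site(root, hardened=False):
    """Constructed install. Default: wp_ prefix, world-readable config,
    world-writable plugins folder, index.html only in the themes folder.
    Hardened: a custom prefix, tighter modes and an index.html in both."""
    plugins = os.path.join(root, "wp-content", "plugins")
    themes = os.path.join(root, "wp-content", "themes")
    os.makedirs(plugins)
    os.makedirs(themes)
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w", encoding="utf-8") as fh:
        fh.write("<?php\n$table_prefix = '%s';\n" % ("blog_" if hardened else "wp_"))
    guarded = [themes, plugins] if hardened else [themes]
    for folder in guarded:
        with open(os.path.join(folder, "index.html"), "w", encoding="utf-8") as fh:
            fh.write("nothing to see here\n")
        os.chmod(os.path.join(folder, "index.html"), 0o644)
    # Set every mode explicitly so the result does not depend on the umask.
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(themes, 0o755)
    os.chmod(plugins, 0o755 if hardened else 0o777)
    os.chmod(cfg, 0o640 if hardened else 0o644)


def run_sample_audit(hardened=False):
    root = tempfile.mkdtemp()
    try:
        build_sample_site(root, hardened)
        return audit(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print("WARNING:", finding)
    print("hardened install:", run_sample_audit(hardened=True) or "no findings")
```

Run it against a real install by calling audit() with the document root of the site; the permission rules assume PHP runs as the file owner or in the owner’s group, which is the usual shared-hosting setup.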
This next tip comes from Matt Cutts, who heads Google’s Webspam team. I don’t use it myself because I’m online from many different places, but you can restrict access to your /wp-admin/ directory to a list of IP addresses.
This is what Matt Cutts’ .htaccess file looks like. It uses Apache 2.2 syntax; on Apache 2.4 the deny/allow lines are written as Require ip with the same addresses. Note that wp-admin/admin-ajax.php is also used by some themes and plugins to serve ordinary visitors, so test the front end of your site after adding this.
# No Require directive follows, so these four Auth lines never trigger
# HTTP authentication; access control below is by IP address only.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# Apache 2.2: Deny rules are evaluated first, then Allow rules, so an
# address matching an "allow from" line overrides the blanket deny.
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
allow from 199.239.136.200
# IP while in Kentucky; delete when back
allow from 128.163.2.27
If you Google for “index wp-admin” you’ll be amazed how many sites have directory listings enabled and indexed by search engines. If this is the case for you, create a robots.txt file. Keep in mind what robots.txt does and does not do: it only asks well-behaved crawlers to stay out, it is readable by anyone and so also hands an attacker a list of the paths you care about, and it does not stop the listing itself. Disable listings on the server (Options -Indexes in .htaccess, or the index.html trick above) and use robots.txt only to keep those paths out of search results.
Save a text file with content like this, and add any other directories you want kept out of search results, such as downloads.
User-agent: *
Disallow: /cgi-bin/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /feed
Disallow: /*.php$
Disallow: /*.pdf$
# Google Image
User-agent: Googlebot-Image
Disallow:
Allow: /*
# Google AdSense
User-agent: Mediapartners-Google*
Disallow:
Allow: /*
# Internet Archive Wayback Machine
User-agent: ia_archiver
Disallow: /
# digg mirror
User-agent: duggmirror
Disallow: /
And to close this post: if a hacker really wants to hack your blog, they can. If every MS Windows version gets cracked before it reaches the stores, they can get into your blog too. It’s up to you to secure your Wordpress site and make it as difficult as possible. If you have any additions, please share your thoughts or recommendations in the comments.
7 Responses to “How to Protect your Wordpress Site”
James
- 9th Oct, 09 01:10am
Great post Vincent. I’m thinking of converting my blog to WP and this will come in handy. Thanks!
Clemence Ko
- 9th Oct, 09 08:10am
This is very good information as we all know WP is very prone to hacks. Thanks a lot Vincent.
P.S. By the way, what plugin do you use for your social bookmarks? I normally see sites that use this style have only one row. Yours has 3! Hope you can share. Thanks!
Vincent (author comment)
- 9th Oct, 09 01:10pm
Thanks James,
Thanks Clemence, and the plugin is the Sexy Bookmarks plugin. I sent you an email with the link too.
Nate Balcom
- 8th Jan, 10 08:01am
Are you on a shared host? I've been having a heck of a time keeping my site live for the past few months. I'm not ready to move to a semi-dedicated host just yet as I simply don't have the traffic to justify it. Thanks for this post. I used a lot of the info you provided here.
Vincent (author comment)
- 13th Jan, 10 06:01pm
Hey Nate, I’m glad that the post helped you. And yes most of our sites are hosted on shared hosting. Which host are you using?
Luke Spencer
- 17th Jan, 10 02:01am
Thank you for the post! I am always leery of uploading the new WP because of the possibility of crashing my site. I did not know there was an automatic backup plugin; this is good to know.
Luke Spencer
Vincent (author comment)
- 17th Jan, 10 03:01am
I'm glad you like the article.
It's a great plugin, we use it on all our blogs.