Securing your WordPress blog
Bloggers have rushed to secure their self-hosted WordPress blogs after the recent massive hacks on shared hosts. I was one of them, even though only one of my blogs was affected. I spent hours browsing, looking for good resources, common knowledge, and solid tips to form a list of quintessentials on WordPress security. I also found some useful plugins.
However, as with all things, there are good tips, tips that kinda work and tips that might bring you into more trouble. By the same token, you can keep on uploading plugins into WordPress until the year 2020. Each plugin is a potential hazard by itself. The developer can cease its support, leaving you standing in your underwear in the middle of Blogging Street. And the more plugins you have, the more maintenance your blog will need: upgrading to new releases might become a hassle, knowing every single release is a potential bug farm. It would not be the first time I did a quick ‘Upgrade’ of a minor plugin “just before going to bed” only to find myself trying to get my blog to work again because ‘the minor upgrade’ conflicted with something else and crashed the whole site. Sigh.
So… think before you do anything hastily. For every plugin, check the forum posts related to it, check for bug reports and Google its name to see if there are any complaints.
In the past week, I installed several recommended plugins on some of my test blogs, and will report back if I find good and useful stuff. Meanwhile, I will restrict my recommendation to the WordPress File Monitor plugin I wrote about in my previous post.
As for the tips on security, same thing: I will restrict myself to the bare essentials. After all, I am a blogger, not a systems engineer or a web designer. I have limited time and patience to devote to the technicalities of keeping a blog up and running. I’d like to concentrate on contents more than PHP code and SQL database queries.
Nevertheless, I want to list some of the posts on WordPress security that have been cross-referenced several times.
- 12 Essential Security Tips and Hacks for WordPress by Syed Balkhi
- Hardening WordPress from the WordPress site itself.
- WordPress Security Tips and Hacks
- 11 Best Ways to Improve WordPress Security
- The Almost Perfect htaccess File for WordPress Blogs by Josiah Cole
After going through all of these, I found some good tips which I will consider, some I will disregard (e.g. I cannot lock any file access to a fixed IP address as I don’t work from a single location, and my ADSL lines have dynamic IPs), but there is one I highly recommend to you:
Secure the wp-config.php file!
If you are not familiar with the wp-config.php file in your root directory, take a look at its content…
Yep, that’s right, you’d better believe your eyes… Here is the basic security access data for the inner workings of your WordPress blog (the database name, user name and password, among other things). All readable in plain ASCII. So you’d better secure that file, or your blog is as wide open as the Louisiana flood gates!
The fastest and easiest way to protect your wp-config file is by adding the following lines at the bottom of the .htaccess file in your root directory:
# BEGIN protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# END protect wp-config.php
This stanza blocks “world access” to the file, and only to that file: the <Files> wrapper is essential, because a bare “deny from all” at the top level of .htaccess would shut out visitors from your whole site instead.
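As an added example (not part of the original post), here is a small Python audit script that checks a WordPress root the way a cautious blogger on a shared host would: does .htaccess carry a <Files>/<FilesMatch> stanza that denies access to wp-config.php (accepting both the Apache 2.2 “deny from all” and the Apache 2.4 “Require all denied” spellings), and is the file itself readable by other local accounts on the server? It builds a constructed, throwaway site directory for its demo; the function names and sample contents are my own assumptions.

```python
import re
import tempfile
from pathlib import Path

# Apache <Files>/<FilesMatch> container openers/closers and both "deny everyone" spellings
# (Apache 2.2 "deny from all", Apache 2.4 "Require all denied").
_OPEN = re.compile(r'^\s*<Files(Match)?\s+"?([^">]+?)"?\s*>', re.IGNORECASE)
_CLOSE = re.compile(r'^\s*</Files(Match)?\s*>', re.IGNORECASE)
_DENY = re.compile(r'^\s*(deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.IGNORECASE)

def htaccess_protects_wpconfig(text):
    """True if a <Files>/<FilesMatch> block that matches wp-config.php denies all access."""
    inside = hits_target = denied = False
    for line in text.splitlines():
        m = _OPEN.match(line)
        if m:
            pattern = m.group(2)
            # <FilesMatch> takes a regex, <Files> a literal file name
            hits_target = (re.search(pattern, "wp-config.php") is not None
                           if m.group(1) else pattern == "wp-config.php")
            inside, denied = True, False
        elif _CLOSE.match(line):
            if inside and hits_target and denied:
                return True
            inside = False
        elif inside and _DENY.match(line):
            denied = True
    return False  # a bare "deny from all" outside any container does not count

def audit_wordpress_root(root):
    """Return findings for the WordPress install rooted at `root`."""
    ht, cfg = Path(root) / ".htaccess", Path(root) / "wp-config.php"
    return {
        "htaccess_denies_wpconfig": htaccess_protects_wpconfig(ht.read_text() if ht.exists() else ""),
        # other-readable bit (0o004) set: any local account on a shared host can read the DB password
        "wpconfig_world_readable": cfg.exists() and bool(cfg.stat().st_mode & 0o004),
    }

def demo(protected=True, mode=0o640):
    """Audit a constructed, throwaway WordPress root (sample data, not a real site)."""
    stanza = "<Files wp-config.php>\norder allow,deny\ndeny from all\n</Files>\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # the broken form, a bare "deny from all", would block the whole directory, not just the file
        (root / ".htaccess").write_text(stanza if protected else "deny from all\n")
        cfg = root / "wp-config.php"
        cfg.write_text("<?php define('DB_PASSWORD', 'constructed-sample');\n")
        cfg.chmod(mode)
        return audit_wordpress_root(root)
```

Run audit_wordpress_root() against your real document root to get both findings; a world-readable wp-config.php is worth fixing even when the .htaccess stanza is in place, since .htaccess only governs web requests, not other users on the same host.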
Do it now. Safe blogging!