
Bloggers have rushed to secure their self-hosted WordPress blogs after the recent massive hacks on shared hosts. I was one of them, even though only one of my blogs was affected. I spent hours browsing, looking for good resources, common knowledge, and solid tips to form a list of quintessentials on WordPress security. I also found some useful plugins.
However, as with all things, there are good tips, tips that kinda work and tips that might bring you into more trouble. Likewise, you can keep uploading plugins into WordPress until the year 2020. Each plugin is a potential hazard by itself. The developer can drop support for it, leaving you standing in your underwear in the middle of Blogging Street. And the more plugins you have, the more maintenance your blog will need: upgrading to new releases might become a hassle, knowing every single release is a potential bug farm. It would not be the first time I do a quick ‘Upgrade’ of a minor plugin “just before going to bed” only to find myself trying to get my blog to work again as ‘the minor upgrade’ conflicted with something else and crashed the whole site. Sigh.
So… think before you do anything hastily. For every plugin, check the forum posts related to it, check for bug reports and Google its name to see if there are any complaints.
Over the past week, I installed several recommended plugins on some of my test blogs, and will report back if I find good and useful stuff. Meanwhile, I will restrict my recommendation to the WordPress File Monitor plugin I wrote about in my previous post.
As for the tips on security, same thing: I will restrict myself to the bare essentials. After all, I am a blogger, not a systems engineer or a web designer. I have limited time and patience to devote to the technicalities of keeping a blog up and running. I’d like to concentrate on contents more than PHP code and SQL database queries.
Nevertheless, I want to list some of the posts on WordPress security that have been cross referenced several times.
- 12 Essential Security Tips and Hacks for WordPress by Syed Balkhi
- Hardening WordPress from the WordPress site itself.
- WordPress Security Tips and Hacks
- 11 Best Ways to Improve WordPress Security
- The Almost Perfect htaccess File for WordPress Blogs by Josiah Cole
After going through all of these, I found some good tips which I will consider, some I will disregard (e.g. I cannot lock any file access to a fixed IP address as I don’t work from a single location, and my ADSL lines have dynamic IPs), but there is one I highly recommend:
Secure the wp-config.php file!
If you are not familiar with the wp-config.php file in your WordPress root directory, take a look at its content…

Yep, that’s right, you’d better believe your eyes… Here is the basic security access data for the inner workings of your WordPress blog. All readable in plain ASCII. So you’d better secure that file, or your blog is wide open as the Louisiana flood gates!
The fastest and easiest way to protect your wp-config file is by adding the following lines at the bottom of the .htaccess file on your root directory:
# BEGIN protect wp-config.php
# Deny every HTTP request for wp-config.php (Apache 2.2 access-control syntax)
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# END protect wp-config.php
This block basically blocks “world access” to the file: Apache refuses every request for wp-config.php coming in over the web, while WordPress itself can still read the file from disk as before.
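As an added example (not part of the original post), here is a small POSIX shell audit script a blogger can run on the server to confirm the protection is actually in place. It accepts both the Apache 2.2 block shown above and the Apache 2.4 equivalent (`Require all denied`, which 2.4 needs unless mod_access_compat is loaded), and it also checks that wp-config.php is not world-readable on a shared host. The WordPress root path is an assumed argument.

```shell
#!/bin/sh
# Audit helper for the wp-config.php tip (example code, not from the post).
# Checks two things a defender wants to verify after editing .htaccess:
#   1. .htaccess holds a <Files>/<FilesMatch> block for wp-config.php that
#      denies all HTTP access, in either the Apache 2.2 syntax used in the
#      post ("Order allow,deny" + "Deny from all") or the Apache 2.4 syntax
#      ("Require all denied").
#   2. wp-config.php is not world-readable on disk (other accounts on a
#      shared host could otherwise read the database password directly).

# Exit 0 if the .htaccess at $1 contains a deny-all block for wp-config.php.
htaccess_protects_wpconfig() {
  [ -f "$1" ] || return 1
  # Apache directives are case-insensitive, so lower-case the file first,
  # then walk it with a tiny state machine: while inside a <Files ...> block
  # whose argument mentions wp-config, look for either deny syntax.
  tr '[:upper:]' '[:lower:]' < "$1" | awk '
    /^[ \t]*<files(match)?[ \t]+[^>]*wp-config[^>]*>/ { inblock = 1; next }
    /^[ \t]*<\/files(match)?[ \t]*>/                  { inblock = 0; next }
    inblock && /^[ \t]*(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)([ \t]|$)/ { found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# Exit 0 if the file at $1 grants read permission to "other" (world-readable).
world_readable() {
  [ -e "$1" ] || return 1
  # Portable across GNU and BSD: read the "other" triplet from ls -l output.
  case "$(ls -ld "$1" | cut -c8-10)" in
    r*) return 0 ;;
    *)  return 1 ;;
  esac
}

# Audit a WordPress root ($1); prints findings, exits 0 only if both checks pass.
audit_wpconfig() {
  root="$1"; status=0
  if htaccess_protects_wpconfig "$root/.htaccess"; then
    echo "OK   .htaccess denies HTTP access to wp-config.php"
  else
    echo "FAIL no deny-all <Files wp-config.php> block in $root/.htaccess"; status=1
  fi
  if world_readable "$root/wp-config.php"; then
    echo "WARN wp-config.php is world-readable; consider chmod 640 (the web server user must still be able to read it)"; status=1
  else
    echo "OK   wp-config.php is not world-readable"
  fi
  return $status
}
```

Run it as `audit_wpconfig /path/to/wordpress`; a FAIL or WARN line means the tip above has not taken effect yet.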
Do it now. Safe blogging!
This WP-config tip was discovered via WPSecurityLock and DevLounge
Pictures courtesy Public Domain Image and The Nosebean’s Blog
Peter. Flemish, European, aid worker, blogger, expeditioner, sailor, traveller, husband, father, friend, nutcase. Not necessarily in that order.
7 comments
When I was running the Bad Behavior plugin, I would get 2 or 3 spam comments a day. I have since removed it (no big reason, I just don’t run a lot of plugins) and used some referrer blocking code in htaccess; I get about 20 spam comments a day, all caught by Akismet, though I still have to go in and empty the spam folder. With no referrer protection, I can get 80 to 100 comments in the spam folder, every day (yikes!).
Were I to make my blog all over again, I’d definitely install WordPress in a subdirectory so I could move wp-config up a level and out of the main WordPress directory.
@Roy: WordPress since v 1.6 allows you to move the wp-config.php file to site root. That is one level above the /public_html directory where your site currently resides.
Thus there is no need for you to install WordPress in a subdirectory.
Correction: it should have read v 2.6 in my earlier comment.
.htaccess is very powerful and you should research it thoroughly because it allows you to secure everything you need.
Thanks for this great post – I will be sure to check out your blog more often ….
I just lost my blog and contents to hackers. Thanks for sharing these useful tips.
At the very least, take the whole 2 seconds to secure your wp-admin folder using htaccess.