
Securing your WordPress blog

Posted on May 25th, 2010 by


Bloggers have rushed to secure their self-hosted WordPress blogs after the recent massive hacks on shared hosts. I was one of them, even though only one of my blogs was affected. I spent hours browsing, looking for good resources, common knowledge, and solid tips to form a list of quintessentials on WordPress security. I also found some useful plugins.

However, as with all things, there are good tips, tips that kinda work, and tips that might bring you into more trouble. By the same token, you could keep on uploading plugins into WordPress until the year 2020. Each plugin is a potential hazard by itself. The developer can cease its support, leaving you standing in your underwear in the middle of Blogging Street. And the more plugins you have, the more maintenance your blog will need: upgrading to new releases might become a hassle, knowing every single release is a potential bug farm. It would not be the first time I did a quick ‘Upgrade’ of a minor plugin “just before going to bed” only to find myself trying to get my blog working again because ‘the minor upgrade’ conflicted with something else and crashed the whole site. Sigh.

So… think before you do anything hastily. For every plugin, check the forum posts related to it, check for bug reports and Google its name to see if there are any complaints.

Over the past week, I installed several recommended plugins on some of my test blogs, and will report back if I find good and useful stuff. Meanwhile, I will restrict my recommendation to the WordPress File Monitor plugin I wrote about in my previous post.

As for the tips on security, same thing: I will restrict myself to the bare essentials. After all, I am a blogger, not a systems engineer or a web designer. I have limited time and patience to devote to the technicalities of keeping a blog up and running. I’d like to concentrate on content more than PHP code and SQL database queries.

Nevertheless, I want to list some of the posts on WordPress security that have been cross-referenced several times.

After going through all of these, I found some good tips which I will consider, some I will disregard (e.g. I cannot lock file access to a fixed IP address, as I don’t work from a single location and my ADSL lines have dynamic IPs), but there is one I highly recommend to you:

Secure the wp-config.php file!

If you are not familiar with the wp-config.php file in your root directory, take a look at its content…


Yep, that’s right, you’d better believe your eyes… Here is the basic security access data for the inner workings of your WordPress blog (database name, user and password, among other things), all readable in plain ASCII. So you’d better secure that file, or your blog is as wide open as the Louisiana flood gates!

The fastest and easiest way to protect your wp-config file is by adding the following lines at the bottom of the .htaccess file on your root directory:

# BEGIN protect wp-config.php
# Apache 2.2 syntax: deny every HTTP request for the file
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# END protect wp-config.php

This code basically blocks “world access” to the file: Apache refuses every HTTP request for wp-config.php with a 403 error, while WordPress itself keeps reading it from disk as usual, so the blog works exactly as before.
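As an added example (not part of the original post), here is the same protection written so that it works on both the Apache 2.2 syntax shown above and Apache 2.4, which replaced the old Order/Deny directives with Require. The two IfModule tests pick whichever form the server understands, so you can paste it into .htaccess without knowing the Apache version your host runs:

```apache
# BEGIN protect wp-config.php
<Files wp-config.php>
    # Apache 2.4 and newer: mod_authz_core provides "Require"
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (no mod_authz_core): legacy Order/Deny directives
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
# END protect wp-config.php
```

Check it afterwards by opening http://yourblog.example/wp-config.php in a browser: a “403 Forbidden” page means the rule is active. If you get a blank page instead, the file is still being served (PHP simply produced no output), which usually means your host has not enabled .htaccess overrides for that directory; ask them to set AllowOverride, or put the directives in the server configuration instead.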

Do it now. Safe blogging!

This WP-config tip was discovered via WPSecurityLock and DevLounge
Pictures courtesy Public Domain Image and The Nosebean’s Blog




11 Comments to “Securing your WordPress blog”

  1. [...] may also want to check out: How to secure your WordPress blog?12 Essential Security Tips and Hacks for WordPress « Son of Byte …20 Powerful WordPress Security [...]

  2. Roy says:

    When I was running the Bad Behavior plugin, I would get 2 or 3 spam comments a day. I have since removed it (no big reason, I just don’t run a lot of plugins) and used some referrer blocking code in htaccess; I get about 20 spam comments a day – all caught by Akismet, though I still have to go in and empty the spam folder. With no referrer protection, I can get 80 to 100 comments in the spam folder, every day (yikes!).

    Were I to make my blog all over again, I’d definitely install WordPress in a subdirectory so I could move wp-config up a level and out of the main WordPress directory.

  3. Ritwik says:

    @Roy: WordPress since v 1.6 allows you to move the wp-config.php file to site root. That is one level above the /public_html directory where your site currently resides.

    Thus there is no need for you to install WordPress in a subdirectory.

  4. Ritwik says:

    Correction: it should have read v 2.6 in my earlier comment.

  5. Sams ftp says:

    .htaccess is very powerful and you should research it thoroughly, because it allows you to secure everything you need.

  6. Balaji says:

    Thanks for this great post – I will be sure to check out your blog more often ….

  7. Africa Directory says:

    I just lost my blog and contents to hackers. Thanks for sharing these useful tips.

  8. Creative Rob says:

    At the very least, take the whole 2 seconds to secure your wp-admin folder using htaccess.

  9. I would like to show thanks to this writer just for bailing me out of this difficulty. As a result of scouting throughout the web and coming across methods which are not helpful, I thought my life was done. Existing devoid of the approaches to the issues you’ve sorted out by way of your entire site is a crucial case, as well as the kind which might have negatively affected my entire career if I had not encountered your website. Your primary understanding and kindness in playing with all the stuff was valuable. I am not sure what I would’ve done if I hadn’t discovered such a point like this. I’m able to at this point relish my future.

    Thanks so much for your time and for your specialized and sensible guide. I won’t be reluctant to recommend the sites to any person who should receive recommendations about this area.
