10 Tips to Secure Your WordPress Blog | WebReference

10 Tips to Secure Your WordPress Blog

By Sukrit Dhandhania


1. Protect Your Plugins Directory

The plugins for your WordPress blog are installed under the blog/wp-content/plugins directory. In older versions of WordPress this was not protected adequately, but in recent versions there is better protection. A simple way to protect it from prying eyes is to leave a blank HTML file with the name index.html in it. Make sure to check if this file in there.

2. Hide Your WordPress Version

Knowing which version of WordPress you are running will be helpful to people who are looking to break into your blog. By default WordPress displays the version info. A simple way to fix that is to edit the file header.php to hide this information. Change the following line:

<meta name="generator" content="WordPress <?php bloginfo("version"); ?>" />
...to look like this:
<meta name="generator" content="WordPress" />

3. Use a Secure Username, Password

Until version 3.0 WordPress created the user admin by default, now you get to choose your own username, instead. This does not prevent all attacks, but it reduces the chances of your website being broken into by brute force scripts. Using a username with multiple words separated by a space, such as "Tom Jones," might help more. Also make sure that you use a good alphanumeric password, and not your date of birth or your ex-girlfriend's name. Ideally you should use a password which has a combination of uppercase and lowercase letters, and numbers in between.

4. Change Your Password Frequently

A good practice is to change your password every once in a while. You can do this once a week, or once a month. This is particularly helpful if you log in from other people's computers or worse, publicly shared computers.

5. Keep Your WordPress and Plugins Updated

WordPress notifies you when the plugin or WordPress install have a new release. You should make it a habit to check for this and update both frequently. Older releases have known vulnerabilities that could be exploited. On the other hand, if you update to the latest release of WordPress on the day of the release you might walk into vulnerabilities which have yet to be discovered.

Figure 1: An Example of How WordPress Alerts You When an Update Is Available