13 Tips to Protect Your Wordpress Blog

Wednesday, July 15, 2009
Posted by Takumi 86

Protect Your Wordpress

Unlike blogger blogspot, Wordpress is more susceptible to be hacked and securing it is the top priority. This article will outlines a lot of different ways to secure your wordpress blog from the installation to the thing you should be doing.

1. Hardening your Password
Don use simple password that anyone can guess it, use the hard one e.g combine the letter, number and special character at the same time, ensure you don use the password that has something related to your personal life.

2. Encrypt Your Login
Everytime you try to login to your wordpress admin CP, your password is sent unencrypted by default. If you intend to open your account on public place e.g cyber cafe, hacker can easily sniff out your login credential info by using some tools. The best way to protect this is to encrypt your login with the help from Chap Secure Login and Semisecure Login plugin. Both of this plugin has the same purpose but in different perspective. Chap Secure Login will hides and encrypt your password with md5 algorithm hash once you have login to your Admin CP. The login process itself is done with the help of Chap protocol. Semisecure Login will encrypt your login password by using a public key on client side then decrypts the password using the private key on the server side.

3. Hides and Protect Your Admin CP Page
It is a must that you should never let the 'spidey' from crawling your admin CP page. Use Robot Meta plugin to prevent spidey from indexing your admin CP and AskApache Password Protect to password protect wp-admin/ folder and login page. You can either set up HTTP Basic Authentication, or HTTP Digest Authentication for more secure login.

4. Always Updating The Latest Version of Wordpress and Plugin
Giving updates to the latest version will fixes the bugs and security vulnerabilities. The best ways for this is to install the latest Wordpress Automatic Upgrade Plugin and always keep your eyes on the latest version of your plugin

5. Perform Regular Security Scan
Install WP-Scanner Plugin will perform security check and regular scan of the security holes such as:

  • Wordpress theme for basic vulnerabilities

  • Enumerates number of installed Plugins and test the security

  • WordPress Version Check

6. As Matt Cutts says, You should protect your wordpress installation. There are three ways that matt cutts defined about this including securing your /wp-admin/ directory, hides your wordpress plugin directory and subscribe to the WordPress Development blog

7. Stop The Brute Force Attack
Brute force is another attempt from hacker to crack your login password and credential info. But the guy from bad neighborhood has noticing this problem and create Login Lockdown plugin to records the IP address and timestamp of every failed WordPress login attempt. If they have detected more than a certain number of login attempts failed within a short period of time then it will disable the login function for all requests from that range. Another good plugin to have is Limit Login Attempts. This plugin will blocks a user for 20 minutes after he enters wrong password 4 times. But you should consider to have only 1 plugins for these matter. Choose the best that you think its suit to be installed

8. Stop The DDOS Attack

DDOS attack

DDOS attack stands for distributed denial-of-service attack. What is this attack do is to send numerous ping request from thousand of client computer that were hijacked and forced to be their slave to attack a single target. This DDOS attack doesn't really affecting so much if its only come from one single IP address but what if from 30.000 IP address? You can stop DDOS attack by following few things

  1. Install and activate WordPress Firewall Plugin

  2. Have DDOS protection installed on your host provider

  3. Running (D)DoS-Deflate script on your site. To do this, login as root by open SSH secure shell access to the server, and run the the following commands one by one:

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh

More information to protect your site from DDOS attack

9. Remove The Wordpress Current version
This tips isn't really necessary but it will give a boost to your wordpress speed by not loading the current version. To do this manually, go to your Admin CP > Appearance > Editor and click on header.php and remove the following code
[meta name=”generator” content=”WordPress ” />

Or you can simply modify it into something like
[meta name=”generator” content=”Powered by WordPress” />

There's also a plugin named Replace WP version to 'lie' about the Wordpress version you're using at the moment or Secure WordPress to hides information regarding your wordpress version from non-administrator user and plugin directory from visitors by dropping a blank index.php file

10. Backup Your Database
You can easily backup your database from your hosting manager company but if you prefer by doing it in plugins then WP Database backup might be the best option to have. What the plus point of this plugin is that it will offers to daily e-mail you a backup of your database.

11. Stop The Fake Registration
For those who allowing their reader to sign up and commenting at your blog, these plugin might be a must to have as it can prevent fake registration by bots. It can add image verification or math test to registration process to ensure fake users/bot are not created. You can also install Role Manager plugin to define the capabilities for each user group and the ability to control what users can and cannot do in your blog. This is a good option if you have so many author on your blog and you want to limit their privileges.

12. Ban Those Spammer!
Bad Behavior and WP-Ban can suspend each IP that has been proven as a spammer. Bad Behavior checks the visitor’s IP to see if it’s a spammer or not. If the IP has been proven as malicious, it can block that IP from accessing your blog. While WP-Ban will display a custom ban message when the banned IP tries to visit you blog. You can also exclude certain IPs from being banned

13. Hardening Your Codes
You might wanna read this document from Wordpress that covers a few things to applies such as

  • setting up file permission

  • secure MySQL Database Design

  • securing wp-config

  • Implementing SSL Encryption Security that you can install it when you purchase in your web host company

  • understanding about network and server vulnerabilities

  • Security through obscurity, etc

Additional Tips: Read this article to learn how not to get hacked

Attention! To make the works, please replace [ with <

If you like my post, please subscribe to my RSS feed!


1. This blog is DoFollow
2. If you like my post, please leave your review and i'll appreciate that and do not spam, Thanks

Post a Comment