5 WordPress Security Essentials
Blogging can be a lot of fun and there is nothing more thrilling than having people appreciate your hard work by leaving comments and passing the word around about how great your blog is. Unfortunately along with all of your great fans there are also just as many bad guys out there that would love to deface and hack your beautiful creation. Here are five basic security tips that you can easily implement on your WordPress blog to try and keep the bad guys out.
Use a Strong Password - Choosing a good, strong password is one of the first and easiest defenses against being hacked. Your partner's first name is probably not the most secure choice. There are many differing opinions on what makes a secure password, but here are some things to keep in mind. Passwords longer than 8 characters that combine upper and lowercase letters, numbers, and symbols are stronger, and a password should never be reused on another site, since a breach elsewhere then hands an attacker your blog as well. I often don’t use special characters but will make passwords at least 10 characters long. If you need to create a strong password and don’t already use a password manager, check out this great tool from LastPass to generate one.
Protect the WordPress Admin Folder - Stopping the bad guys from getting into the WordPress admin folder in the first place is an excellent place to start securing your blog. There are many ways to increase the security of the wp-admin folder, including:
- Using the WordPress Plugin - htaccess password protection for wp-admin. This adds an extra layer of protection by putting HTTP Basic Authentication in front of the wp-admin folder, so an attacker needs a second set of credentials before reaching anything in it. Two caveats: Basic Authentication only base64-encodes the password, so use it over HTTPS, and the login form itself (wp-login.php) lives in the site root rather than in wp-admin, so it needs protecting separately.
- Using the Login LockDown WordPress security plugin to block an IP address from the wp-admin login after 3 failed login attempts within 5 minutes. This slows down password guessing from a single address; an attacker spreading attempts across many addresses will not be stopped, so it complements a strong password rather than replacing it.
- Denying access to the WordPress admin folder by IP address, which works well if you always administer the blog from a fixed address. You can read more about this method in Reuben Yau’s post Protecting the Wordpress wp-admin folder.
Deny Access to Other Folders - Many web hosts by default allow people to browse a folder if it has no index file. That is a concern for folders like wp-content/plugins, since a directory listing tells an attacker exactly which plugins you run. You can prevent this by adding blank index.html files to those folders or, better, by turning off directory indexes in an htaccess file so every folder is covered at once. You can read more on All Tips and Tricks.
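Here is what the wp-admin protection and the directory-listing fix above combine into, as an added example that is not from the original post or from any of the plugins it mentions. It uses Apache 2.4 syntax (Apache 2.2 used Order/Allow/Deny and Satisfy instead), assumes the site lives in /var/www/blog and that the administrator's fixed address is 203.0.113.10 (both placeholders), and assumes the host's AllowOverride setting permits AuthConfig, Limit and Options directives in .htaccess files.

```apache
# /var/www/blog/wp-admin/.htaccess   (placeholder path)
# Both an allowed source address AND a valid Basic-auth login are required.
# Change <RequireAll> to <RequireAny> if either one alone should be enough.
AuthType Basic
AuthName "Blog administration"
# Keep the password file outside the web root so it can never be downloaded.
AuthUserFile /var/www/.htpasswd
<RequireAll>
    Require ip 203.0.113.10
    Require valid-user
</RequireAll>

# Some plugins call admin-ajax.php from public pages; exempt it so they keep working.
<Files admin-ajax.php>
    Require all granted
</Files>


# /var/www/blog/.htaccess   (site root, placeholder path)
# Turn off directory listings for every folder under the site,
# including wp-content/plugins, in one place.
Options -Indexes

# wp-login.php lives in the site root, not in wp-admin, so the login form
# needs its own rules or the protection above never sees it.
<Files wp-login.php>
    AuthType Basic
    AuthName "Blog administration"
    AuthUserFile /var/www/.htpasswd
    <RequireAll>
        Require ip 203.0.113.10
        Require valid-user
    </RequireAll>
</Files>
```

Create the password file once with `htpasswd -c /var/www/.htpasswd yourname` (add `-B` on Apache 2.4 to store it as bcrypt), and serve the admin pages over HTTPS. Then check each rule from an address that is not on the allow list: wp-admin/ and wp-login.php should be refused (a 401 or 403), and wp-content/plugins/ should return 403 instead of a directory listing. If the server starts answering 500 after you add these files, the host's AllowOverride does not permit one of the directives; ask the host, or drop the Options line and fall back to blank index.html files.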
Remove the WordPress Version - Many hackers scan for installs of WordPress versions with known vulnerabilities. You can slow them down by removing the WordPress version string that most themes print in the page header by default. If you don’t want to dig around in the code of your theme, Blog Security’s bs-wp-noversion plugin (Removes WordPress Version) will do it for you. Keep in mind this is only a speed bump: the version also appears in the readme.html file in your site root and in the ?ver= query string WordPress appends to its own scripts and stylesheets, and a scanner can simply try the exploit regardless. Only updating (tip 5) actually closes the hole.
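A quick way to see whether the version is really gone, as an added example and not code from the original post or from the plugin it mentions: save the front page's HTML and run it through the checker below, which looks in the three common places the version is printed. The sample HTML is constructed for the example, and the `?ver=` check is a heuristic, because bundled libraries such as jQuery carry their own version number in that query string; only a `?ver=` value that matches a WordPress release is the leak.

```python
"""Check saved WordPress HTML for version disclosure (added example, offline)."""
import re

# The three places the WordPress version commonly shows up.
GENERATOR_META = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)["\']',
    re.IGNORECASE,
)
FEED_GENERATOR = re.compile(
    r"<generator>\s*https?://wordpress\.org/\?v=([\d.]+)\s*</generator>",
    re.IGNORECASE,
)
CORE_ASSET_VER = re.compile(
    r"/wp-includes/[^\s\"'<>]+?\?ver=([\d.]+)",
    re.IGNORECASE,
)


def find_version_leaks(html):
    """Return a dict naming each leak point found and the version string it reveals."""
    leaks = {}
    m = GENERATOR_META.search(html)
    if m:
        leaks["generator_meta"] = m.group(1)
    m = FEED_GENERATOR.search(html)
    if m:
        leaks["feed_generator"] = m.group(1)
    # Query-string versions on core assets: collect the distinct values seen.
    asset_versions = sorted(set(CORE_ASSET_VER.findall(html)))
    if asset_versions:
        leaks["asset_ver"] = asset_versions
    return leaks


def version_is_hidden(html, wp_version):
    """True only if none of the leak points reveals the given WordPress version."""
    leaks = find_version_leaks(html)
    if leaks.get("generator_meta") == wp_version:
        return False
    if leaks.get("feed_generator") == wp_version:
        return False
    if wp_version in leaks.get("asset_ver", []):
        return False
    return True


# Constructed sample: a theme header before and after the generator tag is removed.
BEFORE = """<head>
<meta name="generator" content="WordPress 2.3.1" />
<link rel="stylesheet" href="http://example.com/wp-includes/css/example.css?ver=2.3.1" />
<script src="http://example.com/wp-includes/js/jquery/jquery.js?ver=1.2.3"></script>
</head>"""

AFTER = BEFORE.replace('<meta name="generator" content="WordPress 2.3.1" />\n', "")

if __name__ == "__main__":
    print("before:", find_version_leaks(BEFORE))
    print("after: ", find_version_leaks(AFTER))
    print("hidden after removing the meta tag:", version_is_hidden(AFTER, "2.3.1"))
```

On the constructed sample, removing the meta tag still leaves `?ver=2.3.1` on the stylesheet, so `version_is_hidden(AFTER, "2.3.1")` is false; that is exactly the case where a plugin that only strips the generator tag gives a false sense of security.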
Update WordPress - Perhaps the easiest security essential is to keep an eye on your WordPress dashboard for announcements of new WordPress releases and to update your install as soon as you can. The same goes for the plugins you run: WordPress 2.3 and up notify you when updates are available for your plugins. Take the time to update them regularly to keep your exposure to a minimum.
A very valuable page to read is Hardening WordPress over at WordPress.org. By doing some very simple things you can make it much harder for the bad guys to ruin your day by defacing or hacking your blog. A few minutes spent on these items can save you hours if your blog gets hacked. And if the bad guys do get in, restoring your blog is much easier if you have a recent backup of your website, kept somewhere other than the server itself so it survives the break-in too.