Without a doubt, for a self-hosted blog, WordPress is the best blog CMS that you can get. However, being a popular and open source software, it also means that hackers have full access to the code which they can scrutinize to find any exploits they can use to hack into any WordPress-enabled site.
On the good side, one of the best things about WordPress is its plugin system that allows anyone to install any plugins or create your own plugins to extend its functionality, including improving security.
Here, I have listed some wordpress security plugins (and a couple of tricks) that you can use to secure WordPress blog.
All the plugins and tricks listed below are meant for WP 2.7 and above. If you are still using an older version of WordPress, it’s time to upgrade your blog.
Protecting Your Login
This plugin uses the CHAP protocol to encrypt your password. The password is first salted with a random number (nonce) generated by the session, followed by the md5 transformation algorithm. This result is then sent to the server where it is decrpyted and authenticated. This is a zero-configuration plugin, which means you can use it immediately after activating it.
2. Stealth Login
Stealth Login obfuscates your login page by allowing you to define a custom login page rather than the default wp-login.php. In the event that your password is leaked, the hacker will also have a hard time finding the correct login URL. A good use of this is to prevent any malicious bots from accessing your wp-login.php file and attempting to break in.
Login Lockdown is useful in preventing a brute force attack. What Login LockDown does is to record the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, it will lockdown the login function and prevent any people from that IP range to log in.
This plugin adds an additional HTTP authentication to provide a second layer of defense for your blog. You can set up password protection for your blog using HTTP Basic Authentication, or you can choose to use the more secure HTTP Digest Authentication.
Note that this plugin might/might not work depending on your server capability. If your site does not pass the AskApache configuration tests (the tests run by the plugin to detect your server capabilities), contact your web host and see if they can make changes on the server side.
This plugin provides a “semisecure” login environment by encrypting your password with the RSA cryptography
Protecting Your Database
Perhaps for some of you, backing up a database could mean a troublesome technical chore. With WP-DB-Backup, you just need to configure it once and get it to run automatically at regular intervals.
What this plugin does is to automate the backing up of your database and have it sent to your email inbox. Other than the default table created by WordPress, you can also backup custom tables created by plugins. In the event that your account crashes, you can easily import and restore the database with the backup.
Wp-DBManager is just like a phpmyadmin within your dashboard. You can easily manage your database directly within your dashboard. There are useful features such as optimizing/repairing/backing up/restoring your database and if you are technical enough, you can even run your own SQL query from the option page.
On the bad side, if any hackers manage to login to your site, this plugin is going to be a gateway for them to create havoc in your database.
8. Change database table prefix
The default prefix used by WordPress is “wp”. You can easily change the prefix to other terms that are difficult to guess using the WP-Security-Scan. More detail on this plugin below.
9. Protect your wp-config.php file
Your wp-config.php file contains all your database login credentials and it should be hidden from public view in all circumstances. In your htaccess file, put in this line:
order allow,deny deny from all
to prevent anyone from viewing the wp-config.php file.
Protecting Your Admin Page
This plugin forces SSL on all pages where passwords can be entered so that all information transmitted are encrypted.
One thing though, you have to own a SSL certificate before you can do it. If you are not willing to shell out the extra money to buy a private SSL certificate, you can ask your Web host about Shared SSL. Most web hosts provide Shared SSL for all their clients and it is easy to configure.
11. Change login username
Using “admin” as your login username is the last thing you want to do. When you first installed WordPress, you should immediately create another administrator account with your own username and password and delete the “admin” account.
Prevent Others From Viewing Your Internal File Structure
12. Hiding the WP version
In most WordPress themes under thesection, there is always a line of code showing the WordPress version that you are using. Giving away your WordPress version number means telling the hacker what exploit to use to hack into your site.
Since WP2.6.5, WordPress has made it even harder to remove the wp version as it embeds that information within the wp_header tag. A plugin that you can use to remove that information is WP-Security-Scan.
13. Hiding the WP-content
The WP-content folder is where you stored all your plugins and theme files. This is the place where you want to prevent other people from looking into. You can either upload a blank index.html file to the wp-content folder, or create a .htaccess file in the wp-content folder and add this line:
Smartphones vs. Desktops: Why Is My Phone Slower Than My PC?7 Great Plugins for Windows Live Writer 2009Options All -Indexes
14. Block wp-folder from indexing by search engines
While you want the search engines to index your blog and bring in lots of traffic, the last thing that you want to see is to let the search engines expose your internal file structure to the public. What you can do is to block all your wp-folder from indexing by search engine by adding the following entries to the robot.txt:Disallow: /wp-*
I have mentioned this plugin several times, so it is time for me to explain what it does. WP-Security-Scan checks your WordPress for security vulnerabilities and suggests/provides corrective actions. The corrective actions include changing your database prefix, hiding the WordPress version number from the header and allows you to test out the strength of your password.
Once in a while, it is a good idea to run the inbuilt security scanner and check your blog for any security invulnerabilities.
16. Change password regularly
Not only should you change your password regularly, you must also make sure that it is a strong one. If you have difficulty in creating one, find one how you can create strong passwords that you can remember easily How To Create Strong Passwords That You Can Remember Easily How To Create Strong Passwords That You Can Remember Easily Read More .
17. Update WordPress and all plugins to the latest version
Needless to say, upgrading to the latest version of WordPress and plugins is the best way to protect yourself.
Protecting Your Connection
Transferring files to your online account is a common thing to do. However, instead of using the unsecured FTP, you should use SFTP (Secure FTP). This will create a SSH connection and sent all your files encrypted to the server. If you need help creating a SFTP connection, here’s the guide.
The above information should be sufficient for you to create a secure WordPress blog. If you have not implemented any of these, I would urge you to do so now.
What other methods do you use to secure your WordPress blog?
Leave a Reply Cancel reply
February 2, 2010 at 10:58 pm
Just what I was searching for. Found a few I didn't know about, thanks much, now I'm off to do them.Reply
November 3, 2009 at 8:52 am
I think that disallow access in .htaccess file (for apache use) to blacklisted host is a good idea to prevent big problem...and also, have a good robots.txt file to make sure that webcrawler (who's using correctly this file) doesn't hig load your website (it can be a security issue I think), and even with the robots.txt file, just disallow critical directory to webcrawler in the .htaccess... Hey, good post also! ;)Reply
October 9, 2009 at 5:11 pm
Nice article on WordPress security, good work.
I have also done up an article on WordPress Security that may be helpful http://thesocialmediaguide.com.au/2009/10/09/wordpress-security-guide/
October 4, 2009 at 11:14 pm
Nice post. Do you like britney ? You can find Britney's new Songs and MTVs at
September 24, 2009 at 10:55 am
Tip #9 is rather pointless. The only way php code is visible via a browser is if your php installation is completely borked, at which point you would not even be able to install wordpress (or any other php application) anyway. The only thing you have managed to do is turn a blank page into a "you're not authorized" message.
For example, here's a link to the config file for wordpress.org. Not very informative, is it?
A better solution is to move wp-config.php out of the web-accessable area on your server, if you are concerned about this issue.Reply
August 27, 2009 at 11:59 pm
Very useful for non technical folks like me and something I intend to implement in the next day or so.
I didn't realize it was that easy to find such sensitive information and as you say, every little helps.
Good article nice and clearly laid out, thank you.Reply
August 14, 2009 at 6:31 pm
I was wondering how can we prevent DDOS effectively.
I'm tired of someone who always DDOS my blog.Reply
August 14, 2009 at 11:19 am
"well, we all know theirs huge benefits to register a company in Cyprus, lol. My account pointed me to a few blogs on the net which i'm rather reluctant to check out as i've been so busy lately"Reply
July 19, 2009 at 9:40 am
Thanks for your compilation of the security requirement.
It is very helpful to a blogger like me. Also some items are eye opener for me.
Alwin Chuah (Malaysia)Reply
May 2, 2009 at 4:04 am
Point number 6,11,12 are really great , Thanks a ton damien!Reply
April 26, 2009 at 4:54 am
Nice Job, Keep it up!Reply
WordPress is Dead
April 7, 2009 at 3:32 am
LOL WordPress is dead. This is a list of stuff that protects WordPress right now. But what about tomorrow? For multiple instances of wordpress it isn't feasable anymore. If you have to do this much stuff to protect your installation you might as well go back to static html.
This is a total joke and WordPress should be sued for the damage they have caused.Reply
March 28, 2009 at 4:29 am
Damien, (forgive the newbie) could you tell me which plugin could fully password protect a site? As in, I do not want the blog visible to any anonymous users. I want ONLY registered users to be able to view the site, similar to a login page like the first image on this article (how could I set up a login page like that picture?). Suggestions? Thank you!!Reply
March 29, 2009 at 3:25 am
I have not come across any plugin that does what you want (though I think they are available). What you can do is to insert the following code to your theme's header.php file, at the very top:
This will check if the user is logged in. If no, it will redirect the user to the login page.Reply
Edward de Leau
April 26, 2009 at 10:12 am
uhm... that would be not smart since changing the header is only ADVICE for "browsers", if I write a script to do bad things I obviously wouldnt listen to that advise and just skip the header relocaton and read the rest of the page. So be sure to put exit; behind the header relocation.Reply
- Edward de Leau April 26, 2009 at 10:12 am
April 26, 2009 at 5:07 am
Alex, The plugin you're wanting is called "Members Only": http://wordpress.org/extend/plugins/members-only/Reply
- Damien Oh March 29, 2009 at 3:25 am
March 18, 2009 at 2:15 am
My apology, the htaccess code for No. 9 should be
deny from all
March 17, 2009 at 5:48 am
I can't visit my site (500), if I implement No.9. Why?Reply
March 15, 2009 at 9:03 pm
Thank for your information
March 14, 2009 at 3:16 pm
Thanks for the list...Will try out some...Reply
March 14, 2009 at 2:32 pm
I am surprised that Phonefactor wasn't mentioned. It adds two-factor authentication to your logon page. You should check it out - http://www.phonefactor.com/news/phonefactor-makes-wordpress-logins-more-secure-than-most-online-bank-accounts.php. The plugin can be found here:Reply
March 15, 2009 at 6:05 am
I guess I have missed that one. Thanks for informing.Reply
- Damien Oh March 15, 2009 at 6:05 am
March 14, 2009 at 3:23 am
new 2 wordpress and this gr8 list certainly will help protect my bloggie. keep it up. discovered via twitterReply
March 14, 2009 at 2:12 am
Thanx.. Very useful information!Reply
Daryn St. Pierre
March 13, 2009 at 10:12 pm
Wow, this is one heck of a list. I just grabbed 2 items for use on my blog. Thanks for putting this together. I can tell it took some time. Gonna give CHAP Secure Login and WP-DBManager a try.Reply
March 13, 2009 at 7:51 pm
#9 didn't work for me. I ended up getting an Error 500.Reply
March 13, 2009 at 5:57 pm
Thanks for the post, I've used Security Scan and WP-Database-Backup, but the others are welcome new info.Reply
March 13, 2009 at 4:34 pm
Good article. I'm using some of these methods, but I'll definitely be adding a few from this list to my self-hosted WordPress install.Reply
March 13, 2009 at 3:19 pm
Nice job. Some here that I'm not using. Security Scan is a great plug-in. Highly recommend that one.Reply
March 15, 2009 at 6:01 am
You are right there. Security scan is at the top of my plugins list.
Source : http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/
- Damien Oh March 15, 2009 at 6:01 am