Wordpress Security: Close Every Loophole

Mar 10, 2009, 08:46

Martin Malden

A review of some security precautions you can take to secure your blog, plus a couple of areas that are often overlooked.

Securing your WordPress installation against hackers means looking at areas beyond the installation itself. Don't leave other doors open.

If a hacker is absolutely determined to get into your site they're probably going to succeed. But you can protect your WP installation from mass automated (bot) attacks with a few common-sense precautions.

Here are some steps you can take:

Firstly, make sure you keep your version of WordPress up to date.

In addition to that, I've changed my login name from admin to something else (long and complex), made sure my password is as strong as I can make it, put an extra layer of security around the wp-admin directory, created a blank index.html file to hide the plugins I'm using, and taken a few other steps.

There are a number of good plugins that will carry out those steps and continuously monitor your blog for security vulnerabilities. I do recommend you install one of these - and keep it up to date!
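Two of the steps in that list live entirely on the web server's file system and can be checked without a plugin: the blank index.html in wp-content/plugins (so a directory listing cannot reveal which plugins are installed) and the extra layer in front of wp-admin (here, HTTP Basic authentication via an Apache .htaccess). The script below is an added example, not code from this article or from WordPress; the htpasswd location, the Apache 2.4 directive syntax and the throwaway directory layout used by `demo()` are assumptions about the hosting environment.

```python
"""Audit and apply two file-system hardening steps for a WordPress root:
a blank wp-content/plugins/index.html and a wp-admin/.htaccess requiring
Basic authentication.  Added example; not from the article or WordPress."""
from pathlib import Path
import tempfile

# Assumed location of the htpasswd file (created with Apache's htpasswd tool);
# it must live outside the web root so it can never be served to a visitor.
HTPASSWD_PATH = "/home/example/.htpasswd"  # placeholder, adjust per host

# Apache 2.4 directives: no directory listing, Basic auth for everything in
# wp-admin except admin-ajax.php, which front-end plugins call anonymously.
WP_ADMIN_HTACCESS = f"""Options -Indexes
AuthType Basic
AuthName "Restricted"
AuthUserFile {HTPASSWD_PATH}
Require valid-user
<Files admin-ajax.php>
    Require all granted
</Files>
"""


def audit_hardening(root):
    """Return a list of findings for the WordPress root; empty means both checks pass."""
    root = Path(root)
    findings = []
    if not (root / "wp-content" / "plugins" / "index.html").is_file():
        findings.append("wp-content/plugins/index.html missing: plugin list may be browsable")
    htaccess = root / "wp-admin" / ".htaccess"
    if not htaccess.is_file():
        findings.append("wp-admin/.htaccess missing: no extra layer in front of the admin area")
    elif "Require valid-user" not in htaccess.read_text():
        findings.append("wp-admin/.htaccess present but does not require authentication")
    return findings


def apply_hardening(root):
    """Write the blank index.html and the wp-admin .htaccess; return the paths written."""
    root = Path(root)
    index_html = root / "wp-content" / "plugins" / "index.html"
    htaccess = root / "wp-admin" / ".htaccess"
    for path in (index_html, htaccess):
        path.parent.mkdir(parents=True, exist_ok=True)
    index_html.write_text("")  # an empty page is served instead of a listing
    htaccess.write_text(WP_ADMIN_HTACCESS)
    return [str(index_html), str(htaccess)]


def demo():
    """Audit, harden, then audit again on a temporary directory laid out like a
    WordPress root; returns the findings before and after hardening."""
    root = tempfile.mkdtemp()
    (Path(root) / "wp-content" / "plugins").mkdir(parents=True)
    (Path(root) / "wp-admin").mkdir()
    before = audit_hardening(root)
    apply_hardening(root)
    after = audit_hardening(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Two caveats when using this for real: the .htaccess only takes effect if the host's Apache configuration permits overrides (`AllowOverride`) for the site, and the blank index.html only matters on servers that still allow directory indexes, so it is belt-and-braces rather than a substitute for `Options -Indexes`. Run `audit_hardening()` against your document root to see which of the two is missing; `demo()` exercises the same functions on a scratch directory.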

The risk increases in line with the number of users to whom you give access rights. I don't have guest bloggers, but if I did I'd ask them to send me their articles for posting, instead of giving them access rights. I also don't ask people to register.

But there are some areas that people often overlook, and which allow hackers to get access to your WordPress installation via your FTP details.

If you're not using SFTP (or Secure Shell access if your hosting provider doesn't support SFTP), then your FTP login details are transmitted across the Internet in the clear every time you log on and upload or download files.

I back up my blog system files each week by copying everything back to my PC. Since this takes around an hour there's plenty of opportunity for someone to intercept my FTP details.
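To make the point concrete from the defender's side: on the FTP control channel (TCP port 21) the USER and PASS commands cross the network as readable text, so a network monitor sitting on the path can flag them, while on an SSH/SFTP session (port 22) the same monitor sees only a version banner followed by ciphertext and has nothing to parse. The detector below is an added example, not from the article; the flows it inspects are constructed for illustration, not a real capture, and the `Flow` record type is an assumption about how a monitor would hand segments to the rule.

```python
"""Flag credentials sent in the clear on the FTP control port.
Added example; the sample flows are constructed, not captured."""
import re
from collections import namedtuple

# One observed TCP segment: client address, server port, payload as seen on the wire.
Flow = namedtuple("Flow", "src dst_port payload")

# Constructed sample: an FTP login followed by an SFTP login from the same PC.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 21, "USER bloguser\r\n"),
    Flow("192.0.2.10", 21, "PASS correct-horse-battery\r\n"),
    Flow("192.0.2.10", 21, "CWD /public_html/wp-content\r\n"),
    Flow("192.0.2.10", 22, "SSH-2.0-ExampleSSH\r\n"),       # plaintext version banner
    Flow("192.0.2.10", 22, "\x8a\x03\xf1...\x7c"),           # stand-in for encrypted bytes
]

# FTP authentication commands (RFC 959): USER <name>, PASS <password>.
CREDENTIAL_CMD = re.compile(r"^(USER|PASS)\s+(\S+)$", re.IGNORECASE)


def find_credential_exposure(flows):
    """Return one alert per credential sent in the clear on the FTP control port.
    The password itself is masked so the alert can be written to a log safely."""
    alerts = []
    for flow in flows:
        if flow.dst_port != 21:
            continue  # port-22 traffic is encrypted after the banner; nothing to parse
        for line in flow.payload.splitlines():
            match = CREDENTIAL_CMD.match(line.strip())
            if not match:
                continue
            cmd, value = match.group(1).upper(), match.group(2)
            shown = value if cmd == "USER" else "*" * len(value)
            alerts.append(f"{flow.src} sent cleartext FTP {cmd} {shown}")
    return alerts


if __name__ == "__main__":
    for alert in find_credential_exposure(SAMPLE_FLOWS):
        print(alert)
```

A rule like this is useful on a home or office network precisely because the author's hour-long weekly FTP backup is a long window: any workstation that still speaks plain FTP to the hosting server shows up as two alerts per session, and the fix is to switch that client to SFTP rather than to tune the rule.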

Also, of course, you could have spyware on your machine that picks up your FTP logins from there (along with all your other logins!).

Make sure you include your entire PC environment when you're putting security in place, not just your WP installation.

In addition to all those WP-specific precautions, make sure your PC is absolutely clean (use a good anti-spyware application and scan it regularly) and use SFTP or Secure Shell access to upload and download files to and from your server.