11 Ways To Secure Your WordPress Blog

Securing your WordPress blog is the most important thing you must do after setting it up on your server. There is no reason to leave your WordPress installation wide open for attackers to creep in and steal your information or destroy your data. Here are 11 ways to secure your WordPress blog.

1) Encrypt your login

Whenever you log in to your website, your password is sent unencrypted. If you are on a public network, an attacker can easily ‘sniff’ your login credentials with a network sniffer. The best way is to encrypt your login with the Chap Secure Login plugin. This plugin adds a random hash to your password and authenticates your login with the CHAP protocol. Serving the login page over HTTPS, as described in the WordPress Codex article on Administration over SSL, protects the whole login exchange rather than only the password.

2) Stop brute force attack

Attackers can crack your login password by brute force, trying many candidate passwords in quick succession. To prevent that from happening, you can install the Login LockDown plugin. This plugin records the IP address and timestamp of every failed WordPress login attempt. Once a certain number of failed attempts are detected from the same IP range, it disables the login function for all requests from that range.
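To show what such a lockout does under the hood, here is a minimal version written as an added example (it is not the Login LockDown plugin's code). The exld_ names, the 5-failures-in-10-minutes policy and the 30-minute lockout are assumptions chosen for the example, and it locks a single client address rather than a range.

```php
<?php
/**
 * Added example, not the Login LockDown plugin's code: a minimal failed-login
 * lockout for WordPress. Save as wp-content/mu-plugins/example-lockdown.php.
 * Assumed policy (constructed for this example): 5 failures within 10 minutes
 * from one client address block that address from logging in for 30 minutes.
 */
define('EXLD_MAX_FAILURES', 5);
define('EXLD_WINDOW_SECONDS', 10 * MINUTE_IN_SECONDS);
define('EXLD_LOCKOUT_SECONDS', 30 * MINUTE_IN_SECONDS);

// Transient key for the requesting client. Behind a reverse proxy, REMOTE_ADDR
// is the proxy itself, so substitute the proxy-verified client address there
// rather than trusting a client-supplied header.
function exld_key(string $suffix): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'exld_' . $suffix . '_' . md5($ip);
}

// WordPress fires wp_login_failed whenever submitted credentials are rejected.
// Record the timestamp and lock the address once the threshold is reached.
add_action('wp_login_failed', function ($username): void {
    if (get_transient(exld_key('lock')) !== false) {
        return; // already locked out; do not keep extending the window
    }
    $now    = time();
    $stamps = get_transient(exld_key('fail'));
    $stamps = is_array($stamps) ? $stamps : [];
    // Sliding window: drop failures older than EXLD_WINDOW_SECONDS.
    $stamps = array_values(array_filter($stamps, fn($t) => $t > $now - EXLD_WINDOW_SECONDS));
    $stamps[] = $now;
    set_transient(exld_key('fail'), $stamps, EXLD_WINDOW_SECONDS);

    if (count($stamps) >= EXLD_MAX_FAILURES) {
        set_transient(exld_key('lock'), $now, EXLD_LOCKOUT_SECONDS);
        delete_transient(exld_key('fail'));
        // Leave a trace in the PHP error log so lockouts can be reviewed.
        error_log(sprintf('[exld] %s locked out after %d failed logins',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', count($stamps)));
    }
});

// Refuse authentication while the lock is active. Priority 30 runs after the
// core username/password check (priority 20), so even a correct password is
// refused until the lockout expires.
add_filter('authenticate', function ($user, $username, $password) {
    if (get_transient(exld_key('lock')) !== false) {
        return new WP_Error('exld_locked',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 30, 3);
```

Transients live in the options table (or the object cache), so the counters survive across requests without a dedicated table.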

3) Use a strong password

Make sure you use a strong password that is difficult for others to guess: combine digits, special characters and upper- and lower-case letters. WordPress 2.5 and above also includes a password strength checker you can use to check your password.

4) Protect your wp-admin folder

Your wp-admin folder contains all the important administration pages, and it is the last place you want to give others access to. Use the AskApache Password Protect plugin to password-protect the directory and grant access rights only to authorized personnel.

5) Remove WordPress version info

A large number of WordPress themes include the WordPress version in a meta tag. Attackers can easily read this information and plan attacks targeting the known vulnerabilities of that version.

To remove the WordPress version info, log in to your WordPress dashboard and go to Design->Theme Editor. On the right, click the Header file. In the code on the left, look for a line that looks like

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

Delete it and press Update File.

Update: In WP 2.6 and above, WordPress adds the version tag itself through wp_head, so deleting the line from the header file is no longer enough. To fix this, you can simply install the WP-Security Scan plugin.
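The same fix can be done without a plugin. The snippet below is an added example (not the article's or any plugin's code); it uses WordPress's own hooks, and the function name example_strip_core_version is mine. It also goes beyond the meta tag and removes the version from feeds and from the ?ver= query string on core scripts and styles.

```php
<?php
/**
 * Added example, not from the article or the WP-Security Scan plugin: remove
 * the WordPress version from the places core prints it. Save as
 * wp-content/mu-plugins/example-hide-version.php (or add to a theme's
 * functions.php).
 */

// 1. The <meta name="generator"> tag that wp_head() emits in WP 2.6 and above
//    (the tag that editing header.php no longer reaches).
remove_action('wp_head', 'wp_generator');

// 2. The <generator> element WordPress writes into RSS and Atom feeds.
add_filter('the_generator', '__return_empty_string');

// 3. The ?ver=<version> query string on core script and style URLs, which
//    still reveals the version once the meta tag is gone.
function example_strip_core_version($src) {
    if (!is_string($src)) {
        return $src;
    }
    // Only strip the core version; plugin and theme assets keep their own
    // cache-busting value.
    $core = 'ver=' . get_bloginfo('version');
    if (strpos($src, $core) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'example_strip_core_version');
add_filter('style_loader_src', 'example_strip_core_version');

// Quick check from a shell after installing:
//   curl -s http://yourwebsite.com/ | grep -i generator
// should print nothing.
```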

6) Hide your plugins folder

If you go to http://yourwebsite.com/wp-content/plugins, you can see a list of the plugins you are using for your blog. You can easily hide this listing by uploading an empty index.html to the plugins directory.

Open your text editor and save a blank document as index.html.

Using an FTP program, upload index.html to the /wp-content/plugins folder.

7) Change your login name

The default username is admin. You can make it harder for an attacker to crack your login credentials by changing the login name.

In your WordPress dashboard, go to Users and set up a new user account. Give this new user the administrator role. Log out and log in again with the new user account.

Go to Users again. This time, check the box beside admin and press Delete. When asked to confirm the deletion, select “Attribute all posts and links to:” and choose your new username from the dropdown. This transfers all the posts to your new user account. Press Confirm Deletion.

8) Upgrade to the latest version of WordPress and plugins

The latest version of WordPress always contains bug fixes for known security vulnerabilities, so it is important to keep your installation updated at all times. The latest version is WP 2.6 (as of this post). You can download it here.

9) Do a regular security scan

Install the WP-Security Scan plugin and regularly scan your blog’s settings for security loopholes. This plugin can also help you change your database table prefix from wp_ to a custom prefix.

10) Back up your WordPress database

No matter how secure your site is, you should still prepare for the worst. Install the wp-database-backup plugin and schedule it to back up your database daily.

11) Define user privilege

If your blog has more than one author, you can install the Role Manager plugin to define the capabilities of each user group. This gives you, the blog owner, control over what users can and cannot do on the blog.

Image credit: rommel_md

Damien Oh is the owner and chief editor of Make Tech Easier
  • http://www.code-styling.de/blog/english codestyling

    You state at point
    6.) Hide your plugins folder
    to use a blank html page. What about a .htaccess file containing only:
    Options -Indexes

    This also avoids directory listing of that folder.

  • http://www.texto.de/ Monika

    @ 5

    WP 2.6.1. creates the version info between head and /head by itself

    your info about deletion is false

    regards Monika

  • http://www.ifyouwas.com/ Baoky

    Nice write-up, good tips shared.

  • http://www.coolnailsart.com/ Lily

    Thanks for the great article… very helpful. From Lily – http://www.coolnailsart.com

  • http://www.metaloop.com/ Stephen

    Very useful info–thanks for sharing!! from Stephen at http://www.metaloop.com

  • http://www.ozeworks.com/ Kym

    On Linux you should use .htaccess files to protect folders – all of them, not just plugins – look at themes!

    Never have a database backup routine in your Admin panel. They hack your Admin panel and then ha, ha they restore an old version and delete all backups.

    And what about renaming wp-admin to something else?

  • http://www.peachygreen.com/ Stephanie

    Wow – these are all great tips. All of my blogs are WordPress and I am off now to make some changes to increase security.

  • Randy Tobes

    Most of the suggestions you list are features of this plugin: Maximum Security for WordPress – Keeps WordPress Secure

    I just ran across it today while looking for info on how to make WordPress security stronger.

    Thanks for your tips too.

    • http://maketecheasier.com/ Damien

      That seems to be a useful plugin. It is still in beta. I will test it out and see how it fares.

  • Dword

    Point #5 is not accurate anymore, under WP 2.6 or later I think. The generator and version info is now more difficult to remove, but still advised to do it. It is now called in wp_header, instead of simply appearing in the header.php template. Can you repost and explain the current way to remove this revealing information, as many people may wish to disable the version from showing for privacy and security reasons?

  • Juhari

    Good article. Thanks. Another one I found is good and has a very step-by-step, hands-on approach:

    http://www.itoneworldsystem.com/blog/2009/01/12/how-to-protect-your-blog-from-the-hacker/

  • http://techpaparazzi.com/ TechPaparazzi

    Hmm just moved to WP ……and was thinking that if my account can be hacked….how to protect it…..?
    And got some points here….

  • http://www.googade.com/ Martin

    Nice tips. Thanks for Sharing tips.

  • http://www.ampercent.com/ Amit Banerjee

    There is an alternative to point #6.

    You can also create an .htaccess file to prevent others from browsing your directories. Open Notepad and add the following line:

    Options -Indexes

    Save it as .htaccess and upload the file to your plugins and themes directories. This is a more secure and correct way of denying directory listings to browsers.

    • http://maketecheasier.com/ Damien

      Thanks for the tip.

  • http://guvnr.com/ the_guv

    Handy Damien.

    Ha! Just wrapped a security video tutorial about this, because I was fed up of finding such bitty guides everywhere. Wish I’d seen this first… I should have added your points about brute force attacks and encryption! –> Drawing board.

    Still, there are some other fresh points there, spelling out .htaccess and stuff, and saving installing AAPP for most folks with apache svr access, so hope that helps too..

    Video How-to: 10 Tips To Make WordPress Hack-Proof

    http://guvnr.com/web/blogging/10-tips-to-make-wordpress-hack-proof/

    • http://maketecheasier.com/ Damien

      It’s great of you to create the video to educate the masses. I appreciate that.

  • http://guvnr.com/ the_guv

    Hey Damien,

    Thank you. Hopefully lots more of them.

    It’s nice to meet you, Sir. Duly subbed up. Hmmn, gotta find time to read them thar feeds, mind ;)

  • http://www.per-autopilot-zum-reichtum.de/ Tobias

    Great security tips! Thank you so much. Now I have downloaded and installed some of the plugins in your post :)

    regards tobias

  • ydread

    if u use plugins, it shows in head profile. how do u hide the plugin info from showing in head( ie: . )

    • http://maketecheasier.com/ Damien

      Most plugins show up in the head tag because they use extra JavaScript or CSS files. You can use the plugin php_speedy to combine them all and show only one file. In this case, your plugins won’t appear in the head tag.

  • http://insured365.com/ Chris

    The AskApache Project is outdated and does not work properly anymore on WP 2.7.1 – only a few items are left working and it is more hassle than help. I would manually set up a .htaccess file for wp-admin and either allow access based on IP address or username/password instead for now.

  • http://www.nikanails.com/en/ creative

    Nice writeout, thanks for the tip.

  • http://www.rockinwordpress.com/ Chris

    Thanks for the great tips and plugins!

  • http://pwnwear.com/ Gravity

    Thanks for the tips.

  • http://www.themepremium.com/ Harsh Agrawal

    Hey Damien, some good and clean points. Thanks for putting all of them in one place.

  • http://www.techmaish.com/ Bilal Ahmad

    Hmmm, great post. All the points are very important. Thanks for your help.

  • http://www.mohamedadamjr.com/ MohamedAdamJr

    Awesome post it was really helpful.

  • http://maketecheasier.com/ Damien Oh

    I am glad that it is useful to you.

  • http://www.net-based-income.com/ affiliate

    is there any update on this since we are now in 2010?

  • http://www.exclusiveniche.com/plr-articles.html Jessica

    Very nice and informative post. I'll implement them soon on my blog.

  • http://www.daywatcher.com daywatcher

    Thanks a lot for this useful information, much appreciated.

  • http://maketecheasier.com/ Damien Oh

    Even though we are in 2010, most (if not all) of the points listed above will still work.

  • http://lynxfactor.com David, The Lynx

    You forgot an extremely important tip – use a host that doesn't suck. Some hosts are vulnerable to security breaches and will lead your site to be hacked even if you have the best security practices.

  • http://maketecheasier.com/ Damien Oh

    That will apply to all websites, not only WordPress sites. The best way is to google around for various web host reviews before committing yourself to a host.

  • http://lynxfactor.com David, The Lynx

    Fair nuf, though the current wave of viral infections targeting a certain host seem to be both host and wordpress specific =) great article, thanks!

  • http://www.technofreaky.com admin@technofreaky

    Very nice info there…certainly security is a major concern which should be taken seriously.

  • http://marvelinthesky.com Marvel

    Thank you for putting this list together… I was actually looking for some sort of https wordpress login… does it exist! the search goes on.

  • http://maketecheasier.com/ Damien Oh

    You might want to check out http://codex.wordpress.org/Administration_Over_SSL for instructions on https login

  • http://www.99Points.info Zeeshan

    Thanks a lot for such a nice article. It helped me a lot !
