WordPress is one of the most popular blogging platforms around. However, if you self-host your blog (rather than hosting on wordpress.com), you are responsible for making it more secure. WordPress blogs are a constant target of automated and manual hacker attacks. When your site gets infected, it redirects your visitors to exploit pages that infect their PCs. Also, your site will get blocked from Google search results or by your visitors' antivirus. Thus it is very important to protect your blog and avoid infections.
There are a couple of ways to make your WordPress installation more secure:
1. Hide your WordPress version
It is very useful when you don't have time to update your WordPress version or cannot do it just yet. This might happen if you run a highly customised theme or plugins. While hackers don't know the exact version of your blogging software, they cannot be sure whether it's outdated or not. WordPress developers added this version tag just to count the versions people are using, but it is a green light for hackers once your site becomes outdated.
To remove the WordPress version from your site, simply open your functions.php file and add a line:
Some templates have it removed already, but it's really a good practice to check whether it's there.
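As an added example (not code from the original post), the following snippet for functions.php removes the generator tag from the page head and from feeds, and also strips the core version from the ?ver= query string on scripts and styles that core enqueues; the function name hide_wp_version_query_arg is my own. Note that other files (such as readme.html) can still reveal the version, so treat this as one layer, not a substitute for updating.

```php
<?php
// Added example, not from the original post. Put this in your theme's
// functions.php (or a must-use plugin, so a theme update cannot drop it).

// Removes <meta name="generator" content="WordPress x.y.z"> from <head>.
remove_action( 'wp_head', 'wp_generator' );

// RSS/Atom feeds carry a <generator> element as well; blank it too.
add_filter( 'the_generator', '__return_empty_string' );

// Core appends ?ver=<WordPress version> to its own scripts and styles.
// Strip it only when it equals the core version: plugins and themes use
// their own numbers there and rely on them for cache busting.
function hide_wp_version_query_arg( $src ) {          // hypothetical name
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'hide_wp_version_query_arg', 9999 );
add_filter( 'script_loader_src', 'hide_wp_version_query_arg', 9999 );
```

After saving, view the page source of your front page and a feed URL: neither should contain the version string any more.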
2. Prevent people from accessing your WordPress admin panel from unknown IPs
Blocking unknown IP addresses from the admin panel ensures that hackers cannot log in and access administrative WordPress functions. There is a catch though: it works best if you use a single IP address for blogging. Even if you use a dynamic address or several networks, you can limit access to the wp-admin folder by allowing specific IP ranges only.
On Apache, this can be done by adding a .htaccess file in the wp-admin folder. This file should contain the following rules (the address shown is a placeholder; put your own IP or range there, and be aware that some plugins call wp-admin/admin-ajax.php from the public site, so test the front end after adding this):
order deny,allow
deny from all
# replace the placeholder below with your own address or range
allow from 203.0.113.10
3. Keep your WordPress updated
When a new update comes out, WordPress developers publish the vulnerabilities they fixed, so it's quite easy for hackers to search for an outdated site and try to hack it. So it's a good idea to keep your WordPress updated to the latest version. Personally, I do not rush to update to new major releases, but install them starting with the first security-patched version.
It is very important to keep plugins updated as well. Many automatic WordPress worms try to exploit known plugins and themes. For example, older versions of TimThumb (an image processing plugin) had a vulnerability that is exploited even now. Plugins might be maintained at a slower pace, so you should not use rarer, less tested plugins at all.
4. Back up your site
It doesn't matter how good your WordPress security is – you should still back up your site. There are several ways to do it: you might use cron jobs, or your hosting provider may give you good tools for that.
There are also automatic tools to keep up with backups. You can use VaultPress, which gives you a nice admin backend.
Additionally, you can log in to the admin panel, go to Tools and click Export. This function is also useful when you need to set up your site again.
5. Remove the default administrator user (admin)
That's one of the easiest things you can do to make your WordPress blog more secure. The administrator account shouldn't be used for everyday blog writing. You need it only for managing themes, plugins and updates, which you don't do every day. Create two accounts: one for writing posts and one for administering WordPress. The second, administrative user should not be used for posting at all. I explain why this should be done in the post about username bruteforcing in WordPress.
6. Change your site file permissions
It is very important not to leave permissions open, to make sure your site is secured. For most files, the best permissions are CHMOD 744, which will allow you to make changes but will restrict everyone else. The single exception is the upload folder, where you upload images and other files through the administration panel. This folder should be writable by your webserver account.
7. Use security plugins
There are several great WordPress plugins out there which help you secure your blog and keep track of hacking attempts. Some hackers try to brute-force the admin login, so there's a very useful plugin called Login LockDown (http://www.bad-neighborhood.com/login-lockdown.html), which logs failed login attempts with a timestamp and IP address. Additionally, it lets you block an IP after a number of unsuccessful logins. Most brute-force hackers give up when they get banned every 5 minutes.
Another great plugin is BulletProof Security (http://wordpress.org/extend/plugins/bulletproof-security/). It fixes the .htaccess files and protects against XSS, RFI, CRLF, CSRF, Base64, code injection and SQL injection attempts.
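To show what the failed-login logging and temporary ban described above do, here is an added example (my own code, not Login LockDown's or BulletProof Security's) that can live in a must-use plugin; the ll_ function names, the threshold of 5 failures and the 5 minute window are assumptions, and it assumes REMOTE_ADDR holds the real client address (adjust if you are behind a reverse proxy).

```php
<?php
// Added example, not from the original post or either plugin. Records each
// failed login with timestamp, username and IP, and refuses further logins
// from that IP for a short while after too many failures.
define( 'LL_MAX_FAILURES', 5 );                       // assumed threshold
define( 'LL_WINDOW', 5 * MINUTE_IN_SECONDS );         // assumed window/ban

function ll_client_ip() {
    // Assumes no reverse proxy; otherwise read the proxy's trusted header.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ll_transient_key( $ip ) {
    return 'll_fail_' . md5( $ip );
}

// Fires on every failed login: log it and bump the per-IP counter. The
// transient expires after LL_WINDOW, which is what lifts the ban.
function ll_record_failure( $username ) {
    $ip    = ll_client_ip();
    $key   = ll_transient_key( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LL_WINDOW );
    error_log( sprintf( '[%s] failed login for "%s" from %s (%d/%d)',
        gmdate( 'Y-m-d H:i:s' ), $username, $ip, $count, LL_MAX_FAILURES ) );
}
add_action( 'wp_login_failed', 'll_record_failure' );

// Runs late in the authenticate chain (after core's own checks) so that a
// banned IP is rejected even when the password is correct.
function ll_check_lockout( $user, $username, $password ) {
    $count = (int) get_transient( ll_transient_key( ll_client_ip() ) );
    if ( $count >= LL_MAX_FAILURES ) {
        return new WP_Error( 'll_locked_out',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'll_check_lockout', 100, 3 );
```

The log lines land in the PHP error log, so you can watch them with your usual log tools and see how often you are being hit.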
8. Make sure your other web applications are safe
Even if your WordPress site is secure, hackers might find a way into your site through additional software, like forums, helpdesks, etc. Update them regularly. Also, analyze your server logs to see whether the applications are working as they should, without errors.