
Securing Your WordPress Blog From Attack

Getting Started

The first thing I recommend is that you log in to your WordPress blog and upgrade to the latest version straight away via the dashboard, as WordPress is always releasing patches that fix known vulnerabilities.

Then upgrade all your plugins as well, since plugin developers may also have released patches for known vulnerabilities in their plugins that could otherwise be used to harm your blog.

Protecting Your Plugins 

With so many free plugins available on the Internet, most of us have several installed, and any one of them may contain a flaw that an attacker could use to alter your blog in some way.

All a hacker has to do is visit www.yourdomainname.com/wp-content/plugins/ to find out which plugins you are using. Some hackers also run scanner software that probes your blog for plugins with known vulnerabilities.

Solution

To stop visitors from listing your plugins, simply create an empty index.html file and upload it to your plugins folder, /wp-content/plugins/, so the web server serves that page instead of a directory listing. Note that this hides the listing only; a plugin's files can still be requested by name, so keeping plugins updated matters more.

Password Security

This one is common sense, yet most of us use the same password for all of our website logins. Use a different password for each login, with a mixture of numbers and upper- and lowercase characters.

If a hacker gets hold of your password, breaks into your hosting server and finds your other blogs, and you use the same password for all of them, you have just handed over your entire network of blogs.

You should also change the default admin username, because an attacker who already knows your username is halfway to getting into your site. To do this, create a new user, give it administrator privileges, and delete the original admin user.


Protecting Your WP-Config.php File

Your wp-config.php file, in the root of your WordPress installation, contains information about your database: the database name, username and password. This is a file you should protect.

All you need to do is add the following text to your .htaccess file if you already have one (this assumes your host runs Apache). If you do not have a .htaccess file set up at your root, open Notepad and add the following text:

# WordPress permalink rewriting (the standard block WordPress itself writes)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# protect the .htaccess file itself
# (order/allow/deny is Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead)
<files .htaccess>
order allow,deny
deny from all
</files>

# limit request bodies (file uploads) to roughly 10 MB
LimitRequestBody 10240000

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

# disable directory browsing (plain ASCII hyphen before Indexes; an en dash breaks the directive)
Options All -Indexes

I put this text into a file I call htaccess.txt on my local drive, upload it to the root of the host, and then rename it on the host to .htaccess; it then immediately disappears because it acts like a system file.

Login Limitations 

It is a good idea to limit how many times a user can enter a wrong password before being locked out of your blog. A good plugin for this is called “LockDown”, which locks out users after too many failed attempts; its options page lets you choose both the number of attempts allowed and how long the lockout lasts.

Hiding Your Wp-Admin Login Page 

A great plugin called “Stealth Login” can hide your WordPress login page, so that even if your password did leak out, a hacker would have a hard time finding the login page. It is also useful for keeping malicious bots away from your wp-login.php file so they cannot hammer it with login attempts. Hiding the page is obscurity rather than a fix, so use it alongside strong passwords and login limiting.

Hiding Your WordPress Version 

By default, WordPress themes have a line in header.php that displays the version of WordPress you are running (visible to anyone who views the page source).

Since anyone can learn your WordPress version this way, your blog is exposed to anyone targeting known flaws in that version until you upgrade to the latest release. To stop displaying the version, open your theme's header.php file and look for the following line:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

and replace it with <meta content="WordPress" />

To reach header.php from the WordPress dashboard, click Appearance / Editor and then select the Header.php file.

Some themes already have this done for you, but it is worth taking a look. Note that WordPress core also prints its own generator tag through the wp_head hook, so view the page source after the change to confirm the version number is really gone.

Protecting Your Database 

Another great free plugin is WP-DB-Backup, which makes backing up your database easy and automated. You only need to set it up once and schedule it to run at regular intervals.

The plugin automates database backups and can send them to your email inbox. Besides the default tables created by WordPress, it can also back up custom tables created by plugins. If your account or site is lost, you can easily import the backup and restore the database.

Change Database Table Prefix 

When installing WordPress, it uses the default “wp_” prefix for your database tables, which makes your table names predictable for any attacker who gets as far as your database. You can easily change the prefix to something harder to guess using the WP-Security-Scan plugin. Take a database backup first, since the change renames every table.

WP-Security-Scan checks your WordPress installation for security weaknesses and suggests or carries out corrective actions. These include changing your database prefix, hiding the WordPress version number from the header, and testing the strength of your password.

Once in a while it is a good idea to run the built-in security scanner and check your blog for any vulnerabilities.

Protect Your Blog From Comment Spam 

Spam can be a danger to your blog and its visitors, since comment spam inserts unwanted content and links onto your pages. One way of protecting against it is to use plugins that track comments and trackbacks, run them through tests to decide whether they are spam, and then refuse or approve them based on the results. It is worth noting that this is not completely foolproof, and depending on the size of your blog you may prefer to moderate comments personally, or even limit commenting to specific posts.

Anti-spam plugins and additional resources on how to protect against comment spam:

Akismet

Codex on Combating Comment Spam

Codex listing of Spam Tools

Limit Self Registration Of Users 

WordPress lets visitors create their own accounts. Self-registration is intended for people who will post, but it also lets anyone subscribe, which gives read-only access. Turn self-registration off under Settings by unchecking “Anyone can register”, or else limit newly registered readers to the Subscriber role only.


Delete the Install.php from your root directory 

After you have installed WordPress, make sure you delete install.php from your root directory, as anyone could run this file and cause damage to your website.
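A local check of the items covered so far (the index.html in the plugins folder, the .htaccess rules, the version line in header.php, the table prefix and a leftover install.php), as an added example that is not the post's own code; it assumes the standard WordPress directory layout and runs against a copy of the blog root on your own machine:

```python
"""Offline audit of a WordPress root against this guide's checks (added example, not the post's code)."""
import pathlib, re, sys

def load_tree(root):
    """Map relative POSIX paths to text for every file under root."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): p.read_text("utf-8", errors="replace")
            for p in root.rglob("*") if p.is_file()}

def htaccess_issues(text):
    """Parse .htaccess text and return which of the guide's rules are missing."""
    blocks = {m.group(1).lower(): m.group(2) for m in
              re.finditer(r'<files\s+"?([^\s">]+)"?\s*>(.*?)</files>', text, re.I | re.S)}
    issues = [f"no 'deny from all' block for {n}" for n in (".htaccess", "wp-config.php")
              if not re.search(r"^\s*deny\s+from\s+all\s*$", blocks.get(n, ""), re.I | re.M)]
    # Apache needs a plain ASCII '-Indexes'; an en dash pasted from a web page does not match
    if not re.search(r"^\s*Options\b.*\s-Indexes\b", text, re.M):
        issues.append("directory browsing not disabled (Options -Indexes)")
    return issues

def table_prefix(wp_config):
    """Return $table_prefix from wp-config.php text, or None if it cannot be read."""
    m = re.search(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""", wp_config)
    return m.group(1) if m else None

def header_leaks_version(header_php):
    """True if a theme header still prints the WordPress version number."""
    return re.search(r"""bloginfo\(\s*['"]version['"]\s*\)""", header_php) is not None

def audit(files):
    """Run every check over a {relpath: text} tree; returns {check: finding}."""
    findings = {}
    if "wp-content/plugins/index.html" not in files:
        findings["plugins_index"] = "wp-content/plugins/index.html missing"
    if issues := (htaccess_issues(files[".htaccess"]) if ".htaccess" in files else ["no .htaccess"]):
        findings["htaccess"] = "; ".join(issues)
    if (prefix := table_prefix(files.get("wp-config.php", ""))) in (None, "wp_"):
        findings["table_prefix"] = f"default or unreadable prefix {prefix!r}"
    if leaks := [p for p, t in files.items() if p.endswith("header.php") and header_leaks_version(t)]:
        findings["version_leak"] = leaks
    # The guide says the root; WordPress itself ships the installer as wp-admin/install.php
    if left := [p for p in ("install.php", "wp-admin/install.php") if p in files]:
        findings["install_php"] = left
    return findings

if __name__ == "__main__":  # usage: python wp_audit.py /path/to/wordpress
    print(audit(load_tree(sys.argv[1])))
```

An empty result means every check passed; each key names the section of this guide whose fix is still outstanding.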


Checking Your Theme For Harmful Links 


When you install a free WordPress theme you found on the Internet, make sure it does not contain any harmful links that could ruin your rankings with Google.

Some designers sell footer links on these themes; that is how they make money while letting you download the theme for free. But some designers hide those footer links so you do not see them, which is against Google's webmaster guidelines and will harm your rankings. Some of these links also point to what is known as a bad neighbourhood: websites that Google has blacklisted, and if you link to them your blog will lose its rankings.

A typical free theme's footer carries visible credit links. If you run your cursor over the whole footer area and highlight it, you may also reveal hidden links styled so they cannot normally be seen.

You can guess how bad that looks in Google's eyes and what effect it would have on your blog.

So when you download a free theme, check the template files for hidden links. You can do this from the dashboard under Appearance / Editor / Footer.php; look for links, or the CSS that styles them, using display:none, visibility:hidden, a tiny font size or a text colour matching the background, and for footer code that is encoded so it cannot be read in the editor.


I highly recommend you get your WordPress themes from Woo Themes.

Keeping Your Computer Clean

It is very important to make sure the computer you use to edit your WordPress blog is free of spyware, viruses, malware, adware and the like. For example, a keylogger infection on your PC will capture all your passwords, giving its operator access to your WordPress blog and every other website you use.

Make sure you have up-to-date antivirus and firewall protection on your computer. A very good application, free to use, is CCleaner, which scans your computer for spyware and adware and deletes them. I recommend installing it and running it at least once a day if you use the Internet a lot, as it will detect infections picked up from websites that install applications in the background without your knowledge.
Server Vulnerabilities 

The web server running WordPress, the database holding the WordPress data, PHP, and any other scripting or programming language used by plugins or helper apps could all have vulnerabilities. So make sure you are running secure, stable versions of your web server, database and scripting interpreter, or use a trusted host that takes care of these things for you.

It should also be mentioned that on a shared server (one that hosts other people's sites besides yours), if someone else is compromised it is quite possible you will be compromised too, even if you follow everything in this guide. Ask your web host what security precautions they take.

One hosting company I recommend is Hostgator.

Written by Andrew Fitzgerald - Websites For Sale | Make Money Online
