
10 Easy Steps to Protect and Secure Your WordPress Blog

At the beginning of 2009 there were approximately 133 million blogs online. This is quite a large market and also the perfect playground for unscrupulous people who live to spam, scam and simply create malware that can seriously compromise and disable unsuspecting sites. As WordPress blog owners, we must do everything possible to ensure that our sites are never compromised.

Here are 10 very simple steps, tools and tips to ensure your blog can withstand malicious attacks and not be overrun by spam.

1. Use the login lockout plugin

Attackers guess passwords by brute force: a script tries thousands of username and password combinations against wp-login.php until one works, and a weak password falls quickly. This plugin adds a control WordPress lacks by default: it counts failed logins per IP range and, after a set number of failures in a short window, refuses further attempts from that range for a cooling-off period, which turns an unattended overnight attack into a handful of tries per hour.

2. Remove Unused Plugins

Always delete plugins you no longer use rather than merely deactivating them. A deactivated plugin's files stay on the server, its scripts can still be requested directly, and nobody updates it, so any vulnerability it carries remains exploitable. The same goes for unused themes.

3. Secure the /wp-admin/ directory using .htaccess

I found this on Google’s Matt Cutts blog. Secure your /wp-admin/ directory using an .htaccess file to only allow access from specific IP addresses. Create a new .htaccess file, which you can place directly in /wp-admin/.htaccess.

This is what the .htaccess file contains:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 111.111.111.111
# whitelist work IP address
allow from 111.111.111.111
allow from 111.111.111.111

Replace 111.111.111.111 with the IP addresses you want to whitelist. "order deny,allow" and "deny from all" block every address first, and each "allow from" line then opens an exception, so only the listed addresses can reach /wp-admin/. The lines beginning with "#" are comments and can be changed to suit your needs; the four Auth* lines are inert and do not add a password prompt, the restriction comes entirely from the order/deny/allow lines.

A few caveats: this is Apache 2.2 mod_authz_host syntax. Apache 2.4 deprecates it in favour of "Require all denied" and "Require ip", and nginx and other web servers ignore .htaccess files entirely, so check what your host runs. wp-login.php lives in the blog's root, not in /wp-admin/, so this does not stop login attempts (that is what the lockout plugin in step 1 is for). /wp-admin/admin-ajax.php is called from the public side of the site by some themes and plugins, so whitelisting the whole directory can break those features for ordinary visitors unless you exempt that file. And if your ISP assigns you a changing address, you will lock yourself out when it changes, so keep FTP or SSH access handy to edit the file.

4. WordPress Security Scanner Plugin

Install this plugin to check your installation for weak settings, such as world-writable files and directories and insecure database configuration, and to get a report of what needs to be fixed before someone else finds it.

5. Limit what new registrations can do

If your blog accepts registration, make sure that a visitor cannot simply register and receive elevated access. Go to Settings in the WordPress dashboard, select General, and check the "New User Default Role" setting. Subscriber is the lowest role and the right default: subscribers can manage their own profile and comment, but cannot write posts. Contributor lets a new user submit drafts for review, so choose it only if you want that. If you do not need registration at all, untick "Anyone can register". Finer-grained privileges can be assigned using the Role-Manager plugin.

6. Change your login name

The installer's default username is admin, so every brute-force script tries that account first; with the username known, the attacker only has to guess the password. Make them guess both by replacing it.

In your WordPress dashboard, go to Users and set up a new user account with a name that is not obvious. Assign this new user the Administrator role. Sign out and sign back in with the new account.

Go to Users again. This time, check the box next to admin and hit Delete. When asked to confirm the removal, select "Attribute all posts and links to:" and choose your new username from the dropdown. This transfers all posts to your new account instead of deleting them. Press Confirm Deletion.

7. Use a very strong password

Be sure to use a strong password that is difficult for others to guess and that brute-force scripts cannot reach in a reasonable time. Length matters most: a long passphrase of several unrelated words beats a short string of symbols. Mix in digits, special characters and upper- and lower-case letters, never reuse the password on another site, and consider a password manager so you do not have to remember it.

8. Always update to the latest version of WordPress

Each WordPress release fixes the security vulnerabilities found since the previous one, and the details of those fixes are public, so an out-of-date blog is running known holes that attackers actively scan for. Keep your blog up to date at all times, and update your plugins and themes for the same reason. The latest version at the time of this post is 2.9.2.

9. Install the Akismet plugin

Once installed and activated with an API key, Akismet submits each new comment to the Akismet web service, which decides whether it looks like spam and, if so, holds it back from publication. Suspected spam is kept in a separate Spam folder where you can review everything that was caught and restore any false positives. The plugin can be downloaded from Akismet.com.

10. Backup your WordPress database

Several free plugins can schedule regular backups of your database to reduce the risk of data loss. The database holds your posts, comments and settings, but not your uploads, themes or plugins, so back up the wp-content directory as well, and keep copies somewhere other than the web server itself: a backup that is lost along with the site is no backup at all.
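For readers who would rather schedule the job themselves than trust a plugin, here is an added example (not code from the original post, from WordPress, or from any backup plugin) that reads the database credentials out of wp-config.php, runs mysqldump into a date-stamped gzip file and prunes old copies. It assumes mysqldump is installed and that the script runs from cron as the site user; the file paths, the retention period and the sample wp-config.php contents are all assumptions constructed for illustration.

```python
"""Scheduled WordPress database backup (added example, not plugin or WordPress code)."""
import gzip
import os
import re
import shutil
import subprocess
import tempfile
import time
from pathlib import Path

# Matches define('DB_NAME', 'wordpress'); with either quote style. Values containing
# a quote character are not handled; quote them differently in wp-config.php.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)

# Constructed sample config, not a real site's credentials.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'blogdb');
define("DB_USER", "wpuser");
define('DB_PASSWORD', 'c0rr3ct h0rse');
define('DB_HOST', 'localhost:3307');
$table_prefix = 'wp_';
"""


def parse_wp_config(text):
    """Return the DB_* constants from wp-config.php; DB_HOST defaults to localhost as WordPress does."""
    cfg = dict(DEFINE_RE.findall(text))
    missing = sorted({"DB_NAME", "DB_USER", "DB_PASSWORD"} - cfg.keys())
    if missing:
        raise ValueError("wp-config.php is missing " + ", ".join(missing))
    cfg.setdefault("DB_HOST", "localhost")
    return cfg


def defaults_file_contents(cfg):
    """MySQL option-file text carrying the password, so it never appears in `ps` output."""
    escaped = cfg["DB_PASSWORD"].replace("\\", "\\\\").replace('"', '\\"')
    return f'[client]\nuser={cfg["DB_USER"]}\npassword="{escaped}"\n'


def mysqldump_command(cfg, defaults_file):
    """Build the mysqldump argv. --defaults-extra-file must be the first option."""
    host, _, rest = cfg["DB_HOST"].partition(":")   # WordPress allows host:port or host:/socket
    cmd = ["mysqldump", f"--defaults-extra-file={defaults_file}",
           "--single-transaction", f"--host={host}"]
    if rest.isdigit():
        cmd.append(f"--port={rest}")
    elif rest:
        cmd.append(f"--socket={rest}")
    cmd.append(cfg["DB_NAME"])
    return cmd


def backup_database(wp_config_path, backup_dir):
    """Dump the database to backup_dir/<db>-<timestamp>.sql.gz, readable only by the owner."""
    cfg = parse_wp_config(Path(wp_config_path).read_text())
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    out = backup_dir / f"{cfg['DB_NAME']}-{time.strftime('%Y%m%d-%H%M%S')}.sql.gz"
    fd, defaults = tempfile.mkstemp(prefix="wpbackup-", suffix=".cnf")   # created mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(defaults_file_contents(cfg))
        proc = subprocess.Popen(mysqldump_command(cfg, defaults), stdout=subprocess.PIPE)
        with gzip.open(out, "wb") as gz:
            shutil.copyfileobj(proc.stdout, gz)   # stream, so a large dump never sits in memory
        if proc.wait() != 0:
            raise RuntimeError(f"mysqldump exited with status {proc.returncode}")
    except BaseException:
        out.unlink(missing_ok=True)               # never leave a truncated dump behind
        raise
    finally:
        os.unlink(defaults)                       # the password file lives only for the dump
    os.chmod(out, 0o600)
    return out


def prune_old_backups(backup_dir, keep_days, now=None):
    """Delete *.sql.gz files older than keep_days; returns the names removed."""
    now = time.time() if now is None else now
    cutoff = now - keep_days * 86400
    removed = []
    for f in sorted(Path(backup_dir).glob("*.sql.gz")):
        if f.stat().st_mtime < cutoff:
            f.unlink()
            removed.append(f.name)
    return removed


if __name__ == "__main__":
    # Assumed paths; run nightly from cron and copy the result off the server afterwards.
    written = backup_database("/var/www/html/wp-config.php", "/var/backups/wordpress")
    print("wrote", written, "pruned", prune_old_backups("/var/backups/wordpress", keep_days=14))
```

The password is passed through a temporary option file rather than on the command line because anything in argv is visible to every local user through `ps`; the file is created with mode 0600 and removed as soon as the dump finishes. `--single-transaction` takes a consistent snapshot of InnoDB tables without locking the blog while the dump runs.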

Yes, I know it’s a pretty tedious to-do list, but invest the time to ensure a strong WordPress blog. It will cost 100 times more to recover from a malicious attack. Think of downtime, lost revenue, lost trust from your readers, hiring a professional to get rid of malicious code, lost information, lost integrity, and the list goes on forever.

Are you doing what it takes to secure and protect your online presence? If not, now is the time to do it. If you have any additional ideas on how to secure a WordPress blog, please leave a comment to let us know.
