Due to some troubles with a few of my WordPress blogs. I have recently learned a lot about security and protecting my WordPress blogs from hacking. There is no way to be 100% sure that your website couldn’t get hacked. However, using the best practices described below, you can make it very hard for someone to crack into your WordPress installation. Taking these steps does not take much time but it saves you from a lot of trouble, even if your website get’s attacked you can fight back quickly and restore your website easily. Without these security precautions you not only make your WordPress installtion vulnerable, but you also make it difficult for yourself to recover from horrible accidents. So lets begin securing of your blog:
Back up often
You have heard this many times. Here it is once again, back up your website and database at least once a week if you update your website daily, or atleast once a month if you don’t update that often. But please back up. Do not trust your webhost when they tell you that they have back ups of your website created on a daily basis. It is very smart to have backups on hand just in case something goes terribly wrong with you or your webhost. There are many WordPress plugins to back up your database. I use WordPress database manager plugin called wp-dbmanager. Using this plugin you can schedual weekly backups to be sent to you via email.
Stay Updated
Whenever there is a new version of WordPress, upgrade your installation as soon as possible. Since 2.7 WordPress has automated the upgrade process or you can manually update to latest version. It only takes about ten minutes but it saves you from a lot of trouble. Older, outdated and upsupported installations often get hacked. Once hacked it is a very lengthy process to clean your blog and upgrade. So protect yourself now upgrade your WordPress.
Also keep your plugins updated to newest versions. If you notice that a plugin author has not released an updated version since a long time go to plugin’s home page and check its status. If the author has abandoned the plugin then stop using it right away.
Strong Passwords
If no one has ever stolen your password then it does not mean that no one ever will. There are some really bad people out there who randomly pick their victims and crack their passwords to take control of their websites. WordPress has strong password indicator which you can use to generate a strong password. A strong password contains atleast 8 characters a combination of alphabates and numbers and special characters. Avoid using words that can be found in a dictionary.
You should have strong passwords not only for your blog’s admin interface, but also for your site’s SSH shell and FTP access. Doing so you make it very difficult for hackers to crack your site and access your files via ftp. Try to use SSH or SFTP instead of plain FTP.
But strong passwords are difficult to remember. Well you should then read this wonder post from the blog herald that tells you how to create strong but memorable passwords. You can also generate a strong password using Aautomatic password generator tool.
File Permissions
One drawback of using WordPress or some of its plugins is that sometimes you need to make a few files writeable on your server. For security it is important that you keep file permissions as strict as possible. It is ideal to have your directories file permission set to 755 and your files 644. See WordPress Codex Changing File Permissions.
Default Username
At the first installation WordPress automatically creates a user account with the username admin. Now using the default username means that half of cracking is done without any guessing. Unfortunately it is not possible to change this username from the WordPress admin interface. However you can change it by running a simple mysql query.
Update tableprefix_users set user_login='newusername' where user_login='admin';
Replace tableprefix with the table prefix in your wp-config file. If you didn’t add a table prefix then it would the default one which is wp_ . You can run this query or manually edit table in phpMyAdmin or you can also run this query using wp-dbmanager plugin.
Other tips:
Remember, no website is 100% secure. But taking these precautions reduces the chances of your blog or website getting compromised easily. The following web pages has more tips on securing your WordPress even more.
Hardening WordPress
WordPress Security Tips and Hacks
WordPress Security Whitepaper