WordPress blogs are targets for hackers looking to take them over for SEO spam, traffic redirection and other purposes. Most bloggers aren’t aware of the threat, and a blog owner may not even notice that a successful attack has taken place.
There are some simple security measures that any blogger can implement today to make a blog more secure.
1. Create a new user account
It is harder for a hacker to break into your blog when both the username and the password have to be cracked. That is why you should create a new user and delete the WordPress default “admin” user.
You create a user by going to “Users” and then “Add New” in the WordPress menu. When creating the new user, make sure to give it the “Administrator” role.
That will make sure that you have the full authority over your blog.
Now simply log out of your default “admin” account and log in with the new user details. In “Users” you can delete the default admin user. Make sure to choose the option to transfer your old posts to your new username when deleting the “admin” account.
2. Use a strong password
Do not use a simple password when creating the new user account. It might be easy for you to remember, but it is also easier for a hacker to crack. Your password should be at least eight characters long and should mix numbers with uppercase and lowercase letters.
3. Set a new nickname
You do not want your new username to be the author name that is shown on all posts. Set the nickname WordPress uses as author name to something different than your username. You do this in “Users” under “Your Profile” in the Nickname field. Choose a new nickname and set “Display name publicly as” to your new nickname.
4. Use Login Lockdown plugin
The Login LockDown plugin records the IP address and timestamp of every failed login attempt to your WordPress blog. If more than a certain number of failed attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range until the lockout expires.
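The mechanism described above, as an added example of my own and not the Login LockDown plugin's code: failed logins are counted per /24 range, and once the count inside a sliding window passes a threshold the range is refused for a while. The threshold, window and lockout length are assumed values, and the transient name, function names and the error message are mine. The bookkeeping functions are plain PHP and run on their own; the WordPress hooks (wp_login_failed, authenticate, transients) only attach when the file is loaded as a plugin.

```php
<?php
/*
Plugin Name: Failed-login range lockout (added example)
Description: Illustrates the mechanism described in tip 4. Not the Login LockDown
plugin's code; threshold, window and lockout length below are assumed values.
*/

const FLL_MAX_FAILURES = 5;    // more than this many failures per range ...
const FLL_WINDOW       = 300;  // ... within this many seconds locks the range
const FLL_LOCKOUT      = 3600; // seconds a locked range stays locked

// Collapse an IPv4 address to its /24 range so a whole neighbourhood is tracked
// together, e.g. 203.0.113.42 -> "203.0.113.0/24". Anything else is tracked literally.
function fll_range_key(string $ip): string {
    $packed = inet_pton($ip);
    if ($packed === false || strlen($packed) !== 4) {
        return 'ip:' . $ip;
    }
    $packed[3] = "\0";
    return inet_ntop($packed) . '/24';
}

// Pure bookkeeping over an array keyed by range:
//   range => ['fails' => [unix timestamps], 'locked_until' => unix timestamp]
function fll_record_failure(array $state, string $ip, int $now): array {
    $key   = fll_range_key($ip);
    $entry = $state[$key] ?? ['fails' => [], 'locked_until' => 0];
    // Drop timestamps that fell out of the window, then add this failure.
    $entry['fails'] = array_values(array_filter(
        $entry['fails'],
        function ($t) use ($now) { return $t > $now - FLL_WINDOW; }
    ));
    $entry['fails'][] = $now;
    if (count($entry['fails']) > FLL_MAX_FAILURES) {
        $entry['locked_until'] = $now + FLL_LOCKOUT;
        $entry['fails'] = [];
    }
    $state[$key] = $entry;
    return $state;
}

function fll_is_locked(array $state, string $ip, int $now): bool {
    return ($state[fll_range_key($ip)]['locked_until'] ?? 0) > $now;
}

// WordPress glue; skipped when the file is run outside WordPress (e.g. with plain php).
if (function_exists('add_action')) {
    $fll_load = function (): array { return get_transient('fll_state') ?: []; };
    $fll_save = function (array $s) { set_transient('fll_state', $s, FLL_LOCKOUT); };
    $fll_ip   = function (): string { return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0'; };

    // WordPress fires this action on every failed login.
    add_action('wp_login_failed', function () use ($fll_load, $fll_save, $fll_ip) {
        $fll_save(fll_record_failure($fll_load(), $fll_ip(), time()));
    });

    // Priority 30 runs after WordPress's own password check (priority 20), so a locked
    // range is refused even when the credentials happen to be right.
    add_filter('authenticate', function ($user) use ($fll_load, $fll_ip) {
        if (fll_is_locked($fll_load(), $fll_ip(), time())) {
            return new WP_Error('fll_locked', 'Too many failed logins from your network. Try again later.');
        }
        return $user;
    }, 30, 1);
}

// Stand-alone demonstration with constructed addresses: six failures in a row from
// hosts in one /24 lock the whole range, while an unrelated range stays open.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $state = [];
    for ($i = 0; $i < 6; $i++) {
        $state = fll_record_failure($state, '203.0.113.' . (10 + $i), 1000 + $i);
    }
    var_dump(fll_is_locked($state, '203.0.113.200', 1010));
    var_dump(fll_is_locked($state, '198.51.100.1', 1010));
}
```

Run with plain php on the command line and the demonstration reports true for the locked range and false for the other. Two caveats for real use: behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so every visitor would share one range and a single attacker could lock everyone out; and a single shared transient is not updated atomically, so under heavy load a few failures may go uncounted. Both are acceptable for a demonstration but not for production, where a per-range key and the real client address from a trusted proxy header are needed.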
5. Do not allow guest user registrations
If you do not have a membership blog, then there is no reason to allow visitors to register for a guest account on your blog. To check that you’ve got registration turned off, click “Settings” and make sure that “Anyone can register” option is not checked.
6. Protect your plugins
Plugins with flaws in them are an easy way for a hacker to get access to your blog. An easy way for hackers to find out which plugins you’re using is to browse to /wp-content/plugins/: if directory listing is enabled on your web server, that page shows every plugin you have installed.
Put a blank index.html file in the wp-content/plugins/ folder, so the server serves that empty page instead of a directory listing.
7. Protect your wp-config.php file
Your wp-config.php contains your database name, database username and database password, so it is worth protecting.
Just add the following code to the .htaccess file in your WordPress root directory (on Apache 2.4 without mod_access_compat, use “Require all denied” inside the same <Files> block instead of the Order and Deny lines):
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
8. Hide your WordPress version
First off, open your theme’s header.php file and remove the generator meta tag (something like <meta name="generator" ...>). The trouble is that WordPress adds this tag automatically through the wp_head hook, so removing it from the template is not enough. Paste this code into your theme’s functions.php file:
<?php remove_action('wp_head', 'wp_generator'); ?>
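The generator tag is not the only place the version number is printed, so here is an added example of my own (not code from the original post) that goes a step further than the one-liner above: it removes the generator from the page head and from the RSS/Atom feeds, and strips the ?ver= query string that core appends to its own stylesheet and script URLs. The function name hide_wp_version_in_assets is mine; the hooks (wp_head, the_generator, style_loader_src, script_loader_src) and helpers (remove_query_arg, get_bloginfo) are WordPress's own.

```php
<?php
// Added example, not from the original post: drop into your theme's functions.php.

// 1. The <meta name="generator"> tag in the page head (the tip's one-liner).
remove_action('wp_head', 'wp_generator');

// 2. The <generator> element WordPress writes into RSS and Atom feeds.
add_filter('the_generator', '__return_empty_string');

// 3. The ?ver=X.Y.Z query string on core stylesheets and scripts. Only strip it when
//    it equals the WordPress version, so plugins' and themes' own cache-busting stays intact.
function hide_wp_version_in_assets($src) {
    if (is_string($src) && strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'hide_wp_version_in_assets');
add_filter('script_loader_src', 'hide_wp_version_in_assets');
```

Keep in mind that this only hides a string. The readme.html file in the WordPress root still states the version, and anyone who probes for a specific vulnerability directly does not need the version at all; tip 10, upgrading promptly, is what actually closes the hole.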
9. Limit WP-Admin access by IP
If you have a fixed IP address, this is a great hack for you: you can restrict access to the wp-admin directory with a simple .htaccess rule placed in wp-admin/.htaccess. Be aware that wp-admin/admin-ajax.php is also called from the front end by some themes and plugins, so test your site after adding it:
Order deny,allow
Deny from all
# replace 0.0.0.0 with your static IP address
Allow from 0.0.0.0
10. Always upgrade
Always upgrade to the latest version of WordPress, the latest version of your WordPress theme and the latest versions of the plugins you use. One of the reasons new versions of software and plugins are released is to fix security vulnerabilities found in older versions. With WordPress 3.0+ all of these upgrades are simple, automated, one-click processes within the WordPress interface.
11. Backup regularly
Taking regular backups is important. If something happens, you can always use the backup to recover your blog. The WordPress Database Backup plugin makes it simple to back up your data. Activate the plugin and set it to take backups automatically and send them as a file to your email address.
With all the necessary precautions taken your blog might not be completely immune, but the chances of your blog being attacked decrease tremendously.
Even though new exploits are being discovered every now and then, no permanent solution has been available yet. Still, it can give you some peace of mind, as your blog will be protected up to a point.