
So I set up a new WordPress blog and did everything I could to make sure it is secure. As my first post I will detail all the steps I took, in the hope that it will help other WordPress users.

1. Security keys

Introduced in WordPress v. 2.7, these keys help security by encrypting your WordPress cookies. There are four of them, and they are set in your wp-config.php file.

You can use the key generator tool provided by WordPress here:
http://api.wordpress.org/secret-key/1.1/

2. Update table prefix from wp_ to something random

A lot of automated tools assume you are using the wp_ prefix and scan for it. Changing it to something random can help block this type of attack. The prefix can be anything random, as long as it is not “wp_”, for instance “Hng93m12”.

If your blog is already setup you can follow the steps here to update your table prefix:

http://tdot-blog.com/wordpress/6-simple-steps-to-change-your-table-prefix-in-wordpress

3. Move the wp-config.php file out of the webroot

WordPress allows the wp-config.php file to be moved up one directory, outside of the web root. This is great for security, since the main configuration file, which holds your database connection info, will then not be accessible from the web.

Simply move the file up one directory. No extra configuration is needed.
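The script below is an added example (my own, not WordPress code) that ties steps 1 to 3 together as checks you can run against your wp-config.php: it generates the four keys offline as an alternative to the generator URL above, flags keys that still hold the placeholder text from wp-config-sample.php, flags a prefix that is still wp_ or uses characters WordPress rejects, and confirms the file sits in the directory directly above the web root, which is the one place outside the web root where WordPress looks for it. The sample config text, the paths and all function names are constructed for this example.

```python
"""Audit a wp-config.php for the settings in steps 1-3 (added example, not WordPress code).

Works on the file as text only; it never connects to the database. The
sample config, paths and function names below are constructed for the example.
"""
import os
import re
import secrets
import string

# The four secret-key constants WordPress reads from wp-config.php.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
# Placeholder value shipped in wp-config-sample.php.
PLACEHOLDER = "put your unique phrase here"
# Printable ASCII minus the two characters PHP treats specially inside a
# single-quoted string, so a generated key can be pasted in without escaping.
KEY_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation if c not in "'\\"
)

# Matches define('NAME', 'value'); as written in wp-config-sample.php (single quotes).
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]")


def generate_secret_keys(length=64):
    """Return a fresh, independent random value for each key constant (step 1)."""
    return {
        name: "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))
        for name in KEY_NAMES
    }


def render_defines(keys):
    """Format the keys as the define() lines that replace the placeholders."""
    return "\n".join(f"define('{name}', '{value}');" for name, value in keys.items())


def audit_config(text):
    """Return a list of findings; an empty list means steps 1 and 2 look done."""
    findings = []
    defined = dict(DEFINE_RE.findall(text))
    for name in KEY_NAMES:
        value = defined.get(name)
        if value is None:
            findings.append(f"{name} is not defined")
        elif value == PLACEHOLDER or len(value) < 32:
            findings.append(f"{name} still has the placeholder or is too short")
    m = PREFIX_RE.search(text)
    if m is None:
        findings.append("$table_prefix not found")
    elif m.group(1) == "wp_":
        findings.append("$table_prefix is still the default wp_")
    elif not re.fullmatch(r"[A-Za-z0-9_]+", m.group(1)):
        # WordPress accepts only letters, digits and underscores in the prefix.
        findings.append(f"$table_prefix {m.group(1)!r} contains characters WordPress rejects")
    return findings


def config_location_ok(webroot, config_path):
    """True when wp-config.php is in the directory directly above the web root (step 3).

    That is the one place outside the web root where WordPress looks for it.
    """
    webroot = os.path.abspath(webroot)
    config_dir = os.path.dirname(os.path.abspath(config_path))
    return config_dir == os.path.dirname(webroot)


# Constructed sample: a freshly copied wp-config-sample.php with nothing changed yet.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'blog');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix  = 'wp_';
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("Replace the placeholder lines with:")
    print(render_defines(generate_secret_keys()))
    print("Config location ok:", config_location_ok("/var/www/html", "/var/www/wp-config.php"))
```

To audit a real install, read your wp-config.php into a string and pass it to audit_config(); the generated define() lines can be pasted over the four placeholder lines as-is.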

4. Restrict access to wp-admin with .htaccess

If you only connect to your WP admin section from one or a few locations, you can limit which IPs can access this area. This prevents unwanted access to your admin section, which means hackers will not be able to brute force your login information.

Here is an example of the .htaccess file. Remember to replace 1.2.3.4 with your IP address(es):

Order deny,allow
Allow from 1.2.3.4
Deny from all

If your IP changes too often, or you connect from various locations and this is not an option, consider password protecting the wp-admin directory. This gives you two sets of logins, which decreases the likelihood that someone guesses your login info.
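The .htaccess rule above only works where you control the server; it is also worth knowing what the rule is protecting you from by looking at the access log. The Python script below is an added example of mine, not part of WordPress or Apache: it parses Apache combined-format log lines, counts POST requests to wp-login.php per client IP, and reports any IP outside your allowlist that has crossed a threshold. The log lines, the threshold and the function names are constructed for the example. One caveat on the rule itself: Order/Allow/Deny are Apache 2.2 directives; on Apache 2.4 the equivalent is Require ip 1.2.3.4 unless mod_access_compat is loaded.

```python
"""Spot login brute-force attempts against wp-login.php in an Apache access log.

Added example for step 4 (not WordPress or Apache code). The log lines are
constructed; the allowlist mirrors the 1.2.3.4 rule from the .htaccess above.
"""
import ipaddress
import re
from collections import Counter

# Apache "combined" format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def login_attempts(lines):
    """Count POSTs to wp-login.php per client IP (each POST is one password guess)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            counts[rec["ip"]] += 1
    return counts


def flag_bruteforce(lines, allowlist, threshold=5):
    """Return {ip: attempts} for IPs outside allowlist with at least threshold attempts."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    flagged = {}
    for ip, n in login_attempts(lines).items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an IP literal; skip rather than crash on odd log lines
        if n >= threshold and not any(addr in net for net in allowed):
            flagged[ip] = n
    return flagged


def _line(ip, method, path, status):
    """Build one constructed combined-format log line for the sample below."""
    return (f'{ip} - - [10/Oct/2009:13:55:36 -0700] "{method} {path} HTTP/1.1" '
            f'{status} 1342 "-" "Mozilla/5.0"')


# Constructed sample: the owner (allowed IP) logging in, one unknown host hammering
# the login form, one unknown host with a couple of tries, and a page view.
SAMPLE_LOG = (
    [_line("1.2.3.4", "POST", "/wp-login.php", 302) for _ in range(6)]
    + [_line("203.0.113.7", "POST", "/wp-login.php", 200) for _ in range(6)]
    + [_line("198.51.100.9", "POST", "/wp-login.php", 200) for _ in range(2)]
    + [_line("203.0.113.7", "GET", "/2009/10/hello-world/", 200)]
)

if __name__ == "__main__":
    for ip, n in flag_bruteforce(SAMPLE_LOG, ["1.2.3.4/32"]).items():
        print(f"{ip}: {n} login attempts from outside the allowlist")
```

Run it over your real log with open("/var/log/apache2/access.log") in place of SAMPLE_LOG; a burst of POSTs to wp-login.php from one address that is not yours is exactly the traffic the .htaccess rule turns into 403s.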

5. Delete the admin User Account

Automated and manual attacks alike tend to assume the administrative user is “admin”. Creating an admin user with a different name prevents this.

  1. Create another administrative user in your WP admin section
  2. Log out
  3. Log in as the new user
  4. Delete the old “admin” user

6. Create a robots.txt file to block indexing of certain WP files

Hackers sometimes use indexed information to attack your site. There is no need for search engines to index certain files, such as the ones in wp-admin. To prevent this, create a robots.txt file in the web root of your site and enter the following:

User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content
Disallow: /tag
Disallow: /author
Disallow: /wget/
Disallow: /httpd/
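Before relying on this file it helps to see what it actually says to a crawler. The Python script below is an added example of mine (not WordPress code) that feeds the robots.txt above into the standard library's robotparser and asks which paths a well-behaved crawler may fetch; it also lists the Disallow prefixes, because the file is public and anyone can read them. Two things it makes visible: matching is by prefix, so Disallow: /tag also covers /tagline, and robots.txt is advisory only, so keeping wp-admin out of the index is a complement to the access controls in step 4, not a replacement for them. The test paths and function names are constructed for the example.

```python
"""Check what a robots.txt actually tells crawlers, using the standard library.

Added example for step 6 (not WordPress code). ROBOTS_TXT is the file from the
post, embedded here so the check runs offline.
"""
from urllib import robotparser

ROBOTS_TXT = """User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content
Disallow: /tag
Disallow: /author
Disallow: /wget/
Disallow: /httpd/
"""


def load_robots(text):
    """Parse robots.txt text without fetching anything over the network."""
    parser = robotparser.RobotFileParser()
    parser.parse(text.splitlines())
    return parser


def crawl_allowed(text, paths, user_agent="*"):
    """Map each path to True (crawlable) or False (disallowed) for user_agent."""
    parser = load_robots(text)
    return {path: parser.can_fetch(user_agent, path) for path in paths}


def disallowed_prefixes(text):
    """Return the Disallow prefixes: the part of the file any visitor can read."""
    return [line.split(":", 1)[1].strip()
            for line in text.splitlines()
            if line.lower().startswith("disallow:")]


if __name__ == "__main__":
    # Constructed test paths covering the blog front page, the admin area,
    # a prefix near-miss and a theme asset.
    for path, ok in crawl_allowed(ROBOTS_TXT, [
        "/", "/2009/10/hello-world/", "/wp-admin/", "/wp-admin/install.php",
        "/tagline", "/wp-content/uploads/photo.jpg",
    ]).items():
        print(f"{'allow' if ok else 'block'}  {path}")
    print("publicly listed prefixes:", disallowed_prefixes(ROBOTS_TXT))
```

To check your own file, read it from the web root into the string instead of using ROBOTS_TXT, and pass a user agent name such as "Googlebot" as user_agent if you add agent-specific sections later.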

7. Use the WP Security plugin

This is a great plugin that automatically scans file permissions and other security weaknesses and recommends the right settings. You can download it here:

http://wordpress.org/extend/plugins/wp-security-scan/

8. Keep WordPress and your plugins up to date

This is a big one that people tend to forget. If WP or your WP plugins are out of date, that gives potential attackers an easy way in.

9. Last and hopefully most obvious, use strong passwords

An easy way to create strong passwords is to use a password generator tool. There are many available but here is one I tend to use:

http://www.pctools.com/guides/password/