
WordPress Security – Essential Top Tips To Protect Your Blog!

To say that the WordPress blogging platform is popular is to flagrantly underestimate the number of sites that rely on this impressively extendible and customisable system. But as with all things, this popularity attracts a certain degree of unwanted attention – the interests of the nefariously motivated are awoken.

I'm not sure I care.

Well you should! We aren't talking about the odd spam comment beneath your blog here. If someone manages to compromise your blog then you stand to lose your site's reputation and rankings – never mind all the time you will need to spend cleaning up the mess.

Unfortunately people do indeed hack other people's sites for SEO purposes. As crazy as it sounds, these people aren't hacking ecommerce sites looking for credit card numbers, they are jimmying the lock on WordPress blogs to insert links that help another site's search engine rankings.

You would spot this though, right? If someone stapled some links to the bottom of your blog then your hawk-eye for detail would identify the unusually heavy references to 'viagra' and 'gambling' as evidence of your site being hacked? But what if those links weren't there?

Confusing as it might sound, your hacked site may seem to be just fine from the outside. “Cloaking” is the process of delivering a different version of a site to a visitor depending on who they are. Often using the 'User-Agent' HTTP header as identification, your compromised site can deliver a link-encrusted version of itself to Google when it comes checking, while showing you the normal version. The hackers gain their links and you are left in the dark with a rapidly diminishing site.

Ok I'm convinced, what can I do to avoid getting my WordPress hacked?

Excellent, glad you're coming round to the idea. There are a number of steps you can take to secure your blog: some are quick, some more lengthy, and others require a longer-term change of attitude. Stick with them though, your blog is depending on you!

  • Keep Your WordPress Updated

I really can't stress this enough. It’s a fairly quick process to keep your WordPress updated. So when that bar appears across the top of your admin page, don't ignore it! Update as soon as you can!

  • Use a Decent Password

And no, your second name, your website name or the word 'password' aren't decent passwords. You want to use something that people can't research (so no dictionary words either). In addition, don't use a password that you are already using for another website. If that site were to be compromised and your password taken, you want to limit the damage that can cause you.

  • Remove Meta Tag Containing WordPress Version Number

This is a quick job, you just want to remove this tag:

<meta name="generator" content="WordPress 2.9.2" />

This tag displays the version of WordPress that your site is using. Obviously this is a flag for any unscrupulous person looking to compromise your site. If they know what version of WordPress they are dealing with, then they can identify any potential security holes.

  • Remove Default Admin Account

Many people just use the default admin account with a new password, however it’s a good idea to create another account with the same privileges and use that for the same purpose. Why? If people are looking to hack into your WordPress site then it is even more difficult for them to guess the user name in addition to the password.

  • Keep A Rein On Those Plugins

We all know that there is a wondrous plethora of plugins available for WordPress – a rich tapestry to adorn your site with functionality and super-awesome features. But with all that loveliness available at your fingertips it is important to make sure that the bewildering array of choice doesn't go to your head. Use the same methodology you would use for WordPress itself – update the plugins to the latest version as soon as possible. Also, if you have decided that, for example, a plugin isn't actually the holy grail of comment captchas, then don't just leave it installed. Uninstall all unused plugins!

  • Stop directory snooping

As WordPress uses a standard directory structure, anyone can work out the folder layout of your website. For example, they will easily be able to guess your plugins directory and find a listing of its contents, and if they know what plugins your WordPress has loaded then they may be able to use 'known exploits' to compromise your site. An easy way to guard against this is to put a blank index.html file in each folder of your WordPress system. This way people looking to snoop through your server directories will only be served a blank web page.

  • Restrict access to your wp-admin folder

As the command back-end to your site, this folder should be kept under a metaphorical (and digital) lock and key. The only problem with that system (and this metaphor) is that keys can be copied and locks can be forced. An even better security setup would be to actually vet those people seeking to open the lock. Using your .htaccess file you can do just that: restricting access to the wp-admin directory based on IP address means that you can dictate who even gets close to your site.
Downsides? Well, if you try to legitimately access your wp-admin folder from an IP address you haven't allowed then you're going to be turned away with the great unwashed.
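The IP restriction described above, as an added example that is not part of the original post: a small POSIX shell script that writes the .htaccess for wp-admin. It assumes Apache with AllowOverride enabled for the site, emits the 2.4 (`Require ip`) and 2.2 (`Order`/`Deny`/`Allow`) forms so either version picks up the right one, and the addresses used are constructed documentation examples.

```shell
#!/bin/sh
# Usage: write_wp_admin_htaccess /var/www/site/wp-admin 203.0.113.5 198.51.100.0/24
set -eu

# Minimal sanity check: a dotted IPv4 address, optionally with a /nn suffix.
is_ipv4_or_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the rule set that admits only the addresses given as arguments.
render_wp_admin_htaccess() {
    [ $# -gt 0 ] || { echo "need at least one address" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4_or_cidr "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    printf '# Only the listed addresses may reach wp-admin\n'
    printf '<IfModule mod_authz_core.c>\n'          # Apache 2.4
    printf '    Require ip'
    for ip in "$@"; do printf ' %s' "$ip"; done
    printf '\n</IfModule>\n'
    printf '<IfModule !mod_authz_core.c>\n'         # Apache 2.2
    printf '    Order deny,allow\n    Deny from all\n'
    for ip in "$@"; do printf '    Allow from %s\n' "$ip"; done
    printf '</IfModule>\n'
}

# Validate first, then write, so a bad address never leaves a half-written file.
write_wp_admin_htaccess() {
    dir="$1"; shift
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    rules=$(render_wp_admin_htaccess "$@") || return 1
    printf '%s\n' "$rules" > "$dir/.htaccess"
}

[ $# -lt 2 ] || write_wp_admin_htaccess "$@"
```

Note that wp-admin/admin-ajax.php is also used by some themes and plugins for ordinary visitors; if a front-end feature stops working, add a `<Files admin-ajax.php>` block that re-allows that one file.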

  • Rename your WordPress Table prefix

Ok, no lie, this is a bit techy. But one way that sites are compromised is through 'SQL injection'. Changing the prefix of your WordPress tables will help guard your site against this type of attack – though you may need some web-developer-level help to set it up.

  • Google Alerts

This is a great idea, a really nifty use of Google's free search watchdog. Normally you would enter a search string that you want to be notified about; you can also use the 'site:' operator to limit the results to your own site. This means you can keep watch on your site for certain 'key words' that would indicate it has been hacked.

E.g. For our site we could use the search string “site:www.cozy-digital.co.uk pharmacy” (without the quotation marks) to check our site for instances of the word “pharmacy”. You can set up a number of these alerts for other words that hackers might be using in links to their sites.

  • File Permissions

This one is pretty dependent on how your server is set up, so there are no set rules that can be given. Basically, you want to ensure that site users only have the correct read, write and execute permissions. One rule-of-thumb is to set directory permissions to '755' – this means the owner has read + write + execute permissions, whereas other users can only read and execute. Similarly, file permissions can be set to '644' – the owner can read and write, other users can only read.

If this looks like crazy talk, ask your web developer / tech team to look into it.
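The two filesystem tips above (blank index.html files under "Stop directory snooping" and the 755/644 rule under "File Permissions"), as an added example that is not part of the original post. It assumes a POSIX shell with find and chmod, and the usual setup where the web server reads the files as a user other than their owner.

```shell
#!/bin/sh
# Usage: harden_wordpress /var/www/site
set -eu

# Drop an empty index.html into every directory under $1 that has neither an
# index.html nor an index.php, so a bare directory URL returns a blank page
# instead of a listing. Prints how many files were created.
add_blank_indexes() {
    find "$1" -type d -exec sh -c '
        n=0
        for d in "$@"; do
            if [ ! -e "$d/index.html" ] && [ ! -e "$d/index.php" ]; then
                : > "$d/index.html"
                n=$((n + 1))
            fi
        done
        echo "$n"' sh {} + | awk '{ s += $1 } END { print s + 0 }'
}

# The rule of thumb from the post: directories 755, files 644.
set_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Anything still writable by "other" after the fix deserves a look.
find_world_writable() {
    find "$1" -perm -002
}

harden_wordpress() {
    root="$1"
    created=$(add_blank_indexes "$root")
    set_permissions "$root"
    echo "created $created index.html file(s) under $root"
    find_world_writable "$root"
}

[ $# -eq 0 ] || harden_wordpress "$1"
```

If the web server runs as a different user from the file owner, wp-content/uploads will need write access of its own (for example group ownership by the server user plus 775) or media uploads will fail.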

  • Backups

Backup, backup, backup, backup. There are a multitude of reasons to take regular backups of your site and its databases – that warm feeling of knowing your information is safe is just one of them. It certainly beats the cold sweat of regret when it turns out your glorious site content is lost…

Your security hunger still not sated?! Well watch this great WordPress security video presented by Brad Williams, it's packed with even more security nuggets:


