Wordpress is known to have security glitches, but given the openness of the platform, there are a few wonderful plugins and mechanisms to ensure that your wordpress blog is secured.
First, let me start off with simple basic stuff that you need to incorporate:
WordPress Folder Permissions
Using a FTP software (like Filezilla), change your server folder permission settings to reflect the following values:
- root directory : 0755
- wp-includes/ : 0755
- .htaccess : 0644
- wp-admin/index.php : 0644
- wp-content/themes/ : 0755
- wp-content/plugins/ : 0755
- wp-content/themes/ : 0755
- wp-content/ : 0755
- wp-admin/js/ : 0755
Remove the default ‘admin’ user
It’s always advisable to remove the default/admin user and instead, create another user and assign admin privilege to the user.
Remove the wordpress version from header.php
You are prone to attacks, if you show the wordpress version in your header (hackers know the vulnerability of each version).
Remove this piece of code from header.php file.
<meta name=”generator” content=”WordPress <?php bloginfo(’version’); ?>” />
Upload an empty file to wp-content/plugins folder
Do not make public what plugins (and version) are you running on your blog. Create an empty index.html file and via any FTP program, transfer that to wordpress’ plugin folder.[via: mattcutts]
And needless to say, run the latest version of wordpress, and keep backing up the DB (Essential WordPress Plugins You Can’t Live Without).
List of WordPress Plugins to help you secure your blog
Scans your WordPress installation for security vulnerabilities and suggests corrective actions. The plugin lets you check for possible vulnerabilities with file permissions/DB security etc.
SecurePress Website Security Analyzer
Once you install this plugin, you will be alerted instantly of any hacking attempts and will also be able to automatically block (available with the Pro version) and also automatically report the attackers to the authorities (available with the Plus). This plugin eventually reduces and eliminates repeat offenders from your site.
Limits the number of login attempts from a given IP range within a certain time period. This plugin records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Admisitrators can release locked out IP ranges manually from the panel.
This plugin is specifically designed and regularly updated specifically to stop automated and unskilled attackers attempts to exploit vulnerabilities on your blog resulting in a hacked site. The plugin adds password protection using .htaccess file and protects your entire wp installation (works only with Apache).
What plugins do you use to ensure the security of your wp blog?