Friday, January 08, 2010

WordPress Blog Tutorial - 6 Easy Steps to Secure WordPress

If you're one of the millions of people using WordPress you'll probably be targeted by a hacker at least once in your blogging career. Don't take it personally, hackers simply target the most popular platforms. Thankfully, there are six easy steps you can take to secure your WordPress installations and make difficult, if not impossible for a hacker to harm your website.

1. Pick Strong Passwords

One of the most basic security measures no matter what system you're talking about, whether it's WordPress or your banking PIN, is to use strong passwords. What makes a password a strong one? Making it hard to guess is a good start. Using words like password, god, love, qwerty, asdf as your password will make it easy for potential hackers to gain access to your website.

Instead, make your password something unique to you and preferably at least 8 characters long. Your password should also contain both lower and upper-case letters as well as at least 1 number.

Also, do NOT use the same password for all your sites. If you have one password that you use for every login everywhere, you leave yourself much more exposed if someone were to discover your password. Besides, variety is the spice of life, right?

2. Don't Use Default Admin Username

Another very simple step to securing your installation of WordPress is to change the default administrator's username. When installing WordPress, the administrator's username is always "admin." Unfortunately, that makes it easy for would-be hackers to guess the login name. By simply changing the user name, you'll make it much more difficult for hackers to gain entry.

Taking this recommendation one step further, it's also a good idea to use display name or nickname that's different from your username. If the byline of every post on your site gives away your username, you've greatly diminished any benefit you gained by changing the login name.

3. Keep WordPress Updated

Perhaps the most important step to keeping your WordPress installation safe from hackers is to keep WordPress up to date. As security gaps or potential exploits are discovered, the WordPress development team moves quickly to update the platform and close off any potential access points.

However, if you ignore the messages telling you to update, don't log in for an extended period of time, or don't keep tabs on WordPress security announcements, the dev team's efforts won't benefit you or your site. Updating can at times be a hassle, but as new exploits are found, the number of people attempting to use those exploits skyrockets.

Trust me, it's much better to take a few minutes to upgrade to the latest version than to try and recover from a successful hacking attempt.

4. Don't Display the WordPress Version

When the WordPress development team patch a security hole or fix a potential exploit, they almost immediately release a new version of WordPress. That allows hackers to know what versions of WordPress are still vulnerable to their attack.

Unfortunately, WordPress also displays the version you're running by default in the header.

Displaying an out of date version number is like posting a flashing neon-red "Hack Me" sign on top of your website.

Some themes remove this tag by default but if your theme of choice doesn't, you can drop this bit of code into the file that stores your functions (usually functions.php or custom_functions.php).

<?php remove_action('wp_head', 'wp_generator'); ?>

5. Restrict Login Attempts

Another great way to prevent unauthorized access to your WordPress site is to restrict the number of login attempts. There was recently a "brute force" attack that made its rounds across the WordPress community that basically automates the process of trying to guess your login information.

Now, having a script generating thousands of login attempts per minute isn't going to do nice things to your site, even if they don't eventually get in. But thankfully, there's the Login Lockdown plugin that limits you to 3 failed login attempts per hour before shutting off access to your IP. If someone tries to start guessing your password, they'll either be VERY lucky & get it in the first 3 tries (in which case you probably didn't follow step 1), or they'll be locked out of your site.

6. Make Regular Backups

No matter how vigilant you are with your WordPress security measures, you can't eliminate 100% of the risk of getting hacked. Maybe your site is one that the hackers discover a new exploit on, or maybe someone records your keystrokes or who knows what... the point is, you COULD still get hacked.

Backing up your Wordpress installation on a regular basis will help you recover from a hacking MUCH quicker and will a LOT less effort than if you had to start from scratch.

There are several plugins available that automate the process so you can set it and forget it (you can check out my WordPress backup system here) but having been through multiple hacks myself, I can promise you it's well worth the time it takes to set it up.

As previously stated, these six steps won't make your WordPress site 100% hacker safe but they'll take you a LONG way down that road. For a 15 to 20 minute investment, you can save yourself a lot of headaches and frustrations down the line. So what are you waiting for? Go secure your site!

Thanks To Ben Cook from for writing this fine article.
You can follow him on Twitter @skitzzo

Ben Cook provides WordPress Tutorials and free Thesis skins over at

No comments: