I wanted to share some WordPress security tips. Usually, after you first install WordPress, you configure your WP installation and install some plugins. You should also make sure that your WP blog is secure enough; otherwise you expose yourself to being hacked.
1. Use Simple Login Lockdown
This plugin protects you against brute-force login attacks. If it is you who forgot your password and made a failed login attempt, the lockdown count is cleared as soon as you log in successfully.
How it works:
- An attacker attempts to login and fails
- Simple Login Lockdown records that failed login
- After a certain number of failed attempts (defaults to five), further attempts to access the wp-login.php page are blocked for a time (defaults to one hour)
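The counting rule described above, replayed over a few constructed web-server log lines so you can see which client would be locked out. This is an added example, not code from the post or from the Simple Login Lockdown plugin. It assumes the plugin counts per client address, that the log is in common log format, and that a POST to wp-login.php answered with HTTP 200 is a failed login (WordPress re-renders the form) while one answered with 302 is a successful login (WordPress redirects to the dashboard); the addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.

```shell
#!/bin/sh
# Added example (not from the original post): replay constructed access-log
# lines through the same counting rule Simple Login Lockdown applies.
# Assumptions (not stated on the page): common log format; POST to
# wp-login.php with status 200 = failed login, with status 302 = success;
# the plugin counts failures per client address.

# Constructed sample log: 203.0.113.5 fails five times in a row,
# 203.0.113.9 fails twice, logs in, then fails twice more (count was cleared),
# 198.51.100.7 only GETs the login form and is ignored.
sample_log() {
  cat <<'EOF'
203.0.113.5 - - [10/Jan/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [10/Jan/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.9 - - [10/Jan/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [10/Jan/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.9 - - [10/Jan/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.9 - - [10/Jan/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Jan/2013:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2900
203.0.113.5 - - [10/Jan/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.9 - - [10/Jan/2013:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.5 - - [10/Jan/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.9 - - [10/Jan/2013:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
EOF
}

# Print each address whose failed-login count reaches $1 (the plugin's
# default is 5). A successful login clears that address's count, exactly as
# the post describes. Log lines are read from stdin, oldest first.
locked_out_ips() {
  awk -v limit="$1" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
      ip = $1
      if ($9 == 200) {                 # failed attempt: count it
        fails[ip]++
        if (fails[ip] >= limit && !(ip in locked)) {
          locked[ip] = 1               # report each address once
          print ip
        }
      } else if ($9 == 302) {          # successful login clears the count
        fails[ip] = 0
      }
    }
  '
}

# Stand-alone run: prints 203.0.113.5 only.
sample_log | locked_out_ips 5
```

Lowering the threshold argument shows how much earlier a lockout would trigger; raising it to 6 produces no output for this sample, because 203.0.113.9 never accumulates more than two consecutive failures.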
Get the Simple Login Lockdown plugin here.
2. Hide your plugins
A WordPress installation is usually extended with plugins. There are millions of free plugins that enhance WP installations. While you can't possibly use hundreds, you might use 10-20 plugins. Plugins are often a source of trouble, because of bugs and vulnerabilities that can be exploited to damage your website. You certainly do not want a hacker to spoil your carefully maintained blog, do you?
On some blogs, visiting the folder /wp-content/plugins/ shows a directory listing of every plugin in use. To prevent that listing, just create an empty index.html file and drop it in that folder. This only hides the listing; it does not fix a vulnerable plugin, so keep it as a small extra on top of the other tips.
3. WordPress Security Plugins
You can go even further with a plugin called Better WP Security (which I haven't tested personally), which can:
- Remove the meta "Generator" tag (so you are not telling hackers which platform your website runs on)
- Change the URLs for the WordPress dashboard, including login, admin, and more
- Rename the "admin" account
- Change the ID of the user with ID 1
- Change the WordPress database table prefix
- Change wp-content path
I would recommend testing this plugin on a blog which is not your principal blog, as it changes quite a lot of things…
In addition, I'm using the WordFence Security plugin for WordPress, which gives you a live traffic view, scans for weak passwords, and much more…
4. WordPress Folders and files permissions
Directories should have, at most, permissions of 755, and files should have, at most, 664. You must never have ANY file with permissions greater than 666 unless you are specifically directed to do so. Some shared hosts direct you to set 777 on the WP uploads directory. I would recommend checking with them directly, and if they won't change that policy, I would look for another hosting provider, as 755 on folders is really a necessity.
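The permission rule from this section and the empty index.html trick from section 2, applied and then audited on a throwaway directory tree shaped like a WordPress install. This is an added example, not code from the post; the tree, file names and contents are constructed in a temp directory, and the two "bad" starting modes (a 777 uploads folder and a 777 wp-config.php) are the cases the post argues against.

```shell
#!/bin/sh
# Added example (not from the original post): build a constructed
# WordPress-like tree with loose permissions, apply the post's rule
# (directories 755, files 664, nothing above 666), drop an empty index.html
# into wp-content/plugins/, and count what still violates the rule.

# Create the constructed tree in a temp dir and print its path.
make_sample_site() {
  umask 022                                   # deterministic default modes
  _site=$(mktemp -d)
  mkdir -p "$_site/wp-content/plugins/akismet" "$_site/wp-content/uploads"
  printf '<?php\n' > "$_site/wp-config.php"
  printf '<?php\n' > "$_site/wp-content/plugins/akismet/akismet.php"
  chmod 777 "$_site/wp-content/uploads"       # the shared-host advice the post rejects
  chmod 777 "$_site/wp-config.php"            # a file above 666: never acceptable
  printf '%s\n' "$_site"
}

# Apply the post's rule: 755 on every directory, 664 on every file.
harden_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 664 {} +
}

# Section 2: an empty index.html stops the web server listing the plugins folder.
hide_plugin_listing() {
  : > "$1/wp-content/plugins/index.html"
}

# Count violations of the rule. Any file mode above octal 666 must have an
# execute bit set, so files are flagged on any x bit or on world-write;
# directories are flagged on group- or world-write (anything above 755).
# Prints 0 when the tree is compliant.
count_violations() {
  find "$1" \( -type f \( -perm -100 -o -perm -010 -o -perm -001 -o -perm -002 \) \) \
          -o \( -type d \( -perm -020 -o -perm -002 \) \) | wc -l | tr -d ' '
}

# Stand-alone run: 2 violations before, 0 after.
site_dir=$(make_sample_site)
echo "violations before: $(count_violations "$site_dir")"
harden_permissions "$site_dir"
hide_plugin_listing "$site_dir"
echo "violations after:  $(count_violations "$site_dir")"
rm -rf "$site_dir"
```

Run count_violations against a real install (as a user with read access) to get the same before/after picture; on Apache, `Options -Indexes` in the site's .htaccess disables directory listing for every folder at once, which is more thorough than placing index.html files one by one.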
5. Backup, Backup, Backup
You never know; better safe than sorry… If you're serious about blogging and starting to get some traffic, you will want to make sure that your work is safe. Set-it-and-forget-it solutions are the best, no? Eat your own dog food: get a free account at Codeguard at least. Yes, they have free accounts (there is a link further down the page…), but they also target professionals with plans that start at $5/month. That's what I'm using. Whenever I create a new post, upload a new image, or update a plugin, every single change is detected and I can go back in time, like Time Machine…
The free accounts don't come with support. But what's $5/month… two cups of coffee? :-) You're serious about blogging? You blog often? You'll be backed up automatically, and your blog's data will be safe, with granular restore options.
Also good read:
- 5 Tips for WordPress Beginners – some new tips for the new version of WordPress (3.5)!
- Top 5 things to do after installing WordPress – essential things to configure after WordPress Installation
- WordFence Security Plugin for WordPress
- WordPress Backup Cloud Service – a Time Machine for your blog