Security Tips and Guidelines for Your Wordpress Blog
Posted by: Kanicen in Blog Marketing, Internet Marketing Tips, tags: guidelines, security tips, wordpress blog, wordpress hackers
Hi Guys,
Over the past 2 weeks I’ve had my biggest headache, where I re-installed my WordPress 3 times. Why?
I’ve been hacked 3 times in a week.
Yeah! Seriously!
What really happened before I got hacked is that I kept getting spammed: almost 30-40 spammers would create free accounts and blogs. I didn’t really bother, since I thought having spam blockers would keep me out of any trouble. But I was wrong: while doing all the spamming, they (or the hackers) were actually doing their thing. They planted some virus/code into all my index and home files.
How I figured this out is that I noticed my main page was taking too long to load, and in the footer at the end of the page I noticed some URLs that weren’t mine. So I started to suspect a few things. The first thing I did was download my “index” file, and I found out that there was some “alien” code planted inside. There you go: I downloaded all my files and noticed that all my index and home page files contained the same code. At the same time I told my hosting provider about it, and they noticed that there was a series of IPs accessing my control panel, etc. Imagine doing all this 3 times…
Anyway, the first thing I did was change my passwords to stronger ones. Then I started browsing for ways to protect the blog so that I won’t face the same issues again, and luckily I found a few guys giving great tips on how to protect a WordPress blog. Here are some security tips and guidelines for your WordPress blog.
We all agree that having a secure WordPress weblog should be one of our first priorities when keeping a successful blog. In this post I’d like you to share your knowledge and help us create a WordPress security guide to keep the bad guys out.
Below are 10 security tips that you can easily implement on your WordPress blog. Please share one or more life-savers you rely on to help protect yourself from WordPress security issues.
Here are a few WordPress security tips I’ve learned over time. After reading a couple of horror stories about blogs being hacked, maimed and mutilated by crazy Russians or vindictive competitors, I decided it would be a good idea to implement some security practices for my WordPress blog. After going through a bunch of sites and fixing things on my own blog, I thought it would be good to share these items with all of the other WordPress users out there.
Implementing these security measures is especially important for anyone who is currently making, or trying to make, money off their blog. Once your blog is hacked or spammed without you knowing about it, you’ll be dropped from the search engines, and it’s not easy getting back in. Remember, even with all the security measures, it’s essential to have a backup of your blog. The plugin I use is WordPress Database Backup. If you don’t have it installed, install it now! Seriously!
Tips to help protect yourself from WordPress security issues:
1. Stay Up-to-Date/Upgrade WordPress
This is probably the first thing you should do! If you’re not running the most up-to-date version, you’re asking for trouble. Currently it’s 2.2.3, but version 2.3 is coming soon, so you may as well wait till the 24th and install the newest version. There have been a few releases recently that were just security fixes (SQL injection, etc.). It may seem like a pain in the butt, and sometimes it can be, but upgrading is really not that bad. I held off upgrading from version 2.0 to 2.2 for a few months because I was scared something was going to go wrong and everything would get deleted. Finally I mustered the energy, went through their instructions step by step, and it was fine! After you’ve upgraded WordPress once, it’s not all that bad!
Probably the first thing you should do! Install the Instant Upgrade plugin or the WordPress Automatic Upgrade plugin. Make sure you back everything up before performing the upgrades.
Tip: Upgrade to WordPress 2.5. If you’re using WordPress 2.5 then it’s all built in: just click and upgrade from your plugin menu.
2. Change default passwords
Are you still logging into your wp-admin page with the same default password that was emailed to you? If so, CHANGE IT! That password is only 6 characters, just numbers and letters. My grandmother could probably crack it after a few weeks. Make it complex and more than 10 characters if you can. Also, try not to use words; make it a nice jumble of letters, numbers, and symbols. And while you’re at it, go ahead and log into your hosting company’s site and change the password there for your account login and any control panel logins, like cPanel, etc.
3. Use SSH/Shell Access instead of FTP
This one is a big one! It’s not as easy to implement as the other two, but it’s probably the best tip out of all the others I will list here. If someone gets hold of your FTP login information (which is usually sent unencrypted and is easy to get), they can manipulate your files and add spam to your site without you even knowing about it! Just read this story! It’s actually best to disable FTP altogether if you can. With SSH, everything is encrypted, including the transfer of files.
4. Install LoginLock plugin
This is a really cool plugin that will automatically block an IP address from trying to log into your WordPress admin area after a certain number of attempts. LoginLock will prevent bots from continuously trying different combinations to crack your account. This is very similar to how Windows works if you’re in a domain environment. The default lockout time is 1 hour.
5. Create a blank index.html file in your /Plugins/ directory
By default, your WordPress plugins folder is completely visible to anyone who goes to http://www.domainname.com/wp-content/plugins. Go ahead and create a blank document in your favorite editor, save it as index.html and upload it to the plugins directory. Now when you try to access that URL, you only get a blank screen. This keeps hackers from listing your plugins and spotting a security hole in one of them.
You can also add this line to the .htaccess file in your root: Options -Indexes
6. Protecting your WordPress wp-admin folder/Block access to the wp-admin folder using .htaccess
Attackers can use bots for a brute-force style of attack that simply guesses the admin password until they come up with the correct one and log in. There are a couple of solutions out there; we will highlight each below.
a) Limit access to the wp-admin folder by IP address: this solution restricts which IPs can access the wp-admin folder via .htaccess. It has one drawback: you may have to update your .htaccess file if your internet provider assigns you a dynamic IP address, you move to another location, or you have authors at other locations.
b) AskApache Password Protect: the plugin is simple; it adds a second layer of security to your blog by requiring a username and password to access anything in the /wp-admin/ folder. All you have to do is choose a username and password and you are done. It writes the .htaccess file without messing it up. It also encrypts your password and creates the .htpasswd file, as well as setting the correct security-enhanced file permissions on both.
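The directory-listing line from tip 5 and both wp-admin lockdowns from tip 6 written out by hand, as an added example that is not part of the original post and not the AskApache plugin’s output; it uses Apache 2.2 syntax (Order/Allow/Deny, Satisfy), which Apache 2.4 still accepts when mod_access_compat is loaded. The IP addresses and the .htpasswd path are made-up placeholders; replace them with your own.

```apache
# ---- /.htaccess (WordPress root), tip 5: no directory listings anywhere.
# Put it above the WordPress rewrite block so the upgrader leaves it alone.
Options -Indexes

# ---- /wp-admin/.htaccess, tips 6a + 6b.
# Assumptions (placeholders, not from the post): the blog's authors work from
# 203.0.113.10 and from the 198.51.100.0/24 range; the password file was
# created outside the web root with:
#     htpasswd -c /home/example/.htpasswd blogadmin
# With "Satisfy any" a request is allowed if it comes from a listed IP OR
# supplies valid credentials, so a dynamic-IP author still gets in with the
# password. Use "Satisfy all" to require both conditions at once.
AuthType Basic
AuthName "WordPress admin (second login)"
AuthUserFile /home/example/.htpasswd
Require valid-user

Order deny,allow
Deny from all
Allow from 203.0.113.10
Allow from 198.51.100.0/24
Satisfy any

# wp-admin/admin-ajax.php is requested by plugins and logged-out visitors
# (on versions that ship it); leaving it open keeps the front end working.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
```

After uploading, confirm the lockdown from an address that is not on the list: /wp-admin/ must prompt for the second login, and /wp-content/plugins/ must return an error instead of a file listing.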
7. Remove the Meta Tag Version string from your header.php file
Of course, if you’re running version 2.0 and the current release is 2.3, AND your blog explicitly states that it’s at 2.0 on every page, it’s not going to be very hard for someone to find your vulnerable blog and attack it. The line looks like this:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
8. Block WP- folders from the search engines
There is no need to have all of your WordPress files indexed by Google, so it’s best to block them in your robots.txt file. Add the following line to your list:
Disallow: /wp-*
9. Take regular backups of your site and Database.
You always have to take regular backups of your file directories as well as the database. WordPress Database Backup plugin creates backups of your core WordPress tables as well as other tables of your choice in the same database.
10. Protect Your Blog With a Solid Password
Creating a strong password that is also memorable is one of the easiest defenses against being hacked. There are a lot of online password strength checkers that you could use.
Also, you might check Lorelle’s article on the Blog Herald called Protect Your Blog With a Solid Password, which offers tips and tricks to help create a strong password that is also memorable, and advice on how to deal with all the myriad passwords we seem to accumulate online.
Got any more tips you want to add? Drop a comment! Thanks!
This article was taken from: