How to Harden Your WordPress Blog


WordPress is arguably the most popular platform for self-hosted blogs.

Unfortunately, that makes it prone to attack from viruses, spammers, identity thieves and hackers.

Automattic has published a great guide about ‘hardening’ WordPress – in other words, making it more difficult to hack. In this article, we’ll look at some easier routes and alternative methods.

Is Your Server Software Up to Date?

Shared hosting customers, and those on a managed server, don’t need to worry about updating server software: the host does that for them.

Unmanaged hosting customers need to update the software themselves to protect against hacks and patch vulnerabilities.

What About WordPress and Your Plugins?

WordPress should also be regularly updated, as should any plugins you have installed. Most of the time, updating is as easy as clicking a link and waiting a few seconds for the update to complete.

If something’s out of date, you’ll be notified in the WordPress admin area.

Password and Account Etiquette

Make sure the passwords you use for WordPress are very secure. Use a mix of letters, numbers and upper/lower case (or use a password generator).

For an extra layer of security, create a second Super Admin and delete the account with the ‘admin’ username.

Block the wp-admin Directory

If you use cPanel, you can stop anyone from accessing the wp-admin folder by password-protecting the directory. Alternatively, use the AskApache Password Protect plugin.

If you need more robust protection, limit access to the folder by IP address. Note: this could be restrictive if you administer WordPress from different connections or locations.

Move Your Config File

The wp-config.php file can be moved to a directory above the WordPress install, where it can’t be seen by the public.

However, you may need to keep moving the file back and forth for plugin changes and updates, so weigh up the potential inconvenience.

Change Your Folder Permissions

Check your permissions using the CHMOD command in your FTP application, or check the file list – sometimes they’re displayed there.

All folder permissions for WordPress should be 755 and all files should be 644. Theme or plugin editors require 666 permissions.

If your permissions are wrong, it could present a security problem.
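The check and the fix described above, as an added shell example that is not from the article. It assumes a Linux host with GNU find and stat, and takes the install path as an argument.

```shell
#!/bin/sh
# Audit and correct WordPress permissions against the values given above:
# 755 for directories, 644 for files. Assumes GNU find/stat (Linux).

# Print every directory or file whose mode differs from the recommended one,
# as "<kind> <octal mode> <path>". World-writable entries (666/777) show up
# here, so a file the theme editor needs can be reviewed deliberately rather
# than left open without anyone noticing.
wp_perm_audit() {
    root="$1"
    # -perm 755 with no leading '-' or '/' is an exact-mode match in find.
    find "$root" -type d ! -perm 755 -exec stat -c 'dir  %a %n' {} +
    find "$root" -type f ! -perm 644 -exec stat -c 'file %a %n' {} +
}

# Number of deviations, handy as a pass/fail check in a cron job.
wp_perm_audit_count() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Set every directory to 755 and every file to 644. Run as the owner of the
# install, then re-run the audit to confirm nothing was missed.
wp_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Usage: sh wp-perms.sh /path/to/wordpress   (path is an assumption)
if [ -n "$1" ]; then
    wp_perm_audit "$1"
fi
```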

Change Your Table Prefix

In phpMyAdmin, you’ll notice WordPress uses a prefix of wp_ when setting up its tables. You can change the prefix to something else for added security.

Note: this isn’t an easy change.

Add Security Plugins

The easiest way to improve security is with plugins.

Both are free and worth a try.

Is it Worth Hardening WordPress?

All WordPress blogs are unfortunately vulnerable to attack. The more precautions you take, the less likely it is that you’ll be affected. But balance convenience and security too.

And remember: no website is ever entirely safe, so always back up your content.
