Securing WordPress Installations

I run several WordPress blogs, and they have been recently hacked. I love WordPress, so I don’t want to change platforms, but I also hate being hacked. These hacks cause a lot of extra work and also cost a lot of money. Seeing my main money-making site sink in Google ranking because it got hacked is not a fun experience.

So, I’m going to go about securing my blogs as much as possible. One great resource I found was the WordPress Whitepaper (PDF file) by BlogSecurity.net.

Based on the whitepaper, and some other tips I have found around the internet, I am going to be doing the following to try to stop the hackers:

  • Use .htaccess files to password-protect the wp-admin directory. See Matt Cutts’s blog for how to do this.
  • Use .htaccess files to block unauthorized access to files in the wp-content and wp-includes directories. Public access to files such as images and CSS files should still be allowed in these directories. See the WordPress Whitepaper for how to do this.
  • Add an empty index.html file to the wp-content/plugins directory. This prevents people from seeing which plugins you run. This is another tip from Matt Cutts.
  • Remove all unused plugins and themes. Plugins and themes can be a source of security holes. If you are not using a plugin or theme, it should be deleted.
  • Change the default WordPress table prefix. By default WordPress prefixes all table names with “wp_”. This may allow hackers to access tables by assuming the name. Changing the prefix makes things a little harder. BlogSecurity.net has a tool for changing the prefix on existing blogs.
  • Change the “admin” username. Since “admin” is the default username in WordPress, hackers can assume that this user exists, which can make it easier to guess passwords. This is another tip from the whitepaper.
  • Remove the “generator” meta tag and any other clue that lets hackers know which version of WordPress is running. If hackers know the version of WordPress, they can try specific exploits for that version.
  • Install PHPIDS for WordPress. This plugin defends against malicious code injections. This was another recommendation from the whitepaper.
  • Install the WP Security Scan plugin. This plugin checks installations for security vulnerabilities and suggests fixes.
  • Keep up to date with the latest WordPress versions. In the past I have been a little lazy about updating my blogs to the latest version, but I will now update them right away. I updated my blogs to WordPress version 2.6.3 the day that they issued the release. I am going to investigate automated update tools to help with this.
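As an added example, not code from the original post or from the whitepaper: a small Python script that checks a WordPress tree on disk for the file-level steps in the list above (wp-admin password protection, PHP requests blocked in wp-content and wp-includes, the empty plugins index.html, the table prefix, and the core version). The .htaccess rule shapes it looks for, the constructed sample tree, and the /path/to/.htpasswd placeholder are assumptions; steps that need the database (the admin username, unused plugins and themes) are not covered.

```python
import re
import tempfile
from pathlib import Path

def _read(path):
    """Text of a file, or '' when it is absent (so an absent file fails every check)."""
    return path.read_text(encoding="utf-8", errors="replace") if path.is_file() else ""

def audit_wordpress(root, latest_version):
    """Return {check name: passed} for the file-level hardening steps listed above."""
    root = Path(root)
    admin = _read(root / "wp-admin" / ".htaccess")
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", _read(root / "wp-config.php"))
    wp_version = re.search(r"\$wp_version\s*=\s*'([^']+)'", _read(root / "wp-includes" / "version.php"))
    # Assumed rule shape for the whitepaper step: a <FilesMatch "\.php$"> block holding a deny directive.
    php_blocked = all(
        re.search(r'<FilesMatch\s+"[^"]*php[^"]*">.*?(Deny from all|Require all denied)',
                  _read(root / d / ".htaccess"), re.S | re.I)
        for d in ("wp-content", "wp-includes"))
    return {
        "wp-admin password protected": bool(re.search(r"^\s*AuthType\b", admin, re.M)
                                            and re.search(r"^\s*Require\b", admin, re.M)),
        "php blocked in wp-content/wp-includes": php_blocked,
        "plugins dir has index.html": (root / "wp-content" / "plugins" / "index.html").is_file(),
        "table prefix changed": bool(prefix) and prefix.group(1) != "wp_",
        "core up to date": bool(wp_version) and wp_version.group(1) == latest_version,
    }

def build_sample_install(root, hardened):
    """Write a constructed, minimal WordPress-like tree (sample data, not a real install)."""
    files = {
        "wp-config.php": "<?php\n$table_prefix = '%s';\n" % ("x9q_" if hardened else "wp_"),
        "wp-includes/version.php": "<?php\n$wp_version = '2.6.3';\n",
    }
    if hardened:
        files["wp-admin/.htaccess"] = ("AuthType Basic\nAuthName \"Admin\"\n"
                                       "AuthUserFile /path/to/.htpasswd\nRequire valid-user\n")  # placeholder path
        block = '<FilesMatch "\\.php$">\nOrder Allow,Deny\nDeny from all\n</FilesMatch>\n'
        files["wp-content/.htaccess"] = files["wp-includes/.htaccess"] = block
        files["wp-content/plugins/index.html"] = ""
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")

def audit_sample(hardened, latest_version="2.6.3"):
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp, hardened)
        return audit_wordpress(tmp, latest_version)
```

Run `audit_wordpress("/path/to/your/blog", "2.6.3")` against a real install to get the same pass/fail table; the sample tree only exists so the script can be exercised offline.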

If you know of any other tips I would love to hear them.