3 Tips To Protect Your WordPress Installation

Here are three easy but important ways to protect yourself if you run a WordPress blog:

  1. Secure your /wp-admin/ directory. What I’ve done is lock down /wp-admin/ so that only certain IP addresses can access that directory. I use an .htaccess file, which you can place directly at /wp-admin/.htaccess. This is what mine looks like:

    # Apache 2.2 host-based access control; Apache 2.4 replaces these with "Require ip"
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    order deny,allow
    deny from all
    # whitelist home IP address
    allow from 64.233.169.99
    # whitelist work IP address
    allow from 69.147.114.210
    allow from 199.239.136.200
    # IP while in Kentucky; delete when back
    allow from 128.163.2.27

    I’ve changed the IP addresses, but otherwise that’s what I use. This file says that the IP address 64.233.169.99 (and the other IP addresses that I’ve whitelisted) is allowed to access /wp-admin/, but all other IP addresses are denied access. Has this saved me from being hacked before? Yes.

  2. Make an empty wp-content/plugins/index.html file. Without it, a web server configured to show directory listings will display the contents of that folder, so you leak information on which plugins you run. If someone wanted to hack your blog, they might be able to do it by discovering that you run an out-of-date plugin on your blog and then exploiting that.
  3. Subscribe to the WordPress Development blog at http://wordpress.org/development/feed/ . When WordPress patches a security hole or releases a new version, they announce it on that blog. If you see a security patch released, you need to upgrade or apply the patch. You leave yourself open to being hacked if you don’t upgrade.

And here’s a bonus tip: in the header.php file for your theme, you might want to check for a line like

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->

I’d just go ahead and delete that line or at least the bloginfo('version'). If you’re running an older version of WordPress, anyone can view source to see what attacks might work against your blog.
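A small self-audit for tip 2 and the bonus tip, added here as an example and not part of the original post: given the HTML your own site returns, it reports whether the generator tag still advertises a WordPress version and whether a request for /wp-content/plugins/ comes back as an Apache directory listing (the leak the empty index.html is meant to close). The response bodies below are constructed samples so the script runs offline; the function names and the sample version string are this example's own.

```python
"""Self-audit helpers for the plugin-listing and generator-tag leaks.

Added example, not code from the original post.  find_generator_version()
inspects a page for the <meta name="generator"> tag, is_directory_listing()
and listed_entries() recognise an Apache mod_autoindex page such as the one
served for /wp-content/plugins/ when no index file exists.
"""
import re

# Constructed sample: a theme header that still carries the generator tag
# (the version string is a sample value, not taken from any real site).
PAGE_WITH_GENERATOR = """<html><head>
<meta name="generator" content="WordPress 2.6.2" /> <!-- leave this for stats please -->
</head><body>hello</body></html>"""

# Constructed sample: the same page with the generator line removed.
PAGE_WITHOUT_GENERATOR = "<html><head><title>blog</title></head><body>hello</body></html>"

# Constructed sample of what Apache's mod_autoindex returns when the plugins
# directory has no index file: every installed plugin is listed by name.
PLUGINS_LISTING = """<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1>
<a href="?C=N;O=D">Name</a> <a href="/wp-content/">Parent Directory</a>
<a href="akismet/">akismet/</a>
<a href="hello.php">hello.php</a>
</body></html>"""

# With an empty index.html in place the server returns that empty file instead.
PLUGINS_BLANK = ""

_GENERATOR = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress(?:\s+([^"\']*))?["\']',
    re.IGNORECASE)
_AUTOINDEX = re.compile(r"<title>\s*Index of\s+/[^<]*</title>", re.IGNORECASE)


def find_generator_version(html):
    """Return the advertised WordPress version, '' if the tag is present but
    carries no version, or None if there is no WordPress generator tag."""
    match = _GENERATOR.search(html)
    if not match:
        return None
    return (match.group(1) or "").strip()


def is_directory_listing(html):
    """True when the body looks like an Apache autoindex page."""
    return _AUTOINDEX.search(html) is not None


def listed_entries(html):
    """Names an autoindex page exposes (sort links and the parent-directory
    link are skipped); empty when the body is not a listing."""
    if not is_directory_listing(html):
        return []
    return re.findall(r'<a href="([^"?/][^"]*)">', html)


if __name__ == "__main__":
    print("generator version:", find_generator_version(PAGE_WITH_GENERATOR))
    print("plugins exposed:", listed_entries(PLUGINS_LISTING))
    print("after index.html:", listed_entries(PLUGINS_BLANK))
```

If you would rather not edit header.php, WordPress also lets a theme's functions.php drop the tag with `remove_action('wp_head', 'wp_generator');`, which stops WordPress from printing it in the first place.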

Hat tip to Reuben Yau and Shoe.

Update: In the comments, Joshua Slive pointed out that the .htaccess file shouldn’t have a <LIMIT GET> around the IP addresses. That would have restricted only GET requests, so non-whitelisted IP addresses could still POST to /wp-admin/, for example. Joshua, thanks for the pointer to the Apache docs on this point.
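To see why the whitelist in tip 1 works and why the <LIMIT GET> wrapper from the update breaks it, here is an added example (not code from the original post) that models Apache 2.2's `order deny,allow` / `deny from all` / `allow from` evaluation for a given client address and request method. The two .htaccess strings are constructed samples: the first is the post's file with straight quotes, the second the same rules wrapped in <Limit GET>. Function names are this example's own, and it covers only the directives on the page plus CIDR masks; it is a model of the rules, not a substitute for testing against the real server.

```python
"""Evaluator for the Apache 2.2 host-access directives in /wp-admin/.htaccess.

Added example, not code from the original post.  is_allowed() applies the
`order deny,allow` / `deny from` / `allow from` semantics of mod_authz_host
to a client IP and HTTP method.  Directives inside a <Limit GET> block only
govern GET (and HEAD), so a POST from a non-whitelisted address is not
blocked at all, which is the mistake the post's update describes.
"""
import ipaddress
import re

# Constructed sample: the post's .htaccess with straight quotes, as Apache
# requires (the Auth* lines do not affect host-based access and are ignored).
HTACCESS_OK = """\
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
"""

# Constructed sample of the mistake from the update: the same rules inside
# <Limit GET>, which scopes them to GET (and, per Apache, HEAD) only.
HTACCESS_LIMIT_GET = """\
<Limit GET>
order deny,allow
deny from all
allow from 64.233.169.99
</Limit>
"""

_LIMIT_OPEN = re.compile(r"^<Limit\s+([^>]+)>$", re.IGNORECASE)
_LIMIT_CLOSE = re.compile(r"^</Limit>$", re.IGNORECASE)


def parse_access_rules(text):
    """Return (methods, directive, value) tuples.

    methods is None for directives outside any <Limit> block (they apply to
    every method); otherwise it is the set of methods the block names.
    """
    rules = []
    scope = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _LIMIT_OPEN.match(line)
        if opened:
            scope = {m.upper() for m in opened.group(1).split()}
            if "GET" in scope:
                scope.add("HEAD")  # Apache: limiting GET also limits HEAD
            continue
        if _LIMIT_CLOSE.match(line):
            scope = None
            continue
        parts = line.split(None, 2)
        name = parts[0].lower()
        if name == "order" and len(parts) > 1:
            rules.append((scope, "order", "".join(parts[1:]).replace(" ", "").lower()))
        elif name in ("allow", "deny") and len(parts) == 3 and parts[1].lower() == "from":
            rules.append((scope, name, parts[2]))
    return rules


def _host_matches(pattern, ip):
    """`all`, a single address, or a CIDR block such as 192.0.2.0/24."""
    if pattern.lower() == "all":
        return True
    try:
        return ip in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False


def is_allowed(text, client_ip, method="GET"):
    """Decide a request the way mod_authz_host (Apache 2.2) would.

    order deny,allow: evaluate deny lines, then allow lines; default allow.
    order allow,deny: evaluate allow lines, then deny lines; default deny.
    Within that sequence the last matching directive wins.
    """
    ip = ipaddress.ip_address(client_ip)
    method = method.upper()
    rules = [r for r in parse_access_rules(text) if r[0] is None or method in r[0]]
    order = next((v for _, d, v in rules if d == "order"), None)
    if order is None:
        return True  # no host restriction applies to this method
    first, second = order.split(",")
    allowed = first == "deny"  # deny,allow defaults to allow; allow,deny to deny
    for phase in (first, second):
        for _, directive, value in rules:
            if directive == phase and _host_matches(value, ip):
                allowed = directive == "allow"
    return allowed


if __name__ == "__main__":
    for method in ("GET", "POST"):
        print("plain   ", method, "from 203.0.113.7:", is_allowed(HTACCESS_OK, "203.0.113.7", method))
        print("<Limit> ", method, "from 203.0.113.7:", is_allowed(HTACCESS_LIMIT_GET, "203.0.113.7", method))
```

Running it shows the plain file denying 203.0.113.7 for both methods while the <Limit GET> version denies only the GET. On Apache 2.4 the same restriction is written as `Require ip 64.233.169.99` lines (the Order/Allow/Deny directives need mod_access_compat there), and the same <Limit> caveat applies.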


26.Oct.08 Security, Wordpress
