WordPress Security Tips & Plugins

Discussion in 'Content Management System' started by shabbir, Jan 30, 2012.

  1. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,375
    Likes Received:
    388
    Trophy Points:
    83
    WordPress out of the box is pretty secure. Still, if you follow a few simple security tips and install a few security plugins, you can make your WordPress a lot more secure.

    Choose Secure Passwords



    The public always knows your WordPress username because of your author profile on your blog, so you need to choose a password that is a lot more secure. For a "secure password," use passwords at least ten to twelve characters long that contain at least one upper-case letter and one symbol, such as # or !.

    Blog From Safe System



    Don’t log in to your WordPress dashboard and admin area from a public computer or a computer that you think will not be secure. Those computers can have keyboard loggers and other malware that can steal your WordPress admin password as you log in.

    Block wp-admin directory with .htaccess



    You can easily protect your WordPress admin panel directory with .htaccess. This adds an extra layer of security to the WordPress admin control panel for your blog.

    cPanel provides a password-protecting directory option inside your control panel.

    Or, if you have SSH access, you can add the password using the .htaccess and .htpasswd files, like I have for my Internet Marketing Blog:

    Code:
    AuthName "IMTips Admin Area"
    AuthType Basic
    AuthUserFile /home/imtips/.htpasswd
    Require user shabbir
    
    In the htpasswd file, you place the username and password (which is encrypted), one pair per line. To add a password you can use the htpasswd command in Linux as well.

    Code:
    shabbir:SomeEncryptedPassword

    Move wp-config.php up one level



    The wp-config.php file contains all of your database configuration information. You can make WordPress more protected by knowing this little secret of WordPress: you can move the wp-config.php file one level above the WordPress root. If you have your blog installed in your domain's root directory, this puts wp-config.php outside of the public_html folder, making it safe from any scripting access, and WordPress automatically knows where to look for wp-config.php, i.e. one level up.

    Remember, this tip doesn’t work if you install your blog in a subdirectory (e.g. public_html/blog), because then, though you have your config file one level up, the file is still under the public_html folder and so is accessible through a web browser and other scripts.

    Updated WordPress, Plugins, & Themes



    WordPress provides frequent updates as well as security patches for any vulnerabilities as and when they are found. The same holds true for plugins and themes, so it really makes sense to be using the latest WordPress and the latest plugins.

    Install Login Lock Down



    The Login Lock Down plugin helps protect your WordPress blog against brute force attacks (enumerating all possible passwords and checking which one is the correct one). By default WordPress does not lock logging into the system even if you give the wrong password many times, so anybody can brute force your admin username with various passwords. Having the Login Lock Down plugin disables brute force attacks on your site by defining how many wrong password attempts you allow before locking the user.

    Plugin to Scan WordPress Security Scan



    Install the WordPress Security Scan plugin to check if there is anything more that you can do to make your WordPress more secure. It scans through your site’s files and directories and gives you suggestions and action items on passwords, file permissions and other database security flaws.

    Automated backups



    For popular blogs you can opt for VaultPress, a premium service by the makers of WordPress, to automatically back up databases and files associated with WordPress and restore them with just one click.

    I hope the tips help fellow bloggers remain safe. What security measures do you take for your blog? Share your views in the comments below.
     
    Last edited: Jan 21, 2017
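
The two placement checks from the post above (where wp-config.php ends up, and where the AuthUserFile behind wp-admin lives) as a small audit script. This is an added example, not part of the original post; the function names and the DOCROOT/WPROOT arguments are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit wp-config.php placement and the wp-admin password file.
# DOCROOT (web-served directory) and WPROOT (WordPress directory) are assumed inputs.

# Succeeds when existing file $1 lies inside directory $2 (symlinked dirs resolved).
is_under() {
    local p d
    p=$(cd "$(dirname "$1")" && pwd -P)/$(basename "$1")
    d=$(cd "$2" && pwd -P)
    case "$p" in "$d"/*) return 0 ;; *) return 1 ;; esac
}

# Print the wp-config.php that would be picked up: the install directory
# first, then one level up, as the post describes.
locate_wp_config() {
    local wproot="$1" parent
    parent=$(dirname "$wproot")
    if [ -f "$wproot/wp-config.php" ]; then echo "$wproot/wp-config.php"
    elif [ -f "$parent/wp-config.php" ]; then echo "$parent/wp-config.php"
    else return 1; fi
}

# Classify the config file: inside-docroot, outside-docroot, or missing.
wp_config_status() {
    local docroot="$1" wproot="$2" cfg
    cfg=$(locate_wp_config "$wproot") || { echo "missing"; return; }
    if is_under "$cfg" "$docroot"; then echo "inside-docroot"; else echo "outside-docroot"; fi
}

# Classify wp-admin protection from the AuthUserFile line in its .htaccess.
wp_admin_auth_status() {
    local docroot="$1" wproot="$2" ht pw
    ht="$wproot/wp-admin/.htaccess"
    [ -f "$ht" ] || { echo "no-htaccess"; return; }
    pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    [ -n "$pw" ] || { echo "no-authuserfile"; return; }
    [ -f "$pw" ] || { echo "htpasswd-missing"; return; }
    if is_under "$pw" "$docroot"; then echo "htpasswd-inside-docroot"; else echo "ok"; fi
}

# Usage: ./audit.sh DOCROOT WPROOT
if [ "$#" -eq 2 ]; then
    echo "wp-config.php: $(wp_config_status "$1" "$2")"
    echo "wp-admin auth: $(wp_admin_auth_status "$1" "$2")"
fi
```

For a blog installed in public_html/blog, the script reports `inside-docroot` even after the config file is moved one level up, which is the subdirectory caveat from the post.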
  2. pradeep

    pradeep Team Leader

    Joined:
    Apr 4, 2005
    Messages:
    1,645
    Likes Received:
    87
    Trophy Points:
    0
    Occupation:
    Programmer
    Location:
    Kolkata, India
    Home Page:
    http://blog.pradeep.net.in
    Nice one. I would like to add a point: secure the wp-admin directory by forcing HTTPS. You can use a self-signed certificate; this will help prevent password stealing via packet inspection.
     
  3. mathewines

    mathewines New Member

    Joined:
    Mar 2, 2012
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    0
    Thanks for this informative article, great job done.
     
  4. KJMS-Chris

    KJMS-Chris New Member

    Joined:
    Mar 26, 2012
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    0
    Renaming wp-admin/ is not a bad idea either, because it makes you less of a target for automated attacks.
     
