The WordPress Security Guide
Security is a very important, but often overlooked, aspect of blogging. There are many tools and plugins that can be integrated into your WordPress blog to help harden and secure it against hackers and spammers. This guide on WordPress security will hopefully add an extra layer or two in helping to secure your online asset: your blog.

Latest WordPress Version

WordPress is an open source publishing platform, which means its source code is freely available for anyone to see, use, modify... or exploit. Developers of worms and viruses often take advantage of older, more vulnerable WordPress versions, as they are more susceptible to these kinds of malicious activity. Every new WordPress release improves on its predecessor both in functionality and in security, so it is very important that your blog is running on the latest version of WordPress.

Backing up WordPress

Back up early... back up often! It is as simple as that. When did you last back up your blog? How much would you lose if your web host's hard drives permanently failed right now and your blog was gone with them? Or if you installed a new plugin or upgraded an existing one, which caused major conflicts resulting in data loss? You get the picture: your website is only as safe as its last backup.
I back up a fair bit and have made a habit of it. It has certainly been a lifesaver on those rare occasions when I have needed to do a restore. I personally do a full backup of my blog and database after every post I publish, as well as any progress I make on a draft post I am working on. I will also do a full site and database backup prior to installing a new plugin, or even upgrading an existing one. That way, if there are any conflicts, I can always revert.

Backup Folders

I recommend creating a backup folder on your hard drive, and underneath that a folder named after the current WordPress version, and putting your backups in each of these folders. Every time a new WordPress release comes out, just add a new versioned folder and continue doing the same. They don't take up much space, and in time you can always do a cleanup and delete some of the older backups. Here is an example of how my backup folders are set up.
Screenshots

I think it is a good idea to take screenshots of any customised settings you have made to your blog, such as your Permalink Settings.
I also take screenshots of all my active plugins, along with their version numbers. This comes in handy if you need to restore your blog: you can easily identify the version of the plugin needed for the restore, as a newer plugin version may not be compatible.
Taking screenshots of the various plugin settings can also be very helpful if you have needed to delete a plugin and reinstall it.
As with your backups, just create a plugin screenshots folder and put all your screenshots there. As I already do regular full backups, I tend to update my screenshots every month or so.

Exporting your Content

Exporting your WordPress data (posts, pages, comments, custom fields, categories, and tags) is sometimes necessary and useful. If you are moving to a new host or just want a backup of your blog, then exporting your blog is the answer. In the Tools section, click on Export. If you select All Authors from the drop-down menu, this will export all the posts from all authors on your blog. If your blog has more than one author, you can restrict the export to a certain author by selecting that particular person.
Next click on <Download export file>, then click on <OK> to save the exported file. As before, just put this exported file in your backups folder.

WP-Config.php

The wp-config.php file is the key to the WordPress database. It is where you set the database name, username, password and location, so it is a good idea to back this up as well. Using your FTP client, copy this file to your backup folder.
See also the Securing wp-config.php section below.

Changing the Default Admin User

When you first set up your blog, WordPress by default named the administrator account "admin". A lot of bloggers don't bother to change this and just choose a strong password. It is a very good idea to change this admin account to something different. Hackers who want to gain access to your blog often employ brute-force attacks, using automated tools to guess passwords by cycling through different combinations of letters, numbers and characters. If you leave this administrator account as admin, then they are 50% closer to gaining access, because half of the credential pair is already known.

To change this, log in to your WordPress blog as normal. Under the Users section, click on Add New and fill out the details for the new user. Make sure you choose a hard-to-guess username using letters and numbers, and that it is not similar to the one you publicly display on your blog. For example, the word "wordpress" could be turned into "wOrdpr3ss".

Strong Password

I recommend choosing a really hard and long password as well. If you are thinking "not another password to remember", then you should check out my post LastPass Guide to Online Password Management, which shows you how to manage all your online passwords and usernames by remembering only one master password. You can generate very strong random passwords with LastPass. Also, make sure you select Administrator from the Role drop-down menu, and when you are done click on <Add User>.
The new user has now been created. Double-check that the Nickname isn't the same as the secret username you have just created; if it is, change it.
Now log out of WordPress and log back in using your new username and password. Under Users, click on Authors & Users. You will see both users: admin and your newly created user. Delete the admin user by clicking on Delete. You now want to transfer all the posts that were authored using the admin account to your new account, so select Attribute all posts and links to your new username, then click <Confirm Deletion>. Done! Your new username is set up, the old default admin account has been deleted, and all posts and links have been transferred across to your new username.

Securing wp-config.php

According to the official Hardening WordPress Codex, you can move the wp-config.php file to the directory above your WordPress install.
This means that for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder. Note that wp-config.php can be stored only ONE directory level above the WordPress installation (the directory where wp-includes resides); WordPress does not look any further up.

Preventing Directory Listing

In many cases, the default WordPress installation allows hackers to use their web browser as a file browser to look through the contents of the folders on your server. Plugin and theme developers often make mistakes in their code that allow unexpected access. This means that hackers can browse through your directories looking for potentially vulnerable files and attack your site. There are a couple of ways you can prevent directory listing.

Hiding Your Plugins

Type your blog's URL into the address bar, followed by /wp-content/plugins/. If a list of your plugins is displayed, then you need to fix this asap: if your plugins are visible to people snooping around, they could potentially exploit a known weakness in one of them. To prevent this, create either a blank index.html file or a blank index.php file, and upload it to the /wp-content/plugins/ directory.
Refresh the page: if you see either a blank page or a 404 (file not found) page, then you are a lot safer than you were before.

Hiding Your Theme's Files

Now type your blog's URL into the address bar, followed by /wp-content/themes/. Just like above, if your themes are visible, then you need to hide them by creating either a blank index.html file or a blank index.php file and uploading it to the /wp-content/themes/ directory. Refresh the page, and if you see either a blank page or a 404 (file not found) page, then you can be assured that these folders are hidden from public view.

Editing Your .htaccess File to Prevent Directory Listing

The method I've just described, uploading a blank file into a directory, doesn't prevent directory listings of the sub-folders beneath it, not to mention all the other folders. It is just too cumbersome to upload a blank index.php file into every folder on your server. The recommended way to prevent directory listing of all folders is to edit your .htaccess file (in your WordPress root directory "/") and insert the following at the bottom of the file:

# Prevents directory listing
Options -Indexes

Note that .htaccess files are only honoured by Apache, and only if your host's configuration allows the Options directive to be overridden; if your site returns a server error after adding the line, check with your host. To do this, log in to your webserver. If you are using cPanel or an FTP client, make sure that you have Force showing hidden files enabled (so you can actually see the .htaccess file).
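The two measures described above (a blank index.php in every exposed folder and Options -Indexes in the root .htaccess) can be checked and applied in one pass over a local copy of the site. This is an added example, not code from the guide or from WordPress itself; it runs against a constructed throwaway directory tree, and on a real site you would point it at the install root you have downloaded via FTP before uploading the result.

```python
import os
import tempfile

# Content WordPress itself uses for its placeholder index.php files.
INDEX_STUB = "<?php\n// Silence is golden.\n"
HTACCESS_RULE = "Options -Indexes"


def make_sample_tree():
    """Build a throwaway tree shaped like a WordPress install (constructed sample).
    Only wp-content/ gets an index.php; the plugin and theme folders are left exposed."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    for sub in ("wp-content/plugins/akismet", "wp-content/themes/default", "wp-content/uploads/2009"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "wp-content", "index.php"), "w") as fh:
        fh.write(INDEX_STUB)
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n")
    return root


def exposed_directories(root):
    """List folders under wp-content/ that have neither index.php nor index.html,
    i.e. the ones a browser could list if the server allows indexes."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(os.path.join(root, "wp-content")):
        if "index.php" not in filenames and "index.html" not in filenames:
            exposed.append(os.path.relpath(dirpath, root).replace(os.sep, "/"))
    return sorted(exposed)


def htaccess_has_rule(path):
    """True if .htaccess already carries an active (non-comment) Options -Indexes line."""
    if not os.path.exists(path):
        return False
    with open(path) as fh:
        return any(line.strip() == HTACCESS_RULE for line in fh if not line.lstrip().startswith("#"))


def harden_directory_listing(root):
    """Apply both fixes: a blank index.php in every exposed wp-content folder, plus
    Options -Indexes appended to the root .htaccess. Idempotent; returns what it changed."""
    created = exposed_directories(root)
    for rel in created:
        with open(os.path.join(root, rel, "index.php"), "w") as fh:
            fh.write(INDEX_STUB)
    htaccess = os.path.join(root, ".htaccess")
    updated = not htaccess_has_rule(htaccess)
    if updated:
        with open(htaccess, "a") as fh:
            fh.write("\n# Prevents directory listing\n" + HTACCESS_RULE + "\n")
    return {"created": created, "htaccess_updated": updated}
```

Running it a second time reports nothing to do, which is the quick check that every folder is covered.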
Now navigate to WordPress' root directory, find the .htaccess file and edit it. Add the two lines at the bottom of the file and, when you are done, click on <Save> to save the changes. Done! This method now prevents directory listing of all your blog's directories.

Changing WordPress Database Prefix

By default, all the tables in your WordPress database have a prefix of "wp_". It is advisable to change this, as it will bring your blog's security to a higher level. This prefix can be changed to any combination of letters, numbers and underscores. David Potter has done a nice guide on Changing the WordPress Table Prefix.
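Renaming the tables on their own is not enough: WordPress also stores the prefix inside the option key wp_user_roles and the usermeta keys wp_capabilities and wp_user_level, and if those are left behind every account loses its role and the administrator is locked out. The following is an added example (not from the guide or from David Potter's article) showing the whole change against a constructed in-memory SQLite stand-in for the database; on a real site the same statements are run against MySQL and $table_prefix in wp-config.php is then changed to match.

```python
import re
import sqlite3


def build_sample_db(prefix="wp_"):
    """In-memory SQLite stand-in for a WordPress database (constructed sample, not a real dump).
    Besides the table names, the prefix is embedded in option and usermeta keys."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {prefix}posts (ID INTEGER PRIMARY KEY, post_title TEXT)")
    db.execute(f"CREATE TABLE {prefix}users (ID INTEGER PRIMARY KEY, user_login TEXT)")
    db.execute(f"CREATE TABLE {prefix}options (option_name TEXT, option_value TEXT)")
    db.execute(f"CREATE TABLE {prefix}usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany(f"INSERT INTO {prefix}options VALUES (?, ?)", [
        (prefix + "user_roles", "a:5:{...serialized roles...}"),  # prefixed key
        ("siteurl", "http://blog.example"),                         # not prefixed
    ])
    db.executemany(f"INSERT INTO {prefix}usermeta VALUES (?, ?, ?)", [
        (1, prefix + "capabilities", 'a:1:{s:13:"administrator";b:1;}'),  # prefixed key
        (1, prefix + "user_level", "10"),                                  # prefixed key
        (1, "nickname", "wOrdpr3ss"),                                      # not prefixed
    ])
    db.commit()
    return db


def is_valid_prefix(prefix):
    """Only letters, numbers and underscores are allowed in a table prefix."""
    return re.fullmatch(r"[A-Za-z0-9_]+", prefix) is not None


def table_names(db):
    return sorted(r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type = 'table'"))


def prefixed_keys(db, prefix):
    """option_name / meta_key values starting with `prefix`: these must follow a rename."""
    n = len(prefix)
    opts = db.execute(f'SELECT option_name FROM "{prefix}options" WHERE substr(option_name, 1, ?) = ?', (n, prefix))
    meta = db.execute(f'SELECT meta_key FROM "{prefix}usermeta" WHERE substr(meta_key, 1, ?) = ?', (n, prefix))
    return sorted([r[0] for r in opts] + [r[0] for r in meta])


def change_prefix(db, old, new):
    """Rename every `old`-prefixed table to `new` and rewrite the prefixed option/usermeta keys.
    $table_prefix in wp-config.php still has to be changed to `new` by hand afterwards."""
    if not is_valid_prefix(new):
        raise ValueError("prefix may only contain letters, numbers and underscores")
    for name in table_names(db):
        if name.startswith(old):
            db.execute(f'ALTER TABLE "{name}" RENAME TO "{new}{name[len(old):]}"')
    n = len(old)
    db.execute(f'UPDATE "{new}options" SET option_name = ? || substr(option_name, ?) '
               "WHERE substr(option_name, 1, ?) = ?", (new, n + 1, n, old))
    db.execute(f'UPDATE "{new}usermeta" SET meta_key = ? || substr(meta_key, ?) '
               "WHERE substr(meta_key, 1, ?) = ?", (new, n + 1, n, old))
    db.commit()
    return table_names(db)
```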
WordPress Security Plugins

There are plenty of WordPress security plugins available, so please check that the plugin's version is compatible with your WordPress version before installing! Here is a list of some good plugins that help to harden your blog.

WP Security Scan

WP Security Scan is probably the most downloaded security plugin for WordPress. It scans your WordPress installation for file and directory permission vulnerabilities and suggests corrective actions. WP Security Scan also scans for general security vulnerabilities and lets you know of areas that can be further secured.
WP Security Scan also has a password tool and allows you to change the database table prefix automatically.

WP-CopyProtect

Plagiarism and content theft is a serious problem for bloggers. Often people will copy and paste content from your blog and re-publish it themselves without your permission and without referencing your work. WP-CopyProtect is a simple plugin that allows you to:

  • Disable right-click on your blog
  • Disable text selection

It certainly isn't an all-encompassing solution. If someone really wants your content they could always get it from your source code or RSS feed, but it does the trick in deterring the average person trying to rip off your posts. I currently have text selection disabled on my blog and am quite happy with this plugin.

Secure WordPress

Secure WordPress helps to secure your WordPress installation and includes the following:
  1. Removes error information on the login page
  2. Adds index.html to the plugin directory (virtual)
  3. Removes the WordPress version, except in the admin area
  4. Removes Really Simple Discovery
  5. Removes Windows Live Writer
  6. Removes core update information for non-admins
  7. Removes plugin update information for non-admins
  8. Removes theme update information for non-admins (only WP 2.8 and higher)
  9. Adds the string needed to use WP Scanner

WP Scanner

WordPress Scanner is a free online resource that blog administrators can use to get a measure of their WordPress security level, and it comes bundled with the Secure WordPress plugin (see above). To run WP Scanner, add <!-- wpscanner --> to your current WordPress template. I added mine in the header.php file, before the closing body tag.
Once this code has been added, head to WPSCAN and scan your blog. When the scan is finished you will be given a summary of the state of your blog and any associated security risks. When you have finished, don't forget to go back and REMOVE <!-- wpscanner -->, otherwise others will be able to scan your blog too!
Login Lockdown

Login Lockdown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery. Lockdown times can be modified via the Options panel, and administrators can release locked-out IP ranges manually from the panel.
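The detection logic the plugin describes (count failures per IP range inside a sliding window, lock the whole range for a set time, let an administrator release it early) is small enough to show in full. This is an added example written for this guide, not the Login Lockdown plugin's own code; the failed-login records are constructed, and treating the first three octets (a /24) as the "IP range", along with the default thresholds, are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of failed-login records in the shape the plugin stores
# (timestamp and IP address of each failed attempt). Not real log data.
SAMPLE_FAILURES = """\
2009-08-14 10:00:01 203.0.113.5
2009-08-14 10:00:03 203.0.113.5
2009-08-14 10:00:04 203.0.113.9
2009-08-14 10:00:06 203.0.113.5
2009-08-14 10:00:07 203.0.113.77
2009-08-14 10:00:09 203.0.113.5
2009-08-14 10:30:00 198.51.100.20
"""


def ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' into a datetime."""
    return datetime.fromisoformat(text)


def ip_range(ip):
    """Key attempts by the first three octets (assumption: a /24 is the 'IP range')."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


class LoginLockdown:
    def __init__(self, max_attempts=5, window=timedelta(minutes=5), lockout=timedelta(hours=1)):
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self.failures = {}  # range -> timestamps of recent failures
        self.locked = {}    # range -> time the lockout expires

    def record_failure(self, ip, when):
        """Store a failed attempt; lock the range once the threshold is hit inside the window."""
        rng = ip_range(ip)
        recent = [t for t in self.failures.get(rng, []) if when - t <= self.window]
        recent.append(when)
        self.failures[rng] = recent
        if len(recent) >= self.max_attempts:
            self.locked[rng] = when + self.lockout
        return self.is_locked(ip, when)

    def is_locked(self, ip, when):
        """Lockouts expire on their own after `lockout`; any IP in the range is refused."""
        until = self.locked.get(ip_range(ip))
        return until is not None and when < until

    def release(self, ip):
        """Manual release of a range, as an administrator would do from the Options panel."""
        self.locked.pop(ip_range(ip), None)


def replay(records=SAMPLE_FAILURES, **settings):
    """Feed the records through the detector; returns it plus the ranges that got locked."""
    ld = LoginLockdown(**settings)
    for line in records.splitlines():
        date, time, ip = line.split()
        ld.record_failure(ip, ts(f"{date} {time}"))
    return ld, sorted(ld.locked)
```

In the sample, six failures from three different hosts in 203.0.113.0/24 arrive within ten seconds, so the whole range is locked even though no single address reached the threshold; the lone failure from 198.51.100.20 is not.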
WP-DBManager

WP-DBManager is a plugin that manages your WordPress database. It allows you to optimize, repair, back up and restore the database, delete database backups, drop or empty tables and run selected queries. It also allows you to schedule your backups and have them emailed to you. I have configured mine so I get a scheduled email backup every day.
This is quite a handy plugin, as you can set it and forget it. That way you can be sure you always have an up-to-date backup of your blog's database.

WordPress Security Resources

Security Related Codex Articles

  • Changing File Permissions – WordPress Codex
  • Editing wp-config.php – WordPress Codex
  • Hardening WordPress – WordPress Codex
  • How to Keep WordPress Secure – WordPress Blog
  • htaccess for Subdirectories – WordPress Codex
50 Other WordPress Security Resources

  1. 5 WordPress Security Essentials – LGR
  2. 8 Security Tips and Guidelines for your WordPress Blog – Online Tech Tips
  3. 9 Best WordPress Security Plugins – Quick Online Tips
  4. 9 SEO Security Tips for Wordpress – Antezeta
  5. 10 Steps To Protect The Admin Area In WordPress – Smashing Magazine
  6. 10 WordPress Security Tips – Lost in Search
  7. 12 Essential Security Tips and Hacks for WordPress – SixRevisions
  8. 14 tips to wordpress practical security [How-to] – Ruhani Rabin
  9. 15 Plugins to Boost up your Wordpress Security and a Special Tip! – Smart Bloggerz
  10. 16 Excellent Wordpress Security Plugins To Secure Your Blog – TutZone
  11. 18 Wordpress Security Plugins & Tips To Secure Your Blog – MakeUseOf
  12. 20 Wordpress Security Plug-ins And Tips To keep Hackers Away – Simple Thoughts
  13. 20+ Powerful Wordpress Security Plugins and Some Tips and Tricks – SpeckBoy
  14. Advanced WordPress Security Tips – Website In a Weekend
  15. Basic Wordpress Security Tips – Lyle Ham
  16. Best practices against hacking – Google Webmaster Central Blog
  17. Current Events: Lazy Admins and WordPress Security – Monday by Noon
  18. Did your WordPress site get hacked? – Ocaoimh
  19. Essential WordPress Security Tips – Is Your Blog Protected? – Tips and Tricks HQ
  20. Establishing A Sense Of Security On Your Blog – Steven Saunders
  21. How to secure WordPress – Siteground
  22. Increasing your WordPress Security – PixelPipes
  23. Interview with Deutsche Welle on WordPress Security – Mark on WordPress
  24. Protect Your Blog With a Solid Password – The Blog Herald
  25. Protecting the Wordpress wp-admin folder – Reuben Yau
  26. Regarding WordPress and Security – Daring Fireball
  27. Top 5 WordPress Security Tips You Most Likely Don't Follow – WPTavern
  28. Top 10 ways to stop spam in WordPress – Cats who Code
  29. Top 21 Wordpress Security Plugins for Hacker-Proof Blog – Binary Head
  30. Top Ten Wordpress Security Tips – Moonlight Blog
  31. Triple "P" Of Total WordPress Security – HowToSpoter
  32. WordPress Security – Nercomp (PDF download)
  33. WordPress Security – WPSecurity
  34. Wordpress Security Flaw: Reset Admin Password of Any Blog Without Confirmation! – Programmer Fish
  35. WordPress Security and How I'm Going to Take All Your Money – Technosailor
  36. WordPress security: Hide login error messages – Blog Building
  37. WordPress security plugins – Insane Security
  38. WordPress Security Presentation – Brad Williams
  39. WordPress Security Prevention, Reactions, and Scares – Lorelle on WordPress
  40. WordPress Security Tip: Remove the Admin User – Daily Blogs Tips
  41. WordPress Security Tips – Devshed
  42. WordPress Security Tips – Sakin Blog
  43. Wordpress Security Tips – Too Many Secrets
  44. Wordpress Security Tips and Hacks – Noupe
  45. WordPress Security Tips for non-geeks – YouAre
  46. Wordpress Security Tips — For the untrained – TechLinkblog
  47. Wordpress Security Tips How to Keep WordPress Secure – Deals n Discounts
  48. Wordpress Security Tips How to Secure a Wordpress Installation – Suite 101
  49. WordPress Security Whitepaper – Blogsecurity (PDF download)
  50. Wordpress SEO: Wordpress Security Why it Matters to SEO – Wolf Howl
The Social Media Guide

The Social Media Guide provides helpful advice and tips on connecting you to others through the use of social media and social networks. The Social Media Guide is an authoritative source on current and emerging social media tools and platforms. The current explosion in social media technologies has made it easier than ever to connect with friends, groups, customers and networks with similar interests from all around the world. Businesses can benefit greatly by using social media to market their products, strengthen brand recognition and attract new customers. My aim is to show you how social media can be used to connect with more people faster, by providing clear and simple solutions. The Social Media Guide will show you how to extend your reach deeper into the social web and connect with more people.

This material may be shared with everyone, not sold for profit and not modified in any way.

Regards,
Matthew Tommasi
www: email: twitter: @socialguide facebook: