
Securing WordPress Blog


WordPress is the most popular blogging platform nowadays. Many high-profile companies are using WordPress as their blogging platform. Have you ever thought about the security of your blog running WordPress? This presentation was presented on 13th Feb 2010 at the Nagpur PHP Meetup by me.

Published in: Technology

  1. Securing WordPress blog. Chetan Gole. Tricks and guidelines for WordPress users. Web : Twitter : @chetan_gole E-Mail :
  2. What is WordPress? WordPress is an open source blog publishing application powered by PHP and MySQL which can also be used for basic content management. It has many features, including a user-friendly workflow, a rich plugin architecture, and an advanced templating system. Used by almost 2% of the 10,000 biggest websites, WordPress is the most popular blog software in use today. Source : Wikipedia
  3. Popular sites using WordPress
     - eBay Official Blog :
     - SONY PlayStation official blog :
     - Yahoo! corp. official blog :
     - Ford official blog : /
     - The Mozilla Blog :
     - GE official blog :
     - CNN blog :
     - the list goes on.
     And millions and billions of bloggers like us are using WP.
  4. Why secure the blog? The hacker can
     - insert his advertisements in our blog
     - insert malicious code in our blog, which may remove our blog from search engine listings
     - bring down our site by deleting all the content!
  5. Keep everything up to date. Keep your WordPress installation and plugins up to date; whenever there is an update, make sure you have the latest version. Whenever WordPress or any software developer releases an update for their software, they usually release notes with the reason for the update. If it is a security patch, they also disclose the vulnerabilities that the older version has in it (otherwise, hide the WordPress version). So it is always good to keep your software updated, else hackers can easily misuse the loopholes in the software you are using. This also applies to the operating system and application software that you are using on your computer. Keep your anti-virus updated with the latest virus definitions, because hackers can use your computer to hack your blog.
  6. Change the Login ID. By default WordPress uses the login ID "admin"; change it. Now hackers have to guess both the login ID and the password, i.e. double security. To change the login ID of WordPress you can fire the SQL queries directly on your database, or there is a plugin to change the login ID via a simple interface. [Plugin URI :] Or you can create a new administrator user and delete the original admin user from your WordPress admin panel.
  7. Use a strong password. Strong password means? Use plugin: “Login LockDown”. Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery.
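The lockout rule slide 7 describes (count failed attempts per IP range inside a short window, refuse logins from that range once a threshold is crossed) is worth seeing as concrete logic. The following is an added example written for this page, not Login LockDown's code: it runs over a constructed list of failed-login records, and the threshold, window, lock duration and the choice of a /24 as the "IP range" are assumed policy values, not the plugin's defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Policy values are assumptions for this example, not Login LockDown's defaults.
MAX_ATTEMPTS = 5                 # failures allowed per range inside the window
WINDOW = timedelta(minutes=5)    # the "short period of time"
LOCK_DURATION = timedelta(hours=1)
RANGE_PREFIX = 24                # treat a /24 as one "IP range"

# Constructed sample of failed-login records: (timestamp, client IP, username tried).
SAMPLE_FAILED_LOGINS = [
    ("2010-02-13 10:00:01", "198.51.100.10", "admin"),
    ("2010-02-13 10:00:05", "198.51.100.11", "admin"),
    ("2010-02-13 10:00:09", "198.51.100.12", "admin"),
    ("2010-02-13 10:00:14", "198.51.100.13", "admin"),
    ("2010-02-13 10:00:20", "198.51.100.14", "admin"),
    ("2010-02-13 10:00:25", "198.51.100.15", "administrator"),
    ("2010-02-13 10:30:00", "203.0.113.7", "chetan"),  # one typo from another network
]


def ip_range(addr):
    """Collapse an address to its /24 so attempts spread over neighbouring
    addresses are counted as one source."""
    return str(ip_network(f"{addr}/{RANGE_PREFIX}", strict=False))


def locked_ranges(failed_logins, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Return {range: time the lock started} for every range whose failures
    reached max_attempts inside some sliding window of length `window`."""
    by_range = defaultdict(list)
    for ts, addr, _user in failed_logins:
        by_range[ip_range(addr)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    locked = {}
    for rng, times in by_range.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            # drop attempts that fell out of the window ending at ts
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= max_attempts:
                locked[rng] = ts          # locked from the attempt that crossed the threshold
                break
    return locked


def is_locked(addr, now, locked, lock_duration=LOCK_DURATION):
    """True if a login from addr should be refused at time `now`."""
    started = locked.get(ip_range(addr))
    return started is not None and now - started < lock_duration


if __name__ == "__main__":
    locks = locked_ranges(SAMPLE_FAILED_LOGINS)
    for rng, since in locks.items():
        print(f"{rng} locked since {since}")
    probe = datetime(2010, 2, 13, 10, 5, 0)
    for addr in ("198.51.100.200", "203.0.113.7"):
        print(addr, "refused" if is_locked(addr, probe, locks) else "allowed")
```

Grouping by range rather than by exact address is what stops an attacker from sidestepping the counter by rotating through neighbouring addresses, but it also means a legitimate user behind the same network gets locked out with them, which is why the lock is time-limited rather than permanent. The lockout slows guessing; it does not make a weak password safe.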
  8. Use SSL for login. Encrypt the login using “Secure Sockets Layer”; this can be implemented using a plugin: “Admin SSL”. Or follow the directions given on the WordPress Codex site to set up SSL in your own way. :
  9. Change the login URL. The default login URL for WordPress is /wp-login/, which is known to everyone; hackers can try a guessing attack on that URL, so the best way is to change the login URL. A plugin called “Stealth Login” will help you do so. This plugin allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. Instead of advertising your login URL on your homepage, you can create a URL of your choice that can be easier to remember than wp-login.php.
  10. Use a robots.txt file. Use a robots.txt file to restrict bot access to private files like admin pages, etc. People can use Google search tricks to hack into your site, so why allow Google to crawl your private pages? Use:
     Disallow: /wp-admin/
     Disallow: /wp-includes/
     Disallow: /wp-content/plugins
     Disallow: /wp-content/themes
     This will restrict all search engine bots from accessing those folders.
  11. Simple things that you should follow
     - Install popular plugins, and only from the WordPress repository.
     - Insert an empty index.php file in wp-content/plugins/
     - Use anti-comment-spam plugins like Akismet.
     - Switch off new user registration if your site doesn't require new registrations.
     - Change the WordPress table prefix.
     - Remove unused plugins and files from your WordPress directory.
     - Check the file permissions of your files.
     - BACKUP BACKUP BACKUP.
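Two items on slide 11, the empty index.php in the plugins directory and "check the file permissions of your files", are quick to automate. The following is an added example for this page, not code from the presentation or from WordPress: it builds a small, deliberately misconfigured install layout in a temporary directory and reports the problems a hosting check would flag. The target modes (secrets in wp-config.php readable only by the owner, nothing world-writable, an index.php present in wp-content/plugins) are assumptions based on common WordPress hosting guidance, not something the slides specify.

```python
import os
import stat
import tempfile

# Assumed policy (common WordPress hosting guidance, not from the slides).
SECRET_FILES = {"wp-config.php"}                # must not be readable by group/others
LISTING_GUARDED_DIRS = {"wp-content/plugins"}   # slide 11: empty index.php goes here


def _rel(root, path):
    return os.path.relpath(path, root).replace(os.sep, "/")


def audit_permissions(root):
    """Walk a WordPress install and return sorted (path, problem, mode) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = _rel(root, dirpath)
        if rel_dir in LISTING_GUARDED_DIRS and "index.php" not in filenames:
            findings.append((rel_dir, "missing index.php (directory listing guard)", ""))
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & stat.S_IWOTH:
                findings.append((_rel(root, full), "world-writable directory", oct(mode)))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if name in SECRET_FILES and mode & 0o077:
                findings.append((_rel(root, full), "secrets readable by group or others", oct(mode)))
            elif mode & stat.S_IWOTH:
                findings.append((_rel(root, full), "world-writable file", oct(mode)))
    return sorted(findings)


def build_sample_tree():
    """Constructed, deliberately misconfigured layout used only for this demonstration."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    dirs = {
        "wp-content": 0o755,
        "wp-content/themes": 0o755,
        "wp-content/plugins": 0o755,            # no index.php inside: listing guard missing
        "wp-content/uploads": 0o777,            # world-writable
    }
    files = {
        "wp-config.php": 0o644,                 # database password readable by every local user
        "wp-content/themes/index.php": 0o644,   # fine
    }
    for d, mode in dirs.items():
        p = os.path.join(root, d)
        os.makedirs(p, exist_ok=True)
        os.chmod(p, mode)
    for f, mode in files.items():
        p = os.path.join(root, f)
        open(p, "w").close()
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    for path, problem, mode in audit_permissions(build_sample_tree()):
        print(f"{path:30} {problem:45} {mode}")
```

Point `audit_permissions()` at a real document root to use it outside the demo. The world-writable test is the important one on shared hosting, where "other" means every other customer on the same server; the wp-config.php check matters for the same reason, since it holds the database credentials.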
  12. Questions?
  13. THANK YOU. Chetan Gole. Web : Twitter : @chetan_gole E-Mail : References used: Wikipedia : WordPress Codex blog : WordPress plugin repository : and many other blogs including but not limited to ,,, etc.