Secure Your WordPress Blog. 10 Steps For A Complete Blog Lockdown.

Posted in Anatomy of a Blog, Getting Your Feet Wet, How To by DB

Should I be worried? After all, I'm using a blogging tool/platform that is used by many millions. Actually, that's precisely the reason to lock down your WordPress blog: a platform that popular is scanned for automatically by attackers, and a default installation is easy to fingerprint. Do the following once you've set up your WordPress blog. Don't leave home without doing it.

  1. Change your blog's admin user name.
    Rename the default "admin" account and always use a strong password. WordPress does not let you rename a user from the dashboard, so connect to your blog's MySQL database directly (with the mysql command-line client) or through phpMyAdmin and update the "admin" user. Execute the following MySQL update command to change your administrator username:

    update wp_users set user_login = 'new user name' where user_login = 'admin';

    The login name is not the only place the old name survives. The user_nicename column (the slug used in author archive URLs such as /author/admin/) and display_name still read "admin", so update them too, or the new login name stays trivially guessable:

    update wp_users set user_nicename = 'new-user-name', display_name = 'New User Name' where user_login = 'new user name';

    Note: If you have used a different table prefix, replace "wp_" in the above commands with your table prefix. You should also change your table prefix from the default "wp_".

  2. Back up your database and installation periodically.
    You have a number of options for backing up your blog database. The easiest is phpMyAdmin: connect to your database and export it. You can even install phpMyAdmin as a plugin so that you can reach your blog database from within your WordPress admin panel.
    Launch phpMyAdmin, select your blog database, choose the options shown in the picture below and click the "Go" button to download your database backup file. Do this regularly and often.

    Image: Backup your blog database

    Alternatively, you can use plugins to do the work for you. There are a number of plugins that do more or less the same job; I've listed a couple below.

    1. wp-dbmanager
       Claims to optimize and repair your blog database as well as back it up. I cannot really comment, as I have never used it personally.

    2. wp-db-backup
       I like the feature where you can specify an email address and the wp-db-backup plugin will back up the database and send the backup file to that address.

    A database dump contains password hashes, user email addresses and any private posts, so a backup sent by email is only as safe as the mailbox it lands in.

    All said and done, do ensure that you test your backup file. You do not want to be in a situation where, for some reason, your database needs to be rebuilt and you find out that your backups are corrupted. The database alone is not a full backup either: your themes, plugins and uploaded media live in the wp-content directory and are referenced from the database, so back up the files as well.
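As an added example (not from the original post), the following shell script does the "test your backup file" check the paragraph asks for, on a mysqldump export, before you rely on it. It assumes the default wp_ table prefix (overridable) and a dump produced by mysqldump, which ends a complete export with a "-- Dump completed" line; the sample dump it builds is constructed for the demonstration, not a real export.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a mysqldump
# backup of a WordPress database before trusting it for a restore.
# Assumes (hypothetical defaults) the wp_ table prefix and a dump written
# by mysqldump, optionally gzip-compressed.

# Print the dump as plain text whatever its compression.
read_dump() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# check_wp_dump FILE [PREFIX]
# Returns 0 if the dump looks complete and restorable, 1 otherwise,
# printing the reason on stderr.
check_wp_dump() {
    dump="$1"
    prefix="${2:-wp_}"

    [ -s "$dump" ] || { echo "FAIL: $dump is missing or empty" >&2; return 1; }

    case "$dump" in
        *.gz) gzip -t "$dump" 2>/dev/null \
                || { echo "FAIL: $dump fails gzip integrity check" >&2; return 1; } ;;
    esac

    # mysqldump writes this trailer only after the last table; a dump cut
    # short by a timeout, a full disk or a dropped connection lacks it.
    read_dump "$dump" | tail -n 5 | grep -q '^-- Dump completed' \
        || { echo "FAIL: no 'Dump completed' trailer, dump is truncated" >&2; return 1; }

    # Core tables every WordPress install has. A dump that is large but
    # missing any of these is not a usable backup.
    for t in users usermeta posts postmeta options terms comments; do
        read_dump "$dump" | grep -q "^CREATE TABLE \`${prefix}${t}\`" \
            || { echo "FAIL: CREATE TABLE for ${prefix}${t} not found" >&2; return 1; }
    done

    echo "OK: $dump contains all core tables and a completion trailer"
    return 0
}

# write_sample_dump DIR: constructs a minimal fake mysqldump output
# (good.sql) and a truncated copy (truncated.sql) for the demonstration.
write_sample_dump() {
    cat > "$1/good.sql" <<'EOF'
-- MySQL dump (constructed sample, not a real export)
CREATE TABLE `wp_users` (`ID` bigint(20) unsigned NOT NULL AUTO_INCREMENT);
CREATE TABLE `wp_usermeta` (`umeta_id` bigint(20) unsigned NOT NULL);
CREATE TABLE `wp_posts` (`ID` bigint(20) unsigned NOT NULL);
CREATE TABLE `wp_postmeta` (`meta_id` bigint(20) unsigned NOT NULL);
CREATE TABLE `wp_options` (`option_id` bigint(20) unsigned NOT NULL);
CREATE TABLE `wp_terms` (`term_id` bigint(20) unsigned NOT NULL);
CREATE TABLE `wp_comments` (`comment_ID` bigint(20) unsigned NOT NULL);
INSERT INTO `wp_users` VALUES (1);
-- Dump completed on 2009-01-01 12:00:00
EOF
    # Simulate a transfer that died half way through.
    head -n 4 "$1/good.sql" > "$1/truncated.sql"
}

# Demonstration when run directly: the good dump passes, the cut one fails.
demo() {
    tmp=$(mktemp -d)
    write_sample_dump "$tmp"
    if check_wp_dump "$tmp/good.sql"; then :; else echo "unexpected failure"; fi
    if check_wp_dump "$tmp/truncated.sql"; then echo "unexpected pass"; fi
    rm -rf "$tmp"
}
demo
```

Run it against a real export with check_wp_dump /path/to/backup.sql.gz (add your prefix as the second argument if it is not wp_); a non-zero exit means the file should not be kept as your only copy.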

  3. Remove your blog version details from the header.
    Remove the following line from header.php (or the header template) in your theme:

    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

    Note that this only hides the version from the lazier scanners. Recent WordPress releases output the generator tag from the wp_generator function hooked to wp_head rather than from the theme, and the version is also visible in the ?ver= query string appended to enqueued scripts and styles and in readme.html in the site root. Keeping WordPress updated is what actually removes the exposure.
  4. Uninstall any unused plugins.
    Don't merely deactivate unwanted plugins. A deactivated plugin's PHP files are still on disk and still reachable by URL, so a bug in one of them can be exploited whether or not the plugin is active. Remove unwanted plugins completely from your WordPress installation.

  5. Create an index.php file in every directory within your blog's main directory.
    Without one, a web server that allows directory listings will show the contents of wp-content/plugins and friends to anyone who asks, revealing exactly which plugins and versions you run. Open your favorite text editor, include the line shown below and save the file as "index.php". Upload the newly created file to every subdirectory within your main WordPress installation that does not already have one. Do not overwrite existing index.php files: the one in your blog root and the one in wp-admin are real WordPress entry points, and replacing them would take the site and the dashboard offline.

    <?php die('<h2>Directory Access Prohibited</h2>'); ?>

    If your host honours .htaccess files, the single directive Options -Indexes in the blog root turns directory listings off everywhere at once and is easier to maintain than hundreds of placeholder files.
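As an added example (not from the original post), this shell script does the uploading step for you on the server: it writes the blocking index.php into every directory under the install that lacks one, and never overwrites an existing index.php, so the real front controller in the blog root and the dashboard in wp-admin stay intact. The miniature WordPress directory tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: drop the blocking index.php
# into every directory under a WordPress install that lacks one, without
# touching the real index.php files WordPress ships (blog root, wp-admin).

GUARD="<?php die('<h2>Directory Access Prohibited</h2>'); ?>"

# guard_dirs ROOT: write the guard into every directory below ROOT (and
# ROOT itself) that has no index.php. Existing files are left alone.
guard_dirs() {
    find "$1" -type d | while IFS= read -r d; do
        if [ ! -e "$d/index.php" ]; then
            printf '%s\n' "$GUARD" > "$d/index.php"
            echo "created $d/index.php"
        fi
    done
}

# unguarded_count ROOT: number of directories below ROOT with no index.php.
# Zero means every directory is covered.
unguarded_count() {
    find "$1" -type d | while IFS= read -r d; do
        [ -e "$d/index.php" ] || echo "$d"
    done | wc -l | tr -d ' '
}

# make_sample_tree DIR: a constructed miniature WordPress layout, with the
# two index.php files WordPress itself provides already present.
make_sample_tree() {
    mkdir -p "$1/wp-admin" \
             "$1/wp-content/plugins/akismet" \
             "$1/wp-content/uploads/2009" \
             "$1/wp-includes/js"
    echo '<?php /* real blog front controller */' > "$1/index.php"
    echo '<?php /* real dashboard */'             > "$1/wp-admin/index.php"
}

# Demonstration when run directly.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "before: $(unguarded_count "$tmp") unguarded directories"
    guard_dirs "$tmp"
    echo "after:  $(unguarded_count "$tmp") unguarded directories"
    rm -rf "$tmp"
}
demo
```

On a real install, run guard_dirs against the blog's document root after a backup, then re-run unguarded_count after every plugin install or upgrade, since new plugin directories arrive without a guard.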
  6. Scan your blog theme for vulnerabilities.
    Read my previous post about scanning your blog theme for vulnerabilities. A theme is PHP code that runs with the same privileges as the rest of WordPress, so a bug or a hidden payload in a theme from an untrusted download site compromises the whole blog just as a bad plugin would.

  7. Restrict access to the wp-admin folder.
    Lock down your blog's admin folder so that only you can reach the admin panel, by restricting access to the IP addresses you use. Copy the block below, changing a.b.c.d and w.x.y.z to the addresses you connect from:

    order deny,allow
    deny from all
    allow from a.b.c.d
    allow from w.x.y.z

    You will often see this snippet with four extra lines (AuthUserFile /dev/null, AuthGroupFile /dev/null, AuthName "Access Control", AuthType Basic); they do nothing without a Require directive, and the access control comes entirely from the deny/allow lines.

    You can find your current public IP address with any "what is my IP" service. Add as many addresses as you need, one allow line each. Once you are done editing, save the file as ".htaccess" and upload it to the wp-admin folder under your blog installation with your favorite FTP program (preferably over SFTP, since plain FTP sends your password in the clear).

    Three caveats. First, this syntax is for Apache 2.2; Apache 2.4 replaces it with Require ip a.b.c.d, and the old directives only keep working there if mod_access_compat is loaded. Second, wp-login.php lives in the blog root, not in wp-admin, so this protects the dashboard but not the login form itself. Third, wp-admin/admin-ajax.php is called from the public side of the site by many plugins and themes, so blocking wp-admin wholesale can break features for your visitors, and you will need to exempt that file. The approach also assumes you connect from fixed addresses; on a dynamic or mobile connection you will lock yourself out.

    Alternatively, you can use the "AskApache Password Protect" plugin to password-protect your wp-admin directory.
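As an added example (not from the original post), the following shell script generates the wp-admin .htaccess described in this step from a list of allowed IPv4 addresses or CIDR ranges. It validates every address first (a typo here locks you out of your own dashboard), emits both the Apache 2.2 syntax the post uses and the Apache 2.4 Require syntax, selected at runtime with IfModule, and exempts admin-ajax.php so that plugins keep working for visitors. The output path and addresses are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: generate the wp-admin
# .htaccess from a list of allowed IPv4 addresses (or CIDR ranges),
# validating them first, in both the Apache 2.2 syntax the post uses and
# the Apache 2.4 "Require" syntax, and exempting admin-ajax.php, which
# plugins call from the public site.

# valid_ipv4_cidr ADDR: accept a.b.c.d or a.b.c.d/NN with every octet <= 255.
valid_ipv4_cidr() {
    printf '%s\n' "$1" \
        | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
        || return 1
    addr="${1%%/*}"
    saved_ifs="$IFS"
    IFS=.
    for octet in $addr; do
        if [ "$octet" -gt 255 ]; then
            IFS="$saved_ifs"
            return 1
        fi
    done
    IFS="$saved_ifs"
    return 0
}

# make_wp_admin_htaccess OUTFILE ADDR...: write the access rules to OUTFILE.
# Refuses to write anything if any address is malformed.
make_wp_admin_htaccess() {
    out="$1"
    shift
    [ $# -gt 0 ] || { echo "need at least one address" >&2; return 1; }
    for a in "$@"; do
        valid_ipv4_cidr "$a" || { echo "rejecting invalid address: $a" >&2; return 1; }
    done
    {
        echo "# Restrict wp-admin to known addresses (generated)"
        echo "<IfModule mod_authz_core.c>"
        echo "    # Apache 2.4 and later"
        echo "    <RequireAny>"
        for a in "$@"; do echo "        Require ip $a"; done
        echo "    </RequireAny>"
        echo "    # admin-ajax.php is used by the public side of the site"
        echo "    <Files admin-ajax.php>"
        echo "        Require all granted"
        echo "    </Files>"
        echo "</IfModule>"
        echo "<IfModule !mod_authz_core.c>"
        echo "    # Apache 2.2"
        echo "    Order deny,allow"
        echo "    Deny from all"
        for a in "$@"; do echo "    Allow from $a"; done
        echo "    <Files admin-ajax.php>"
        echo "        Order allow,deny"
        echo "        Allow from all"
        echo "    </Files>"
        echo "</IfModule>"
    } > "$out"
    echo "wrote $out for $# address(es)"
}

# Demonstration when run directly (addresses are documentation ranges).
demo() {
    tmp=$(mktemp -d)
    if make_wp_admin_htaccess "$tmp/.htaccess" 203.0.113.5 198.51.100.0/24; then
        cat "$tmp/.htaccess"
    fi
    # A typo in an address must be rejected rather than silently locking you out.
    if make_wp_admin_htaccess "$tmp/bad" 203.0.113.300; then echo "unexpected pass"; fi
    rm -rf "$tmp"
}
demo
```

Generate the file, copy it to wp-admin/.htaccess, and then test from one of the listed addresses and from an unlisted one before you log out of your current session.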

  8. Restrict access to the wp-content and wp-includes folders.
    Similar to the previous step. The .htaccess file will look like this:

    Order Allow,Deny
    Deny from all
    <Files ~ "\.(css|jpe?g|png|gif|js)$">
    Allow from all
    </Files>

    This denies everything under the folder except image, CSS and JavaScript files, so PHP files inside plugins, themes and wp-includes can no longer be requested directly by URL. If your theme serves web fonts or SVG from wp-content, add those extensions (woff, woff2, svg) to the pattern or they will be blocked too. Do note that you might run into issues with a few plugins that expect one of their PHP files to be reachable by URL. When you come across a problem with a particular plugin, open up access to only that file, like this:

    <Files "NameOfThePluginFile.php">
    Allow from all
    </Files>

    Put the same .htaccess, with only the Files exceptions you actually need, in both wp-content and wp-includes. The Apache 2.4 caveat from the previous step applies here as well.

  9. Last but not least, keep WordPress and your plugins updated.
    There are plugins that will keep WordPress updated automatically, saving you the effort, but I wouldn't really recommend it, as I always prefer doing this manually (back up first, pray a bit and then go for it). Publicly known bugs in outdated core and plugin versions are the usual way WordPress sites get compromised, so this step matters more than any of the others.

  10. One final one. Under "General Options" in your WordPress admin panel, untick "Anyone can register" so that nobody can sign themselves up, and set the "New User Default Role" to "Subscriber" so that any account that does get created has no editing rights.

    Image: WordPress Admin Option


3 Responses

  1. alvinwong Says:

    Your suggestion item 10 above refers.

    Would checking both of the following contradict each other in achieving the security you advised:

    a) "Membership - Users must register and be logged in to comment" box, and
    b) "New User Default Role - Subscriber"

    Thank you

  2. PiterKokoniz Says:

    Hello !!!! ;)
    I am Piter Kokoniz. Just want to tell, that I like your blog very much!
    And want to ask you: is this blog your hobby?
    Sorry for my bad English :)
    Thank you:)
    Piter.

  3. 2base tl Says:

    I found your blog on Google and read a few of your other posts. I just added you to my Google News Reader. Keep up the good work. I look forward to reading more from you in the future.
