10 Easy Steps to Protect & Secure Your WordPress Blog

As of the beginning of 2009 there were approximately 133 Million blogs online. This is a pretty large market and also the perfect playground for unscrupulous persons who live for spamming, scamming and just creating malicious programs that can seriously compromise and disable unsuspecting sites. As WordPress blog owners, we need to do everything possible to ensure that our sites are never compromised.

Here are 10 very simple steps, tools and tips to ensure that your blog can withstand malicious attacks and not be overrun with spam.

1. Use Login Lockdown Plugin

Hackers can easily crack your password and other login credentials by using brute force attacks. This plugin adds an extra security feature to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range.
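To make the idea behind the plugin concrete, here is an added example of failed-login throttling written for this post; it is not the Login Lockdown plugin's own code. It counts failures per IPv4 /24 range (assumed here as the "IP range" the post mentions) inside a sliding window and locks the whole range out for a cooldown period, so that hopping between nearby addresses does not reset the counter. The thresholds, timings and IP addresses are constructed sample values.

```python
import ipaddress
import time
from collections import defaultdict


class LoginLockdown:
    """Rate-limit failed logins per IPv4 range (added illustration, not plugin code)."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=3600, prefix=24):
        self.max_failures = max_failures      # failures allowed inside the window
        self.window = window_seconds          # sliding window for counting failures
        self.lockout = lockout_seconds        # how long the range stays locked
        self.prefix = prefix                  # /24 by default
        self.failures = defaultdict(list)     # network -> list of failure timestamps
        self.locked_until = {}                # network -> time the lock expires

    def _network(self, ip):
        # Group attempts by /24 so an attacker cannot dodge the lock within a subnet.
        return ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False)

    def is_locked(self, ip, now=None):
        now = time.time() if now is None else now
        net = self._network(ip)
        until = self.locked_until.get(net)
        if until is None:
            return False
        if now >= until:
            # Lock expired: forget the lock and the old failure history.
            del self.locked_until[net]
            self.failures.pop(net, None)
            return False
        return True

    def record_failure(self, ip, now=None):
        """Record one failed login; return True if this failure triggered a lock."""
        now = time.time() if now is None else now
        net = self._network(ip)
        recent = [t for t in self.failures[net] if now - t < self.window]
        recent.append(now)
        self.failures[net] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[net] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(self._network(ip), None)

    def attempt(self, ip, password_ok, now=None):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        now = time.time() if now is None else now
        if self.is_locked(ip, now):
            return "locked"          # refused before the password is even checked
        if password_ok:
            self.record_success(ip)
            return "ok"
        self.record_failure(ip, now)
        return "failed"


if __name__ == "__main__":
    # Constructed sample: three quick failures from one /24, then a fourth address from it.
    ld = LoginLockdown(max_failures=3, window_seconds=60, lockout_seconds=600)
    for n, ip in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        print(ip, ld.attempt(ip, False, now=n))
    print("203.0.113.99", ld.attempt("203.0.113.99", True, now=3))   # locked
    print("198.51.100.5", ld.attempt("198.51.100.5", True, now=3))   # ok
```

Note that a locked range is refused even when the password is correct; that is what stops a brute-force run, and it is also why the lockout should be long enough to hurt an attacker but short enough that a mistyped password does not lock you out of your own blog for a day.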

2. Delete Unused Plugins

Always delete unused plugins, as they can provide loopholes that are easily exploited.

3. Secure the /wp-admin/ Directory using .htaccess

I found this one on Google’s Matt Cutts’ blog. Secure your /wp-admin/ directory by using a .htaccess file to allow access from specific IP addresses only. Create a new .htaccess file, which you can place directly at /wp-admin/.htaccess.

This is what the .htaccess file contains:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 111.111.111.111
# whitelist work IP address
allow from 111.111.111.111
allow from 111.111.111.111

Replace the 111.111.111.111 with the IPs you would like to whitelist. This file says that the IP address 111.111.111.111 (and the other IP addresses whitelisted) is allowed to access /wp-admin/, but all other IP addresses are denied access. The ‘#’ lines are just comments and can be changed to suit your needs.
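The reason the file works is the combination of "order deny,allow" with "deny from all": Apache evaluates the deny rules first, then lets a matching allow rule override them. Getting the order wrong silently locks everyone out. The following added example (written for this post, not taken from Matt Cutts' blog or from Apache) is a small evaluator for the access-control lines of such a file so you can check what a given client IP would get. It models the Apache 2.2 Order/Allow/Deny semantics; the .htaccess text and IP addresses below are constructed sample values, and the parser only understands "all", single addresses and CIDR ranges.

```python
import ipaddress

# Constructed sample .htaccess, same shape as the one in the post.
WP_ADMIN_HTACCESS = """\
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 203.0.113.7
# whitelist work IP address (a whole /24 this time)
allow from 198.51.100.0/24
"""


def parse_htaccess(text):
    """Return (order, allow_rules, deny_rules) from the access-control lines."""
    order = "deny,allow"          # Apache's default Order
    allow, deny = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' lines are comments
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def matches(rule, client_ip):
    """Does one 'allow from'/'deny from' argument match the client address?"""
    if rule.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return False    # hostnames and partial addresses are not handled in this example


def access_allowed(text, client_ip):
    """Apply Apache 2.2 Order semantics to decide whether client_ip gets in."""
    order, allow, deny = parse_htaccess(text)
    allowed = any(matches(r, client_ip) for r in allow)
    denied = any(matches(r, client_ip) for r in deny)
    if order == "deny,allow":
        # Deny rules first, then Allow rules override them; default is allow.
        return allowed or not denied
    if order == "allow,deny":
        # Allow rules first, then any matching Deny wins; default is deny.
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order}")


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.200", "192.0.2.1"):
        print(ip, "allowed" if access_allowed(WP_ADMIN_HTACCESS, ip) else "denied")
    broken = WP_ADMIN_HTACCESS.replace("order deny,allow", "order allow,deny")
    print("home IP with order allow,deny:", access_allowed(broken, "203.0.113.7"))  # False
```

The last line shows the failure mode worth remembering: with "order allow,deny", the "deny from all" line wins even over your whitelisted home address, so you would lock yourself out of /wp-admin/ along with everyone else. Always test the file from a whitelisted and a non-whitelisted address after saving it.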

4. WordPress Security Scanner Plugin

Install this plugin to help detect any loopholes that may exist in your database and blog files. It provides a report on what needs to be done to prevent attacks.

5. Limited Blog Registration Access

If your blog accepts registration, ensure that a user cannot immediately register and receive administrative access. To change this, go to the Settings option in the WordPress dashboard and select General. Then change the New User Default Role to Contributor. This can easily be changed as the need arises. User privileges can also be assigned using the Role-Manager plugin.

6. Change Your Login Name

The default WordPress username is admin and hackers will always try to infiltrate using this default. So make it harder for them by changing it.

In your WordPress dashboard, go to Users and set up a new user account. Give this new user administrator role. Log out and log in again with the new user account.

Go to Users again. This time, check the box beside admin and press Delete. When it asks for deletion confirmation, select “Attribute all posts and links to:” and select your new username from the dropdown. This will transfer all the posts to your new user account. Press Confirm Deletion.

7. Use a Very Strong Password

Ensure that you use a strong password that is difficult for others to guess. Use a combination of digits, special characters and upper/lower case letters to form your password.

8. Always Upgrade to the Latest WordPress Version

The latest version of WordPress always contains bug fixes for any security vulnerabilities, therefore it is very important to keep your blog updated at all times. The latest version at the time of this post is 2.9.2.

9. Install the Akismet Plugin

Once installed, Akismet checks your comments against the Akismet web service to see whether they look like spam and prevents suspected spam from being published. Spam is stored in a separate folder where you can review everything that is caught. This can be downloaded from Akismet.com.

10. Backup Your WordPress Database

There is a free plugin that can schedule backups of your database to reduce the risk of loss of data.

Yeah, I know it’s a pretty tedious to-do list, but invest the time to secure a robust WordPress blog. It will cost 100 times more to recover from a malicious attack. Think about down-time, lost revenue, loss of trust from your readers, hiring a professional to get rid of malicious code, loss of information, loss of integrity, and the list goes on forever.

Are you doing what it takes to secure and protect your presence online? If not, now is the time to do so. If you have any additional ideas on how to protect a WordPress blog please leave a comment to let us know.

Robyn-Dale Samuda is a Web Developer & Entrepreneur & is CEO of Creative Engine Jamaica. He has a passion for the web and loves offering assistance and inspiration whenever possible and does so through his blog – Sam’s Web Guide at He is also an Associate Editor for the new Caribbean Blog, Geezam Tech Blog
