Security: bulletproof your WordPress blog
Blogging is fun, and as with anything we enjoy doing, we do it a lot and produce a lot of content. Unfortunately, all that hard work can easily be destroyed by hackers, and we don’t want that to happen. That’s why you should be careful with the security of your blog even if you don’t blog professionally. I am no expert in blog security, but while I was protecting my own blogs I did some reading on the subject and thought it would be nice to share it with you guys (you know I love you all).
If you are serious about your blog’s security, I strongly suggest subscribing to blogsecurity’s feed. It’s the best resource I’ve come across on that topic so far.
- Upgrade your WordPress installation to the latest stable release available.
- Upgrade your plugins.
- Backup your files and database regularly.
- Drop the WordPress version tag; don’t make it easy for attackers by telling them which version (and therefore which known bugs) you are running.
- Change the WordPress table prefix. It’s easiest to do while installing WordPress, but there is a good plugin for doing it afterwards.
- Change your admin’s username.
- Limit or forbid self-registration of users.
- Create an unprivileged user for posting.
- Make sure file permissions are set correctly.
- Restrict access to the wp-content, wp-includes & wp-admin directories.
- Protect your wp-config file.
- Disallow crawling of some folders and files with robots.txt.
- Fight comment spam; see the WordPress Codex for advice on that.
- Implement ModSecurity.
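Several of the items above (file permissions, protecting wp-config, restricting wp-admin, robots.txt) are file-level changes that are easy to get slightly wrong. The script below is an added example, not code from this post or from any of the plugins it mentions: it applies those items to a WordPress directory and then audits the result, so you can see what a correct state looks like before and after. The Apache 2.2 `order`/`deny`/`allow` syntax matches the era of the post (Apache 2.4 uses `Require` instead), the directory layout in the demo is constructed, and the admin address 203.0.113.7 is a placeholder.

```python
"""Apply and audit the file-level checklist items on a WordPress tree (added example)."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Apache 2.2 directives (the syntax in use when this post was written).
WP_CONFIG_DENY = """# added by harden(): no direct web access to wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
"""

ROBOTS_TXT = """User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
"""

# matches the stock setting $table_prefix = 'wp_'; in wp-config.php
DEFAULT_PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]wp_['"]""")


def wp_admin_allowlist(admin_ips):
    """Contents of wp-admin/.htaccess: deny everyone except the listed addresses."""
    allows = "\n".join(f"allow from {ip}" for ip in admin_ips)
    return f"order deny,allow\ndeny from all\n{allows}\n"


def harden(wp_root, admin_ips):
    root = Path(wp_root)
    # Protective files first, so the permission pass below covers them as well.
    htaccess = root / ".htaccess"
    existing = htaccess.read_text() if htaccess.exists() else ""
    if "<files wp-config.php>" not in existing.lower():
        if existing and not existing.endswith("\n"):
            existing += "\n"
        htaccess.write_text(existing + WP_CONFIG_DENY)   # append: WordPress keeps its rewrite rules here
    (root / "wp-admin").mkdir(exist_ok=True)
    (root / "wp-admin" / ".htaccess").write_text(wp_admin_allowlist(admin_ips))
    (root / "robots.txt").write_text(ROBOTS_TXT)
    # Permissions: directories 755, files 644, wp-config.php readable by its owner only.
    for dirpath, _dirs, files in os.walk(root):
        os.chmod(dirpath, 0o755)
        for name in files:
            os.chmod(os.path.join(dirpath, name), 0o644)
    cfg = root / "wp-config.php"
    if cfg.exists():
        os.chmod(cfg, 0o600)


def audit(wp_root):
    """Return a list of findings; an empty list means every check passed."""
    root = Path(wp_root)
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                findings.append(f"world-writable: {os.path.relpath(path, root)}")
    cfg = root / "wp-config.php"
    if cfg.exists():
        if cfg.stat().st_mode & 0o077:
            findings.append("wp-config.php is readable by group/other")
        if DEFAULT_PREFIX_RE.search(cfg.read_text()):
            findings.append("wp-config.php uses the default table prefix wp_")
    htaccess = root / ".htaccess"
    if not htaccess.exists() or "<files wp-config.php>" not in htaccess.read_text().lower():
        findings.append(".htaccess does not deny web access to wp-config.php")
    robots = root / "robots.txt"
    if not robots.exists() or "disallow: /wp-admin/" not in robots.read_text().lower():
        findings.append("robots.txt does not disallow /wp-admin/")
    return findings


def demo():
    """Build a constructed, deliberately weak tree in a temp dir; audit before and after harden()."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "wp-admin").mkdir()
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php\n$table_prefix = 'wp_';\n")
    (root / "index.php").write_text("<?php /* placeholder */\n")
    # explicit modes so the demo does not depend on the umask of the machine
    for d in (root, root / "wp-admin", root / "wp-content"):
        os.chmod(d, 0o755)
    for f in (root / "wp-config.php", root / "index.php"):
        os.chmod(f, 0o644)
    os.chmod(root / "wp-content" / "uploads", 0o777)    # the classic "make uploads work" mistake
    before = audit(root)
    harden(root, admin_ips=["203.0.113.7"])              # placeholder admin address
    after = audit(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

Two caveats that matter in practice. A 600 wp-config.php only works when PHP runs as the file's owner (suexec, php-fpm pools); under mod_php running as the web server user with files owned by someone else, it breaks the site. Restricting wp-admin by address also blocks wp-admin/admin-ajax.php for anonymous visitors, so front-end plugins that call it need an exception. The script deliberately leaves the default-prefix finding alone: changing the prefix means renaming database tables, which is the prefix-changer plugin's job. And robots.txt is a request to crawlers, not access control; the .htaccess rules are what actually deny access.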
Login LockDown
Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
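To make that policy concrete, here is an added Python model of it (my own illustration, not the plugin’s code): failed attempts are counted per IP range inside a 5-minute window, the third failure locks the whole range for an hour, and a correct password from a locked range is still refused until the lockout expires or an administrator releases it. The plugin’s description does not say how wide an “IP range” is, so a /24 is assumed here; the addresses and timestamps in the replayed sample are constructed.

```python
"""Model of the Login LockDown policy: failed logins counted per IP range (added example)."""
import ipaddress
from collections import defaultdict


class LoginLockDown:
    """Defaults mirror the plugin's: 3 failures within 5 minutes -> 1 hour lockout."""

    def __init__(self, max_attempts=3, window_seconds=300, lockout_seconds=3600, range_bits=24):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.range_bits = range_bits        # assumption: the plugin's "IP range" is a /24
        self.failures = defaultdict(list)   # range -> timestamps of recent failures
        self.locked_until = {}              # range -> time at which the lockout expires

    def _range(self, ip):
        # Key the whole block together, so retrying from a neighbouring address does not reset the count.
        return str(ipaddress.ip_network(f"{ip}/{self.range_bits}", strict=False))

    def is_locked(self, ip, now):
        rng = self._range(ip)
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[rng]      # lockout has expired
            return False
        return True

    def record_failure(self, ip, now):
        """Count a failed attempt; returns True if it triggers a lockout of the range."""
        rng = self._range(ip)
        recent = [t for t in self.failures[rng] if now - t < self.window]   # sliding window
        recent.append(now)
        self.failures[rng] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[rng] = now + self.lockout
            self.failures[rng] = []
            return True
        return False

    def release(self, ip):
        """Manual release of a range, as the plugin's options panel allows."""
        rng = self._range(ip)
        self.locked_until.pop(rng, None)
        self.failures.pop(rng, None)

    def check_login(self, ip, password_ok, now):
        """Decision for one login attempt: 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip, now):
            return "locked"                 # refused even when the password is right
        if password_ok:
            self.failures.pop(self._range(ip), None)
            return "ok"
        return "locked" if self.record_failure(ip, now) else "failed"


# Constructed sample: (seconds since start, client address, password correct?)
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False),
    (60, "203.0.113.7", False),
    (120, "203.0.113.7", False),     # third failure inside 5 minutes -> range locked
    (130, "203.0.113.9", True),      # same /24, right password, still refused
    (130, "198.51.100.4", False),    # other range, unaffected
    (500, "198.51.100.4", False),    # spaced more than 5 minutes apart: never reaches 3
    (900, "198.51.100.4", False),
    (3720, "203.0.113.7", True),     # one hour after the lockout started: allowed again
]


def replay(events, **policy):
    """Run the events through one LoginLockDown and return the decision for each."""
    guard = LoginLockDown(**policy)
    return [guard.check_login(ip, ok, t) for t, ip, ok in events]


if __name__ == "__main__":
    for (t, ip, ok), decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={t:>5}s {ip:<14} password_ok={str(ok):<5} -> {decision}")
```

Keying on a range rather than a single address is what stops an attacker from sidestepping the counter by hopping between neighbouring addresses, but it has a cost: everyone behind the same NAT or proxy shares one counter, so a colleague's typos can lock you out too, which is why the manual release matters. A plugin like this only slows down guessing against wp-login.php; it complements a strong admin password rather than replacing it.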
WordPress Scanner
WordPress Scanner, although still in its infancy, supports the following security checks:
- WordPress Version Check (currently supports 7 version checks). Future releases will include a file existence version check, for those blogs that have removed their version details.
- Tests the WordPress theme template for basic XSS vulnerabilities
- Enumerates WordPress Plugins. Future releases will perform additional tests in this area.
AskApache Password Protect
It adds a second layer of security to your blog by requiring a username and password to access anything in the /wp-admin/ folder. It writes the .htaccess file without messing it up. It also encrypts your password and creates the .htpasswd file, as well as setting the correct security-enhanced file permissions on both.
WPIDS – WordPress Intruder Detection System
WPIDS is the WP port of PHPIDS, an Intrusion Detection system for PHP. With PHPIDS it’s possible to check all delivered user-generated content for malicious code, like SQL Injection/XSS/CSRF, and so on.
WP Prefix Table Changer
If your WordPress installation has error display turned off, it may be difficult for an attacker to exploit an SQL injection vulnerability, as he/she may not be able to guess your WordPress table prefix. This is security through obscurity, but it may certainly help mitigate zero-day vulnerabilities (ones that are not yet publicly known).
The Akismet plugin is a must-have for any blog that doesn’t want to be annoyed by spammers.
Related articles – documentation
- Blogsecurity whitepaper on wordpress security
- ModSecurity and WordPress
- WordPress Codex, hardening WordPress
- 5 ways to secure your blog
- Common WordPress theme vulnerabilities
- Are Hackers Exploiting WordPress Themes?
- Protecting your WordPress blog
Of course if you have some tips to share on blog security or if I missed anything too obvious, please add it in the comments and I’ll update this post.