Welcome to my blog, please feel free to subscribe to my RSS feed, join me on Twitter or leave a comment.

Running a WordPress website is one of the easiest ways to run a high quality, free web site content management engine but since there are millions of other websites running the same software, there are lots of bad guys out there who would like nothing more than to break into your website. So how do you stop them? In this article I’ll examine some processes your blog should implement to ensure it’s more secure than the ‘out of the box’ version of WordPress.

Basic Security

Plugin Directory

Step One of any WordPress security installation is to hide the contents of the plugin directory. By default, WordPress ships with the directory exposed (it can be found by typing http://[yourwebsite]/wp-content/plugins/) but this allows the bad guys to see what plugins you’re running and possibly take advantage of them. To solve this, simply upload an empty file named index.html or index.php into the base plugin directory.  Another very easy way to do this for your entire WordPress site is to simply add Options -indexes to your .htaccess file. This tells your web server to never list directory contents.

Quick Note: .htaccess files are funny things, they don’t have a filename in the traditional sense so when you download them, all you download is the extension (filename.extension). This can make working with them tough. What I like to do is rename the file -.htaccess or something similar before downloading it, which allows Windows computers to properly interact with the file.

Limit Access to the Admin

Step Two of the basic plan of attack is to limit access to your administration tool. An .htaccess file is a server level control file, meaning that it interacts with the web server before it interacts with a web browser, what we want to do is limit the IP addresses of computers to your wp-admin directory. Need a more basic explanation? Each computer on the internet has a unique Internet Protocol (IP) address made up of four numbers ranging from 0 to 256 for example, 123.456.123.456 this number reflects your unique signature on the Internet. What we want to do is control which computers can access your account.

To do this, first we need to know what your IP address is. Luckily there’s a website for that at http://whatismyipaddress.com/ which will tell you what your current IP address is. After you have that, create a new file called .htaccess on your desktop and add the following code to it:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
allow from [paste your IP address here]

Once you upload that code to your wp-admin directory only computers from the IP address you specified will be able to access your WordPress admin directory. You can add multiple allow from lines to ensure you can access your site from work or home. If you ever need to access your admin panel from outside the IP range, simply comment (place a # symbol) before the deny from all line and you’ll be able to access it normally.

One final note here, since many people have dynamic IP addresses (they change whenever you reboot your internet connection) you might want to check with your Internet Service Provider to determine their IP range. For example, once you know that your IP address is always 142.167.66.[0- 255] you can use the allow from address of 142.167.66.* so anybody in your local subnet group (the last octal) can access your admin directory. A little less secure but still better than allowing the whole world to access it.

An Extra Level of Password Control

Just like the .htaccess file can be used to limit access from specific IP addresses it can also be used to force a server level username and password check before prompting you to input your WordPress username and password. You can do this fairly easily if you’re hosting with BlueHost or if you’re using another hosting company you can create a secure login using an .htaccess file and .htpasswd files or the AskApache Password Protect plugin. This process is a little more complex but a great extra layer of security.

Change Your Admin Account

By default the most powerful account on your WordPress website is called admin, since everybody in the world knows this they only need to guess your password but if you change the admin account name, you make guessing both your username and password infinitely harder. One other point here, since your password is case sensitive (A and a are different letters) you should always use long, complex passwords that mix uppercase and lowercase letters, at least one number and if possible a symbol such as an ampersand (&) or dollar sign. The more complex you make your password, the less chance somebody will guess it.

WordPress Version

Some WordPress themes include a line such as <meta name=”generator” content=”WordPress <?php bloginfo(’version’); ?>” />  in the header.php file. While this is great for WordPress it’s a security blunder since you’re announcing to the world which version of WordPress your using and if it’s not the most recent … which security holes your website is vulnerable to. Simply remove this line from your header and you’ll be more secure.

WordPress displaying security issues

The next step when it comes to security with regards to versions is to always upgrade to the most recent version promptly. I recommend upgrading your website (and your plugins) as quickly as possible after a new release has been updated.  You’ll see from the graphic to the right that my hotel web design company Getaway Graphics hasn’t had some of it’s plugins or base code upgraded in weeks, this is a major security flaw which could lead to hackers gaining access to my files. Luckily, I did this to demonstrate the potential flaws and the site is actually perfectly safe.

Always upgrade your website and your plugins to the most recent version after you have done a backup of your site files and data. As a bit of shameless self promotion, let me pipe in here that for a fairly reasonable fee, I can do this for you on a monthly schedule or train you how to maintain and monitor your website.

Secure Your .htaccess file

I think we’re now all aware how powerful the .htaccess file is correct? Great, so let’s secure it simply by adding the following code to the very bottom of the file:

<Files wp-config.php>
Order Deny,Allow
Deny from All
</Files>

This simple piece of code makes it impossible for people to see all the security customizations you’ve done to your blog.

Report Issues

WordPress is, at it’s heart a community project. If there’s something wrong and you discover it, send a bug report immediately so the team can fix security holes. This will make the software more secure both for you and the rest of the WordPress users.

Security Plugins for WordPress

Beyond the common sense security steps outlined above, there are several plugins related to security which every WordPress website should be running:

• Login Lockdown – records failed attempts to access your WordPress admin panel. Frankly, if you don’t know people are knocking on your door … how do you know to protect it?
• WP Security Scan – tests your website for common security holes.
• WP Database Backup – backs up the content of your database regularly. Not really a security tool but it will allow you to restore to a previous version if you ever need to.
• AskApache Password Protect – add a password to your wp-admin directory.

Other Great Sources

While I was putting together this article, I had help from some other sources on the net including:

• Matt Cutts
• Velvet Blues
• Make Tech Easier
• Wordpress Security Whitepaper
• Ross McKillop
• Christopher Heng
• WordPress Codex

One Final Note …

The steps I’ve outlined in the above article are all fairly straight forward and necessary to ensure a strong, safe WordPress blog but I appreciate some people simply lack the technical confidence to perform the steps effectively. I’m available as a WordPress consultant and can generally perform all the necessary upgrades to your WordPress website quickly, effectively and easily so why not give me a call?