What happens when your blog is hacked by some douchebag?
- You can’t log in to make new posts because the hacker changed your password.
- Hours of work time are wasted trying to restore your backup (if you have one) or contacting your slow-ass support team.
- Pissed blog readers are sending you hate mail disrespecting you for giving them computer viruses you’ve never heard of.
- Or even worse… you find out all of your content and designs are gone bye-bye because you forgot to back up the blog for a year… It sucks, doesn’t it?
So don’t let yourself be that miserable SUCKER. Especially if you use the WordPress platform, which is one of the easiest targets for hackers to intrude on.
If you’re not very technical (like me) but you still want to improve the security of your WordPress blog, you’re in luck, because I’m about to show you 13 WordPress security plugins and tweaks you can implement today to bullet-proof your blog.
1. Delete Admin
When you install WordPress, it automatically creates a user with administrator permissions called ”admin.” I recommend removing this user to make it harder for hackers to guess your username and password with brute-force attacks.
If you’re currently using the “admin” username, WordPress won’t let you create a new user with administrator permissions under the same email address. All you have to do is create a new user with a different email address, delete the “admin” user, then change the new user’s email address to your preferred one.
This is one of the simplest things you can do to add an extra protection over your wordpress blog.
2. Upgrade Your WordPress Blog To The Newest Version
This is a no-brainer. Every time WordPress releases a new version, you should upgrade your blog ASAP. Hackers love outdated versions of WordPress because they’re much more vulnerable to attacks. If you don’t know how to upgrade WordPress, you can install the plugin “WordPress Automatic Upgrade.” It’s easy to use; just follow the step-by-step instructions. I personally love this plugin. It literally takes like 15 seconds to upgrade your blog.
3. Install Secure WordPress Plugin
I cannot say enough positive things about this plugin. It’s hands down one of the best WordPress security plugins in the WORLD. Plus the author updates it very often, so you don’t have to worry about bugs or compatibility problems with new WordPress versions. What this plugin does is make some simple tweaks to your blog automatically to improve its security against hackers:
- It removes the WordPress version number from everywhere except the admin area.
- It adds an index.php to the plugin directory, so anyone trying to access your plugin directory is shown a blank page.
- It removes error information from the login page, so hackers have a harder time brute-forcing their way into your blog.
- It blocks bad queries.
And much more…so you should install this free plugin NOW.
4. Install WP Security Scan
This plugin complements the Secure WordPress plugin. It scans your WordPress blog for vulnerabilities and suggests corrective actions. The best thing about it is that it makes changing the default table prefix wp_ much easier. It also checks file permissions and database security, removes the WP version, and removes the WP Generator META tag from the core code. In my opinion, this is also a must-install.
5. Install Semisecure Login Reimagined
Most of us don’t have an SSL certificate on our hosting plan, so this plugin is the substitute you can use to encrypt the login information transmitted over the web without spending your bucks on SSL. By using a combination of public-key and secret-key encryption, it increases the security of the login process. You should install it if SSL isn’t available to you. By the way, JavaScript is required.
6. Install Stealth Login
It doesn’t take hacking knowledge to know that your login page is yourblogname.com/wp-login.php. How secure is that? This plugin lets you create your own custom login URL, for example domain.com/login or domain.com/letmein. Let’s make those hackers guess where our login pages are.
You can even enable “stealth mode,” so no one can directly access your wp-login.php page. This prevents malicious bots from accessing your login page.
7. Install WP DBmanager
Think you’ll forget to back up your blog?
This awesome plugin lets you optimize, repair, back up, and restore your database, delete backups, drop/empty tables, and run selected queries. It supports automatic scheduling of database backups and optimization.
Set up this plugin and it will take care of the rest. You can even set it to email the backup files to you. Your blog can’t do without it. Trust me.
8. Protect wp-config.php
Your wp-config.php file contains sensitive information such as your database name and password. It’s very important to protect it from prying eyes. Here’s how:
- Create a .htaccess file using Notepad or whatever plain-text editor you have. Save and name this file htaccess.txt.
- Put these lines in the file:
    <Files wp-config.php>
    Order deny,allow
    Deny from all
    </Files>
- Save it.
- Upload it to the root directory where WordPress is installed.
If you need more detailed instructions, read one of these articles: http://www.josiahcole.com/2007/07/11/almost-perfect-htaccess-file-for-wordpress-blogs/
or http://www.devlounge.net/code/protect-your-wordpress-wp-config-so-you-dont-get-hacked
Or… you can install the BulletProof Security plugin to do this for you automatically. Next…
9. Install BulletProof Security
Basically this plugin is similar to the Secure WordPress plugin but with extra features:
- Creates a .htaccess file to protect your wp-config.php file.
- Protects your website from ALL XSS & SQL injection hacking attempts.
- One-click maintenance mode activation.
- Checks file and folder permissions.
- Removes WP generator meta tags.
- And more…
I especially like the one-click maintenance mode feature: if your website is attacked and injected with viruses, you can press just one button to shut your blog down into maintenance mode and stop the viruses spreading to your visitors.
10. Don’t Give Strangers Your Password Including Your Host
Giving your password to people you don’t know well can cause you a lot of trouble, even if they’re trying to help you solve a technical problem. At the very least, change your password after the problem is solved. The best way to do it is to have two sets of passwords: before you hand your password to your host’s support team, change it to something else, and change it back afterwards.
I believe most people are good people, but what if you have a 6-figure blog? Do you want to risk getting your AdSense account changed to someone else’s?
11. Use a STRONG Password
Obvious, right? If you want to improve your blog security, use a strong password. Don’t use your name, your blog name, or just numbers. Here are some very useful resources for creating your own strong password: http://strongpasswordgenerator.com/ and http://www.makeuseof.com/tag/how-to-create-strong-password-that-you-can-remember-easily/
12. Limit Access To Your wp-admin Folder By IP
Ok… this highly effective tip only applies to people with a static IP, meaning your IP address is constant, unlike a dynamic IP. This method limits wp-admin access to your own IP, so basically you have to whitelist every IP you might use to access your blog.
- Create a htaccess file as I taught you earlier in this post.
- Put these lines in it (they apply to every request method, not only GET, so the restriction can’t be bypassed with a POST request):
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Example Access Control"
    AuthType Basic
    Order deny,allow
    Deny from all
    Allow from xx.xx.xx.xx
    Allow from xx.xx.xxx.xx
- xx.xx.xx.xx is the IP address you want to whitelist; add one “Allow from” line per address.
- Upload this file to your WP-ADMIN folder, NOT the root folder.
Read more here: http://www.reubenyau.com/protecting-the-wordpress-wp-admin-folder/
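Tips 8 and 12 together, written out as an added example (not from this post or from any of the plugins above). It assumes Apache 2.4, where the Require syntax replaced Order/Deny/Allow, and goes a little beyond the post: it also covers wp-login.php (which lives in the root, not in wp-admin) and keeps admin-ajax.php reachable, since themes and plugins call it from the public site. The IP addresses are made-up placeholders.

```apache
# --- /.htaccess (WordPress root) ---
# Nobody, from any address, may fetch wp-config.php over the web.
# If PHP ever stops running (misconfiguration, module failure), the
# file would otherwise be served as plain text, password included.
<Files wp-config.php>
    Require all denied
</Files>

# wp-login.php is not inside wp-admin, so the wp-admin rule below does
# not cover it; restrict it to the same addresses (placeholders).
<Files wp-login.php>
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
</Files>

# --- /wp-admin/.htaccess ---
# Everything in wp-admin is limited to the listed addresses, for every
# request method. Wrapping this in <Limit GET> would leave POST open.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>

# Exception: admin-ajax.php is called by themes and plugins on the
# public site, so blocking it by IP breaks the front end for visitors.
# A <Files> section overrides the directory-level rule for this one file.
<Files admin-ajax.php>
    Require all granted
</Files>
```

If your host still runs Apache 2.2, keep the Order/Deny/Allow form shown in the post instead; mixing the two syntaxes on 2.4 without mod_access_compat produces a 500 error.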
13. Install Akismet
You MUST have this plugin installed on your blog!!! It’s the standard anti-spam filter, and it will greatly reduce spam comments on your blog.
Akismet checks your comments against the Akismet web service to see whether they look like spam and lets you review the spam it catches under your blog’s “Comments” admin screen.
Bonus tip: You can use this link to see whether Google considers your site harmful or safe. Just replace www.yahoo.com with your domain name. You know what to do.
http://www.google.com/safebrowsing/diagnostic?site=http://www.yahoo.com
I hope you can spread this blog post to your friends or co-workers so they know how to protect their precious blog from hackers and prying eyes. They will thank you and love you more.
Last 5 posts by Eric Su