13 Dead-Simple WordPress Security Tips And Plugins – Hack-proof Your Blog

Secure Your WordPress Blog

What happens when your blog is hacked by some douchebag?

  • You can’t log in to make new posts because the hacker changed your password.
  • Hours of work time are wasted trying to restore your backup (if you have one) or contacting your slow-ass support team.
  • Pissed blog readers are sending you hate emails, disrespecting you for giving them computer viruses that you’ve never heard of.
  • Or even worse… you find out all of your content or designs have gone bye-bye because you forgot to back up the blog for a year… It sucks, ain’t it…

…So don’t let yourself be that miserable SUCKER, especially if you use the WordPress platform, which is one of the easiest targets for hackers to break into.

If you’re not very technical like me, but you still want to improve the security of your WordPress blog, you’re in luck, because I’m about to show you 13 WordPress security plugins and tweaks you can implement today to bullet-proof your blog.

1. Delete Admin

When you install WordPress, it automatically assigns you a user with administrator permissions called “admin.” I recommend you remove this user to make it harder for hackers to use brute-force attacks to guess your username and password.

If you’re currently using the “admin” username, WordPress won’t let you create a new user with admin permissions under the same email address. All you have to do is create a new user with a different email address and delete the “admin” username; then you can change that new user’s email address to your preferred email address.

This is one of the simplest things you can do to add extra protection to your WordPress blog.

2. Upgrade Your WordPress Blog To The Newest Version


This is a no-brainer. Every time WordPress has a new version, you should upgrade your blog ASAP. Hackers generally love outdated versions of WordPress, because they’re much more vulnerable to attacks. If you don’t know how to upgrade your WordPress, you can install a plugin called “WordPress Automatic Upgrade.” It’s an easy-to-use plugin. Just follow the step-by-step instructions. I personally love this plugin. It literally only takes like 15 seconds to upgrade your blog.

3. Install Secure WordPress Plugin

I cannot say enough positive things about this plugin. It’s hands down one of the best WordPress security plugins in the WORLD. Plus the author updates this plugin very often, so you don’t have to worry about bugs or compatibility problems with new WordPress versions. What this plugin does is make some simple tweaks to your blog automatically to improve its security against hackers.

  1. It removes the WordPress version everywhere except in the admin area.
  2. It adds an index.php file to the plugin directory, so if anyone tries to access your plugin directory, a blank page will be shown to them.
  3. It removes error information on the login page so hackers will have a harder time brute-forcing their way into your blog.
  4. It blocks bad queries

And much more…so you should install this free plugin NOW.

4. Install WP Security Scan

This plugin is kind of complementary to the Secure WordPress plugin. It will scan your WordPress blog for vulnerabilities and suggest corrective actions. The best thing about this plugin is that it makes changing the table prefix wp_ much easier. It checks file permissions and database security, removes the WP version, and also removes the WP Generator META tag from the core code. In my opinion, this is also a must-install.

5. Install Semisecure Login Reimagined

Most of us don’t have an SSL certificate on our hosting plans, so this is the plugin you can substitute to encrypt the login information transmitted over the web without needing to spend your bucks on SSL. By using a combination of public and secret key encryption, it increases the security of the login process. You should install it if SSL isn’t available to you. By the way, JavaScript is required.

6. Install Stealth Login

It doesn’t take hacking knowledge to know that your login page is yourblogname.com/wp-login.php. How secure is that? So this plugin allows you to create your own custom login URL. For example, domain.com/login or domain.com/letmein. Let’s make those hackers guess where our login pages are.

You could even enable “stealth mode,” so no one can directly access your wp-login.php page. It will prevent malicious bots from accessing your login page.

7. Install WP DBmanager

You think you’ll forget to back up your blog?

This awesome plugin allows you to optimize, repair, back up and restore your database, delete database backups, drop/empty tables and run selected queries. It supports automatic scheduling of database backups and optimization.

Set up this plugin and it will take care of the rest. You can even set it to send backup files to your email address. Your blog can’t do without it. Trust me.

8. Protect wp-config.php

Your wp-config.php file contains sensitive information such as your database name and password. It’s very important that you protect it from prying eyes. Here’s how to do it.

  • Create a .htaccess file using Notepad or whatever plain text editor you have. Save and name this file htaccess.txt.
  • Put these lines of code into the text area:

<files wp-config.php>
  Order deny,allow
  deny from all
</files>

  • Save it.
  • Upload it to the root directory where your WordPress is installed.
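Added example (not part of the original post): a quick Python check you can run on the .htaccess text before uploading it. It confirms that the `<Files wp-config.php>` block is closed and contains a deny rule, because Apache treats an unclosed block as a syntax error and answers with a 500 server error instead of protecting the file. The function name `audit_htaccess` and the sample strings are made up for this example.

```python
import re

# Opening <Files name> or closing </Files>; Apache treats the tag case-insensitively.
TAG = re.compile(r'^\s*<(/?)files\b\s*"?([^">]*)"?\s*>\s*$', re.I)
# Apache 2.2 syntax (as used in this post) or the Apache 2.4 equivalent.
DENY = re.compile(r'^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$', re.I)

def audit_htaccess(text, target="wp-config.php"):
    """Return a list of problems with the <Files> protection for `target`."""
    problems, current, protected = [], None, False
    for n, line in enumerate(text.splitlines(), 1):
        tag = TAG.match(line)
        if tag and not tag.group(1):            # opening tag
            if current is not None:
                problems.append(f"line {n}: <Files> opened before <Files {current}> was closed")
            current = tag.group(2).strip()
        elif tag:                               # closing tag
            if current is None:
                problems.append(f"line {n}: </Files> without an opening tag")
            current = None
        elif current == target and DENY.match(line):
            protected = True                    # deny rule inside the right block
    if current is not None:
        problems.append(f"<Files {current}> is never closed")
    if not protected:
        problems.append(f"no deny rule inside a <Files {target}> block")
    return problems

# Constructed samples: the same rule with and without its closing tag.
CLOSED = "<files wp-config.php>\n  Order deny,allow\n  deny from all\n</files>\n"
UNCLOSED = "<files wp-config.php>\n  Order deny,allow\n  deny from all\n"

if __name__ == "__main__":
    for name, sample in (("closed", CLOSED), ("unclosed", UNCLOSED), ("empty", "")):
        print(name, audit_htaccess(sample) or "ok")
```

After uploading, requesting yourblogname.com/wp-config.php in a browser should give a 403 Forbidden page.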

If you don’t understand, you can read this other article for detailed instructions. http://www.josiahcole.com/2007/07/11/almost-perfect-htaccess-file-for-wordpress-blogs/

or http://www.devlounge.net/code/protect-your-wordpress-wp-config-so-you-dont-get-hacked

Or… you can install the BulletProof Security plugin to do that for you automatically. Next…

9. Install BulletProof Security


Basically this plugin is similar to Secure WordPress Plugin but with extra features.

  • Creates htaccess file to protect your wp-config.php file.
  • Protects your website from ALL XSS & SQL Injection hacking attempts.
  • One-click website under maintenance mode activation
  • Checks file and folder permissions
  • Removes wp generator meta tags
  • And more…

I especially like the one-click website maintenance mode feature. In case your website is attacked and injected with viruses, you can press just one button to stop the spread of the viruses to your blog visitors by switching your blog into maintenance mode.

10. Don’t Give Strangers Your Password Including Your Host

Giving your password to people you don’t know well can cause you a lot of trouble, even if they’re trying to help you solve some technical problem. At the very least, you should change your password after the problem is solved. The best way to do it is to have two sets of passwords. Before you need to hand your password to your host support team, change it to something else, and change it back afterwards.

I believe most people are good people, but what if you have a 6 figure blog? Do you want to risk getting your adsense account changed to someone else’s?

11. Use a STRONG Password

Obvious, right? If you want to improve your blog security, then use a strong password. Don’t use your name, your blog name, or just all numbers. Here are some very useful resources that you can use to create your own strong password: http://strongpasswordgenerator.com/ and http://www.makeuseof.com/tag/how-to-create-strong-password-that-you-can-remember-easily/

12. Limit Access To Your wp-admin Folder By IP

OK… this highly effective tip only applies to people using a static IP, which means your IP address is constant, unlike a dynamic IP. This method will limit your wp-admin access to only your own IP. So basically you have to whitelist all the IPs you might be using to access your blog.

  • Create an .htaccess file as I taught you earlier in this post.
  • Put these lines of code in it:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx

Read more here: http://www.reubenyau.com/protecting-the-wordpress-wp-admin-folder/

  • xx.xx.xx.xx is the ip address that you want to white list.
  • Upload this file to your WP-ADMIN folder NOT the root folder.
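Added example (not part of the original post): a small Python model of how Apache's `Order`, `Allow` and `Deny` lines combine, so you can see which visitors the wp-admin rules above let through and what happens if `order` is flipped or `deny from all` is left out. The function names are made up for this example, the addresses are reserved documentation ranges standing in for your own IPs, and only `all`, full addresses and CIDR ranges are handled.

```python
import ipaddress

def parse_rules(text):
    """Collect the Order, Allow and Deny directives; other lines are ignored."""
    order, allow, deny = "deny,allow", [], []      # Apache's default Order
    for line in text.splitlines():
        words = line.lower().split()
        if len(words) == 2 and words[0] == "order":
            order = words[1]
        elif len(words) >= 3 and words[0] in ("allow", "deny") and words[1] == "from":
            (allow if words[0] == "allow" else deny).extend(words[2:])
    return order, allow, deny

def matches(client, specs):
    """True if the client IP matches 'all', a full address or a CIDR range."""
    ip = ipaddress.ip_address(client)
    for spec in specs:
        if spec == "all":
            return True
        try:
            if ip in ipaddress.ip_network(spec, strict=False):
                return True
        except ValueError:
            pass    # hostnames, partial IPs and env= are not handled here
    return False

def is_allowed(client, text):
    """Apply the Order semantics to decide whether `client` gets in."""
    order, allow, deny = parse_rules(text)
    allowed, denied = matches(client, allow), matches(client, deny)
    if order == "deny,allow":       # default allow, Allow overrides Deny
        return allowed or not denied
    if order == "allow,deny":       # default deny, Deny overrides Allow
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order}")

# Constructed rules in this post's format, with documentation addresses.
RULES = """AuthType Basic
order deny,allow
deny from all
allow from 203.0.113.10
allow from 198.51.100.0/24
"""
SWAPPED = RULES.replace("order deny,allow", "order allow,deny")  # locks everyone out
NO_DENY = RULES.replace("deny from all\n", "")                   # lets everyone in
```

With `RULES`, only the two whitelisted entries get in; with `SWAPPED` even your own IP is refused, and with `NO_DENY` the whitelist does nothing because everyone is allowed by default.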

13. Install Akismet


You MUST have this plugin installed on your blog!!! This is a pretty standard anti-spam filter. Spam comments on your blog will be greatly reduced by this plugin.

Akismet checks your comments against the Akismet web service to see if they look like spam or not and lets you review the spam it catches under your blog’s “Comments” admin screen.

Bonus tip: You can use this link to see if Google considers your site harmful or safe. Just replace www.yahoo.com with your domain name. You know what to do :) .


I hope you can spread this blog post to your friends or co-workers so they know how to protect their precious blog from hackers and prying eyes. They will thank you and love you more. :)

Comments on this entry are closed.

  • Anonymous

    Hi Eric,

    Wow! I had never heard of most of these. I’m very glad I found this article.


  • Anonymous

    Did you test these 13 security wordpress plugins and tweaks on 1 installation?
    If so which version?

    Why do I ask?
    Does not seem to work with 3.01

    Thanks, Erik

  • Bill Marks

    Wonderful post and well documented. Securing your blog or site is something people only think about after it is too late. The steps outlined here should be standard operating procedure on Day One of any new blog.
    To paraphrase the old Fram Oil Filter commercial… you can pay me now or you can pay me later.
    Take time to do these things now; it will save time and frustration later.

  • AskBillMarks

    RT @eric_su: RT&Cmmnt > 13 Dead-Simple WordPress Security Tips And Plugins – Hack-proof Your Blog http://ericsu.com/blog/13-deadsimple-wor

  • Anonymous

    Hey Eric,

    Thanks for the excellent post man, I never stopped to think about the security of my blog until you brought it to my attention. Losing the blog that you work so hard to build to hackers would be TERRIBLE! Thanks again!