7 simple steps to make your WordPress blog more secure

Securing your WordPress blog

WordPress blogs can be targets for hackers looking to take them over for SEO, traffic redirection and other purposes. Most bloggers aren’t aware of the threat posed by hackers, and the blog owner may not even know that a successful attack has taken place.

I had an experience some months ago on one of my blogs, where my server had been flooded with hundreds of pages relating to adult material. I only realized this when Google stopped sending me traffic to that blog.

There are some simple security measures that any blogger can implement today to make a blog more secure.

Create a new user account

It is harder for a hacker to break into your blog when both the username and the password have to be cracked. That is why you should create a new user and delete the default “admin” account that WordPress creates.

You create a user by going to “Users” and then “Add New” in the WordPress menu. When creating the new user, make sure to give it the “Administrator” role, so that you keep full authority over your blog.

Now simply log out of your default “admin” account and log in with the new user details. Under “Users” you can delete the default “admin” user. When deleting it, make sure to choose the option to transfer your old posts to your new username; otherwise the posts are deleted together with the account.

Use a strong password

Do not use a simple password for the new user account. It may be easy for you to remember, but it is also easier for a hacker to crack. Your password should be at least eight characters long and should mix numbers with uppercase and lowercase letters.
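As an added example (not code from the post or from WordPress), here is a small check that enforces the rules just listed: at least eight characters, with digits, uppercase and lowercase letters. It goes one step beyond the post by also rejecting a password that contains the username, since the point of the previous step is that both have to be guessed; that extra rule, the function names and the sample passwords are assumptions made for this example.

```python
MIN_LENGTH = 8  # minimum length the post recommends


def password_problems(password, username=None):
    """Return the list of rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    # Extra rule assumed for this example, not stated in the post: a password
    # that contains the username gives away half of the login once the
    # username is known.
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def is_strong(password, username=None):
    """Convenience wrapper: True when no rule fails."""
    return not password_problems(password, username)


if __name__ == "__main__":
    # Constructed sample passwords for demonstration only.
    for pw in ["password", "MARKO2009", "Wp2009Secure"]:
        print(pw, "->", password_problems(pw, username="marko") or "ok")
```

The function returns every failed rule rather than a single yes/no so that the message shown to the user can say exactly what to fix.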

Set a new nickname

You do not want your new username to be the author name shown on all your posts; otherwise every post reveals your login name, which is half of what a hacker needs. Set the nickname that WordPress uses as the author name to something different from your username. You do this in “Users” under “Your Profile” in the Nickname field: choose a new nickname and set “Display name publicly as” to it.

Use Login Lockdown plugin

The Login LockDown plugin records the IP address and timestamp of every failed login attempt on your WordPress blog. If more than a certain number of failed attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range.
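To make the mechanism concrete, here is an added example in Python that is not the plugin’s own code: it models the behaviour described above (failed attempts counted per IP range inside a sliding window, with the whole range locked out once a threshold is crossed) and replays it over a few constructed log lines. The threshold of five failures in five minutes, the one-hour lockout, the /24 range size, the log format and the addresses are all assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed log format for this example (not WordPress's or the plugin's):
# "<YYYY-MM-DD> <HH:MM:SS> FAILED LOGIN user=<name> ip=<address>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) FAILED LOGIN "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_ts(text):
    """Parse the timestamp format used by the constructed log lines."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


class LoginLockdown:
    """Counts failed logins per IP range and locks the range after too many."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(hours=1), prefix_len=24):
        self.max_failures = max_failures    # failures allowed inside the window
        self.window = window                # sliding window for counting failures
        self.lockout = lockout              # how long a range stays blocked
        self.prefix_len = prefix_len        # IPv4 range size; /24 assumed here
        self.failures = defaultdict(deque)  # range -> timestamps of recent failures
        self.locked_until = {}              # range -> datetime when the lock expires

    def range_key(self, ip):
        """Map an address to its network, e.g. 203.0.113.5 -> '203.0.113.0/24'."""
        return str(ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False))

    def is_locked(self, ip, now):
        """True if logins from ip's range are currently disabled."""
        until = self.locked_until.get(self.range_key(ip))
        return until is not None and now < until

    def record_failure(self, ip, when):
        """Register one failed attempt; return True if it triggers a lock."""
        key = self.range_key(ip)
        recent = self.failures[key]
        recent.append(when)
        # Forget failures older than the window so the count is a sliding one.
        while recent and when - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[key] = when + self.lockout
            recent.clear()
            return True
        return False


def replay(lines, lockdown=None):
    """Feed log lines through the lockdown; return {range: lock expiry as text}."""
    lockdown = lockdown if lockdown is not None else LoginLockdown()
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a failed-login record; ignore it
        lockdown.record_failure(match["ip"], parse_ts(match["ts"]))
    return {rng: until.strftime("%Y-%m-%d %H:%M:%S")
            for rng, until in lockdown.locked_until.items()}


# Constructed sample: a burst of guesses from one /24, plus two genuine typos.
SAMPLE_LOG = [
    "2009-04-21 00:17:03 FAILED LOGIN user=admin ip=203.0.113.5",
    "2009-04-21 00:17:09 FAILED LOGIN user=admin ip=203.0.113.5",
    "2009-04-21 00:17:14 FAILED LOGIN user=admin ip=203.0.113.6",
    "2009-04-21 00:17:20 FAILED LOGIN user=administrator ip=203.0.113.6",
    "2009-04-21 00:17:25 FAILED LOGIN user=admin ip=203.0.113.7",
    "2009-04-21 00:18:00 cron job finished",
    "2009-04-21 00:30:00 FAILED LOGIN user=marko ip=198.51.100.7",
    "2009-04-21 01:10:00 FAILED LOGIN user=marko ip=198.51.100.7",
]

if __name__ == "__main__":
    for rng, until in replay(SAMPLE_LOG).items():
        print(f"{rng} locked until {until}")
```

Counting per range rather than per address is what stops a guesser from sidestepping the limit by rotating through neighbouring addresses; the cost is that a legitimate user on the same range is locked out too, which is why the lock expires rather than lasting forever.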

Do not allow guest user registrations

If you do not run a membership blog, there is no reason to allow visitors to register for an account on your blog. To check that registration is turned off, click “Settings” and make sure that the “Anyone can register” option is not checked.

Always upgrade

Always upgrade to the latest version of WordPress, of your WordPress theme and of the plugins you use. One of the reasons new versions of software and plugins are released is to fix security vulnerabilities found in older versions. With WordPress 2.7+ all of these upgrades are simple, automated, one-click processes within the WordPress interface.

Backup regularly

Taking regular backups is important. If something happens, you can always use the backup to recover your blog. The WordPress Database Backup plugin makes this simple: activate the plugin and set it to take backups automatically and send them as a file to your email address.

Conclusion

These 7 simple steps can be executed quickly and should make your blog harder to break into. Do you care about your blog’s security? Have you had any experience with hackers breaking in? What steps did you take to make your blog more secure?

Image by AMagill

Post written by Marko Saric on April 21, 2009 in WordPress

21 comments

    1 Gayle April 21, 2009 at 12:17 am

    Thank you for a very helpful article!

    2 Adam Pieniazek April 21, 2009 at 12:19 am

    Good tips.

A few more would be to ensure that you do not broadcast your WordPress theme version in your footer. It might also be a good idea to delete the automatic insertion of the WordPress version into your header, though it might be a bit too paranoid.

    3 Bart | Blue Collar Blog April 21, 2009 at 1:28 am

    As usual Marco, you are an example to us all as bloggers with great, functional, timely content and easy to follow instructions.

    Thanks!

    4 Miguel Wickert April 21, 2009 at 3:29 am

As Bart said, timely and useful content. I didn’t even know about the “lock down login” plugin. Might have to give that one a go, it never hurts to play it safe. Better to be safe than sorry. :)

    -Mig

    5 Jeff Rose April 21, 2009 at 3:16 pm

    Thanks for the post. I always knew I should change the username but didn’t know how. Already done and hopefully no hacks coming my way. Thanks!

    6 Marko Saric April 21, 2009 at 5:48 pm

    Thanks for all comments, glad my post was useful!

    @Adam Pieniazek – Thanks for other suggestions. It is something to think about, you never know when you’re secure enough.

    7 Gilang Ramadhan April 22, 2009 at 11:45 am

Thanks for the good articles you have, Mr. Marko! Those are really simple things to do to secure a WordPress blog.

    Btw, how about the WP Security Scan plugin? A plugin that can do a few security tasks on the list above.

Try to use that plugin and I think it’s simply useful, too!

    8 Marko Saric April 22, 2009 at 8:39 pm

    @Gilang Ramadhan and @Eric Barb – thanks for pointing out WP Security Scan plugin. Looks useful.

    9 Eric Barb April 22, 2009 at 11:55 am

Great article. Being in IT and less design oriented, I can truly appreciate these ideas. I use the login lockdown plugin as well. Many of these security points can be used across the IT world, not just WordPress. Another plugin that I like is WP Security Scan. It recommends changing the prefix on your SQL database table as well to mitigate zero-day SQL injection attacks. Don’t know if this is being overly paranoid or not though. Keep up the good work.

    10 Miguel Wickert April 23, 2009 at 3:14 am

    Stumbled! :) Keep it up Marko. I recently changed my login. Being safer is the way to go.

    -Mig

    11 Mike April 23, 2009 at 3:37 pm

    Good article. thanks for the useful advice.

    12 TAG April 23, 2009 at 7:43 pm

Very valuable information. We just went through your 7 steps to make our blog more secure and will also look into the WP Security Scan plugin suggested by others as well. Since following you on Twitter we’ve gotten very useful and helpful information from you to help with our blog. Thanks greatly for the tips and advice!

    13 Robertfel April 25, 2009 at 7:44 pm

Thank you for sharing great tips. Will implement soon as well :)

    14 Bronnie April 27, 2009 at 4:03 pm

    Thanks for the great advice. It doesn’t hurt to secure your WP as much as poss. Will do as you suggest and sleep better at night :)

    15 Brad in Dallas April 29, 2009 at 10:41 pm

    One thing I like is that you can install the rcaptcha.com plugin, works great and isn’t too troublesome to visitors, plus it helps make OCR better.

I also understand that it isn’t too hard to set a password on your ADMIN folder for those that built their own site.

    My Zen-Cart installation makes it easy for me to actually change the name of the ‘admin’ folder, is that possible/recommended for wp installs?

    16 Marko Saric April 29, 2009 at 11:05 pm

@Brad in Dallas – Hmm, I am not really sure. I have never gone that far with my WordPress protection. There must be more details on the WordPress site.

    17 Amit May 1, 2009 at 4:57 am

    Thank you very much for those tips. Going to implement them now. :)

    18 Technogati May 10, 2009 at 9:33 am

    Thanks a lot for this very-very useful tip.

    19 Alex Brooks May 13, 2009 at 12:58 pm

    I’m going to be following these steps to my blog now, thanks a lot for sharing! :D

    20 Rahul May 27, 2009 at 8:02 pm

I too back up my database using the WP database backup. Really simple and nice tool to back up your database.

    21 techprism October 25, 2009 at 11:15 am

Some of the tips are really very important. Taking these already can protect you from future threats.

    Thanks for sharing.
