Security Tips for WordPress Blog Owners

Anyone who owns and runs a WordPress blog knows the security risks that come with such a site. A skilled attacker can wipe your website off the web entirely, costing you months of traffic and earnings and seriously damaging your site's overall performance. There are therefore some precautions you should take to protect your site from such an attack. The security tips below will strengthen the defences of your WordPress blog.


Always log in using your email address

When you first install WordPress, the administrator account is called admin. Create a different user to control your blog. You may even remove admin and replace it with a username that is not easy to guess (subscriber, guest or anything else). Then log in to your WordPress blog with your email address rather than the username.

Never advertise the WordPress version you use to the world

WordPress sites display their version number by default, which makes it very easy for an attacker to see whether you are running an outdated version and to plan an attack accordingly. Always remove the WordPress version from your blog. You should also remove the readme.html file from the WordPress installation directory, because it also shows your WordPress version to the world.

Prohibit others from altering your WordPress directory

Log in to the Linux shell of your WordPress server and run the command below. It lists every directory that is world-writable, i.e. one that any user on the server can alter.

find . -type d -perm -o=w

Run the two commands below to set correct permissions on all of your WordPress files and directories:

find /your/wordpress/folder/ -type d -exec chmod 755 {} \;

find /your/wordpress/folder/ -type f -exec chmod 644 {} \;

This sets directories to 755, where only the owner can write and everyone else can only read and enter them. Files are set to 644, where only the owner can read and write and everyone else can just read them.
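As an added example (not code from the article), the script below builds a constructed throw-away directory tree with deliberately wrong permissions, audits it with the same find test used above, and applies the 755/644 scheme; every path and file name in it is made up.

```shell
#!/bin/sh
# Added example, not from the original article: audit and fix permissions on a
# constructed sample WordPress tree. Paths and file names are made up.

# Create a sample tree under a temporary directory with bad permissions.
make_sample_wp() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
    printf '<?php // sample\n' > "$d/wp-config.php"
    printf '<?php // sample\n' > "$d/wp-includes/load.php"
    chmod 777 "$d/wp-content/uploads"   # world-writable directory
    chmod 666 "$d/wp-config.php"        # world-writable config file
    chmod 700 "$d/wp-includes/load.php" # web server cannot even read it
    echo "$d"
}

# Directories anyone on the server may write to (the article's check).
count_world_writable_dirs() {
    find "$1" -type d -perm -o=w | wc -l | tr -d ' '
}

# Any file or directory anyone on the server may write to.
count_world_writable() {
    find "$1" -perm -o=w | wc -l | tr -d ' '
}

# Files that "other" (typically the web server user) cannot read.
count_unreadable_files() {
    find "$1" -type f ! -perm -o=r | wc -l | tr -d ' '
}

# The article's scheme: directories 755, files 644.
fix_wp_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

wp=$(make_sample_wp)
echo "world-writable dirs before fix: $(count_world_writable_dirs "$wp")"
echo "unreadable files before fix:    $(count_unreadable_files "$wp")"
fix_wp_perms "$wp"
echo "world-writable entries after:   $(count_world_writable "$wp")"
echo "unreadable files after:         $(count_unreadable_files "$wp")"
rm -rf "$wp"
```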


Rename the WordPress table prefix

If you installed WordPress with the default options, your database tables have names such as wp_posts and wp_users. It is advisable to change the prefix (wp_) of these tables to a random value.

Stop users from browsing WordPress directories

This is essential. Open the .htaccess file in the WordPress root directory and add the line below:

Options -Indexes

This stops visitors from viewing the list of files in a directory when that directory has no index.html or index.php file.

Keep a record of your WordPress PHP and database errors

Keeping a log of errors gives you clues about the kinds of invalid database queries and file requests your WordPress installation is receiving. Plugins such as Error Log Monitor email you these errors as they occur.

To enable error logging in WordPress, add the following code to wp-config.php and replace '/path/to/error.log' with the actual path of your log file. Make sure the error.log file is placed in a directory that cannot be reached from a browser.

define('WP_DEBUG', true);

if (WP_DEBUG) {
    // Never show errors to visitors: they can leak file paths and query details.
    define('WP_DEBUG_DISPLAY', false);
    @ini_set('log_errors', 'On');
    @ini_set('display_errors', 'Off');
    // Replace with the real path; keep this file outside the web-accessible tree.
    @ini_set('error_log', '/path/to/error.log');
}

Put a Password For WordPress Admin Dashboard

A very simple but important step to protect your blog: put a server-level password in front of your dashboard. This not only keeps guests out of the dashboard entirely, it also means authorized users must enter two passwords to reach their admin dashboard.

Track the login activity on your WordPress server

The Linux command "last -i" lists every user who has logged into your WordPress server, together with their IP addresses. If you see an IP address that has logged into your server for the first time, you need to change your password. The following command shows login activity over a longer period (the rotated log /var/log/wtmp.1) and counts the logins per IP address. Just remember to replace USERNAME with your actual username.

last -if /var/log/wtmp.1 | grep USERNAME | awk '{print $3}' | sort | uniq -c
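As an added example (not from the article), the script below applies the same pipeline to a constructed sample of "last -i" output, counts logins per IP for one user, and flags any IP that is not in a list of addresses you already recognise; the log lines, usernames and IPs are made-up sample data.

```shell
#!/bin/sh
# Added example, not from the original article. SAMPLE_LAST is constructed
# data in the layout `last -i` prints (user, tty, IP, date, duration).
SAMPLE_LAST='alice    pts/0        192.0.2.10      Mon Mar  4 08:12 - 09:30  (01:18)
alice    pts/1        192.0.2.10      Mon Mar  4 10:02 - 10:45  (00:43)
bob      pts/0        198.51.100.7    Mon Mar  4 11:20 - 11:35  (00:15)
alice    pts/0        203.0.113.42    Tue Mar  5 02:17 - 02:19  (00:02)
alice    pts/2        192.0.2.10      Tue Mar  5 09:01 - 09:40  (00:39)

wtmp begins Mon Mar  4 00:00:01 2024'

# Addresses the owner already knows (constructed), space separated.
KNOWN_IPS='192.0.2.10'

# The article's pipeline, reading `last -i` output from stdin instead of
# wtmp.1: prints "count ip" per source address, most frequent first.
logins_per_ip() {   # $1 = username
    awk -v u="$1" '$1 == u { print $3 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# IPs that logged in as the user but are not in the known list: the
# "first time seen" case the article says should trigger a password change.
unknown_ips() {     # $1 = username, $2 = known IPs (space separated)
    logins_per_ip "$1" | awk -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) seen[k[i]] = 1 }
        !($2 in seen) { print $2 }'
}

echo "logins per IP for alice:"
printf '%s\n' "$SAMPLE_LAST" | logins_per_ip alice
echo "IPs for alice not seen before:"
printf '%s\n' "$SAMPLE_LAST" | unknown_ips alice "$KNOWN_IPS"
```

On a real server, replace the printf with "last -if /var/log/wtmp.1" as the input to the functions.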

Use WordPress Plugins to improve Website Security

wordpress.org offers a variety of plugins that can help improve the security of your blog. Here are a few worth looking into:

Exploit scan

It quickly scans all your WordPress files, blog posts and then separates the ones which have malicious codes. Spam links hidden inside your posts can also be detected by this plugin.

Wordfence security

This is an effective plugin that compares the WordPress core files with the original files, bringing any alteration to light. It also locks out a user after a specified number of failed login attempts.

WordPress Sentinel

This plugin monitors the WordPress files and notifies you of any alteration made to them (addition, removal or edit).

VIP scanner

It scans your WordPress templates for any advertising code that might have been inserted. It also checks your WordPress themes for other problems.

Find files that have been altered in the last few days

Use find with its -mtime option to list any file that might have been altered in the last 3 days. Change -mtime to -mmin to see the files altered in the last m minutes instead.
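As an added example (not from the article), the script below wraps the -mtime and -mmin checks described above in two small functions and runs them against a constructed sample tree containing one old file and one freshly written file; the tree, file names and timestamps are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: list files changed in the
# last N days (-mtime) or N minutes (-mmin) under a WordPress root.
# The sample tree below is constructed for the demo.

# Files under $1 modified within the last $2 days.
modified_within_days() {
    find "$1" -type f -mtime "-$2" | sort
}

# Same check at minute resolution, useful right after a suspected incident.
modified_within_minutes() {
    find "$1" -type f -mmin "-$2" | sort
}

# Constructed sample tree: one file with an old timestamp, one written now.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/sample"
    printf '<?php // untouched for years\n' > "$d/index.php"
    touch -t 202001010000 "$d/index.php"   # fixed timestamp: 1 Jan 2020
    printf '<?php // freshly written\n' > "$d/wp-content/themes/sample/footer.php"
    echo "$d"
}

wp=$(make_sample_tree)
echo "changed in the last 3 days:"
modified_within_days "$wp" 3 | sed "s|^$wp/||"
echo "changed in the last 60 minutes:"
modified_within_minutes "$wp" 60 | sed "s|^$wp/||"
rm -rf "$wp"
```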

Protect WordPress Login Page

The WordPress login page is the gateway to your blog, and securing it establishes a strong first line of defence. To keep unauthorized users out of WordPress, you have a few options:

Password protection

Protect your wp-admin folder with a server-level username and password, in addition to your normal WordPress login details.

Google Authenticator

This plugin adds Google's two-step verification to your WordPress blog. Anyone trying to get into your blog must enter not only the password but also the verification code from your phone.

Login Dongle

This plugin protects your WordPress login in an unusual way. It generates a bookmarklet together with a secret question, which you add to your browser bookmarks. On the login page, enter your username, password and other details, then click the bookmarklet and answer the secret question to enter WordPress.
