WordPress Security Best Practices and Plug-ins
Keeping your WordPress blog safe and secure is something that should be done right away but often gets delayed. Building readership and monetizing the site are daily tasks that produce tangible results.
Checking on security needs, by contrast, rarely reveals its true importance until the site is compromised by a hacker or by a disaster like user error. Here are a few of the best methods of protecting your blog from these kinds of disasters.
WordPress Code Modifications
Since WordPress is open source, the code itself can be modified by the user to create a unique and totally customized experience. In some cases, simply adding to the WordPress code can considerably improve the overall security of your blog. While this may seem like something only an advanced user or a programmer would attempt, it is actually very easy to do.
If you are worried about adverse effects on your blog, back up your blog before implementing any of these suggestions. If something does go wrong, or you simply don't like the results, you can restore the backup and your blog can continue to run just as it always has. Even if you are fully confident in your ability to modify the WordPress code, it is a good idea to make a backup first.
Remove the WordPress Version Number
By default, the WordPress version is displayed in the HTML head of the blog's pages and in the RSS feed. If you are not using the latest version of WordPress, a hacker can use this information to launch an attack on your blog that exploits a known vulnerability in the version you are running. Adding a single line of code can prevent the version number from being displayed.
- Go to your theme folder and open the functions.php file.
- Enter the code: remove_action('wp_head', 'wp_generator');
- Save the functions.php file and refresh the page.
By just adding this simple line of code, your WordPress version stops being displayed where hackers can easily find it.
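The article's one-liner only covers the <head> of the pages. The version also appears in feeds and in the ?ver= query string WordPress appends to core script and stylesheet URLs. The following is an added example, not code from the article, that removes all three from a theme's functions.php. The hook and filter names are standard WordPress APIs; the function name is this example's own choice.

```php
<?php
// Added example (not from the original article): strip the WordPress version
// from every place it is normally printed. Paste into the active theme's
// functions.php (below its opening <?php if the file already has one).

// 1. The <meta name="generator"> tag in the page head (the article's one-liner).
remove_action( 'wp_head', 'wp_generator' );

// 2. The <generator> element in RSS/Atom feeds and anywhere else the_generator()
//    is called: returning an empty string suppresses the whole tag.
add_filter( 'the_generator', '__return_empty_string' );

// 3. The ?ver=<version> query string WordPress adds to core script and
//    stylesheet URLs, which reveals the version even with the meta tag gone.
//    Only the bare core version is stripped; theme and plugin assets that set
//    their own version keep it, so their cache-busting still works.
function example_strip_core_version_arg( $src ) {
    $query = array();
    parse_str( (string) parse_url( $src, PHP_URL_QUERY ), $query );
    if ( isset( $query['ver'] ) && $query['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'example_strip_core_version_arg' );
add_filter( 'script_loader_src', 'example_strip_core_version_arg' );
```

After saving, view the page source and the feed to confirm the generator tag is gone. The readme.html file that ships in the WordPress root also states the version, so delete it or block access to it as well; hiding the number is no substitute for actually applying updates.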
Change the Default Admin Name
If you have been using WordPress for a while, you probably still have the default username “admin.” Beginning with version 3.0, you could choose your own admin name. If you are still using “admin” to log in, it is time to change it. When hackers are trying to crack a password, it is more difficult if they also have to crack the username.
- Log in to the phpMyAdmin panel.
- Choose your WordPress database.
- Click on the SQL tab.
- In the SQL query box enter: UPDATE wp_users SET user_login = 'New Username' WHERE user_login = 'admin';
Now, you will be able to use your new username to login to your admin page.
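The raw query above assumes the default wp_ table prefix and leaves the account's nicename (the slug in the public /author/ URL) and display name untouched, so the old login can still be read off the site. The following is an added example, not code from the article, that does the rename through WordPress's own database layer and covers those fields. It assumes a standard install where wp-load.php sits beside the script; the function name is this example's own choice.

```php
<?php
// Added example (not from the original article): rename the default "admin"
// account through $wpdb instead of raw SQL in phpMyAdmin. Save as
// rename-admin.php in the WordPress root, run once (php rename-admin.php),
// then delete the file.
require_once __DIR__ . '/wp-load.php';

function example_rename_user( $old_login, $new_login ) {
    global $wpdb;

    // Reject names WordPress itself would refuse, and never overwrite an account.
    if ( ! validate_username( $new_login ) ) {
        return "Invalid username: {$new_login}";
    }
    if ( username_exists( $new_login ) ) {
        return "Username already taken: {$new_login}";
    }
    $user = get_user_by( 'login', $old_login );
    if ( ! $user ) {
        return "No account named {$old_login}";
    }

    // $wpdb->users resolves to the real table even when the prefix is not wp_.
    // user_nicename is changed too: it appears in the public author archive URL
    // (/author/<nicename>/), which would otherwise still reveal the old login.
    $data   = array(
        'user_login'    => $new_login,
        'user_nicename' => sanitize_title( $new_login ),
    );
    $format = array( '%s', '%s' );

    // The display name is public by design, but if it still equals the old
    // login it hands out exactly the name a password guesser needs.
    if ( $user->display_name === $old_login ) {
        $data['display_name'] = $new_login;
        $format[]             = '%s';
    }

    $rows = $wpdb->update( $wpdb->users, $data, array( 'ID' => $user->ID ), $format, array( '%d' ) );
    if ( false === $rows ) {
        return 'Database error: ' . $wpdb->last_error;
    }
    clean_user_cache( $user->ID );
    return "Renamed user #{$user->ID} from {$old_login} to {$new_login}";
}

// 'New Username' is a placeholder; choose something that is not easy to guess.
echo example_rename_user( 'admin', 'New Username' ) . PHP_EOL;
```

After running it, log in with the new name and check that /author/admin/ no longer resolves to your account.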
WordPress Plug-ins
There are quite a few plug-ins for WordPress that will help increase the security of your blog. The ones presented here are among the highest rated plug-ins by WordPress users. All of these are easy to install and use.
Block Bad Queries
Block Bad Queries is a plug-in that works in the background and deals with malicious queries. Malicious queries, or malicious URL requests, are how hackers identify vulnerabilities: scripts send URL requests that start with your site's URL and vary the ending. A couple of simple examples:
- http://myblog.net/subdirectory/attempt1.php
- http://myblog.net/subdirectory/attempt2.php
These will not have much impact, but queries that are more than 255 characters long can use a lot of resources and slow your site down for legitimate users. If the URL string includes "eval" or "base64," it is looking for a way to inject a script into your site that could create a backdoor, launch spam or perform some other malicious activity. Block Bad Queries returns a 414 error to this type of request and prevents it from occupying resources.
Block Bad Queries requires WordPress version 2.3 or higher. Block Bad Queries was last updated on March 5, 2010.
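To make the checks concrete, here is an added example, not the Block Bad Queries plugin's own code, written as a must-use plugin that applies the three rules the text describes (over-255-character URI, "eval", "base64") before WordPress does any real work. The function name, the log message and the use of a must-use plugin file are this example's own choices.

```php
<?php
/*
Plugin Name: Example Request Filter
Description: Added example (not the Block Bad Queries plugin's code) of the
checks the article describes. Drop this file into wp-content/mu-plugins/ to
activate it; the 255-character limit is taken from the text.
*/

// Returns a short reason when the request should be refused, or an empty
// string when it looks harmless. Free of side effects so it can be tested
// against sample URIs without a web server.
function example_bad_query_reason( $request_uri ) {
    // REQUEST_URI already includes the query string. Attackers often
    // URL-encode payloads (%65val), so decode before matching.
    $decoded = strtolower( rawurldecode( $request_uri ) );

    if ( strlen( $request_uri ) > 255 ) {
        return 'request URI longer than 255 characters';
    }
    foreach ( array( 'eval(', 'base64' ) as $needle ) {
        if ( false !== strpos( $decoded, $needle ) ) {
            return "request contains '{$needle}'";
        }
    }
    return '';
}

$example_reason = example_bad_query_reason(
    isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : ''
);
if ( '' !== $example_reason ) {
    // Record the decision for the site owner; the visitor only sees the status.
    error_log( 'Blocked request: ' . $example_reason );
    status_header( 414 );   // 414 is what the article says the plugin returns
    nocache_headers();
    exit;
}
```

Before deploying a filter like this, run example_bad_query_reason() over a day of real access-log URIs: the bare "base64" substring in particular can match legitimate requests (for example a search term), and a blanket block would lock those visitors out.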
BackupWordPress
BackupWordPress is the best way to maintain and manage backups of your WordPress powered blogs. It can be automated to run backups on a daily schedule if you desire. Scheduling the backups means there is no danger of forgetting to complete this task. It will back up the entire database, including all tables and files, or you can specify only certain tables to be backed up. The backups can be stored on the server, on your hard drive or sent to your email account.
BackupWordPress requires WordPress version 3.0 or higher. BackupWordPress is updated regularly.
Stealth Login
Stealth Login provides an extra line of defense for your admin page by allowing you to customize the URL of your admin login page. Should your admin password become compromised, hackers will then also need to locate the actual WordPress login page, because the admin page can no longer be accessed through the default URL. It also protects the wp-login.php file by preventing it from being accessed directly.
Stealth Login requires WordPress version 2.3 or higher. Stealth Login was last updated on July 15, 2010.
Akismet
Akismet automates the task of identifying spam and backlinks in the comments and deleting them. While spam bots and automated comment posting programs are easy to spot and stop, human spammers are a bit more difficult. Akismet keeps an extensive library that is constantly being updated with the latest methods spammers are using to get comments and backlinks approved while disguised as legitimate comments.
Akismet requires WordPress 2.0 or higher. Akismet is updated regularly.
AskApache Password Protect
AskApache Password Protect is designed to fend off brute force attempts to access your admin page. Bots are programmed to make repeated attempts in rapid succession to guess the password. The AskApache Password Protect plug-in adds a second layer to the password process so these attempts never actually get rolling. It also provides protection to all of your database folders, not just the wp-admin folder.
AskApache Password Protect requires WordPress 2.6 or higher. AskApache Password Protect is updated regularly.
Theme Authenticity Checker
Theme Authenticity Checker scans all your themes for unwanted code. Some third-party sites that offer themes for download will insert dangerous JavaScript or advertising into the regular code. This added code is often obfuscated. Theme Authenticity Checker will highlight any code it finds that may not be part of the theme itself. You can contact the author of the theme with the code and they will let you know whether the code is supposed to be there. This plug-in makes cleaning up the code in themes much easier.
Theme Authenticity Checker requires WordPress 2.9 or higher. Theme Authenticity Checker was last updated on December 18, 2009.
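To show what such a scan actually looks for, here is an added command-line example, not the Theme Authenticity Checker plugin's code, that walks a theme directory and reports the constructs obfuscated or injected code usually depends on. The pattern list, the file-type filter and the function names are this example's own choices.

```php
<?php
// Added example (not the Theme Authenticity Checker plugin's code): scan a theme
// directory for code that does not belong in a normal theme.
// Usage: php scan-theme.php wp-content/themes/<theme>

// Each regex is paired with the explanation printed in the report.
function example_suspicious_patterns() {
    return array(
        '/\beval\s*\(/i'                                  => 'eval() executes generated code',
        '/\bbase64_decode\s*\(/i'                         => 'base64_decode() often unwraps a hidden payload',
        '/\b(gzinflate|gzuncompress|str_rot13)\s*\(/i'    => 'decoding layer typical of obfuscated code',
        '/preg_replace\s*\(\s*[\'"].*\/[a-z]*e[a-z]*[\'"]\s*,/i' => 'preg_replace with the /e modifier runs code',
        '/<script[^>]+src\s*=\s*[\'"]https?:\/\//i'       => 'remote <script> include; verify the domain',
        '/\\\\x[0-9a-f]{2}\\\\x[0-9a-f]{2}/i'              => 'hex-escaped string, common in encoded code',
    );
}

// Scans every .php, .js and .html file under $dir and returns findings as
// array(file, line number, explanation, trimmed source line).
function example_scan_theme( $dir ) {
    $findings = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $file ) {
        if ( ! preg_match( '/\.(php|js|html?)$/i', $file->getFilename() ) ) {
            continue;
        }
        $lines = file( $file->getPathname(), FILE_IGNORE_NEW_LINES );
        foreach ( $lines as $index => $line ) {
            foreach ( example_suspicious_patterns() as $pattern => $why ) {
                if ( preg_match( $pattern, $line ) ) {
                    $findings[] = array(
                        $file->getPathname(),
                        $index + 1,
                        $why,
                        trim( substr( $line, 0, 120 ) ),
                    );
                }
            }
        }
    }
    return $findings;
}

$dir = isset( $argv[1] ) ? $argv[1] : '.';
foreach ( example_scan_theme( $dir ) as $f ) {
    printf( "%s:%d  %s\n    %s\n", $f[0], $f[1], $f[2], $f[3] );
}
```

A hit is a lead, not a verdict: legitimate themes do load scripts from CDNs and a few plugins use base64 for icons, so compare each flagged line against a clean copy of the theme from its original author before deleting anything, exactly as the article suggests.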
Final Thoughts…
All of these tips and plug-ins are quite easy to add to your WordPress blog and the improved security is definitely worth the time and effort.
Better WP Security (http://wordpress.org/extend/plugins/better-wp-security/) will do all of this (minus backup) and more in a single plugin. One additional tip is that no matter how many plugins you use, unless you’re keeping up on security updates none of it will do any good.
Thanks for sharing these useful WordPress security plugins
Chris, you're totally right with the regular security updates. Great point that I should really spell out in the article. You're a big fan of Better WP Security, eh. I'm definitely interested in reading more about it. Can you link me to one of your favorite explanations of it?
Thanks,
Brian
Hi there… Thanks for the info. Lots of stuff to pick up from, thanks. However, I basically work in Photoshop with PSD. I want to choose the best way to generate PSD to WordPress… The best functional way to publish templates to WordPress??
Hi there… Thanks for the info. However, I basically work in Photoshop with PSD files. Trying to pick up the most functional tool to publish PSD to WordPress. Anybody familiar with?
Generally, I use Dreamweaver to convert a PSD to an HTML and CSS template for WordPress.
@daniel breg. If you are not a coder and quite far from the industry (as myself, indeed), you'll be getting troubled in building up a WordPress website. I personally would recommend a plug-in http://elemente.divine-project.com/ for Photoshop to automatically convert PSD to WordPress themes.
I have installed some plugins to protect my WP blog, just now saw the plugin Better WP Security. Its features are amazing, one plugin with all the functionalities. Thank you Chris.
Thank you for sharing these plugins for WordPress security
It's true.
Hi,
This is a very nice tutorial you wrote there,
I tried to copy a command from this site and there is a read more link added. This is a really nice way to protect your blog.
I would be real glad if you could tell us what is the name of this plugin?
This is a great list of things to do to secure your WordPress site…
I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…
I have now written up my experiences in a WordPress Security Checklist which can be downloaded for free on http://www.wpsecuritychecklist.com.
My checklist has a few more items and detailed steps for how to get the job done.
Hopefully the checklist can help other people securing their WordPress sites…