9 easy ways to secure your WordPress blog

by Ross McKillop on September 10, 2007

Blogging Security

This article outlines 9 different ways you can secure your WordPress blog/site. Security is often an overlooked aspect of blogging, but a few minutes making sure things are secure can save you hours and hours of ‘fixing’ if someone decides to mess with your site.

  1. Download and install the wp-scanner plugin. It performs he following security checks:
    1. WordPress Version Check (currently supports 7 version checks). Future releases will include a file existence version check, for those blogs that have removed their version details.
    2. Tests the WordPress theme template for basic XSS vulnerabilities
    3. Enumerates WordPress Plugins. Future releases will perform additional tests in this area.
  2. Another plugin to install is Login LockDown. It records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. It’s very straight forward and easy to use – I give it a big thumbs up.
  3. Arguably my favorite WordPress security plugin is AskApache Password Protect. It adds a 2nd layer of security to your blog by requiring a username and password to access anything in the /wp-admin/ folder. And it does that by automatically creating and picking all the right settings for the .htpasswd and .htaccess files (including the save locations), but you can easily change those settings to anything you want, right from your WordPress Admin Panel.
  4. From Matt Cutts presentation – remove the tag in your header.php that displays the current version of WordPress. It’s:

    <meta name=”generator” content=”WordPress <?php bloginfo(‘version’); ?>” />

    Or, you can just modify it so that the version number isn’t displayed, to something like

    <meta name=”generator” content=”Powered by WordPress” />

  5. Again, from Matt Cutts – put a blank index.html file in your /wp-content/plugins/ directory. By default, you can actually view the contents of this folder, so everyone in the world knows which plugins you have installed.
  6. I won’t bother with the “always use the latest version of WordPress” tip, because that’s just too obvious. However, I will mention that the Automatic Upgrade Plugin can keep your version of WordPress current, and you don’t have to do anything other than install it. I happen to prefer to upgrade WP manually, so I don’t use this one, but I’ve heard nothing but good things about it.
  7. If you have a ‘contact me’ page, make sure it’s a secure one. No one likes spam. Secure Form Mailer is great.
  8. Keep your web server updated. Though this isn’t WordPress specific, no matter how secure WordPress is, if there’s a vulnerability in your actual web server, it won’t matter. So keep an eye out for updates to your web server (ie. litespeed, Apache etc).
  9. Consider bookmarking http://blogsecurity.net (or subscribing to their RSS feed) – they have some great posts and provide info on insecure plugins etc as soon as they find out about them.