Recently I posted about a hole in a very popular caching plugin for WordPress that could make some sensitive bits of your site ‘gettable’ by naughty people (not something you want!).
That got me thinking about WordPress security in general and how I keep my sites secure. I thought it would also be interesting, and very useful, to find out how other people also look after their sites.
So let’s get into some security.
WordPress Security Plugins
The first plugins I ever install on a new WP site are two security ones!
Secure WordPress does a number of nice things in one plugin, such as:
- Removes error information from the login page
- Adds a virtual index.php to the plugin directory
- Removes the WordPress version, except in the admin area
- Removes Really Simple Discovery
- Removes Windows Live Writer
- Removes core update information for non-admins
- Removes plugin update information for non-admins
- Removes theme update information for non-admins (WP 2.8 and higher only)
- Hides the WordPress version in the backend dashboard for non-admins
- Removes the version from script and stylesheet URLs (frontend only)
- Blocks bad queries that could be harmful to your WordPress site
Limit Login Attempts limits the number of times an IP address can attempt to log in to the admin section. This stops ‘brute force’ password hacking attempts.
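As an added example (not the code of either plugin), here is a small must-use plugin that reproduces several of the behaviours just listed with ordinary WordPress hooks: hiding the version and discovery links, hiding login error details, stripping the ver query string, and locking out an IP after repeated failed logins. The lockout thresholds and the use of REMOTE_ADDR as the client address are assumptions.

```php
<?php
/*
 * Plugin Name: Hardening Example
 * Drop this file in wp-content/mu-plugins/ so it loads automatically.
 * Illustrative example only, not the code of Secure WordPress or Limit Login Attempts.
 */

// Secure WordPress-style hardening: drop version and discovery hints from <head>.
remove_action('wp_head', 'wp_generator');      // <meta name="generator"> carrying the WP version
remove_action('wp_head', 'rsd_link');          // Really Simple Discovery link
remove_action('wp_head', 'wlwmanifest_link');  // Windows Live Writer manifest link

// Generic login error so the form does not reveal whether the username exists.
add_filter('login_errors', function ($msg) {
    return 'Invalid username or password.';
});

// Strip the ?ver= query string from front-end script and stylesheet URLs only.
$strip_ver = function ($src) {
    return is_admin() ? $src : remove_query_arg('ver', $src);
};
add_filter('script_loader_src', $strip_ver);
add_filter('style_loader_src', $strip_ver);

// Limit Login Attempts-style lockout (assumed thresholds): after MAX_ATTEMPTS
// failures from one IP, refuse logins until the counter transient expires.
const MAX_ATTEMPTS    = 4;
const LOCKOUT_SECONDS = 20 * MINUTE_IN_SECONDS;

function example_attempt_key() {
    // Assumption: no reverse proxy in front of the site, so REMOTE_ADDR is the real client IP.
    return 'login_fail_' . md5($_SERVER['REMOTE_ADDR']);
}

add_action('wp_login_failed', function () {
    $key   = example_attempt_key();
    $fails = (int) get_transient($key) + 1;
    // Each failure resets the expiry, so attempts made during a lockout extend it.
    set_transient($key, $fails, LOCKOUT_SECONDS);
});

add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(example_attempt_key()) >= MAX_ATTEMPTS) {
        return new WP_Error('too_many_retries', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}, 30, 3);  // priority 30 runs after WordPress's own password check at 20

add_action('wp_login', function () {
    delete_transient(example_attempt_key());  // clear the counter on a successful login
});
```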
Keep Things Up To Date
One of the ways that bad guys like to get in and plant nasties on a site is via old and out-of-date software, themes and especially plugins. So make sure you keep themes and plugins up to date. It’s also worth updating WordPress itself when new versions become available (but with big changes, make sure it won’t break any plugins or themes you’re using!).
Here on ChurchMag we recently explained that too many plugins can really slow a site down – and they can! So if you’ve got lots of old plugins and themes, it’s best to delete them rather than leave them lying around – this not only makes your site more secure, but also saves you some hosting space!
Disable Directory Indexes
The Secure WordPress plugin adds a virtual ‘index’ page to the plugin folder, so bots and other nasties can’t crawl it to find vulnerabilities. For extra security, you can disable ‘directory indexes’ to stop things poking around in other areas! This is especially useful in the themes folder.
The settings in cPanel (the most common web control panel) are in the ‘Index Manager’ in the ‘Advanced’ section. Here’s a tutorial video showing how to use it:
(Embedded YouTube tutorial video, ID m5DcQavgOoc)
Making WordPress More Secure When It’s Installed
You can make an installation of WordPress much more secure simply by the way you initially install it. The great John Saddington has already written an excellent post on how to install WordPress securely; it’s well worth a read.
So that’s some basic and simple ways to help make your WordPress site more secure.
Have you got any more tips we can learn from?
How do you keep your WordPress site(s) secure?
Jason Delgado says
Very helpful, thanks… I’ve been the victim of several WP security flaws.
James Cooper says
I hope they help, Jason – want to keep those baddies out!
Daniel Berman says
I have been using http://www.spambotsecurity.com/zbblock.php on several PHP websites, including WordPress installs, and I have been impressed with the effectiveness, security methodology and developer attentiveness to users’ needs.
I first discovered them as I have a community advocacy forum that was having issues with spam registrations and hacking attempts, despite multiple security plugins including Bad Behaviour. After installing ZB Block I have been able to pull all of the security plugins out and just use ZB Block exclusively.
James Cooper says
Thanks for the tip, Daniel. Looks like a very interesting way of securing things.