WordPress is, in my opinion, the best choice for your blog. It is powerful and highly extensible. I have created a list of things that anyone can do to add layers of protection to their blog. Blogging means spending time writing, and no one wants to see that time and effort wasted because of some hacker. In addition, it is not healthy to be worrying all the time about hackers and system errors. This list will help you relax, stop thinking about security and focus on writing.
Steps to secure your WordPress blog:
- Hide your WordPress version. Most hackers take advantage of the security holes and vulnerabilities of specific versions, so it is good practice to hide that number, especially if you don’t update to the latest version. I have posted how to do it here, but a good hacker can find that information from other sources. After I wrote that post, I started digging through the WordPress files and found that there is a readme.html file in the WordPress installation folder that shows the version number in big letters at the very top of the page. Also, if you look at the generated HTML code, there are several places where the version number is added. If you hide the version from the generator information and delete or hide the readme file, you will make it (at least) time consuming for someone to find that information.
- Keep WordPress up to date. For the reason mentioned earlier about security holes found in previous versions, it is very important that you update your WordPress to the latest version. You are more secure because the vulnerabilities found get fixed, and in addition you get all the juicy stuff each version brings. Updating is your best weapon against hackers.
- Encrypt your login process. If your blog is not served over HTTPS, then the information you send to the blog, including your username and password, is visible to anyone watching the traffic. If you have no idea what I just said, you should know that there are several methods for hackers to see what you do and all the information you send and receive while online. It is not as easy as it sounds, and in most cases the hacker must be on the same network as you, but it is possible. There are plugins that help you encrypt your login without having HTTPS (note that they protect only the password exchange, not the rest of your session, so HTTPS is still the better option). I use Chap Secure Login: you install it from your WordPress dashboard, activate it and you are ready to go.
- Use a strong password. If you have a weak password, all other security measures don’t matter. If a hacker manages to log into your WordPress with your credentials, then he has full access to mess with your blog/website. The last paragraph of the Wi-Fi Security post explains what a strong password is and how to generate one. Some argue that a password made of a short, easy-to-remember sentence is better than a complex password. This is true in most cases but not in others. For example, “MarkRules” can be cracked very fast with a dictionary attack, but “AWhiteHorseInAField” is very easy to remember and very hard to crack. I suggest that you read, if you don’t already know, about brute force attacks and dictionary attacks.
- Change/Remove the admin user. For the same reason as the strong password step, you are advised to remove the admin user. Most attackers will try to find the password of the admin user because that account has the most privileges on your blog by default. Don’t forget, you should always have an administrator user, but it should not have “admin” as its username. It is another step that adds a layer of protection to your WordPress.
- Limit login attempts. This is one of the must-do steps. You should limit login attempts so attackers will not be able to use brute force attacks to guess your password. There are many plugins you can use for that. I use Limit Login Attempts; it has options you can set, like how many attempts per IP, for how long to block the IP, logging the IPs that failed to log in, and more. The process is easy: search for it from your WordPress dashboard, install and activate. Another good plugin is Login Lockdown; you can look at several plugins and choose the one that is best for you.
- Make backups. For me this is the most important step. Even if you create the most secure blog, you cannot be sure that you will not lose your data. I have read, and you most probably have too, about hosting providers getting hacked. If your hosting provider or hosting server gets hacked there is nothing you can do; your secured blog is vulnerable and you can lose everything. It is like securing your PC with firewalls, anti-virus, anti-spyware and every kind of protection you can imagine, and then some crazy man comes to your house with an axe and smashes your PC. The chances of your hosting server being hacked are higher than the chances of the crazy man. By having a backup you can restore your blog in no time. I advise you not to back up only the database, because it is only a part of your blog; you should also back up your plugins, your photos and basically all the files that belong to your blog. A very good plugin that does exactly that is BackWPup. This plugin lets you back up everything; it has an option to compress the backup with zip and send the backup files almost anywhere. You can send a copy to your email, send a copy to your Dropbox folder, and many more options. You can also set it to make scheduled backups, daily or weekly, choose the day and time, and choose which files you want or don’t want to back up.
- Change file permissions. This is a very important step, but you should be very careful while messing with file permissions. Changing the permissions to read-only for everyone except you is very good because you make sure that only you can change the files. There are some files that should not be locked, because you want WordPress and plugins to be able to change them. I will not say anything specific about how to change permissions, because the post is for anyone and this step is not. You can always search for it.
- Filter comment spam. The previous steps are for securing your WordPress blog against hackers and loss of data. This step is to prevent spammers from commenting on your blog. You don’t want junk comments on your blog. Even if you don’t allow comments to appear automatically and must approve them, I don’t believe you want the extra work of filtering those spam comments manually. There are plugins that filter spam comments by adding a CAPTCHA to prevent automated commenting, but I find them annoying. In some cases I cannot recognize the letters, and I hate trying 3-4 times to post a comment. The best choice I have found to filter automated comments is to let users solve a very easy math equation like 3+5. I prefer the Math Comment Spam Protection plugin.
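Two of the steps above, hiding the version number and limiting login attempts, can also be done without a plugin. The following must-use plugin is an added example written for this post, not code from any of the plugins mentioned; the limits (5 attempts, 15-minute lockout), the `bh_` prefix and the file name are assumptions.

```php
<?php
/*
 * Plugin Name: Blog Hardening (added example, not a published plugin)
 * Save as wp-content/mu-plugins/blog-hardening.php; WordPress loads it automatically.
 */

// 1. Hide the WordPress version: drop the generator meta tag (and the RSS generator),
//    and strip the ?ver=<core version> query string from core scripts and styles.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

function bh_strip_core_version( $src ) {
    // Only strip the core version; plugin assets keep their own cache-busting value.
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'bh_strip_core_version' );
add_filter( 'script_loader_src', 'bh_strip_core_version' );

// 2. Limit login attempts per client IP using transients (assumed limits).
define( 'BH_MAX_ATTEMPTS', 5 );
define( 'BH_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

function bh_attempt_key() {
    // REMOTE_ADDR is the real client only if no reverse proxy sits in front of PHP.
    return 'bh_login_' . md5( $_SERVER['REMOTE_ADDR'] );
}

// Count each failed login for the IP; the counter expires with the lockout window.
function bh_record_failed_login( $username ) {
    $key      = bh_attempt_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, BH_LOCKOUT_SECONDS );
    error_log( sprintf( 'Failed login for "%s" from %s (attempt %d)',
        $username, $_SERVER['REMOTE_ADDR'], $attempts ) );
}
add_action( 'wp_login_failed', 'bh_record_failed_login' );

// Priority 30 runs after the built-in username/password check (priority 20),
// so a locked-out IP gets an error even when the password is correct.
function bh_block_locked_out( $user, $username, $password ) {
    if ( (int) get_transient( bh_attempt_key() ) >= BH_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'bh_block_locked_out', 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () { delete_transient( bh_attempt_key() ); } );
```

The readme.html file is not touched by this code; delete it or block it in your web server configuration as the step above describes.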
Those steps are enough to protect your WordPress blog, and almost all of them can be done through your WordPress dashboard by anyone. This is my biggest post, but security is very critical, and for a serious blogger the blog is one of the most valuable things they have. I hope you found this post helpful.