Wordpress Security

Deny Access to wp-config.php

David Turnbull — Mon, 05 Oct 2009 04:48:29 +0000

Just like we can deny access to readme.html, it’s possible to deny public access to wp-config.php using the .htaccess file. But, before doing this, ask yourself this question:

Is your blog installed in the /public_html folder?

If it is, then instead of using .htaccess to prevent public access to the file, it’d probably be better to move the wp-config.php file.

For everyone else, add the following code to the .htaccess file thats in the same directory as your wp-config.php file.

# protect wp-config.php

Order deny,allow
deny from all

You might also want to read...

How to Secure WordPress, a Quick Start Guide

David Turnbull — Mon, 05 Oct 2009 04:34:06 +0000

In a rush? Here are 5 quick ways to secure your WordPress blog. At the very least follow these steps.

1. Delete the default administrator

Create a new administrator with a complex username, login with that account and delete the default administrator. Leaving the administrator’s username as “admin” makes cracking your login details 100% faster.

Why you need to delete the default administrator (and how to actually do it).

2. Create a really strong password

Passwords can never be too complex. Use a password manager to make remembering passwords easier, and consider using strongpasswordgenerator.com to generate the password itself.

3. Install all the plugins listed in our Plugins section

But the most important 3 to install are:

Antivirus for WordPress, which scans your WordPress blog for malware and worms.
Login Lockdown, which helps fight against brute force attacks.
WP-DB-Backup, to backup your WordPress database via email.

4. Move wp-config.php

Login to your server via FTP and move the wp-config.php file to the parent directory. If it currently resides in /public-html/blog then move it to /public_html/. But if it’s in /public_html/ then move it to the top level directory, /.

5. Stay aware

Subscribe to the WordPress Development Blog and wpsecure.org feeds to remain up to date on all the latest security exploits that may affect you and your blog. Awareness is half the battle.

You might also want to read...

Credits

David Turnbull — Mon, 05 Oct 2009 03:38:01 +0000

There are thousands of people who have indirectly contributed to this project but here are the people who have directly contributed content or inspiration:

Peter Cooper of RailsInside.com
Joel Williams of BlogTechGuy.com
Dan Schulz, a SitePoint advisor and SEO.com administrator
John of WPBlogHost.com
Syed Balkhi of WPBeginner.com

You might also want to read...

WordPress Backup

David Turnbull — Mon, 05 Oct 2009 03:26:22 +0000

Wordpress Backup isn’t a plugin I use these days because it doesn’t scale well for large blogs and I figure it’s best to just stick with tools that have continuity. But what it basically does is backup your blogs files (plugins, themes etc) and then send them via email just like the WP DB Backup plugin.

If you aren’t interested in paying for Amazon S3 then this is a suitable alternative, but just be mindful of the fact that it’ll probably stop working if your blog gets too large.

Click here to read more about email backups.

You might also want to read...

WP DB Backup

David Turnbull — Mon, 05 Oct 2009 03:25:15 +0000

WP DB Backup is the premier database backup plugin for Wordpress. Simply install the plugin and then enter the email address you want the backups sent to.

Choose the backup frequency based on your blogs activity. I backup once per day, because I receive a moderate amount of comments. If you receive a greater number of comments throughout the day, or simply post more frequently, then increasing the backup frequency to twice per day is probably a good time.

Click here to read more about email backups.

You might also want to read...

Secure WordPress

David Turnbull — Mon, 05 Oct 2009 03:22:22 +0000

Note: This plugin is not officially associated with this project. The name is simply a coincidence.

Secure WordPress automates a few simple security tasks:

Removes error-information on login-page
Adds index.html to plugin-directory (virtual)
Removes the wp-version, except in admin-area
Removes Really Simple Discovery
Removes Windows Live Writer
Remove core update information for non-admins
Remove plugin-update information for non-admins
Remove theme-update informationfor non-admins (only WP 2.8 and higher)
Add string for use WP Scanner

There is some duplication with other plugins (Login Lockdown removes error information on the login page for example) but features like hiding the version number make it a worthy install.

You might also want to read...

Stealth Login

David Turnbull — Mon, 05 Oct 2009 03:10:56 +0000

Stealth Login makes it easy to change the login address for the WordPress administration area, and prevent users form logging in via wp-login.php (just activate Stealth Mode). Even if someone cracks your username and password they’ll become stuck because there won’t be anywhere to login.

While it may not stop seasoned hackers from getting into your system, it takes just a few seconds to setup and is a worthy precaution to take.

You might also want to read...

Local Backups

David Turnbull — Mon, 05 Oct 2009 00:26:53 +0000

This may be overkill and is the only part of the system that you don’t really need to put into place, but if you like the idea of having your backups stored locally (which has the convenience of being able to restore them easily) then you’ll like this idea.

Basically, setup the email backup system described previously but use a desktop mail program such as Mail.app for Mac or Outlook for Windows to download the emails to your computer. *BAM* all your backups are now on your system.

If you’re a Mac user buying a Time Capsule will allow you to backup your local computer (including all the website backups) and because it’s wireless you can just shove it in a cupboard, out of sight and never think about it again. That’s some extreme blog backing up right there. Tad overkill, but the Time Capsule is a very nice device.

You might also want to read...

Web Host Backups

David Turnbull — Mon, 05 Oct 2009 00:23:04 +0000

If you’re not using a web host that performs its own daily backups then switch (I personally use thiswebhost.com and they’ve been fantastic so far). But never rely on the backups from your web host.

It may be relatively uncommon for web hosts to lose your data but they’re not immune to the possibility and even if they claim to perform regular backups you can never really know how comprehensive their systems are.

Use a web host that performs their own backups because it gives you just 1 more layer of protection, but don’t use them as a replacement for your own system. Think of them as a bonus.

You might also want to read...

What is the Secure WordPress project?

David Turnbull — Sun, 04 Oct 2009 23:22:35 +0000

Secure WordPress is a resource I wanted to have myself, a compete checklist and walkthrough of all the security topics relating to self-hosted installations of WordPress. But since there was so little talk online about these topics (beyond the basics, which we do cover still) I decided to make it myself.

The History

The idea for Secure WordPress first came to me in about June of 2009. I’d been thinking of things I could write an eBook about to sell, and WordPress security just seemed like a great topic to cover.

I soon decided that it’d feel wrong to sell information that is so critical to WordPress bloggers, so the plan was to compile a nice looking PDF file and then distribute it for free as a way to gain recognition from a blog I’d yet to launch (but is going strongly now), Adventures of a Barefoot Geek.

But even the idea of using a PDF seemed sort of archaic, especially since I wanted this to be an evolving resource. Then at 10pm one night I registered wpsecure.org and got to work, setting up this blog, adding all the content from the Pages document I’d been working on. And that’s how this project came about.