How to Make WordPress More Secure from Hackers & Robots

Jun 8, 2009   //   by Gerald Weber   //   SEO Blog  //  57 Comments


WordPress is one of the most popular open source blogging platforms. Unfortunately, this also seems to make it a popular target for hackers. While keeping your WordPress installation up to date can prevent a lot of potential security breaches, that’s not a guaranteed way to stay safe. Today, I’m going to cover a few steps you can take to give yourself extra layers of protection against hackers and evil robots.

Although these first steps may seem extremely basic, it’s always good to be reminded of the fundamentals. A great example of this was the Twitter happiness fiasco that occurred a couple of months ago. While it did have some entertainment value, it also served as a reminder that even the most basic security measures can be overlooked if you aren’t proactively taking steps to be more secure. Here are a few lessons that can be learned from that fiasco:

Don’t use words from the dictionary for your password

For example, passwords like password or happiness.

Most brute force attacks attempt to gain access by trying a prearranged list of dictionary words. If you choose a password that is not a word from the dictionary, you won’t leave yourself open to this type of attack.

Don’t use weak passwords

For example, all lower case with no numbers or other characters.

What exactly makes a password strong? Strong passwords have the following characteristics:

  • Lengthy: each character you add makes the password exponentially harder to guess.
  • A combination of letters, numbers and symbols: the more, the better.
  • Both upper case and lower case letters.
  • Easy for you to remember but difficult for others to guess.

Microsoft has some more detailed tips on how to create strong passwords that are easy to remember but difficult for others to guess.

Whatever you do, don’t allow UNLIMITED login attempts!

In the case of the Twitter fiasco, the hacker actually launched an automated brute force attack which ran overnight while he was sleeping. The WordPress Limit Login Attempts Plugin is an ideal way for WordPress users to protect themselves from such brute force attacks. It works using both IP addresses and cookies. It can be set to notify you via email when someone has been locked out due to four failed login attempts. The first time four failed attempts occur, the user or potential hacker is locked out for twenty minutes. After the next four failed attempts, the lockout lasts for twenty-four hours. These are the default settings, but they are fully customizable.
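To make the escalating lockout concrete, here is an added example (written for this post, not the plugin's own code) that models the default policy just described: four failures lock a client out for twenty minutes, and the next four lock it out for twenty-four hours. It assumes the client is identified by a string such as its IP address or a cookie value, and that counters are only cleared by a successful login.

```python
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClientState:
    failures: int = 0          # failed logins since the last lockout or success
    lockouts: int = 0          # lockouts issued so far for this client
    locked_until: float = 0.0  # unix time at which the current lockout ends


class LoginLimiter:
    """Escalating lockout modelled on the plugin defaults described in the post:
    4 failures -> 20 minute lockout, the next 4 failures -> 24 hour lockout.
    Assumption (not from the post): counters are cleared only by a successful login."""

    def __init__(self, allowed_retries=4, short_lockout=20 * 60, long_lockout=24 * 60 * 60):
        self.allowed_retries = allowed_retries
        self.short_lockout = short_lockout
        self.long_lockout = long_lockout
        self.clients: dict = {}

    def _state(self, client_id: str) -> ClientState:
        # client_id is whatever identifies the client: the source IP or a cookie value
        return self.clients.setdefault(client_id, ClientState())

    def is_locked(self, client_id: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self._state(client_id).locked_until > now

    def record_failure(self, client_id: str, now: Optional[float] = None) -> Optional[float]:
        """Count a failed login. Returns the lockout expiry time if the client is
        (or just became) locked out, otherwise None."""
        now = time.time() if now is None else now
        st = self._state(client_id)
        if st.locked_until > now:
            return st.locked_until  # already locked: reject without counting the attempt
        st.failures += 1
        if st.failures < self.allowed_retries:
            return None
        st.failures = 0
        st.lockouts += 1
        duration = self.short_lockout if st.lockouts == 1 else self.long_lockout
        st.locked_until = now + duration
        return st.locked_until  # this is the point where the plugin would email you

    def record_success(self, client_id: str) -> None:
        # A good login clears the client's history
        self.clients.pop(client_id, None)
```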

Robots Behaving Badly

There are all kinds of robots that roam the web. While some of them are friendly (Googlebot), others have malicious intentions (like harvesting your email address so they can spam you to death, or spamming the comments section of your blog).

Bad Behavior is a very cool WordPress plugin that stops these robots dead in their tracks. This plugin actually stops them from ever even visiting your website. The unique way Bad Behavior works is by analyzing the HTTP request to see if it looks spammy or malicious. Besides the obvious benefits of having less spam on your site and in your email inbox, this plugin also keeps robots from using up your bandwidth and ensures that your analytics stats more accurately reflect actual human visitors.

While this plugin is intended mainly as a spam prevention tool, I have also discovered that it may prevent others from viewing your site through a proxy server. This is a nice benefit since many hackers attempt to conceal their identity by hiding behind a proxy. Here is the message that will usually be presented when someone attempts to access the site from behind a proxy:

[Screenshot: the Bad Behavior block message shown to a visitor connecting through a proxy]

Secure WordPress is another WordPress plugin that does many things in an effort to make WordPress more secure. Here are a few of the benefits of the plugin:

  • removes error information from the login page
  • adds a (virtual) index.html to the plugin directory
  • removes the WordPress version, except in the admin area
  • removes plugin update information for non-admins

Limit WP-Admin folder to One IP Address

Chad Bean from SEO Hosting explains how and why to do this.

Most of the vulnerabilities found in WordPress affect files in the wp-admin directory. By IP restricting this directory, and the WordPress login page, you’re adding an extra security layer on top of your WordPress installation.

You can IP restrict this folder by creating an “.htaccess” file in your wp-admin/ directory with the following contents:

[Screenshot: the .htaccess IP restriction rules]

Of course, if you have a dynamic IP, this .htaccess file needs to be updated to reflect your current IP address. Multiple IPs can be added by adding extra “allow from IP” lines, in case you want to access the admin from, say, your home and office, or if you have multiple blog authors.

Note: where it says (allow from 000.0.0.0), put your own IP address there. If you are not sure what your IP address is, you can find out by visiting http://www.whatismyip.com

Note x 2: If you use this method to IP restrict the wp-admin directory, there is no need to use the Limit Login Attempts Plugin. The reason is that anyone whose IP is not included will not even be able to view the admin login page; instead, it will simply go to a 404 page.
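Since the rules themselves were only in the screenshot, here is an added example of the two files (written for this post, not taken from it or from SEO Hosting), assuming Apache 2.2 and the placeholder addresses 203.0.113.5 and 198.51.100.23; it also covers the login page, which lives outside wp-admin, and re-opens admin-ajax.php, which front-end features call on behalf of ordinary visitors.

```apache
# File 1: wp-admin/.htaccess  (Apache 2.2 mod_access syntax)
# Deny everyone, then allow only the listed addresses. 203.0.113.5 and
# 198.51.100.23 are placeholders from the documentation ranges: replace
# them with your own public IP address(es), one "allow from" line each.
order deny,allow
deny from all
allow from 203.0.113.5
allow from 198.51.100.23

# admin-ajax.php sits inside wp-admin but is requested by front-end
# features for anonymous visitors, so open it back up to everyone.
<Files admin-ajax.php>
    order allow,deny
    allow from all
</Files>

# File 2: .htaccess in the WordPress root. The login page (wp-login.php)
# is outside wp-admin, so it needs its own rule with the same addresses.
<Files wp-login.php>
    order deny,allow
    deny from all
    allow from 203.0.113.5
    allow from 198.51.100.23
</Files>

# On Apache 2.4 the equivalent directives are:
#     Require all denied
#     Require ip 203.0.113.5 198.51.100.23
```

A client that is not listed receives 403 Forbidden from Apache unless an ErrorDocument directive maps that response to another page. Check the result from an outside connection (a phone on mobile data will do) before relying on it.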

Always Have a Backup Plan

Even after implementing the security measures we discussed today, there is still the possibility of a worst case scenario where you are hacked and everything is lost. Fortunately, as long as you have a backup, you will be able to easily restore your data and files. The WP-Database Manager will back up the database and email the backup to you on a daily, weekly or monthly basis.

While this is great to have in the event of a database meltdown, it only backs up data and not files. So, what if all of your files were also to disappear?

[Screenshot: cPanel backups]

Well, if you use a host like HostGator (which I do), they perform automatic weekly backups on all of their shared hosting plans. This can add a certain comfort level in knowing that you can always retrieve and restore a full backup. However, I still like to occasionally make a full backup myself, and most hosts give you a simple way to do this with only a few clicks. The best thing to do is to check with your host and inquire as to their simple procedure for manually creating a full backup.


  • Chad Bean says:

    Don't forget about staying on top of WordPress upgrades.

  • Tracy says:

    Thanks for the plug in tips, I didn't know about a couple of them. Regular back ups are a must, I find it's one of those jobs I should automate so I don't have to rely on myself to remember. Of course, before I make major changes to my site I'll do a manual back up.

    Tracy’s last blog post: People who need pupa are the pluckiest people

  • Great information, you can never have too many security tips.

  • Dicky says:

    Maybe you should try "Administration Over SSL", which you can read from WordPress Codex site.

    Dicky’s last blog post: 14 Javascript Resources And Plugins For Creating A Stylish Chart

  • Stephen Cronin says:

    Hi Gerald,

    Nice tips. Personally, I've password protected my wp-admin folder through CPanel (as my IP address isn't static).

    However, while I think it's worth doing much of this, I suspect that the vast majority of cases where sites are hacked actually happen at the host level.

    All the above (well except for the backups) won't help at all if an attacker can FTP into your host and edit your .htaccess file.

    Stephen Cronin’s last blog post: New Greasemonkey Script To Number Bing Search Results

    • Gerald Weber says:

      True, if someone can hack into your FTP account you might be in trouble. Hopefully the strong password will help prevent this from happening.

  • Jason says:

    Another good plugin is wp-security. Among other things it checks your file & directory permissions, a thing which is regularly screwed up by people installing WordPress.

    http://wordpress.org/extend/plugins/wp-security-s

  • Jomer Gregorio says:

    nice! I don't really know that hackers can actually infiltrate your WordPress blog back office.

    I really appreciate this info.

    thanks.

    Jomer Gregorio’s last blog post: MLM Success Story (Jerry Ricablanca)

  • Another effective plugin for more blog security: http://wpantivirus.com

  • Thanks for the useful suggestions, Gerald.

    As someone noted earlier in the comments, I upgraded to WP 2.8 to make my site less vulnerable to hackers. Also, I attended a WP meetup earlier this week in which the presenter cautioned against installing too many widgets, especially those that have a lot of downloads as those may be vulnerable. I was wondering if you had any thoughts on that.

  • Károly Domony says:

    Hi,

    Your site is one of my favorites seen around blog explosion. Keep up the good work.

    I enjoy reading your blog. It is great to find someone who can find the fun things in life!

    I wish you all the best in all years. I look forward to developing a friendship and networking with you.

    Take a look at my websites AriesTrade Network in Europe.

    With Regards,

    Karoly Domonyi
    http://www.twitter.com/aries_hu

  • Les says:

    And remove readme.html from your public_html directory. This will prevent malicious people from determining your version of WordPress.

    IE: http://www.sem-group.net/readme.html

    ;-)

    Great list. Thanks for sharing!

  • sohail ahmad says:

    Yes. I agree with you!!!

    Check out: Bulk Email Addresses

  • Jerry says:

    What a useful post! I had my wordpress website account hacked and they caused total mayhem and nearly destroyed my site! The hackers cost a large % of my traffic! They need to be stopped!

  • Aj Patel says:

    Sounds interesting, but I have some confusion about this plugin.

  • hermes kelly bag says:

    What a useful post! I had my wordpress website account hacked and they caused total mayhem and nearly destroyed my site! The hackers cost a large % of my traffic! They need to be stopped

    Read more: http://sem-group.net/search-engine-optimization-b

  • thanks for your seo tips, it helps my seo job.

  • Free Installation says:

    Let me share something here. There's a Free WP blog installation service. Good work and awesome plugin list too! Your only obligation is to refer 5 visitors. Check it out http://bit.ly/wpfreeinstall

  • […] How to Make WordPress More Secure from Hackers & Robots We have over 50,000 products and services represented on LinkedIn Company Pages today and that number is growing at a pretty rapid clip. […]