How to Make WordPress More Secure from Hackers & Robots
Thanks for being a return reader! If you haven't already, you may subscribe to our articles by email alerts or via RSS feed . Also you can follow us on Twitter !
WordPress is one of the most popular open source blogging platforms. Unfortunately, this also seems to make it a popular target for hackers. While keeping your WordPress installation up to date can prevent a lot of potential security breaches, that’s not a guaranteed way to stay safe. Today, I’m going to cover a few steps you can take to give yourself extra layers of protection against hackers and evil robots.
Although these first steps may seem extremely basic, it’s always good to be reminded of the fundamentals. A great example of this was the Twitter happiness fiasco that occurred a couple of months ago. While it did have some entertainment value, it also served as a reminder that even the most basic security measures can be overlooked if you aren’t proactively taking steps to be more secure. Here are a few lessons that can be learned from that fiasco:
Don’t use words from the dictionary for your password
For example, passwords like password or happiness.
Most brute force attacks attempt to gain access by trying a prearranged list of dictionary words. If you choose a password that is not a word from the dictionary, you won’t leave yourself open to this type of attack.
Don’t use passwords that aren’t strong
For example, all lowers case with no numbers or other characters.
What exactly makes a password strong? Strong passwords have the following characteristics:
- Lengthy: Each time you add a character, your password becomes exponentially more difficult to guess.
- A combination of letters numbers and symbols: The more characters the better
- Uses both upper case and lower case letters
- Use a password that is easy for you to remember but difficult for others to guess
Microsoft has some more detailed tips on how to create strong passwords that are easy to remember but difficult for others to guess.
Whatever you do, don’t allow UNLIMITED login attempts!
In the case of the Twitter fiasco, the hacker actually launched an automated brute force attack which ran overnight while he was sleeping. The WordPress Limit Login Attempts Plugin is an ideal way for WordPress users to protect themselves from such brute force attacks. It works using both IP addresses and cookies. It can be set to notify you via email when someone has been locked out due to four failed login attempts. The first time four failed attempts occur the user or potential hacker is locked out for twenty minutes. After the next four failed attempts, the lockout last for twenty-four hours. These are the default settings, but they are fully customizable.
Robots Behaving Badly
There are all kinds of robots that roam the web. While some of them are friendly (Googlebot), others have malicious intentions (like harvesting your email address so they can spam you to death, or spamming the comments section of your blog).
Bad Behavior is a very cool WordPress plugin that stops these robots dead in their tracks. This plugin actually stops them from ever even visiting your website. The unique way Bad Behavior works is by analyzing the http request to see if it looks spammy or malicious. Besides the obvious benefits of having less spam on your site and in your email inbox, this plugin also keeps robots from using up your bandwidth and ensuring that your analytics stats more accurately reflect actual human visitors.
While this plugin is intended mainly as a spam prevention tool, I have also discovered that it may also prevent others from being able to view your site through a proxy server. This is a nice benefit since many hackers attempt to conceal their identity by hiding behind a proxy. Here is the message that usually will be presented when someone attempts to access the site from behind a proxy:
Click image for larger view
Secure WordPress Is another wordpress plugin that does many things in an effort to make WordPress more secure. Here are a few of the benefits of the plugin:
- removes error-information on login-page
- adds index.html to plugin-directory (virtual)
- removes the wp-version, except in admin-area
- removes plugin-update information for non-admins
Limit WP-Admin folder to One IP Address
Chad Bean from SEO Hosting explains how and why to do this.
“Most of the vulnerabilities found in WordPress, affect files in the wp-admin directory. By IP restricting this directory, and the WordPress login page, you’re adding an extra security layer on top of your WordPress installation.
You can IP restrict this folder, by creating an “.htaccess” file in your wp-admin/ directory, with the following contents:
Of course, if you have a dynamic IP, this .htaccess file needs to be updated to reflect your current IP address. Multiple IP’s can be added by adding extra “allow from IP” lines, in case you want to access the admin from say your home, and office, or if you have mutliple blog authors.“
Note: where it says (allow from 000.0.0.0) actually put your IP address there. If you are not sure what your IP address is you can find out by visiting http://www.whatismyip.com
Note x 2: If you use this method to IP restrict the wp-admin directory, there is no need to use the Limit Login Attempts Plugin. The reason is because anyone who does not have their IP included will not even be able to view the admin login page; instead, it will simply go to a 404 page.
Always Have a Backup Plan
Even after implementing the security measures we discussed today, there is still the possibility of a worst case scenario where you are hacked and everything is lost. Fortunately, as long as you have a backup, you will be able to easily restore your data and files. The WP-Database Manager will backup and email a database backup to you on a daily, weekly or monthly basis.
While this is great to have in the event of a database meltdown, it only backs up data and not files. So, what if all of your files were also to disappear?
Well, if you use a host like HostGator (which I do), they perform automatic weekly backups on all of their shared hosting plans. This can add a certain comfort level in knowing that you can always retrieve and restore a full backup. However, I still like to occasionally make a full backup myself, and most hosts give you a simple way to do this with only a few clicks. The best thing to do is to check with your host and inquire as to their simple procedure for manually creating a full backup.
Similar Posts:
- 15 WordPress Plugins That I Can’t Live Without
- 5 Free SEO Tools You’re Probably Not Using Yet
- Automatically Perfect Your Blog’s SEO
- 10 Ways to Speed Up Your Blog
- 15 Ways To Get Your Blog Comments Noticed
About The Author
johnmcelborough
Kristi Hines
Gloson
Onibalusi Bamidele
Dev - Technshare.com
"Gerald handles all of my SEO and web marketing needs. I seriously think he might work at his computer 24-7 because it never takes more than 30 seconds for him to respond to any question I might have. Within weeks of hiring him, he quadrupled my web traffic. He seems to be virtual friends with just about everyone on the Internet, and he knows how things work. If you have a website that you need optimized, he s your man." - Alisa Bowman 
"Gerald has deep knowledge of Search Marketing and a unique ability to understand the needs of each specific business. Gerald has helped my business and the businesses of my clients successfully!" - Craig Klein 
"I am impressed with the results of Gerald's SEO work he did for my website, with some keyword research and link building magic he moved me up to the first page in Google using a couple of keyword seaches in only 2 months. I also really like the tracking system that is sent to me weekly. Thank you Gerald!" - Elicia Woodford - 
"Since hiring Gerald to handle my SEO and link building needs, my website has taken a drastic leap upward in the search rankings. I'm now enjoying first page rankings for many of the most desirable keywords, and my website is getting more quality traffic and more conversions. I look forward to continuing the use of Search Engine Marketing Group's services!" - Eric Brantner 
I'm very impressed with how Gerald has increased my rankings in a short period of time. I have been stuck at the same spot for over a year until Gerald stepped in and helped me out. I'm excited to see what he can do for my other businesses! - Barbara Aquino