Securing WordPress

Discussion in 'WordPress' started by gkd_uk, Oct 7, 2013.

  1. #1
    Hi

    Lots of WordPress sites have been hacked recently. A few ISPs have sent out emails to customers hosting with them, requesting they update their WordPress version if they have not already done so.

    A few tips on what you can do to secure your WordPress site. If anyone else has any more, please share.

    Backup your site and database before making any changes.

    1) From time to time, WordPress releases new versions/updates of its software which may include bug fixes or patches to prevent hacking. Keep your version up to date; new updates are released for a reason.

    2) Keep your plugins up to date, including the ones you have deactivated.

    3) Change the default admin username to something different.

    4) Change your password to a strong one with a mix of uppercase and numeric characters.

    5) Move your wp-config to above your web root folder. Yes, it still works.

    6) Ensure your directories are secure and have the correct permissions as recommended by WordPress - visit http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php

    7) There are lots of free plugins available which help secure WordPress sites. A few also hide your version number, which hackers may scan for before hacking a site.

    8) You could also use a spam captcha plugin which allows you to add the feature to your admin login page. It can be a headache, as you will be required to enter a spam captcha code each time you log in, but it helps with those hacking via bot attacks.

    9) Use plugins which limit logins or lock out users for a number of minutes. Example: Limit Login Attempts

    If you have any more tips, please add them.

    Thanks
     
    Last edited: Oct 7, 2013
    gkd_uk, Oct 7, 2013 IP
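
Added example, not part of the original thread: a shell audit for tips 5 and 6 in post #1. It reports a wp-config.php that still sits in the web root or is accessible to other users, and anything world-writable in the tree; the finding names and the "no access for others" policy on wp-config.php are assumptions of this example, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit a WordPress tree for tips 5 and 6.
# Prints one finding per line; prints nothing when every check passes.
# Finding names are this example's own labels.

wp_audit() {
    root=${1%/}
    cfg=
    if [ -f "$root/wp-config.php" ]; then
        # Tip 5: WordPress also loads wp-config.php from the directory one
        # level above its install directory, outside the served tree
        # (provided that parent holds no wp-settings.php of its own).
        cfg=$root/wp-config.php
        echo "CONFIG_IN_WEBROOT $cfg"
    elif [ -f "$root/../wp-config.php" ]; then
        cfg=$root/../wp-config.php
    else
        echo "CONFIG_NOT_FOUND $root"
    fi
    # wp-config.php holds the database credentials and auth keys.
    # Assumed policy: no read or write bit for "other" users.
    if [ -n "$cfg" ] &&
       [ -n "$(find "$cfg" \( -perm -004 -o -perm -002 \))" ]; then
        echo "CONFIG_WORLD_ACCESSIBLE $cfg"
    fi
    # Tip 6: nothing in the tree should be writable by "other" users.
    # Symlinks are skipped; their own mode bits carry no meaning.
    find "$root" \( -type f -o -type d \) -perm -002 |
        sed 's/^/WORLD_WRITABLE /'
}

# Constructed sample tree (not a real site) that triggers three findings.
wp_audit_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html/wp-content/uploads"
    : > "$tmp/public_html/wp-config.php"
    chmod 644 "$tmp/public_html/wp-config.php"
    chmod 755 "$tmp/public_html" "$tmp/public_html/wp-content"
    chmod 777 "$tmp/public_html/wp-content/uploads"
    wp_audit "$tmp/public_html"
    rm -rf "$tmp"
}

wp_audit_demo
```

To check a real install, call `wp_audit` with the path of the directory that holds the WordPress files; an empty result means none of the three conditions were found.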
  2. Tarheel

    #2
    Tarheel, Oct 8, 2013 IP
  3. SlimCharles47

    #3
    Thanks for sharing this. It seems like the biggest thing is always going to be to update your plugins and your versions. It's amazing how many people just refuse to do this or don't see the value. I would also recommend limiting the number of log-in attempts and using an IP whitelist for WP-admin. This post gets a little more in-depth into some of the precautions you can take - http://blog.nexcess.net/2013/06/05/more-tips-to-keep-your-wordpress-site-secure/ I hope this complements your post.
     
    SlimCharles47, Oct 18, 2013 IP
  4. Tarheel

    #4
    Yep, that is always something that you want to do as well... especially if you are setting up a WP site for a client and then letting them log in to make changes. Protect the site, because they may have malware or something on their PC that can lead to vulnerability. I can see where people forget to update plugins and WP at times - depending on how many sites they manage. I oversee around 50 websites and it can be time consuming. But I make a list and update them the day WP updates. The plugins are more tricky though, because some sites have a variety of different plugins.
     
    Tarheel, Oct 21, 2013 IP
  5. atsad

    #5
    Hey.. this plugin seems great. But do you have any idea about the Better WP Security & Wordfence security plugins?
    I used both before, but now uninstalled it, as Better WP Security is more boring than it really works (for me). It crashes the site if the banned list's log becomes too large.
     
    atsad, Nov 3, 2013 IP
  6. Fox Robinson

    #6
    I have started using WP All in One Security and Firewall plugin which you can find here:
    http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
    It has some very useful features and, even better, you get a little points pie chart for every security measure you use, and I know we humans all love little achievements. It also categorises each measure as basic, medium or advanced and warns about certain measures to make sure you don't mess things up. Covers the standard WP security plugin bases and a few that I have never seen before.
     
    Fox Robinson, Nov 4, 2013 IP
  7. themes4all

    #7
    I think, guys, you can also follow this article: Secure Your Wordpress Website
    In fact there are a lot of things you can do to secure WordPress blogs, but you never have to touch the WordPress core files... I think the most important thing is to hide and secure the important files and directories...
     
    themes4all, Nov 4, 2013 IP
  8. Tarheel

    #8
    @atsad - is there a way to clear the logs?
     
    Tarheel, Nov 4, 2013 IP
  9. atsad

    #9
    Yeah, you can tick the ones you want to clear. Then click on Clear.
     
    atsad, Nov 4, 2013 IP
  10. Tarheel

    #10
    So you're saying the Better WP Security plugin crashed your website? Or the all-in-one security/firewall?
     
    Tarheel, Nov 5, 2013 IP