Tuesday, June 15, 2010

WordPress Security Tips to protect your WordPress Blog

SkyHi @ Tuesday, June 15, 2010

While WordPress is in general pretty secure from the ground up, it is still exposed to the many kinds of security exploits out there.

WordPress Security Tip # 1: Upgrade your WordPress Blog

Keep your WordPress blog up to date by installing the latest version of WordPress. You may think it is a pain to update every time, but if you don’t want your blog to be hacked, this is absolutely crucial.

WordPress has detailed and simple instructions on how to update your blog. Check them out and keep your blog up-to-date. You can subscribe to the WordPress Development blog at http://wordpress.org/development/feed/, which will keep you informed about the latest WordPress patches and releases.

WordPress Security Tip # 2: Remove the version string in your header.php file of your WordPress theme

Again, if you don’t keep your WordPress blog up-to-date with the latest version, WordPress is kind enough to let potential hackers know that you did not update your blog. Say you wanted to find a list of WordPress blogs still running WordPress 2.2: a simple Google search would generate one.

Every WordPress theme has a line in its header.php file that goes:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->

Make sure that you remove this line from the header.php file of your WordPress theme, so that you are not advertising an older version of WordPress to attackers.
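Here is an added Python check (not from the original post) that you can run over the HTML of your own pages after editing header.php. It lists any generator meta tag still present and also any `?ver=` query string on scripts and stylesheets, because WordPress appends a version to the assets it enqueues and many core assets under /wp-includes/ carry the WordPress version itself, which gives the version away even when the meta tag is gone. The sample HTML is constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class VersionLeakScanner(HTMLParser):
    """Collect the places in a page's HTML where a WordPress version number is exposed."""

    def __init__(self):
        super().__init__()
        self.generator_tags = []   # content of every <meta name="generator" ...>
        self.asset_versions = []   # (url, ver) for scripts/stylesheets carrying ?ver=

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator_tags.append(a.get("content") or "")
        elif tag in ("script", "link"):
            url = a.get("src") or a.get("href")
            if not url:
                return
            ver = parse_qs(urlparse(url).query).get("ver")
            if ver:
                self.asset_versions.append((url, ver[0]))


def wordpress_version_leaks(html):
    """Return what a page reveals about its WordPress version and where it leaks from."""
    scanner = VersionLeakScanner()
    scanner.feed(html)
    scanner.close()
    versions = set()
    for content in scanner.generator_tags:
        match = re.match(r"WordPress\s+([\d.]+)", content, re.IGNORECASE)
        if match:
            versions.add(match.group(1))
    for url, ver in scanner.asset_versions:
        # many core assets under /wp-includes/ are versioned with the WordPress version,
        # so their ?ver= value gives the version away even after the meta tag is removed
        if "/wp-includes/" in url:
            versions.add(ver)
    return {
        "generator_tags": scanner.generator_tags,
        "asset_versions": scanner.asset_versions,
        "versions": sorted(versions),
    }


# Constructed sample page (not a real site): an old blog that still has the tag and versioned assets.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 2.2" /> <!-- leave this for stats please -->
<link rel="stylesheet" href="/wp-content/themes/default/style.css?ver=1.0" />
<script type="text/javascript" src="/wp-includes/js/comment-reply.min.js?ver=2.2"></script>
</head><body><p>Hello world</p></body></html>"""


if __name__ == "__main__":
    report = wordpress_version_leaks(SAMPLE_HTML)
    if report["versions"]:
        print("version leaked:", ", ".join(report["versions"]))
    for content in report["generator_tags"]:
        print("  meta generator:", content)
    for url, ver in report["asset_versions"]:
        print("  asset ?ver=%s on %s" % (ver, url))
```

A theme update can overwrite header.php and bring the tag back; adding `remove_action('wp_head', 'wp_generator');` to your theme's functions.php removes it regardless of what the template contains. Either way, hiding the version only limits what a casual scan can see; Tip #1 is what actually closes the holes.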

WordPress Security Tip # 3: Secure your /wp-admin/ folder

a. .htaccess file:

After adding the .htaccess file below, any attempt to access your wp-admin folder from an address that is not whitelisted will be answered with a Forbidden error message. Note: for this method you need to create a new .htaccess file inside your wp-admin folder, not simply replace or edit the .htaccess file in the root folder of your WordPress blog.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Root777 Access Control"
AuthType Basic

order deny,allow
deny from all
# whitelist home IP address
allow from
# whitelist work IP address
allow from


This method is very good for those with a static IP address. You can find out your IP address here and replace the IP address shown above with your own. If your blog has multiple authors, you can add their IP addresses to this whitelist too.
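As an added example (not the post's own snippet), the following Python helper writes the wp-admin .htaccess for a list of addresses, validating each entry as an IP address or CIDR block first so a typo cannot silently lock everyone out or let everyone in. It emits only the access-control part: the Auth* lines in the snippet above have no effect unless a Require directive is also present. The `order`/`deny`/`allow` form is Apache 2.2 syntax, which Apache 2.4 rejects unless mod_access_compat is loaded, so the helper can emit `Require ip` instead. The addresses in the sample are documentation ranges, not real ones.

```python
import ipaddress


def _validate(addresses):
    """Parse each entry as an IPv4/IPv6 address or CIDR network; refuse anything else."""
    nets = []
    for entry in addresses:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError("not an IP address or network: %r" % entry) from exc
    if not nets:
        raise ValueError("at least one allowed address is required")
    return nets


def _fmt(net):
    # a /32 (or /128) is a single host; write it without the prefix length
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def wp_admin_htaccess(addresses, apache24=False, allow_admin_ajax=True):
    """Build the .htaccess text for wp-admin/ that admits only the given addresses."""
    nets = _validate(addresses)
    lines = ["# Generated allowlist for /wp-admin/: only these addresses may reach it"]
    if apache24:
        # Apache 2.4 (mod_authz_host): several Require lines are OR-ed together
        lines += ["Require ip %s" % _fmt(n) for n in nets]
    else:
        # Apache 2.2: deny everyone first, then allow the listed addresses
        lines += ["order deny,allow", "deny from all"]
        lines += ["allow from %s" % _fmt(n) for n in nets]
    if allow_admin_ajax:
        # themes and plugins call admin-ajax.php from public pages, so keep it reachable
        lines.append("<Files admin-ajax.php>")
        if apache24:
            lines.append("    Require all granted")
        else:
            lines += ["    order allow,deny", "    allow from all"]
        lines.append("</Files>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample: a home address and a work network from the documentation ranges
    print(wp_admin_htaccess(["203.0.113.5", "198.51.100.0/24"]))
    print(wp_admin_htaccess(["203.0.113.5", "198.51.100.0/24"], apache24=True))
```

Write the output to wp-admin/.htaccess and then test from an address outside the list to confirm you get the Forbidden page. The admin-ajax.php exception is there because many themes and plugins call that file from the public side of the site; if yours do not, pass `allow_admin_ajax=False` to lock it down as well.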

b. Use Login Lockdown plugin:

If you have a dynamic IP address, though, restricting access to your /wp-admin/ folder to certain IP addresses will not work. In that situation, use the Login Lockdown plugin, which helps stop attackers who try to brute-force the login.

Every failed login attempt is recorded. You can also set the threshold of failed logins after which an IP range is blocked, and for how long (an hour by default).

[screenshot: login lockout]
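The logic behind a lockout plugin, written here in Python as an added illustration rather than Login Lockdown's actual code: failed attempts are logged per address range, and once a range exceeds the threshold inside a short window it is locked for an hour, so the lock cannot be dodged by moving to a neighbouring address. The threshold of 3 attempts within 5 minutes and the /24 (IPv4) or /64 (IPv6) grouping are assumed parameters of this example, and the timestamps and addresses in the simulation are constructed.

```python
import ipaddress
from collections import defaultdict, deque


class LoginLockdown:
    """Track failed logins per address range; lock the range after too many in a short window."""

    def __init__(self, max_failures=3, window_seconds=300, lockout_seconds=3600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # range -> timestamps of recent failures
        self._locked_until = {}              # range -> time at which the lock expires
        self.log = []                        # (time, ip, username) for every failure

    @staticmethod
    def range_key(ip):
        """Collapse an address to its /24 (IPv4) or /64 (IPv6) so the lock covers the whole range."""
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False))

    def is_locked(self, ip, now):
        key = self.range_key(ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]      # the lock has expired
            return False
        return True

    def record_failure(self, ip, now, username=""):
        """Record a failed attempt; return True if this one tripped the lock."""
        key = self.range_key(ip)
        self.log.append((now, ip, username))
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(self.range_key(ip), None)

    def attempt(self, ip, now, password_ok, username=""):
        """Gate one login attempt; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip, now):
            return "locked"                  # refused without even checking the password
        if password_ok:
            self.record_success(ip)
            return "ok"
        self.record_failure(ip, now, username)
        return "failed"


def simulate():
    """Constructed sequence: three bad passwords from one host, then its neighbour in the same /24."""
    guard = LoginLockdown()
    results = [guard.attempt("203.0.113.10", t, False, "admin") for t in (0, 10, 20)]
    results.append(guard.attempt("203.0.113.11", 30, True, "admin"))    # right password, but the range is locked
    results.append(guard.attempt("203.0.113.11", 3700, True, "admin"))  # an hour later the lock has expired
    return results


if __name__ == "__main__":
    print(simulate())
```

The window matters as much as the threshold: three failures spread over an afternoon are a forgetful author, three inside five minutes are a guessing script, and only the latter should trigger the lock.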

c. Use robots.txt

Ryan lists an excellent SEO-optimized robots.txt file for a WordPress blog. Simply copy the robots.txt file below; it includes a Disallow: /wp- rule, which will keep well-behaved search engines such as Google from indexing any of your WordPress files. Note: the robots.txt file below includes exceptions that allow the Google image bot, the AdSense bot and other bots to index the content.

User-agent: *
# disallow all files in these WordPress directories
Disallow: /wp-content/
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-
# disallow all files in these directories
Disallow: /tag/
Disallow: /cgi-bin/
# disallow robots from parsing individual post feeds and trackbacks
Disallow: /feed/
Disallow: /trackback/
Disallow: */trackback*
# disallow any files that are stats related
Disallow: /stats*
Disallow: /about/legal-notice/
Disallow: /about/copyright-policy/
Disallow: /about/terms-and-conditions/
Disallow: /tag
Disallow: /docs*
Disallow: /manual*
Disallow: /category/uncategorized*

# disallow files ending with the following extensions
User-agent: Googlebot
Disallow: /*.php$
Disallow: /*.js$
Disallow: /*.inc$
Disallow: /*.css$
Disallow: /*.gz$
Disallow: /*.cgi$
Disallow: /*.wmv$
Disallow: /*.php*
Allow: /wp-content/uploads/

# disallow WayBack archiving site
User-agent: ia_archiver
Disallow: /

# allow google image bot to search all images
User-agent: Googlebot-Image
Allow: /*

# allow adsense bot on entire site
User-agent: Mediapartners-Google*
Disallow: /*?*
Allow: /*
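Two things about robots.txt are worth seeing in code before relying on it. First, it is advisory: it steers crawlers that choose to honour it and does nothing to a client that ignores it, so it keeps pages out of search results but is not an access control. Second, a crawler that finds a group for its own name uses that group alone and does not inherit the `*` rules, so in the file above Googlebot is never told to stay out of /wp-admin/ (only its .php files, through the extension rules). The matcher below is an added Python example, not the post's or any crawler's own code; it follows the longest-match rule from RFC 9309 with `*` and `$` support, matches the user-agent token exactly (case-insensitively) before falling back to `*`, and runs over a constructed excerpt of the file above.

```python
import re


def parse_robots(text):
    """Parse robots.txt into groups of (user-agent tokens, [(rule, path), ...])."""
    groups, agents, rules = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if rules:                              # a User-agent after rules starts a new group
                if agents:
                    groups.append((agents, rules))
                agents, rules = [], []
            agents.append(value.lower())
        elif field in ("allow", "disallow"):
            rules.append((field, value))
    if agents:
        groups.append((agents, rules))
    return groups


def _pattern_matches(pattern, path):
    """robots.txt path pattern: '*' matches any run of characters, a trailing '$' anchors the end."""
    anchored = pattern.endswith("$")
    if anchored:
        pattern = pattern[:-1]
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*"))
    if anchored:
        regex += "$"
    return re.match(regex, path) is not None


def select_group(groups, user_agent):
    """Use the group naming this crawler; otherwise the '*' group; never both merged."""
    ua = user_agent.lower()
    for agents, rules in groups:
        if ua in agents:
            return rules
    for agents, rules in groups:
        if "*" in agents:
            return rules
    return []


def can_fetch(robots_text, user_agent, path):
    """True if the crawler may fetch path: the longest matching rule wins, Allow wins ties."""
    rules = select_group(parse_robots(robots_text), user_agent)
    best_len, allowed = -1, True
    for rule, pattern in rules:
        if pattern == "":
            continue                               # 'Disallow:' with no value disallows nothing
        if _pattern_matches(pattern, path):
            length = len(pattern)
            if length > best_len or (length == best_len and rule == "allow"):
                best_len, allowed = length, (rule == "allow")
    return allowed


# Constructed excerpt of the robots.txt above (the groups that matter for the point being made).
ROBOTS_EXCERPT = """\
User-agent: *
Disallow: /wp-content/
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-
Disallow: */trackback*

User-agent: Googlebot
Disallow: /*.php$
Disallow: /*.js$
Disallow: /*.php*
Allow: /wp-content/uploads/

User-agent: ia_archiver
Disallow: /

User-agent: Googlebot-Image
Allow: /*
"""


if __name__ == "__main__":
    for ua in ("SomeBot", "Googlebot", "Googlebot-Image", "ia_archiver"):
        for path in ("/wp-admin/", "/wp-admin/install.php", "/2010/06/post/"):
            print("%-16s %-24s %s" % (ua, path, "allowed" if can_fetch(ROBOTS_EXCERPT, ua, path) else "disallowed"))
```

The report shows the effect of per-crawler groups: an unnamed crawler is kept out of /wp-admin/ by the `*` group, while Googlebot may crawl /wp-admin/ itself and is only blocked from the .php files inside it. This matcher treats the token literally, so the `Mediapartners-Google*` line in the full file is not matched by a crawler called Mediapartners-Google; whether a crawler tolerates that trailing `*` is up to the crawler. In any case, keep /wp-admin/ protected by the .htaccess rules in Tip #3a or the login lockout, and treat robots.txt purely as a search-engine hint.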

WordPress Security Tip # 4: Change default password to your WordPress blog

When you first set up your WordPress blog, WordPress generates a simple 6-character password made up of just numbers and letters. You not only need to change the default password, but also choose a strong one. Learn more about how you can create a strong password.

WordPress Security Tip # 5: Put a blank index.html in your WordPress Plugins Folder

If you type yourwordpressblog.com/wp-content/plugins/ into a browser, you can see a list of all your installed WordPress plugins. Someone wanting to hack your blog could then look for an out-of-date plugin with a known exploit.

To solve this problem, add a blank index.html to your WordPress plugins folder. This will show a blank page whenever someone attempts to view the list of plugins on your blog.

Thanks to Matt Cutts for inspiring this article. Hopefully these tips will allow for more secure and safe blogging.