

question: how to best secure WP from any attacks, hack attempts etc?




Posted by QU4RTZ, 03-16-2008, 05:39 PM
How to best secure WP from any attacks, hack attempts and others?

Posted by LoganNZ, 03-16-2008, 08:30 PM
Apache:
- Mod_security - certain anti-RFI rules, encoding rules
- mod_evasive

Ensure your admin/config files permissions/ownership are correct. Cut down all non-required mods/addons. Just keep the server PHP backend secure, and you should be fine. Also keep up with the WP updates.

I assume you are talking about WordPress - PHP blog?

Regards, Logan
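As an added illustration of the "anti-RFI rules" Logan mentions (this is not from his post or from any ModSecurity rule set), here is a minimal ModSecurity 2.x rule for httpd.conf that blocks request arguments carrying a remote URL, the usual shape of a remote-file-inclusion attempt. The rule id 900100 and the exclusion of the comment form's `url` argument are my own choices; adjust both to your site.

```apache
# Added example, not part of the original thread. Belongs in the main server
# config (ModSecurity 2.x), not in .htaccess.
SecRuleEngine On

# Flag any request argument whose value is a full remote URL (http/https/ftp).
# ARGS covers both query-string and POST parameters.
# The WordPress comment form legitimately posts the commenter's website in an
# argument named "url", so that single argument is excluded to avoid blocking
# ordinary comments (assumption: the form field is still named "url").
# Rule id 900100 is a placeholder; choose an id range that does not collide
# with rule sets you already load.
SecRule ARGS|!ARGS:url "@rx ^(?:https?|ftp)://[^/]+/" \
    "id:900100,phase:2,deny,status:403,log,\
    msg:'Possible remote file inclusion: remote URL in request argument',\
    severity:'CRITICAL',\
    t:none,t:urlDecodeUni,t:lowercase"
```

Run it with `SecRuleEngine DetectionOnly` first and watch the audit log for false positives (any plugin that accepts a link parameter will trip it) before switching to `On`. The deny returns the same 403 Forbidden that the rest of this thread relies on, so it shows up in the Apache error log like any other blocked request.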

Posted by QU4RTZ, 03-16-2008, 09:25 PM
Yes, that's the one. WP = WordPRess. Normally I don't abbreviate. Thanks.

Posted by applicurearun, 03-17-2008, 09:43 AM
3 Wordpress security tips:

1. Drop version string in header.php
The tag in your header.php that displays your current version of wordpress. Since everyone knows your wordpress version this way, your blog is prone to hackers if you have not upgraded to the new version. Hide your wordpress version by deleting it or simply changing it to

2. Put a blank index.html in /plugins/ directory.
In a normal wordpress installation, anyone can access your Wordpress plugin folder to see which plugins you have installed. The path is http://www.yourdomain.com/wp-content/plugins/ Try it for your blog and your entire directory structure is revealed. Just create a blank file in notepad and name it index.html and drop it in your plugins folder, and the folder details will no longer be visible to the public and prevent hackers from cracking a plugin security hole.

3. Put .htaccess in /wp-admin/
He points to this article on Protecting the Wordpress wp-admin folder. This will limit access to this folder by IP address, and attempts at accessing any file within this folder will be greeted with a Forbidden error message. He warns that you need to place this file in the /wp-admin folder and not replace or delete the .htaccess file in the root folder of your blog. Though he says the security issue was fixed in a recent wordpress version, this is a security idea which can help you further protect your wp-admin folder.

Tip: It is easy to block search engines from crawling your wp-admin folder by blocking access via the robots.txt file. I added this line:
Disallow: /wp-admin/
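The post above describes, but does not show, the wp-admin/.htaccess that limits the admin area by IP address. The file below is an added example written for this thread, not the linked article's own file. The addresses 203.0.113.10 and 198.51.100.0/24 are documentation placeholders to replace with your own; the admin-ajax.php exception is my addition, because many themes and plugins call that file from the public front end.

```apache
# Added example: place this file at wp-admin/.htaccess. Do NOT overwrite the
# .htaccess in the blog's root folder, which WordPress uses for permalinks.
# Requires "AllowOverride Limit" (2.2) or "AllowOverride AuthConfig Limit" (2.4)
# for the site's DocumentRoot.

# Apache 2.2 syntax (the version current when this thread was written).
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10          # placeholder: your office/home address
    Allow from 198.51.100.0/24       # placeholder: a trusted range
</IfModule>

# Apache 2.4 syntax (mod_authz_core).
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10 198.51.100.0/24
</IfModule>

# admin-ajax.php is requested by visitors' browsers for front-end features
# (plugin widgets, some themes), so it must stay reachable from everywhere
# or those features fail with the same 403 meant for the dashboard.
<Files admin-ajax.php>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Files>
```

Anyone outside the listed addresses gets a 403 Forbidden for every file under wp-admin/, which is the behaviour the post describes. Two practical checks: if your ISP hands you a changing address you will lock yourself out, so test from a second connection before relying on it; and if the server sits behind a proxy or load balancer, the address Apache sees is the proxy's, so the rule must be based on the forwarded client address instead.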

Posted by brianoz, 03-18-2008, 09:55 AM
Applicure - a thoughtful and helpful post. Protecting the admin directory via IP range is a neat idea.

There's a well known spam script that will catch most spam attempts; you should definitely install it - akismet. Apparently renaming the post script (both renaming the file, and the reference to it in the WordPress templates) stops 99% of spam. This is because the spammers google for the submit script, and if they can't find it you won't be attacked anywhere near as much.

Keep your WordPress current. Use good passwords within it. Research plugins to see if there are any other good security related plugins available that are well known and well trusted, and install them.

If you're running on a large shared server, ensure they're running PHP in suphp or phpsuexec modes - a little slower, but much better security. This isn't as helpful for high-volume blogs (it slows the server down, which is noticeable for high volume sites); but without it you'd better be on a server with only well trusted users, as it's trivial to obtain your database passwords.

Probably a good thing to run some sort of intrusion detection - BFD or the more recent CSF. This detects password guessing attempts and many other attempts to hack the server and firewalls off the varmints' IP. If mod_security is installed it also detects many other nasty URLs and hacking attempts.


