Discovered at: http://www.antezeta.com/blog/top-wordpress-security-tips
In theory, this is a marketing blog, focusing on search engine optimization, web analytics and other web marketing topics. So what does WordPress security have to do with Google and SEO?
Well, one downside of the extended web ecosystem is that the same idiots who jump the queue in the supermarket will try to exploit your good blog as a way to jump their way to the top of Google’s search results.
One thing is certain: you won’t be feeling very groovy if you have the misadventure of being de-listed by Google, as has happened to several of my fellow blogger friends.
I’m not a WordPress security expert, and I don’t play one on TV. That said, there are a few WordPress security best practices worth considering for your WordPress installation.
Many of the techniques are part of a security approach called obfuscation, which is simply a fancy way of saying we hide things in order to make the lives of hackers slightly more complicated.
A word to the wise: before applying any of the suggestions which follow, ensure you have a working backup copy of your blog. Any of the suggestions below can seriously ruin your blog as you know it; use at your own risk. I like to keep a local copy on my PC that I can use for testing and verification.
1. Know your plugins
Third party plugins have significant access to your blog, making it imperative that you trust the author of any plugin you install – or upgrade. Several plugins are discussed below – I cannot vouch for the trustworthiness of the current versions: use at your own risk.
2. Use a recent version of WordPress
Almost all software has errors, or bugs, which are corrected as time goes on. In general, keeping your WordPress installation up to date is a great way to avoid known problems. Do note that the latest version, especially in the case of major upgrades, may cause more problems than it resolves. So keep up to date, but wait for a few others to do it first! The WordPress development feed in your WordPress Admin dashboard announces official releases; you can add it to your RSS feed reader as well.
3. Change the default Admin Account user from “admin”
Every hacker knows WordPress has a user “admin” with god-like administration privileges. Slow the hackers down by removing the “admin” user. Create a WordPress user with admin privileges using the administration interface. Log out of WordPress and log back in with the new user. Delete the admin user. The new admin user should be different from your normal post author.
4. Password protect your Wordpress admin interface at the server level
Our goal is to add an extra layer of security to the WordPress administration area. Apache users should look at the Authentication documentation or consider a WordPress plugin. IIS users might find these instructions useful.
5. Rename your Wordpress database tables
Hacker exploits which attack your database generally require knowledge of the database table names. WordPress allows for alternative database table names. There are several table prefix plugins which will do this for you, or you can follow manual instructions. Do note you may have problems with badly written plugins if they have hard-coded the table prefix somewhere.
6. Hide your plugin directory from prying eyes
In many WordPress installations it is possible to view a list of installed plugins by navigating to the /wp-content/plugins/ directory. This is not a good idea, as known plugin vulnerabilities can then be easily exploited. Add an empty default index file, such as index.html, to the directory. You can also protect it using an .htaccess file, assuming you’re using Apache.
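The two server-level protections from tips 4 and 6, written out as Apache configuration. This is an added example, not configuration from the original post or from the linked Apache documentation; the file paths, the realm name, the location of the .htpasswd file and the assumption that Apache 2.4 is in use are mine.

```apache
# Added example (not from the original post). Two .htaccess fragments for a
# WordPress site on Apache 2.4; paths and names below are assumptions.

# --- Tip 4: HTTP Basic authentication in front of the admin area ---
# Save as /var/www/blog/wp-admin/.htaccess (needs "AllowOverride AuthConfig"
# in the main server config). Create the credentials file outside the web
# root first, so it can never be served to a browser:
#   htpasswd -c /etc/apache2/wp-admin.htpasswd youradminuser
AuthType Basic
AuthName "Blog administration"
AuthUserFile /etc/apache2/wp-admin.htpasswd
Require valid-user

# wp-admin/admin-ajax.php is also requested by the public site (themes and
# plugins call it for front-end features), so it is exempted from the
# password prompt; "Require all granted" in a more specific section replaces
# the directory-wide "Require valid-user" under Apache 2.4's default merging.
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- Tip 6: no directory listing of installed plugins ---
# Save as /var/www/blog/wp-content/plugins/.htaccess (needs "AllowOverride
# Options"). With listings off, a request for the bare directory returns
# 403 instead of the plugin names; an empty index.html achieves the same
# for servers where .htaccess overrides are disabled.
Options -Indexes
```

The Basic auth prompt only adds value over HTTPS; on plain HTTP the credentials travel base64-encoded, not encrypted, so the extra layer should go together with TLS on the admin URLs.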
7. Remove the Wordpress version number from your blog and any active plugins
By announcing to the world the version of WordPress you are running, you greatly simplify the work of a hacker. Peter Westwood’s post documents how to suppress output of the WordPress version number in feeds and blog posts. I’ve packaged his code in a very rudimentary WordPress plugin to hide the version number in blog and RSS feeds. You may still need to remove any hard-coded version number in your theme. Look for a line like this:
and remove it.
8. PHP error reporting
If something goes pear-shaped, as the Brits so nicely put it, WordPress and its plugins have a tendency to output PHP error messages. This should be suppressed in a production environment. See the PHP error reporting documentation for a detailed discussion.
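Tips 7 and 8 together, as one must-use plugin. This is an added example written for this page; it is neither the author’s rudimentary plugin nor Peter Westwood’s code, and it relies only on standard WordPress hooks (remove_action, add_filter, the_generator, style_loader_src, script_loader_src) and PHP’s ini_set. The mu-plugins directory, the function names and the log file path are assumptions.

```php
<?php
/**
 * Plugin Name: Hide WordPress version and silence PHP errors (added example)
 *
 * Added example, not code from the original post. Save as
 * wp-content/mu-plugins/hide-version-silence-errors.php (path assumed);
 * files in mu-plugins load automatically, before themes and ordinary plugins,
 * so these settings cannot be undone by a theme that forgets to deactivate them.
 */

// ---- Tip 7: stop announcing the WordPress version ----

// wp_generator() is hooked to wp_head and prints
// <meta name="generator" content="WordPress x.y" /> into every page's <head>.
remove_action( 'wp_head', 'wp_generator' );

// The same number is emitted as <generator> in RSS and Atom feeds via
// get_the_generator(); the the_generator filter lets us blank it everywhere.
function example_blank_generator( $generator ) {
    return '';
}
add_filter( 'the_generator', 'example_blank_generator' );

// Core stylesheets and scripts are enqueued as ...?ver=<WordPress version>
// unless the author supplied their own version string, which leaks the
// number again; strip only the query argument that matches the core version.
function example_strip_core_version( $src ) {
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'example_strip_core_version', 999 );
add_filter( 'script_loader_src', 'example_strip_core_version', 999 );

// ---- Tip 8: never show PHP errors to visitors; log them instead ----

// wp_debug_mode() has already run by the time this file loads and, with
// WP_DEBUG false in wp-config.php, leaves display_errors at php.ini's value,
// so we set it explicitly rather than trusting the host's default.
ini_set( 'display_errors', '0' );
ini_set( 'log_errors', '1' );
// Log path is an assumption: it must be writable by the PHP user and sit
// outside the web root so the error log itself cannot be fetched.
ini_set( 'error_log', '/var/log/php/wordpress-errors.log' );
```

After enabling it, fetch the home page and the feed and grep for the version string; anything still present comes from a theme template or plugin that hard-codes it, which is the line the post tells you to remove.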
9. Wordpress Security Scan
The WP Security Scan plugin attempts both to audit your blog security and to implement many of the suggestions mentioned above. Blogsecurity.net offers an alternative scan plugin.
Tuesday, May 5, 2009