5 Ways To Increase The Security of Your WordPress Blog
Security isn’t really an issue for most bloggers. Well, at least not until it is. And when that happens, you kind of get a quick education on the topic of keeping assholes off your blog’s administrative pages. In the interest of pooling resources, I thought I’d share some of the hard-won education I’ve received over the past week on the topic of increasing the security of your website. Blogs are fairly fragile programs, apparently, and the bottom line is that if somebody who really knows what they are doing really, really wants to get on your site, it’s going to be tough to keep them off. That said, implementing a few of these tips might go a long way towards safeguarding your blog, even if you don’t anticipate ever being the target of a hack attack.
By the way, it’s not just people who like to stir the pot who need to worry about this stuff. Merely advancing beyond a certain degree of success with your blog marks you as a potential target for hackers. Also, the vast majority of hacking incidents are perpetrated not by rival bloggers or enemies, but by mass spammers who just want to use your web space and IP information to mail out thousands of spam links. So even if you consider yourself to be a fairly uncontroversial blogger, you might just find you have a need for WordPress security in the near future.
- Install Stealth Login, a WordPress plugin that alters the names of common WordPress admin files. One common problem with WordPress security is the fact that all of the administrative files are named according to the same pattern in every installation of WordPress. Therefore, anyone wanting to get into your site already knows that your login page is wp-login.php. This is a major advantage for the hacker because it takes one step out of the multi-step process of gaining control of your blog.
You can use The Stealth Login Plugin to make it more difficult for troublemakers to locate your admin files by changing their default prefix. After you install this plugin, you will be able to define custom URLs for the admin pages of your blog, and then a potential hacker will have a harder time finding the files he or she needs to gain access to your site.
- Install WP Security Scan, a WordPress plugin that prevents SQL injection attacks. What the hell is a SQL injection attack? Well, let’s hope you never find out first-hand, but basically someone sneaks their own SQL commands into input that your site passes along to its database. Those commands can be set to delete information or whole tables, or replace them with god knows what. Basically, you don’t want anyone in your SQL database if you can avoid it, and WP Security Scan can help you with this.
It works by changing your default WordPress database table prefix and can protect you even when you forget to assign a new custom prefix when installing WordPress. Another benefit of WP Security Scan is that it flags dangerous file permissions–basically, if your security is more lax on certain files than it should be, it will catch these permission settings for you. But the best feature of WP Security Scan in my own estimation is that it checks for the appropriate .htaccess files where you need them. The .htaccess file is the per-directory Apache configuration file that controls who can get at which parts of your site, something that you hopefully won’t ever have to learn any more about after today.
- Install Drain Hole for increased security on downloadable content. Drain Hole is a plugin that allows you to set up your download archive outside your web directory. This means that if you are in the habit of providing downloads on your site, you can make them available in a location that is not directly accessible to your web server. It also allows you to monitor the traffic to this “drain hole,” which means that if someone tries to use this as an “in” to your site, you will be able to see who is doing it.
- Install Login Lockdown to protect against mass “breakthrough” password attacks. Login Lockdown is a plugin for WordPress that records the IP address and time stamp of every failed WordPress login attempt. So, say you find out that something is messed up on your site, say after you post a kinda inflammatory post–hypothetically. You could then go back and see if anyone tried to log in to your WordPress installation around the time that site started screwing up. And you could find out that, yes, someone did try to log in around that time, and that person tried a bunch of times, from the same IP range. You might even be able to find out who it was that did it, because you might have their IP address. And if you have their IP address, not only can you prove that they did it, but you also can ban them from your site so that you don’t ever have to put up with their bullshit again.
But the best part is that Login Lockdown will keep people from doing damage directly through the wp-admin panel, because after a few incorrect guesses at the password, the login function is disabled. This will protect you from some kinds of password discovery, though not all. You can change how long the lockout lasts; the defaults are usually to lock out after three attempts and to keep the lockout in place for one hour.
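To make the lockout behaviour concrete, here is an added example (my own illustration, not code from the Login Lockdown plugin) that replays a constructed list of failed-login records and applies the default rule described above: three failures from one IP within the window trigger a one-hour lockout, and further attempts during that hour are refused. The log format, the IP addresses and the timestamps are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_ATTEMPTS = 3            # default: lock out after three failed attempts
LOCKOUT = timedelta(hours=1)  # default: lockout lasts one hour

# Constructed sample of failed-login records: "<ISO timestamp> <client IP>" per line.
# 203.0.113.7 hammers the login page; 198.51.100.2 fails once and gives up.
FAILED_LOGINS = """\
2024-03-01T10:00:05 203.0.113.7
2024-03-01T10:00:09 203.0.113.7
2024-03-01T10:00:14 203.0.113.7
2024-03-01T10:00:20 203.0.113.7
2024-03-01T10:30:00 198.51.100.2
2024-03-01T11:05:00 203.0.113.7
"""


def parse_failures(text):
    """Turn the constructed log into (timestamp, ip) tuples in log order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip = line.split()
        events.append((datetime.fromisoformat(ts), ip))
    return events


class LoginLockdown:
    """Per-IP failure counter with a fixed-length lockout (hypothetical model)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.locked_until = {}             # ip -> datetime when the lockout ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Register one failed login; return True if the IP is (now) locked out."""
        if self.is_locked(ip, now):
            return True
        # Only failures inside the window count towards the threshold.
        recent = [t for t in self.failures[ip] if now - t < self.lockout]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            self.failures[ip] = []  # counter restarts once the lockout expires
            return True
        return False


def replay(text):
    """Feed every failure through the model; return (ip, timestamp, locked) per record."""
    model = LoginLockdown()
    decisions = []
    for now, ip in parse_failures(text):
        decisions.append((ip, now.isoformat(), model.record_failure(ip, now)))
    return decisions


def offenders(text):
    """The 'who was it?' view: failed attempts per IP, most persistent first."""
    counts = defaultdict(int)
    for _, ip in parse_failures(text):
        counts[ip] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for ip, when, locked in replay(FAILED_LOGINS):
        print(f"{when}  {ip:<14} {'LOCKED OUT' if locked else 'allowed'}")
    print("failed attempts per IP:", offenders(FAILED_LOGINS))
```

In the replay, the third failure from 203.0.113.7 at 10:00:14 triggers the lockout, the fourth attempt at 10:00:20 is refused without even being counted, and the attempt at 11:05 is accepted again because the hour has passed; the single failure from 198.51.100.2 never trips the threshold. Real plugins also store these records in the database so you can review them later, which is the part of Login Lockdown that lets you go back and see who was knocking.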
- Use the Redirection plugin to its fullest potential. Previously, I suggested to you that you install the Redirection plugin on your WordPress blog to help with 404 errors. What I did not note then were the security features boasted by Redirection, which allows you to monitor your HTTP 404 Error logs. Why do you want to do this? Well, the HTTP 404 Error occurs when a web server cannot find a page asked for by a browser. This matters for security because many attacks begin with requests for files and pages that don’t exist on your site–there are certain request patterns that show up when common attacks have been tried, and those requests are recorded in the 404 Error logs. For a listing of common attacks and what they look like on Error logs, you can visit this site.
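The kind of monitoring the Redirection plugin offers can be approximated with a few lines over your web server’s access log. The following is an added example of my own, not part of the plugin or the original post: it parses constructed Apache-style access-log lines, keeps only the 404 responses, and flags any client that racks up three or more of them, which is the pattern you would then compare against the attack listing the post links to. The log lines, IP addresses and paths are all made up; the threshold of three is an arbitrary choice for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined"-style access log line (constructed sample, see SAMPLE_LOG).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client requests three pages that do not exist in a row;
# another client hits a single stale link and then a real post.
SAMPLE_LOG = """\
203.0.113.9 - - [01/Mar/2024:10:00:01 +0000] "GET /about/ HTTP/1.1" 200 5120
203.0.113.9 - - [01/Mar/2024:10:00:02 +0000] "GET /missing-page-1 HTTP/1.1" 404 512
203.0.113.9 - - [01/Mar/2024:10:00:03 +0000] "GET /missing-page-2 HTTP/1.1" 404 512
203.0.113.9 - - [01/Mar/2024:10:00:04 +0000] "GET /missing-page-3 HTTP/1.1" 404 512
198.51.100.4 - - [01/Mar/2024:10:01:00 +0000] "GET /old-post/ HTTP/1.1" 404 512
198.51.100.4 - - [01/Mar/2024:10:01:05 +0000] "GET /new-post/ HTTP/1.1" 200 7100
"""


def parse_log(text):
    """Yield one dict per well-formed log line; silently skip lines that don't match."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def not_found_by_client(text):
    """Map each client IP to the list of paths it requested that returned 404."""
    misses = defaultdict(list)
    for rec in parse_log(text):
        if rec["status"] == "404":
            misses[rec["ip"]].append(rec["path"])
    return dict(misses)


def flag_404_bursts(text, threshold=3):
    """Clients with at least `threshold` 404s: the ones worth a closer look."""
    return {
        ip: paths
        for ip, paths in not_found_by_client(text).items()
        if len(paths) >= threshold
    }


if __name__ == "__main__":
    for ip, paths in flag_404_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} requests for missing pages -> {paths}")
```

On the sample, 203.0.113.9 is flagged with its three requests for non-existent pages, while 198.51.100.4’s single stale link is ignored. The same per-client grouping is what makes a 404 log useful as a security signal: a legitimate visitor following one dead link looks nothing like a client walking through a list of file names that aren’t there.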