I read an interesting article on WordPress security today on a new site that Jack Humphrey pointed out.
A lot of attention is quite rightly focused on securing the WordPress installation itself. But however secure your WP installation is, that counts for nothing if you’re leaving other doors open.
It’s worth being aware that a determined attacker is probably going to be able to get into pretty much any site they want. But you can protect your WP installation from the mass, automated attacks with a few common-sense precautions.
I’ve changed my login name from admin to something else (long and complex), made sure my password is as strong as I can make it, put an extra layer of protection in front of the wp-admin directory, created a blank index.html in the plugins directory so that a directory listing doesn’t reveal which plugins I’m using, and a few other bits and bobs. (The blank index.html only defeats the listing: the plugins a site uses can still be read off the CSS and JavaScript URLs in its page source, so it hides them from casual browsing, not from a scanner.)
There are WordPress security plugins that will do all that for you and keep monitoring your installation for known vulnerabilities.
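As an added example (not from the original post, and not what the author’s plugins do), here is how the two precautions above, a web-server password in front of wp-admin and a non-listable plugins directory, can be put in place by a script rather than by hand. It assumes an Apache host that honours .htaccess files and uses Apache 2.4 directive syntax; the WordPress path and the location of the htpasswd file are made up for the example.

```python
import os
from pathlib import Path

# Extra authentication in front of wp-admin (Apache 2.4 directive syntax assumed).
# admin-ajax.php is excepted: themes and plugins call it from the public site, and a
# password prompt there would break front-end features for ordinary visitors.
WP_ADMIN_HTACCESS = """\
AuthType Basic
AuthName "Restricted"
AuthUserFile {htpasswd}
Require valid-user

<Files admin-ajax.php>
    Require all granted
</Files>
"""

# Stop the web server from listing the plugins directory. The blank index.html
# below covers hosts that ignore Options in .htaccess.
PLUGINS_HTACCESS = "Options -Indexes\n"


def harden_wp_dirs(wp_root, htpasswd_path):
    """Write the .htaccess files and the blank index.html; return the paths written."""
    root = Path(wp_root)
    htpasswd = Path(htpasswd_path)
    if root.resolve() in htpasswd.resolve().parents:
        # A password file inside the document root can simply be downloaded.
        raise ValueError("htpasswd file must live outside the WordPress root")

    admin_htaccess = root / "wp-admin" / ".htaccess"
    plugins_dir = root / "wp-content" / "plugins"
    plugins_htaccess = plugins_dir / ".htaccess"
    plugins_index = plugins_dir / "index.html"

    admin_htaccess.parent.mkdir(parents=True, exist_ok=True)
    plugins_dir.mkdir(parents=True, exist_ok=True)

    admin_htaccess.write_text(WP_ADMIN_HTACCESS.format(htpasswd=htpasswd))
    plugins_htaccess.write_text(PLUGINS_HTACCESS)
    if not plugins_index.exists():
        plugins_index.write_text("")  # a listing request now returns an empty page

    # Only the owner should be able to change these files.
    for p in (admin_htaccess, plugins_htaccess):
        os.chmod(p, 0o644)
    return [admin_htaccess, plugins_htaccess, plugins_index]


if __name__ == "__main__":
    # Hypothetical paths for illustration; adjust to your host.
    for written in harden_wp_dirs("/var/www/example/public_html",
                                  "/var/www/example/wp-admin.htpasswd"):
        print("wrote", written)
```

Create the password file first, outside the document root, with `htpasswd -c /var/www/example/wp-admin.htpasswd yourname` (add `-B` for bcrypt on Apache 2.4.4 and later), then point the function at it. After the change, check that the public site still works: anything that calls admin-ajax.php from the front end depends on the exception above.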
The more users you allow to update your blog, the more risk there is. I don’t have guest bloggers but, if I did, I’d get them to send me the posts and let me put them up rather than give out user access rights. I also don’t allow registration.
But there are some areas that people often overlook, and which let attackers into your WordPress installation without touching WordPress at all: via your FTP credentials.
If you’re not using SFTP (which runs over SSH, so any host that gives you shell access can do it) then your FTP username and password cross the Internet in clear text every time you log on, and so does everything you upload or download.
I back up my blog system files each week by copying everything back to my PC. This takes around an hour currently. Over plain FTP an eavesdropper doesn’t need anything like that long: the username and password go past in the first few seconds of the session, in a single USER/PASS exchange, and the rest of the hour exposes the contents of every file, including wp-config.php with the database password in it.
Also, of course, you could have spyware on your machine, which would pick up your FTP login from there (along with all your other logins!). Encrypting the connection does nothing against that.
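To make the clear-text point concrete, here is an added example (not from the original post). It logs in to a throwaway FTP server on the local machine using Python’s standard ftplib client and records the raw command lines the server receives. The bytes are identical to what would cross the Internet to a real host, and the same extraction works on the text a sniffer such as `tcpdump -A` prints for a real session. The banner, user name and password are constructed for the example.

```python
import socket
import threading
from ftplib import FTP


def _fake_ftp_server(listener, captured):
    """Accept one client and record every command line it sends, as received.

    Stands in for the real host's FTP server. What it sees is exactly what every
    router, Wi-Fi hotspot and ISP between you and that host sees too.
    """
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"220 example.invalid FTP ready\r\n")  # constructed banner
        buf = b""
        while True:
            data = conn.recv(1024)
            if not data:
                return
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                captured.append(line)
                verb = line.split(b" ", 1)[0].upper()
                if verb == b"USER":
                    conn.sendall(b"331 Password required\r\n")
                elif verb == b"PASS":
                    conn.sendall(b"230 Logged in\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 Goodbye\r\n")
                    return
                else:
                    conn.sendall(b"502 Command not implemented\r\n")


def credentials_on_the_wire(user, password):
    """Log in with the standard-library client; return the command lines the server saw."""
    captured = []
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # loopback, ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_fake_ftp_server, args=(listener, captured), daemon=True)
    server.start()

    ftp = FTP()
    ftp.connect("127.0.0.1", port, timeout=5)
    # ftplib.FTP sends USER and PASS in plain text; only FTP_TLS (or SFTP over SSH)
    # would wrap them in encryption.
    ftp.login(user, password)
    ftp.quit()
    server.join(timeout=5)
    listener.close()
    return captured


def extract_ftp_credentials(command_lines):
    """What a passive observer recovers from the control channel: (user, password)."""
    user = password = None
    for line in command_lines:
        verb, _, arg = line.partition(b" ")
        if verb.upper() == b"USER":
            user = arg.decode("utf-8", errors="replace")
        elif verb.upper() == b"PASS":
            password = arg.decode("utf-8", errors="replace")
    return user, password


if __name__ == "__main__":
    lines = credentials_on_the_wire("martin", "correct horse battery")  # made-up login
    for line in lines:
        print(line.decode())
    print("recovered:", extract_ftp_credentials(lines))
```

The login is recovered from two lines of a capture with no cryptography to break; the transfer that follows, however long it takes, adds nothing an eavesdropper needs. SFTP removes both the credentials and the file contents from view, because the whole session runs inside SSH.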
So it pays to consider your entire PC environment and the tools you’re using, and make sure that everything is secure – not just your WP installation.
In addition to all those WP-specific precautions, make sure your PC is absolutely clean (use a good anti-spyware application and scan it regularly) and use SFTP, or another transfer method that runs over SSH, to move files to and from your server.
Feel free to point out other security steps that I’ve missed – there will definitely be some!
{ 9 comments }
Totally agree… you can never be too safe.
It’s been five or six years back now… but my “hacker” nephew told me to go to a web site he had set up – wanted to show me something.
Within 2 minutes he had logged into my computer. Never took control of it, but he said he could have. He did tell me the software I had installed, some files, etc.
He never would tell me how he did it.
Later he went into the Air Force… did computer stuff for them.
Crazy stuff going on out here.
Andrew
Thanks Andrew,
I have a friend who used to be a hacker – he’s also very non-committal. Strange, that..!
But what your nephew did is scary. Hopefully he also told you how to protect yourself!
Cheers,
Martin.
Andrew – Was it the visit to the website that made you vulnerable? Are you saying that we could unknowingly visit a website that was run by a hacker and lose all that way?
Wealthy Dragon – I like the idea of backing up blogs regularly. Thanks.
Hi Sarah,
Yes – definitely worth backing up both your database and blog system files regularly. I do it once a week, and in fact I have a mirror image on my PC of what’s on my server. That way if anything happens to any of my sites I can be back up and running again without any hassles.
Cheers,
Martin.
Hi,
Need some advice. On the new WordPress, if you want to upload plugins as a zip file you have to make the wp-content folder writable. So I do that now but leave it like that. Is that good or bad practice, or would the other way, uploading via FTP, be better?
You also mention making a blank index file. Is that the one that is in the plugin folder?
Finally, is there maybe a blog or site that lists all the plugins that are a security risk? It would be nice to have such a resource.
Came to your site via a warriorforum post.
Greetings
Johan, hi,
A site that highlighted all plugins that had security holes would be a great resource – unfortunately I’ve never found one like that, but it may be worth Googling for it.
Yes – the blank index.html file is in the plugin folder and I don’t upload the zip files when uploading plugins. I unzip them and then upload the extracted folder via SFTP.
Cheers,
Martin.
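Following on from Johan’s question and the reply above, an added example (not from the original page): a small check for anything under wp-content that has been left world-writable, which is what “making the folder writable” usually comes to on shared hosting (chmod 777), together with a function that puts the permissions back to the conventional 755 for directories and 644 for files. It assumes a POSIX host; the directory layout used when running it is constructed.

```python
import os
import stat
from pathlib import Path


def find_world_writable(root):
    """Return paths under root (directories and files) that any user on the host may write.

    Paths are returned relative to root; "." is the root directory itself.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for p in [here] + [here / f for f in filenames]:
            mode = p.lstat().st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are irrelevant
            if mode & stat.S_IWOTH:
                hits.append(str(p.relative_to(root)))
    return sorted(hits)


def restore_default_permissions(root):
    """chmod directories to 755 and files to 644; return how many entries were changed."""
    changed = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        targets = [(here, 0o755)] + [(here / f, 0o644) for f in filenames]
        for p, wanted in targets:
            mode = p.lstat().st_mode
            if stat.S_ISLNK(mode):
                continue
            if stat.S_IMODE(mode) != wanted:
                os.chmod(p, wanted)
                changed += 1
    return changed


if __name__ == "__main__":
    wp_content = "/var/www/example/public_html/wp-content"  # hypothetical path
    for path in find_world_writable(wp_content):
        print("world-writable:", path)
    print("fixed", restore_default_permissions(wp_content), "entries")
```

Once the permissions are back to 755/644, uploading a plugin as a zip through the dashboard will fail again until the web server’s user can write to wp-content, which is the trade-off Johan describes; unzipping on the PC and uploading the extracted folder over SFTP, as in the reply above, avoids having to open the directory up at all.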
Hi Martin, stupid of me, as I see it was a post of yours on WF.
Greetings
More things to think about and learn when we talk. Thanks!
You’re welcome!
Cheers,
Martin.