WordPress is the most popular blogging platform nowadays. Many high-profile companies use WordPress as their blogging platform. Have you ever thought about the security of your blog running WordPress? This presentation was given by me on 13th Feb 2010 at the Nagpur PHP Meetup.
Securing Word Press Blog
1. Securing WordPress blog. Chetan Gole. Tricks and guidelines for WordPress users. Web: chetangole.com | Twitter: @chetan_gole | E-Mail: chetangole@gmail.com
2. What is WordPress? WordPress is an open source blog publishing application powered by PHP and MySQL which can also be used for basic content management. It has many features including a user-friendly workflow, a rich plugin architecture, and an advanced templating system. Used at almost 2% of the 10,000 biggest websites, WordPress is the most popular blog software in use today. Source: Wikipedia
5. Keep everything up to date. Keep your WordPress installation and plugins up to date: whenever there is an update, make sure you have the latest version. Whenever WordPress or any software developer releases an update for their software, they usually release notes with the reason for the update. If it is a security patch, those notes also describe the vulnerabilities the older version has (so if you cannot update immediately, hide the WordPress version). It is therefore always good to keep your software updated, else attackers can easily misuse the known loopholes in the software you are using. This also applies to the operating system and application software on your own computer. Keep your anti-virus updated with the latest virus definitions, because a compromised computer can be used to attack your blog.
6. Change the Login ID. By default WordPress uses the Login ID "admin"; change it. Now an attacker has to guess both the Login ID and the password, i.e. double security. To change the Login ID of WordPress you can run SQL queries directly against your database, or there is a plugin to change the Login ID via a simple interface. [Plugin URI: http://tr.im/NUd5] Or you can create a new administrator user and delete the original admin user from your WordPress admin panel.
7. Use a strong password. What does a strong password mean? Use the plugin "Login LockDown": http://wordpress.org/extend/plugins/login-lockdown/ Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.
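The lockout behaviour described above, as an added example written for this page (it is not code from the slides or from the Login LockDown plugin itself): failed attempts are stored with source IP and timestamp, and once more than a threshold of failures arrives from the same /24 range inside a time window, every login request from that range is refused until the lockout expires. The /24 grouping and the threshold, window and lockout values are assumptions.

```python
from collections import defaultdict
import ipaddress

MAX_FAILURES = 3      # assumed threshold: 4th failure in the window locks the range
WINDOW = 5 * 60       # assumed window (seconds) in which failures are counted
LOCKOUT = 60 * 60     # assumed lockout duration (seconds)


class LoginLockdown:
    """Minimal model of a failed-login throttle keyed by IPv4 /24 range."""

    def __init__(self):
        self.failures = defaultdict(list)   # range -> list of failure timestamps
        self.locked_until = {}              # range -> timestamp when lock expires

    @staticmethod
    def ip_range(ip):
        # Group source addresses by their /24 network (assumed grouping).
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def is_locked(self, ip, now):
        rng = self.ip_range(ip)
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:                    # lock has expired, clear it
            del self.locked_until[rng]
            return False
        return True

    def record_failure(self, ip, now):
        """Log a failed attempt; return True if this failure triggers a lock."""
        rng = self.ip_range(ip)
        recent = [t for t in self.failures[rng] if now - t < WINDOW]
        recent.append(now)
        self.failures[rng] = recent         # keep only attempts inside the window
        if len(recent) > MAX_FAILURES:
            self.locked_until[rng] = now + LOCKOUT
            return True
        return False

    def attempt_login(self, ip, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login request."""
        if self.is_locked(ip, now):         # refused even if the password is right
            return "locked"
        if password_ok:
            self.failures.pop(self.ip_range(ip), None)
            return "ok"
        self.record_failure(ip, now)
        return "failed"
```

Timestamps are passed in explicitly so the window and lockout logic can be exercised deterministically.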
8. Use SSL for login. Encrypt the login session using "Secure Sockets Layer". This can be implemented using the plugin "Admin SSL": http://wordpress.org/extend/plugins/admin-ssl-secure-admin/ Or follow the directions given by the WordPress Codex site to set up SSL in your own way: http://codex.wordpress.org/Administration_Over_SSL
9. Change the Login URL. The default login URL for WordPress is /wp-login/, which is known to everyone, so attackers can try guessing attacks against that URL; the best way is to change the login URL. The plugin "Stealth Login" will help you do so: http://wordpress.org/extend/plugins/stealth-login/ This plugin allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. Instead of advertising your login URL on your homepage, you can create a URL of your choice that can be easier to remember than wp-login.php.
10. Use a robots.txt file. Use robots.txt to restrict bot access to private paths like admin pages. People can use Google search tricks to find a way into your site, so why allow Google to crawl your private pages? Use: Disallow: /wp-admin/ Disallow: /wp-include/ Disallow: /wp-content/plugins Disallow: /wp-content/themes This will restrict all search engine bots from indexing those folders (note that robots.txt only instructs well-behaved crawlers; it is not an access control).
13. THANK YOU. Chetan Gole. Web: chetangole.com | Twitter: @chetan_gole | E-Mail: chetangole@gmail.com References used: Wikipedia: http://www.wikipedia.org/ WordPress Codex: http://codex.wordpress.org WordPress plugin repository: http://wordpress.org/extend/plugins/ and many other blogs including but not limited to QuickOnlineTools.com, WebToolsCollection.com, alexking.org, etc.