01-12-2009, 07:52 AM
AtlantisCash
Confirmed User
 
Join Date: Dec 2005
Location: Istanbul - Turkiye
Posts: 3,169
Quote:
Originally Posted by fris
Hackers are people too.

Unfortunately, they're the wrong type of people; the ones who'll look for
ways to break a site and suck all your hard work into oblivion, all
because their imaginary girlfriend dumped them for a PlayStation 3 while
they were busy zapping goblins with their level 32 Warlock.

If you're using the latest version of WordPress, you're already more
secure than many, but there are still ways to be safer.

Use these 5 tips to keep your self-hosted WordPress site safe. Note: most
of these tips apply to general web development too.

1. Protect your plugin directory

Showing which plugins you have installed can expose an exploit in an
outdated plugin, and is an easy target for hackers to gain access to your
site or, even worse, your server.

Solution:

Create an index.html file and upload it to your /wp-content/plugins/
directory.

2. Don't expose your WordPress version

It's best to remove your WordPress version string from your theme.

If you let people know what version you are running, you can be an easy
target if you are running an older version of WordPress.

Solution:

Look for and remove this line from your theme's header.php file.

Code:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

3. Protect your WordPress files from search engines.

It's best if you don't have any of your core WordPress files indexed by
search engines.

Solution: add the following to your robots.txt

Code:
User-agent: *
Disallow: /wp-*

4. Protect your WordPress admin folder.

Limiting your WordPress admin by IP address will give anyone but you or
any staff members access to your admin.

If any unauthorized people try to access your admin, they will be sent a
403 Forbidden error.

Solution: add a .htaccess to your /wp-admin directory (not your root)

Code:
order deny,allow
deny from all
# by IP address
allow from 216.17.172.11
# by domain
allow from .fris.sprint.ca

5. Permissions, Permissions, Permissions.

Using the correct permissions on your wordpress install is a must,
especially if you are on a shared server.

All your folder permissions should be set to 755, and files should be set
to 644.

Alternatively, if you want to edit your theme in the WordPress editor, use
666.

Never use 777 for WordPress permissions; if you do, you're letting all
users on the server do what they want with the site.

On a shared or badly configured server this can mean chaos.

---

On another note, I found this password manager that is free and I use it
daily. It has been mentioned on NBC and in PC Magazine.

They have a desktop version and a web version:

http://www.passpack.com/en/home/


Sorry if it was long, but it's important.

fris,

For a few days I have been thinking of contacting you about something.

May I get your ICQ?
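As an added example (not part of fris's post, and not code from WordPress or any plugin), the following POSIX shell script checks a WordPress document root against the five tips quoted above: an index file in the plugin directory, no generator meta tag in the theme, a robots.txt Disallow for wp- paths, a deny-by-default .htaccess in wp-admin, and no world-writable paths. It also builds a constructed sample tree that breaks all five rules, so the before/after counts can be seen offline. The directory layout, the sample files and the allow-listed address 203.0.113.10 (a documentation-range placeholder for your own address) are assumptions.

```shell
#!/bin/sh
# Audit a WordPress document root against the five tips in the quoted post.
# wp_audit prints each finding to stderr and echoes the number of findings
# on stdout, so a caller can capture the count with $(wp_audit DIR).

wp_audit() {
    root=$1
    findings=0

    # Tip 1: an index file in wp-content/plugins masks directory listings.
    if [ ! -f "$root/wp-content/plugins/index.html" ] &&
       [ ! -f "$root/wp-content/plugins/index.php" ]; then
        echo "[1] no index file in wp-content/plugins" >&2
        findings=$((findings + 1))
    fi

    # Tip 2: the generator meta tag in a theme leaks the WordPress version.
    if grep -rqs 'name="generator"' "$root/wp-content/themes"; then
        echo "[2] generator meta tag present in a theme file" >&2
        findings=$((findings + 1))
    fi

    # Tip 3: robots.txt should keep crawlers out of wp-* paths.
    if ! grep -qs '^Disallow: /wp-' "$root/robots.txt"; then
        echo "[3] robots.txt does not disallow /wp- paths" >&2
        findings=$((findings + 1))
    fi

    # Tip 4: wp-admin needs an .htaccess that denies by default.
    if ! grep -qsi '^deny from all' "$root/wp-admin/.htaccess"; then
        echo "[4] wp-admin/.htaccess missing or lacks 'deny from all'" >&2
        findings=$((findings + 1))
    fi

    # Tip 5: nothing under the install should be world-writable (777, 666).
    ww=$(find "$root" -perm -002 | wc -l | tr -d ' ')
    if [ "$ww" -gt 0 ]; then
        echo "[5] $ww world-writable path(s) under $root" >&2
        findings=$((findings + 1))
    fi

    echo "$findings"
}

# Constructed sample site that violates all five tips (demo/test data only).
make_sample_site() {
    root=$1
    mkdir -p "$root/wp-content/plugins/some-plugin" \
             "$root/wp-content/themes/default" "$root/wp-admin"
    cat > "$root/wp-content/themes/default/header.php" <<'EOF'
<head>
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
</head>
EOF
    printf 'User-agent: *\n' > "$root/robots.txt"   # no Disallow at all
    touch "$root/wp-config.php"
    chmod 777 "$root/wp-content/plugins"            # the tip-5 mistake
}

# Apply the five fixes from the post to the sample tree.
harden_sample_site() {
    root=$1
    : > "$root/wp-content/plugins/index.html"                     # tip 1
    f=$root/wp-content/themes/default/header.php                  # tip 2
    grep -v 'name="generator"' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    printf 'User-agent: *\nDisallow: /wp-\n' > "$root/robots.txt" # tip 3
    # tip 4: 203.0.113.10 is a placeholder; use your own address here
    printf 'order deny,allow\ndeny from all\nallow from 203.0.113.10\n' \
        > "$root/wp-admin/.htaccess"
    find "$root" -type d -exec chmod 755 {} +                     # tip 5
    find "$root" -type f -exec chmod 644 {} +
}

# Stand-alone use: audit the directory given as $1, or run the demo.
if [ "$#" -gt 0 ]; then
    wp_audit "$1"
else
    demo_root=$(mktemp -d)
    make_sample_site "$demo_root"
    echo "before hardening: $(wp_audit "$demo_root") finding(s)"
    harden_sample_site "$demo_root"
    echo "after hardening: $(wp_audit "$demo_root") finding(s)"
    rm -rf "$demo_root"
fi
```

Two caveats worth keeping in mind when reading the results: robots.txt is advisory and only keeps well-behaved crawlers away, and `Disallow` matches by path prefix, so `/wp-` already covers `/wp-admin`, `/wp-content` and `/wp-includes` without a trailing `*`. The `order`/`deny`/`allow` directives in the post are Apache 2.2 syntax; on Apache 2.4 they only work while mod_access_compat is loaded, otherwise the equivalent is `Require ip` with the same addresses.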