wordpress tip: secure your wordpress blogs

[fris]

Hackers are people too.

Unfortunately, they're the wrong type of people; the ones who'll look for
ways to break a site and suck all your hard work into oblivion, all
because their imaginary girlfriend dumped them for a PlayStation 3 while
they were busy zapping goblins with their level 32 Warlock.

If you're using the latest version of WordPress, you're already more
secure than many, but there are still ways to be safer.

Use these 5 tips to keep your self-hosted WordPress site safe. Note: most
of these tips apply to general web development too.

1. Protect your plugin directory

Showing which plugins you have installed can expose an exploit in an
outdated plugin, and is an easy target for hackers to gain access to your
site or even worse your server.

Solution:

Create an index.html file and upload it to your /wp-content/plugins/
directory.

2. Don't expose your wordpress version

Its best to remove your wordpress version string from your theme.

If you let people know what version you are running, you can be an easy
target if you are running an older version of wordpress.

Solution:

Look for and remove this line from your themes header.php file.

Code:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

3. Protect your wordpress files from search engines.

Its best if you don't have any of your core wordpress files indexed by
search engines.

Solution: add the following to your robots.txt

Code:

Disallow: /wp-*

4. Protect your wordpress admin folder.

Limiting you wordpress admin by ip address will give anyone but you or
any staff members access to your admin.

If any unauthorized people try and access your admin will be sent a
forbidden 403 error.

solution: add a .htaccess to your /wp-admin directory (not your root)

Code:

order deny,allow
deny from all
allow from 216.17.172.11 (by ip address)
allow from .fris.sprint.ca (by domain)

5. Permissions, Permissions, Permissions.

Using the correct permissions on your wordpress install is a must,
especially if you are on a shared server.

All your folder permissions should be set to 755, and files should be set
to 644.

Alternatively if you want to edit your theme in the wordpress editor, use
666.

Never use 777 for wordpress permissions, if you do, you're letting all
users on the server do what they want with the site.

On a shared or badly configured server this can mean chaos.

---

On another note I found this password manager that is free and I use it
daily. It has been mentioned on NBC, and PC Magazine.

They have a desktop version and a web version

http://www.passpack.com/en/home/



Sorry if it was long, but its important.

[Libertine]

Great post!

[StaceyJo]

Very nice post. Thanks. I bookmark this.

[Nicky]

Good stuff as always Fris

[tranza]

Great tip man!

[CIVMatt]

Thanks Fris, good info

[LiveDose]

Bump for good info.

[alias]

ninja tips

[Sosa]

good stuff fris

[AtlantisCash]

Quote:

Originally Posted by fris

Hackers are people too.

Unfortunately, they're the wrong type of people; the ones who'll look for
ways to break a site and suck all your hard work into oblivion, all
because their imaginary girlfriend dumped them for a PlayStation 3 while
they were busy zapping goblins with their level 32 Warlock.

If you're using the latest version of WordPress, you're already more
secure than many, but there are still ways to be safer.

Use these 5 tips to keep your self-hosted WordPress site safe. Note: most
of these tips apply to general web development too.

1. Protect your plugin directory

Showing which plugins you have installed can expose an exploit in an
outdated plugin, and is an easy target for hackers to gain access to your
site or even worse your server.

Solution:

Create an index.html file and upload it to your /wp-content/plugins/
directory.

2. Don't expose your wordpress version

Its best to remove your wordpress version string from your theme.

If you let people know what version you are running, you can be an easy
target if you are running an older version of wordpress.

Solution:

Look for and remove this line from your themes header.php file.

Code:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

3. Protect your wordpress files from search engines.

Its best if you don't have any of your core wordpress files indexed by
search engines.

Solution: add the following to your robots.txt

Code:

Disallow: /wp-*

4. Protect your wordpress admin folder.

Limiting you wordpress admin by ip address will give anyone but you or
any staff members access to your admin.

If any unauthorized people try and access your admin will be sent a
forbidden 403 error.

solution: add a .htaccess to your /wp-admin directory (not your root)

Code:

order deny,allow
deny from all
allow from 216.17.172.11 (by ip address)
allow from .fris.sprint.ca (by domain)

5. Permissions, Permissions, Permissions.

Using the correct permissions on your wordpress install is a must,
especially if you are on a shared server.

All your folder permissions should be set to 755, and files should be set
to 644.

Alternatively if you want to edit your theme in the wordpress editor, use
666.

Never use 777 for wordpress permissions, if you do, you're letting all
users on the server do what they want with the site.

On a shared or badly configured server this can mean chaos.

---

On another note I found this password manager that is free and I use it
daily. It has been mentioned on NBC, and PC Magazine.

They have a desktop version and a web version

http://www.passpack.com/en/home/



Sorry if it was long, but its important.

fris!,

Since afew days i was thinkin to contact You for something,

May i get Your icq?

[fris]

icq: 704-299

[Ethersync]

Great advice. I wish I could set this to auto-subscribe to all threads you start

[qxm]

u deserve rep for this ...lol ... good post m8

[Sarah_Jayne]

a nice one once again

[Axel XXX]

Great post

[kmanrox]

hey frissy, stop plagiarizing and start posting reference links to the places you're scraping content from


http://wordprezzie.com/wordpress-security-tips/

[dav3]

thank you wordpress ninja!

[TyroneGoldberg]

good tips and will use...

thanks

[DutchTeenCash]

great post thanks

[fris]

Quote:

Originally Posted by kmanrox

hey frissy, stop plagiarizing and start posting reference links to the places you're scraping content from


http://wordprezzie.com/wordpress-security-tips/

I never said i wrote it, im just gathering informaiton for people to use.

but thanks for pointing out that I should have linked that article.

[seeric]

thanks man.

didn't have the dissallow wp- part

now i do.

good lookin out.

[kush]

Great tips to implement!

[Itchy]

I know im changeing things up on my blogs thans for the great tips

[Altheon]

I'd go with RoboForm in lieu of PassPack. With Roboform you keep the passwords on your local machine. I think people are way too trusting of these web apps.

[HomerSimpson]

finally a useful post!

[Supz]

This is an awesome post.

[wizzart]

very good tips

[JTCash]

That is useful! Thank you!

[Toni_N]

great tips

[TyroneGoldberg]

bump as i found out i fucked up on a certain part....

[Nookster]

Good post for those whom do not know.

[gimme-website]

Important yet so simple. Thank you for excellent tips!

[V_RocKs]

Where you reading my source code again?

[Altheon]

Just a warning!!!

If you use .htaccess to restrict access to the WordPress directory and you are running Super Cache or one of the other cache plugins your site will be messed up. So you may want to skip that step.