There are a few simple things you can do to make your WordPress install more secure, and a few that are pretty much hardcore. The first and foremost one, however, is to keep WordPress up to date. Each new version fixes security holes and bugs that can make your install vulnerable, and not updating regularly means you won’t get those fixes. This brings us to the first tip. WordPress prints a "generator" tag carrying its version number into the head of every page. In older themes it sat as a literal meta tag in header.php; current versions print it from the wp_generator function, which core hooks to wp_head. Check your theme’s header.php and take the meta tag out if it is there, and add the following line to your theme’s functions.php so the hook no longer fires:
<?php remove_action('wp_head', 'wp_generator'); ?>
What the tag does is announce what version of WordPress you’re using, and while that may be a nice thing for bots and spiders gathering statistics, it’s not worth the additional risk it brings. After all, if a certain version is known to have an open security hole, and people are scanning for installs of that version to exploit, why make it easier on them and tell them outright? Bear in mind that this only removes the easiest clue: the readme.html file in the site root states the version too, and an attacker can still fingerprint it from the files WordPress serves, so hiding the tag is no substitute for updating.
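The version leaks in more places than the head tag: feeds carry their own generator element, and core appends ?ver=&lt;version&gt; to the scripts and styles it loads. The following must-use plugin, an added example and not code from the article, covers all three. Everything in it uses standard WordPress hooks; the file name is an assumption.

```php
<?php
/*
Plugin Name: Hide WordPress version (added example)
Description: Keep the core version out of the HTML head, the feeds and asset URLs.
*/
// Save as wp-content/mu-plugins/hide-wp-version.php (file name is an assumption;
// any file in mu-plugins/ loads automatically, no activation needed).

// 1. The <meta name="generator" content="WordPress x.y"> tag in the page head
//    is printed by wp_generator(), which core hooks to wp_head. Unhook it.
remove_action('wp_head', 'wp_generator');

// 2. RSS and Atom feeds carry their own <generator> element, produced through
//    the the_generator filter. Return an empty string so nothing is emitted.
add_filter('the_generator', function ($generator, $type) {
    return '';
}, 10, 2);

// 3. Core appends ?ver=<WordPress version> to its own scripts and stylesheets
//    when no explicit version was registered. Strip that parameter only when it
//    equals the core version, so plugins and themes keep their own cache-busting
//    version strings.
function hwv_strip_core_version($src) {
    global $wp_version;
    $query = parse_url($src, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return $src;
    }
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === $wp_version) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'hwv_strip_core_version');
add_filter('style_loader_src', 'hwv_strip_core_version');
```

To check the result, view the source of the front page and a feed URL and search for "generator" and "ver=": neither should show the core version any more. Delete readme.html from the site root as well, since it states the version in plain text.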
You should also make sure that your wp-config.php file has the Secret Keys. WordPress uses them to sign the cookies that keep you logged in, so an attacker who manages to read your database but not wp-config.php still can’t forge a login. If you have an old version of WordPress and haven’t bothered with the wp-config.php file in a while, you should at the very least add the four Secret Key lines to your file. You can get them from here: api.wordpress.org/secret-key/1.1/ (newer versions expect four matching salt lines as well; the same service generates all eight at api.wordpress.org/secret-key/1.1/salt/). You’ll remember the Secret Keys from the installation instructions earlier in this article: just add them in the same way as you do when doing a brand-new install.
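If the server cannot reach api.wordpress.org, the same lines can be produced locally. The script below is an added example, not from the article; it assumes PHP 7 or later for random_int() and uses the character set that WordPress’s own wp_generate_password(64, true, true) produces.

```php
<?php
// Added example (not the article's code): produce the key and salt lines for
// wp-config.php locally, for hosts that cannot reach api.wordpress.org.
// Assumes PHP 7 or later for random_int(), which is backed by a CSPRNG.

// Character set produced by WordPress's wp_generate_password(64, true, true):
// letters, digits and punctuation, but no quote or backslash, so every value is
// safe inside a single-quoted PHP string without escaping.
const KEY_CHARS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
                . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';

function wp_secret_key($length = 64) {
    $max = strlen(KEY_CHARS) - 1;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= KEY_CHARS[random_int(0, $max)];
    }
    return $key;
}

// The four keys the article talks about, plus the four salts later versions added.
$names = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);
foreach ($names as $name) {
    printf("define('%s', '%s');\n", $name, wp_secret_key());
}
```

Run it with `php` on the command line and paste the output over the existing define lines in wp-config.php. Changing the keys invalidates every login cookie, so all users have to sign in again; that is a nuisance on a healthy site and exactly what you want after a suspected compromise.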
The first thing I do after having installed WordPress is to create a new user with administrator privileges, log in with that user, and delete the default “admin” one. Why? Because everyone knows that a fresh install has a user named admin with full capabilities. So if you wanted to hack your way into a WordPress install, you’d start by brute forcing that login: the username is already known, and only the password has to be guessed. Once you’re in via this method, you can do anything you want. So it’s worth getting rid of the admin user, after you have logged in for the first time and created a proper account, because it has fulfilled its purpose. When you delete it, WordPress asks what to do with its posts; attribute them to your new account rather than deleting them.
That being said, deleting the admin user won’t guarantee that hackers won’t find another user to build their attempts on. If you have author archives on your weblog, those will give you away: the archive URL is built from the user’s slug, which by default is the login name, and a request for ?author=1 is redirected to the archive of whichever user has that ID, so walking the IDs lists your accounts. One solution would be to not display these, nor any links to an author page (other than ones you’ve created outside of WordPress’s own functionality), but what do you do if you feel you need them?
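One way to keep the archives while stopping the ID walk, as an added example rather than the article’s own advice: a must-use plugin that answers ?author=N requests with a redirect home before the canonical redirect can reveal the slug. The second hook goes beyond the 2010 article and covers the REST user listing that later versions added; the file location is an assumption.

```php
<?php
/*
Plugin Name: Limit author enumeration (added example)
*/
// Save under wp-content/mu-plugins/ (path is an assumption).

// A request for /?author=1 is normally turned by redirect_canonical(), which runs
// on template_redirect at priority 10, into a redirect to /author/<nicename>/.
// Walking N = 1, 2, 3 ... therefore lists every account. Send those requests to
// the front page instead, at priority 1, before the canonical redirect runs.
add_action('template_redirect', function () {
    if (isset($_GET['author']) && preg_match('/^\d+$/', (string) $_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);

// Beyond the article: since WordPress 4.7 the REST API also lists users at
// /wp-json/wp/v2/users. Remove that route for anonymous visitors only; logged-in
// users keep it because the editing screens rely on it.
add_filter('rest_endpoints', function ($endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});
```

This hides the lookup by ID, not the slug itself: anywhere a post links to its author, the archive URL still shows the user’s slug, so give accounts a slug and display name that differ from the login.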
The solution is to keep account privileges to a minimum. There is no need to write or edit posts and pages from an administrator account; the Editor role is more than enough for that. Granted, should an Editor account be hacked then it will still be bad for your site, because an Editor can publish, change and delete any post or page (and on a single-site install can post raw HTML, so a hijacked Editor can inject scripts into your pages), but an Editor cannot install plugins or themes, change settings or create users, and that keeps the worst things at bay. And besides, you keep backups, right? Besides questioning the types of accounts you and your fellow users have, passwords are another obvious security risk.
You’ve probably been told to use a strong password: make it long, and mix letters, numbers and special characters. Do that, and don’t reuse it on other sites: the longer and less predictable the password is, the harder it will be to crack.
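The account changes from the last few paragraphs can be done in one go. The script below is an added example, not the article’s code: it creates a new administrator with a non-obvious login, an Editor for day-to-day writing, hands the old admin’s posts to the Editor and deletes admin, with both accounts given a slug and display name that differ from the login and passwords generated by WordPress’s own wp_generate_password(). Logins, slugs, display names and the script name are placeholders.

```php
<?php
// Added example (not the article's code): retire the default "admin" account.
// Run once from the WordPress root on a single-site install
// (`php retire-admin.php`), then delete the script. Names are placeholders.
require_once __DIR__ . '/wp-load.php';                // bootstrap WordPress
require_once ABSPATH . 'wp-admin/includes/user.php';  // provides wp_delete_user()

function create_account($login, $nicename, $display, $role) {
    // 24 characters including punctuation; shown once, keep it in a password manager.
    $password = wp_generate_password(24, true, true);
    $id = wp_insert_user(array(
        'user_login'    => $login,
        'user_nicename' => $nicename,  // author-archive slug: different from the login
        'display_name'  => $display,   // shown on posts: also not the login
        'user_pass'     => $password,  // wp_insert_user() hashes it
        'role'          => $role,
    ));
    if (is_wp_error($id)) {
        fwrite(STDERR, "Could not create $login: " . $id->get_error_message() . "\n");
        exit(1);
    }
    echo "Created $login ($role), password: $password\n";
    return $id;
}

$new_admin = create_account('ops-7kq2', 'site-ops', 'Site Ops', 'administrator');
$writer    = create_account('bh-writes', 'staff',   'Benjamin', 'editor');

// Reassign before deleting: wp_delete_user() with no reassign ID would delete
// admin's posts along with the account.
$old = get_user_by('login', 'admin');
if ($old === false) {
    echo "No 'admin' account found; nothing to delete.\n";
} else {
    wp_delete_user($old->ID, $writer);
    echo "Deleted 'admin' (ID {$old->ID}); its posts now belong to user {$writer}.\n";
}
```

To follow the article literally, run the two create_account() calls first, confirm you can log in as the new administrator, and only then run the deletion part. On a multisite network wp_delete_user() only removes the user from the current site, so handle that case through the network admin instead.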
This article was sent to us by: Benjamin Huffrey at 05152010
© 2010 WebWorldarticles.com - All Rights Reserved.