Security should be one of the chief concerns of anyone running a web application that is always online. Whether or not your blog holds personal data is immaterial: a compromised site is a jumping-off point for many other kinds of malicious activity, and very few attackers pass up a free lunch no matter how insignificant you think your blog is. An easy target is an easy target, and obscurity is no protection against intrusion. Proactive security is the only thing that will keep your content safe. This matters even more if you use WordPress commercially, since a hacked site that spews spam or other hostile traffic will be delisted by the major search engines and may land on spam blacklists. Here are a few tips for getting started, and some plugins that ease the burden a little.
1. Keep your version of WordPress current. Whenever you see the notification that a new version of WordPress is available, it is in your best interest to download and install it. Keeping your software current is the minimum requirement for security: unlike most other things in life, software does not age gracefully, and the fixes in each release are public, so anyone can see what an older version is still vulnerable to. WordPress Instant Upgrade can help with this if you have not made large numbers of modifications to the original files (back up first, since an upgrade overwrites the core files). You can find out which version you are running by looking near the bottom of your admin page; the bottom line should say something like Version 2.x.x. If it says something like Version 1.x, take action immediately.
2. Make backups. Do this manually, with an FTP client for the files and phpMyAdmin's export for the database tables, or with an automated solution such as the WP-DB-Backup plugin. Back up weekly if you can, and keep a copy on your own computer. WP-DB-Backup can schedule the backups and let you download them, and can also deliver them to an email address; note that, as its name says, it handles only the database, so themes, plugins and uploaded files still need to be copied by FTP. Offsite is always best, but a copy on your home or work computer is far better than no backup at all. You could set up a Gmail address specifically for this plugin; capacity should not be a problem given the large quotas Gmail provides. Bear in mind that the dump holds your user table, password hashes included, so treat the mailbox and the local copy as sensitive.
3. Work with robots.txt and .htaccess to limit access. Familiarity with the Robots Exclusion Standard is a worthwhile investment in any case, as it lets you specify which areas of your web server robots may index. It is never a bad idea to include a directive like the one below:
in your robots.txt to keep search engines from indexing WordPress's own files. Having your admin and login pages turn up in search results serves no useful purpose and hands them to anyone searching for targets. Remember that a robots.txt entry is advice, not access control: the file is publicly readable, well-behaved crawlers honour it, but it stops nobody from fetching the paths it lists.
.htaccess (note the leading period, which makes it a hidden file on Linux/Unix) is a more direct tool, since robots.txt only works as well as a crawler's respect for the Robots Exclusion Standard, which the larger search engines observe but not every crawler does. It uses access controls built into the Apache web server to govern what can be fetched from a web directory. The most effective use of .htaccess for WordPress (credit for this tip is due to Wincent) is to place a FilesMatch statement in the .htaccess file at the top level of your WordPress install, which makes wp-config.php, the file holding your database username and password, unreadable over HTTP. Apache should normally hand that file to PHP rather than serve it, but a broken PHP handler, a misconfiguration, or a stray editor backup such as wp-config.php~ can expose it as plain text, so this is an extra layer between you and would-be attackers.
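The FilesMatch rule itself is not quoted in this post, so here is an added example, written for this page rather than taken from Wincent, of what goes in the .htaccess at the top of the WordPress install. The file location is an assumption (the directory holding wp-config.php, wp-admin/ and wp-content/), and the rule only takes effect if the server's AllowOverride setting permits these directives in .htaccess at all, which is something you cannot change from .htaccess itself.

```apache
# .htaccess in the WordPress document root (location assumed: the directory
# that holds wp-config.php, wp-admin/ and wp-content/).
# Added example for this page, not Wincent's original rule.

# Refuse HTTP access to wp-config.php and to any stray copy of it that an
# editor or a hurried admin left behind (wp-config.php~, wp-config.php.bak,
# wp-config.php.orig ...). The anchored regex matches all of them.
<FilesMatch "^wp-config\.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

To check that it is active, request /wp-config.php on your site with a browser: you should now get a 403 Forbidden rather than whatever PHP produces when it executes the file (normally a blank page). A 500 Internal Server Error instead means the server does not allow these directives in .htaccess, and the rule belongs in the main Apache configuration.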
4. Login Lockdown is a plugin that limits the effectiveness of brute-force password attacks against the WordPress login script. It tracks IP addresses and refuses further attempts from an address after a set number of failed logins; the lock stays in place for the length of time you specify. This is by no means bulletproof: an attacker with many addresses simply spreads the attempts out, a patient one stays under the threshold, and a lock on a shared address can shut out legitimate users behind the same NAT. It does, however, discourage those trying to bludgeon their way in by making them wait long periods between attempts.
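To make concrete what a lockout plugin has to get right, here is an added example, not the Login Lockdown plugin's own code, of the same logic in Python, replayed over a constructed sequence of login attempts. The thresholds (5 failures within 5 minutes, then a 1 hour lock) and the sample addresses are assumptions; the plugin's real limits are whatever you configure in its settings.

```python
"""Lockout logic of the kind Login Lockdown implements, written as an added
example (not the plugin's own code) and replayed over constructed login
attempts. Thresholds and the sample addresses are assumptions."""
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures allowed from one address ...
WINDOW_SECONDS = 300    # ... within this many seconds before it is locked
LOCKOUT_SECONDS = 3600  # how long the lock lasts


def client_ip(remote_addr, x_forwarded_for=None, trusted_proxies=()):
    """Choose the address to key the lockout on.

    Only honour X-Forwarded-For when the direct peer is a proxy you control;
    otherwise an attacker puts a fresh value in the header on every request
    and is never locked out. With one trusted proxy, the last entry is the
    address that actually connected to that proxy."""
    if x_forwarded_for and remote_addr in trusted_proxies:
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


class LoginLockdown:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # lock expired: forget the history
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, password_ok, now):
        """Called for every login request. Returns one of
        'locked'     - refused before the password is even checked,
        'ok'         - correct password, failure history cleared,
        'failed'     - wrong password, still under the threshold,
        'locked_now' - this failure tripped the threshold."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop stale failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked_now"
        return "failed"


# Constructed sample: (seconds since start, client address, password correct?)
ATTEMPTS = [
    (0,    "203.0.113.5", False),
    (10,   "203.0.113.5", False),
    (20,   "203.0.113.5", False),
    (30,   "203.0.113.5", False),
    (40,   "203.0.113.5", False),   # fifth failure inside the window: locked
    (50,   "203.0.113.5", True),    # right password, still refused while locked
    (60,   "198.51.100.9", False),  # another address is unaffected
    (3700, "203.0.113.5", True),    # lock expired (40 + 3600), login succeeds
]


def replay(attempts, **limits):
    """Run a sequence of attempts through a fresh lockout tracker."""
    lockdown = LoginLockdown(**limits)
    return [lockdown.attempt(ip, ok, t) for t, ip, ok in attempts]


if __name__ == "__main__":
    for (t, ip, ok), verdict in zip(ATTEMPTS, replay(ATTEMPTS)):
        print(f"t={t:5d} {ip:14s} password_ok={ok!s:5s} -> {verdict}")
```

Two details matter more than the thresholds. The lock is checked before the password is verified, so a correct guess during the lock is still refused; otherwise the attacker would keep guessing and simply walk in on the hit. And the address is taken from the TCP peer, not from a client-supplied header, unless the peer is a proxy you run; a plugin that trusts X-Forwarded-For blindly can be bypassed by changing the header on every request. The slow-attacker case in the replay (one guess every 100 seconds never trips a 5-in-300-seconds rule) shows why this slows attacks down rather than stopping them.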
5. Change your password frequently. This is common sense more than anything else, but rotate your passwords periodically and use strong ones to begin with: long, not reused on other sites, and not containing any part of your domain name or username. Do not forget to replace the admin password that WordPress generated when it was first installed, and change every password immediately if you suspect the site has been compromised.