WordPress blog security top tips – Some things you MUST do!
WordPress is an excellent blogging platform, but as it is so popular it's also a constant target for those wanting to find and exploit its vulnerabilities. You should note that as with other web platforms, keeping WordPress secure is a constant job of updating and keeping up with the latest news and exploits.
Below are some key security tips, if you are installing a WordPress blog, or you want to make your existing blog more secure. This is a live article, and I will be adding more as I go along, or those suggested to me that make sense.
Make sure you back everything up before you start, and please read this article through to ensure you feel comfortable with the technical level required. Like any server and installation changes, it will require some problem-solving and technical common-sense along the way, as no two systems are alike (and no two geeks are alike either). Any changes you make are at your own risk.
Top WordPress security tips:
1. When you install WordPress, it might be a good idea not to use the default directory that WordPress installs in (root/wordpress/), and instead either use the root directory or a directory with a different name. This means that automated scripts looking for the WP directory will not identify it on your site. There are, of course, other ways to identify a WP installation, but anything that makes your installation different to the standard steps a bot will follow to crack it is a good start.
Instructions on how to move the WP installation directory can be found here.
Note: there is also another (non security) reason to install WP in a root directory - it is more likely to rate higher on search engines if it is in the root. Depending on the popularity of your site this might be crucial.
Another note: if you are already running WP, you can simply move your directory, using the same instructions in the link above.
2. Make sure your WordPress installation is the latest version, and upgrade whenever a new version is released. These releases often fix security bugs and issues, and the longer you are behind the latest upgrade, the more likely you are to be exposed to attacks based on old vulnerabilities that you haven't patched yet.
3. Install the WordPress Security Scan plug-in. This is an excellent way to track some of the more common security risks on your installation. However, if your server does have some robust access settings, the plug-in will not have access to do things like changing database table names, so I've detailed some of the manual steps below. Make sure you use the plug-in's scanner function to ensure your folders have the correct security permissions.
4. Change the database table prefix of your WP installation from "WP_" (the default) to something else that's hard to guess (e.g. something like this: "gh786Hg_"). If an attacker knows the database structure and table names, it makes attacking it easier. Instructions on how to make this change can be found here. You may also be able to achieve this through the WP Security scanner (see 3. above) but some environments will not allow it, and you'll have to make the changes manually. If you aren't familiar with SQL, be careful and make sure you back up your database and know how to restore it if it all goes wrong.
5. Make sure you remove the user "admin" and replace it with a name that is less easy to guess. Leaving it there opens you up to a dictionary attack, whereby the hacker tries to crack your password using a script that tries lots of different passwords. If successful, they will gain full control of your blog.
6. Install the "Login-Lockdown" plug-in. This will also stop dictionary attacks in general, by limiting the number of failed logins allowed into your blog.
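To show what a login-lockdown plug-in actually does under the hood, here is a minimal throttle written as an added example (this is not the Login-Lockdown plug-in's own code). It assumes WordPress' wp_login_failed, authenticate and wp_login hooks and the transient API; the failure limit and window are my own choices.

```php
<?php
/*
Plugin Name: Demo login throttle (added example)
*/
// Added example, not the Login-Lockdown plug-in's code. Uses WordPress'
// wp_login_failed / authenticate / wp_login hooks and the transient API.
// The limits below are assumptions; tune them to your site.
define( 'DEMO_LOCK_MAX_FAILURES', 5 );   // failures allowed per window
define( 'DEMO_LOCK_WINDOW_SECS', 900 );  // 15-minute window, then the count expires

// One counter per client address. Assumes a direct connection; behind a
// reverse proxy you would read the forwarded-client header your proxy sets.
function demo_lock_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'demo_login_fail_' . md5( $ip );
}

// Every failed login bumps the counter; the transient expiry resets it.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = demo_lock_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, DEMO_LOCK_WINDOW_SECS );
} );

// Runs after WordPress' own password check (which hooks at priority 20).
// Returning a WP_Error makes the login fail whether or not the password was
// right, so a dictionary attack gets at most DEMO_LOCK_MAX_FAILURES guesses
// per window from one address.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( demo_lock_key() ) >= DEMO_LOCK_MAX_FAILURES ) {
        return new WP_Error(
            'demo_too_many_attempts',
            'Too many failed logins from your address; try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( demo_lock_key() );
} );
```

Drop the file into wp-content/mu-plugins/ to load it without activation; because a rejected attempt also fires wp_login_failed, the lock keeps extending for as long as the guessing continues.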
7. Hide your WordPress version. Again, the aim is to reveal as little as possible to the potential attacker. This can be achieved through the Secure WordPress plug-in.
8. Hide your plug-in directory to stop hackers from accessing it and seeing its content. To be honest, if your server is set up well, this should not be a problem, but just in case: Create an empty file called index.htm, and place it in the wp-content/plugins directory. Or, if you can access your .htaccess file in your root directory, then even better: add the following lines to it:
# Prevents directory listing
Options -Indexes
9. Make sure you have an .htaccess file in your wp-admin directory. This protects your key WP admin files. The file should contain the following:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
10. Now we need to have a word about Plug-ins - you have to be aware that plugins are inherently a security risk; even some of the more popular ones. They are created by (usually) great coders, but some coders are less great, and miss the obvious flaws in their plug-in. In a recent WordPress installation, I discovered two popular plugins that were wide open to hijack through SQL injections. There is no easy way to avert this, but take the following precautions:
- Ensure you follow good security precautions on everything else. Ensure your servers, databases and PHP installations are set to be as secure as possible.
- If you don't know how to do the above, and are running a corporate site with much credibility at stake, get professionals to do it for you.
- Update plugins regularly to the newest version - to ensure any flaws the owner discovered and fixed are also fixed on your installation.
- If you have the knowledge, give your plugins a once-over or scan them for injection risk using scanning software.
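For the once-over, this is the pattern to look for and the fix to expect. It is an added example, not code from the original post or from any named plug-in; it assumes WordPress' global $wpdb object, and the function names are hypothetical.

```php
<?php
// Added example, not code from the original post or from any named plug-in.
// Assumes WordPress' global $wpdb object; the function names are hypothetical.

// VULNERABLE: the request value is spliced straight into the SQL text, so a
// value containing a quote character changes the query itself rather than
// being treated as data. This is the kind of flaw tip 10 warns about.
function demo_lookup_post_unsafe( $slug ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = '$slug' LIMIT 1";
    return $wpdb->get_row( $sql );
}

// HARDENED: $wpdb->prepare() escapes the value and keeps it separate from the
// SQL structure (%s for strings, %d for integers). {$wpdb->posts} also follows
// whatever table prefix you set (tip 4), so the prefix is never hard-coded.
function demo_lookup_post_safe( $slug ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = %s LIMIT 1",
        $slug
    );
    return $wpdb->get_row( $sql );
}

// For numeric keys, coerce first with absint() and bind with %d.
function demo_lookup_post_by_id( $id ) {
    global $wpdb;
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d LIMIT 1",
        absint( $id )
    ) );
}

// Review check: search a plug-in's sources for $wpdb->query(), get_results(),
// get_row(), get_var() and get_col() calls whose SQL string contains a PHP
// variable or $_GET / $_POST value but no prepare() call; each one needs a look.
```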
11. I mentioned the need for the environment (servers, databases, PHP etc.) to be as secure as you can make it. If you don't control these variables (for example because your hosting company does), check their security credentials and find out if they have a good record for security. There's no point in having a great secure WordPress installation running, if the server it is hosted on is vulnerable. And while we're on the subject, if you have access to your PHP settings, and you're not a PHP guru, you might want to run your PHP installation on "safe mode" and also set "register globals" to "off", and expose_php to "Off".
12. And finally, trivial but true: make sure your admin password is a good one. I know it sounds silly, but use a long un-guessable, non-dictionary password, that combines upper/lower case letters, numbers and symbols. No really.
Happy (and safe) blogging!
How to Embed JavaScript into WordPress Posts (The Easy Way)
I've been embedding JavaScript into my WordPress posts the hard way for ages. It means creating a separate file to define a function (that is the JS script) and then calling it into the post itself, as explained by the WordPress guys here.
Then, today, I discovered that there is actually a very easy way to integrate JavaScript into WP posts: using Andrew's JavaScript in WordPress Posts Plugin.
You download the plugin, install and activate it the usual way - and... That's it. JavaScript will start working in your posts.
According to some comments on Andrew's blog it doesn't work for everyone, but it worked a treat for me. The little things that make life so much easier. Thanks Andrew, you're an absolute lifesaver!
-- Geeky entry over --
What’s a “NO FOLLOW” tag?

What is a no follow tag?
A no follow tag, or "nofollow" (if you want to be one of those hip new-speak people with "nospaces" between words), is a tag that websites and blogs sometimes add to stop search engine "spiders" or "bots" from following some of their links to external sites.
For example, when someone leaves a comment on your blog, they will often include a link to their homepage with their comment. If you have a "no follow" tag, then search engines like Google will ignore this link.
A "no follow" tag has two effects:
1. It stops spammers from leaving comments on your blog or wiki. Spammers will use any opportunity they have to propagate links to their sites - to fool search engines into thinking that their spam page is very popular thus increasing its visibility on search engine results. A "no follow" tag stops this sort of behaviour, because it removes the incentive for spammers to leave comments on your site.
2. It means your website does not "leak" links. This is a search engine optimisation (SEO) concept. Every time you link to a site, you are effectively "voting" for it, and your "vote" increases its popularity in search engine rankings. Every additional link on a page dilutes the "voting power" of all the other links on that page. This is especially important because internal links in a website (links to your own pages) also count. By diluting your page's votes, you are diluting your ability to make your own pages popular or those of genuine websites you like.
I noticed that your site is a "NoFollow free" site. What does that mean?
Although "no follow" is a great deterrent for spammers, it also stops genuine users who want to comment on your blog or site, but also want the credit to seep through and back to their own site.
I think it is fair to allow contributors to enjoy the reputational vote, and therefore I have removed all "no follow" tags from ThatDanny's comment areas. I feel that the benefit outweighs the risk. This does however mean I'll have to be more ruthless with comments that are solely self-serving, or contain too many links.
If you have a WordPress blog, you can do the same, and install the NoFollow Free Plugin on your site. It automatically removes no follow tags, and gives you several options on how to control them.
UPDATE ON 24 July 08: Noble as the nofollow initiative was, I found the number of spammers wanting to use it simply as a link-exchange was becoming too much of a time commitment - and this grew the more popular my blog became. I still think new blogs should use it when they start up to encourage comments and engagement, but at a later stage you may find you have to pull the plug. I did.
SEO articles in this series:
How do I get my site into Google? - SEO Article #1
How to Write for Google - SEO Article #2
How do I get my site into Microsoft Live Search? - SEO Article #3
What’s a “NO FOLLOW” tag?