8 Security Tips to Secure your WordPress Blog

Written by: Sandeep Challa

Updated: July, 12, 2011

WordPress security is a major concern for every writer who uses WordPress as a blogging platform. Self-hosted WordPress blogs are more exposed than third-party hosted services like Blogger.
WordPress is one of the most widely used website CMSs; its information-rich database is therefore a prime target for website attacks. If your website generates a lot of traffic, hackers will aim at it to steal sensitive personal information. So WordPress security must be a priority for a blog owner.
So, as an Administrator or Editor-in-Chief of your WordPress blog, it is essential to use these WordPress security tips and keep the hackers away. If you are wary of plugins, you may take a look at the Top 10 WordPress Plugins I use on DailyBlogging and select plugins accordingly.
There are some tips you can use to protect your blog from potential hackers. These tips are not 100% hacker-proof, but they can go a long way in deterring a hacker and making it harder for them to breach the borders of your privacy.
Take these easy preventive measures to secure your site and your data from attacks.


1. Update to the Latest WordPress Version

As soon as an upgraded version is released, upgrade your blog. You can use the WordPress Automatic Upgrade plugin to upgrade to the latest version. Any major security issues are likely to be fixed in the upgrade.

2. Update your Plugins after checking the change-log

The plugins that you use are all developed by third-party programmers; thus they are more vulnerable to hackers than WordPress itself. Before you start using a plugin, check its profile carefully and read the comments and stats. Also, update your plugins regularly.

3. Take regular Database as well as Full Site Backups

This is perhaps the most important tip. Take backups of your site on a regular basis and store them in a secure place. This will ensure that even if you are compromised, you can get back up and running. Without backups, you will lose everything.
I have written a tutorial which uses Cron Jobs for taking nightly database backups.

4. Delete/Rename the Default admin User

By default, all WordPress installations come with an admin user. This will be the first thing that a potential hacker will look for when targeting your site. You will have to delete this user. First create a new user with a unique username. Then log in using this new username and delete the admin user. The hacker now has to guess both your username and your password.

5. Use a Secure Password

This is a fundamental security tip: do not use your name or birthday as a password. These can be easily cracked. Use a combination of capital letters, small letters, numbers and punctuation in the password, and ensure that it is a unique one.

6. Install WordPress Security Plugins

There are many WordPress security plugins that you can install to keep your site secure, such as WP Security Scan and WP Exploit Scanner. You can also use WP Firewall or WP Antivirus.
From WordPress 3.1 onwards the Login Lockdown plugin comes in by default, so you don’t need to worry about users who are trying to get into your Admin panel using exploits or password-guessing techniques.

7. Check and Update your Themes

If you are building your own theme, check for the common security flaws and PHP security holes before using the template; you can use WP Theme Scanner for this. Update your themes, especially the free ones, as soon as an update is made available by the developer.

8. Protect your WP Admin folder

You can add a .htaccess file to your wp-admin folder that restricts access by blocking all IP addresses except the ones you use. Below is the .htaccess code to do so. Make sure that you place this .htaccess file in the wp-admin folder: if you place it in the root directory of your WordPress blog, only you will be able to access your site at all. So be cautious when dealing with such .htaccess commands.

Allow WP Admin Folder Access only to a specific IP

# Apache 2.2 syntax: Deny rules are checked first, then Allow rules override them
order deny,allow
# block every client ...
deny from all
# ... except this one address
allow from 1.1.1.1

Change 1.1.1.1 to your own IP address. If your blog is multi-authored or has multiple owners, add another allow line with your partner’s or guest blogger’s IP. Now, I know many people have a dynamic IP. If you allow only the IP you have right now, you will be blocked when you reconnect, get a different address and try to access your blog.
To avoid such a situation you need to allow a range of dynamic IPs. But that means some people apart from you can also reach the wp-admin folder. Here is the code for allowing a dynamic IP range.

Allow Access to a Dynamic IP

# Apache 2.2 syntax: Deny rules are checked first, then Allow rules override them
order deny,allow
deny from all
# the wildcard admits the whole 1.1.1.0 to 1.1.1.255 range
allow from 1.1.1.*

We use the wildcard character (*) here, which means anyone with an IP from 1.1.1.0 to 1.1.1.255 can access your wp-admin folder.
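Before relying on one of these files, it is worth checking what the three lines actually admit, because the Order line changes what happens to a client that matches neither an allow nor a deny rule. The following is an added example, not code from the original post, from WordPress or from Apache: a small evaluator that parses the Order/Deny/Allow fragments above the way Apache 2.2's mod_authz_host evaluates them, so you can test an address (or count a whole range) offline. It accepts the `1.1.1.*` spelling from the post as a prefix, alongside the partial-address form Apache 2.2 documents (`allow from 1.1.1`) and CIDR notation; the two .htaccess strings are copied from the post, and the client addresses in the demo are constructed.

```python
import ipaddress
import re

# Constructed samples: the two .htaccess fragments from the post.
HTACCESS_SINGLE_IP = """\
order deny,allow
deny from all
allow from 1.1.1.1
"""

HTACCESS_WILDCARD = """\
order deny,allow
deny from all
allow from 1.1.1.*
"""


def _matches(pattern, ip):
    """True if one Allow/Deny argument covers the client address.

    Handles 'all', an exact address, a CIDR network (1.1.1.0/24), the
    partial-address prefix Apache 2.2 documents ('1.1.1'), and the
    '1.1.1.*' spelling used in the post, treated as the same prefix.
    """
    pattern = pattern.strip().lower()
    if pattern == "all":
        return True
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    if ip.version != 4:
        return False  # prefix matching below is IPv4-only
    prefix = pattern[:-2] if pattern.endswith(".*") else pattern
    octets = prefix.split(".")
    return str(ip).split(".")[: len(octets)] == octets


def parse_htaccess(text):
    """Parse Order/Allow/Deny lines into (order, allow_list, deny_list)."""
    order = ("deny", "allow")  # Apache 2.2's default when Order is absent
    allows, denies = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(order|allow|deny)\s+(?:from\s+)?(.+)$", line, re.I)
        if not m:
            raise ValueError("unsupported directive: " + line)
        directive, arg = m.group(1).lower(), m.group(2).strip()
        if directive == "order":
            order = tuple(p.strip().lower() for p in arg.split(","))
        elif directive == "allow":
            allows.extend(arg.split())
        else:
            denies.extend(arg.split())
    return order, allows, denies


def _decide(rules, ip):
    """Apply parsed rules to one address the way mod_authz_host (2.2) does."""
    order, allows, denies = rules
    allowed = any(_matches(p, ip) for p in allows)
    denied = any(_matches(p, ip) for p in denies)
    if order == ("deny", "allow"):
        # Deny rules first, Allow overrides; unmatched requests are let in.
        return allowed or not denied
    if order == ("allow", "deny"):
        # Allow rules first, Deny overrides; unmatched requests are refused.
        return allowed and not denied
    raise ValueError("unsupported Order: " + ",".join(order))


def is_allowed(text, client_ip):
    """Would a request from client_ip reach wp-admin under these rules?"""
    return _decide(parse_htaccess(text), ipaddress.ip_address(client_ip))


def count_allowed(text, network):
    """How many addresses inside `network` the rules admit."""
    rules = parse_htaccess(text)
    return sum(_decide(rules, ip) for ip in ipaddress.ip_network(network))


if __name__ == "__main__":
    for client in ("1.1.1.1", "1.1.1.200", "1.1.2.1"):   # constructed clients
        print(client, "single:", is_allowed(HTACCESS_SINGLE_IP, client),
              "wildcard:", is_allowed(HTACCESS_WILDCARD, client))
    print("addresses admitted by the wildcard rule within 1.1.0.0/23:",
          count_allowed(HTACCESS_WILDCARD, "1.1.0.0/23"))
```

Two things the evaluator makes visible. First, the `deny from all` line is what turns the file into an allow-list: with `order deny,allow` and no deny rule, a client that matches nothing is still admitted. Second, the wildcard rule admits 256 addresses, which is exactly the trade-off the post describes for dynamic IPs. Note that Apache 2.4 replaced these directives with `Require all denied` and `Require ip 1.1.1.0/24`; the 2.2 lines above only keep working there through the compatibility module.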
Another way to protect your wp-admin folder is to password-protect that directory itself. Popular web hosts like HostGator and Bluehost provide a ‘Password Protect Directories’ facility within cPanel itself.
These tips require little time and effort to set up, and if you implement even a few of them they will go a long way towards ensuring the security of your WordPress blog.
So, which security tip do you employ to protect your WordPress blog?
