9 SEO Security Tips for WordPress

In theory, this is a marketing blog, focusing on search engine optimization, web analytics and other topics. So what does have to do with Google and SEO?

Well one downside of the extended web ecosystem is that the same idiots who jump the queue in the supermarket will try to exploit your good as a way to jump their way to the top of Google’s search results.

One thing is certain, you won’t be feeling very groovy if you have the misadventure of being de-listed by Google as has happened to several of my fellow blogger friends.

I’m not a WordPress security expert, and I don’t play one on TV. That said, there are a few WordPress security best practices worth considering for your WordPress installation.

Many of the techniques are part of a security approach called obfuscation which is simply a fancy way to say we hide things in order to make the lives of hackers slightly more complicated.

A word to the wise: before applying any of the suggestions which follow, ensure you have a working backup copy of your blog. Any of the suggestions below can seriously ruin your blog as you know it; use at your own risk. I like to keep a local copy on my PC I can use for testing and verification.

1. Know your plugins

Third party plugins have significant access to your blog, making it imperative that you trust the author of any plugin you install – or upgrade. Several plugins are discussed below – I cannot vouch for the trustworthiness of the current versions: use at your own risk.

2. Use a recent version of WordPress

Almost all software has errors, or bugs, which are corrected as time goes on. In general, keeping your WordPress installation up to date is a great way to avoid known problems. Do note that the lastest version, especially in the case of major upgrades, may cause more problems then it resolves. So keep up-to-date, but wait for a few others to do it first! The WordPress development feed in your WordPress Admin dashboard announces official releases; you can add it to your feed reader as well.

3. Change the default Admin Account user from “admin”

Every hacker knows WordPress has a user “admin” with god-like administration privileges. Slow the hackers down by removing the “admin” user. Create a WordPress user with admin privileges using the administration interface. Log out of WordPress and log back in with the new user. Delete the admin user. The new admin user should be different than your normal post author.

4. Password protect your WordPress admin interface at the server level

Our goal is to add an extra layer of security to WordPress administration area. Apache users should look at the Authentication documentation or consider a WordPress plugin. IIS users might find these instructions useful.

5. Rename your WordPress database tables

Hacker exploits which attack your database generally require knowledge of the database table names. WordPress allows for alternative database table names. There are several table prefix plugins which will do this for you, or you can follow manual instructions. Do note you may have problems with badly written plugins if they have hard-coded the table prefix somewhere.

6. Hide your plugin from prying eyes

In many WordPress installations it is possible to view a list of installed plugins by navigating to the /wp-content/plugins/ directory. This is not a good idea as known plugin vulnerabilities can than be easily exploited. Add an empty default index file, such as index.html, to the directory. You can also protect it using an .htaccess file assuming you’re using Apache.

7. Remove the WordPress version number from your blog and any active plugins

By announcing to the world the version of WordPress you are running, you greatly simplify the work of a hacker. Peter Westwood’s post documents how to suppress output of the WordPress version number in feeds and blog posts. I’ve packaged his code in a very rudimentary WordPress plugin to hide the version number in blog and rss feeds. You may still need to remove any hard coded version number in your theme. Look for a line like this:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats -->

and remove it.

8. PHP error reporting

If something goes pear shaped as the Brits so nicely put it, WordPress and its plugins have a tendency to output php error code. This should be suppressed in a production environment. See the php error reporting documentation for a detailed discussion.

9. WordPress Security Scan

The WP Security Scan plugin attempts to both to audit your blog security and to implement many of the suggestions mentioned above. Blogsecurity.net offers an alternative scan plugin.

WordPress Security Checklist

1.Know your plugins
2.Use a recent version of WordPress
3.Change the default Admin Account user from “admin”
4.Password protect your WordPress admin interface at the server
5.Rename your WordPress database tables
6.Hide your plugin directory from prying eyes
7.Remove the WordPress version number from your blog and any
active plugins
8.PHP error reporting
9.WordPress Security Scan

Did you get banned from Google?

If you got banned from Google, the main issue is to clean up your act. Identify the problem which triggered Google’s wrath and make sure you remove it. Avoid the temptation to blindly update your plugins, WordPress, or your themes. The problem may persist!

Once your blog is again a good citizen, you could consider signing up for a Google Webmaster Tools account and file a re-inclusion request – short and sweet: what happened and that it has been fixed. If your problem was a widespread one not of your own making, and your blog had a good history, I’m willing to bet that Google will automatically restore your rankings even without a specific request.

Anything else we should be doing?

Have your say by adding a comment.

Similar Posts:

Registration is now open for the next SEO Course and Google Analytics Course in Milan. Don’t miss the opportunity!

About Sean Carlos

Sean Carlos is a digital marketing consultant & teacher, assisting companies with their Search (SEO + SEA = SEM), Social Media & Digital Media Analytics strategies. Sean first worked with text indexing in 1990 in a project for the Los Angeles County Museum of Art. Since then he worked for Hewlett-Packard Consulting and later as IT Manager of a real estate website before founding Antezeta in 2006. Sean is an official instructor of the Digital Analytics Association and collaborates with the Bocconi University. He is Chairman of the SMX Search and Social Media Conference, 12 & 13 November in Milan. He is also a co-author of the Treccani encyclopedic dictionary of computer science, ICT & digital media. Born in Providence, RI, USA, Sean received Honors in Physics from Bates College, Maine. He speaks English, Italian and German.

16 Responses to "9 SEO Security Tips for WordPress"