Well one downside of the extended web ecosystem is that the same idiots who jump the queue in the supermarket will try to exploit your good blog as a way to jump their way to the top of Google’s search results.
I’m not a WordPress security expert, and I don’t play one on TV. That said, there are a few WordPress security best practices worth considering for your WordPress installation.
Many of the techniques are part of a security approach called obfuscation which is simply a fancy way to say we hide things in order to make the lives of hackers slightly more complicated.
A word to the wise: before applying any of the suggestions which follow, ensure you have a working backup copy of your blog. Any of the suggestions below can seriously ruin your blog as you know it; use at your own risk. I like to keep a local copy on my PC I can use for testing and verification.
1. Know your plugins
Third party plugins have significant access to your blog, making it imperative that you trust the author of any plugin you install – or upgrade. Several plugins are discussed below – I cannot vouch for the trustworthiness of the current versions: use at your own risk.
2. Use a recent version of WordPress
Almost all software has errors, or bugs, which are corrected as time goes on. In general, keeping your WordPress installation up to date is a great way to avoid known problems. Do note that the latest version, especially in the case of major upgrades, may cause more problems than it resolves. So keep up-to-date, but wait for a few others to do it first! The WordPress development feed in your WordPress Admin dashboard announces official releases; you can add it to your RSS feed reader as well.
3. Change the default Admin Account user from “admin”
Every hacker knows WordPress has a user “admin” with god-like administration privileges. Slow the hackers down by removing the “admin” user. Create a WordPress user with admin privileges using the administration interface. Log out of WordPress and log back in with the new user. Delete the admin user. The new admin user should be different from your normal post author.
4. Password protect your WordPress admin interface at the server level
Our goal is to add an extra layer of security to the WordPress administration area. Apache users should look at the Authentication documentation or consider a WordPress plugin. IIS users might find these instructions useful.
5. Rename your WordPress database tables
Hacker exploits which attack your database generally require knowledge of the database table names. WordPress allows for alternative database table names. There are several table prefix plugins which will do this for you, or you can follow manual instructions. Do note you may have problems with badly written plugins if they have hard-coded the table prefix somewhere.
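The manual prefix change has a trap the plugins hide from you: besides renaming the tables, the old prefix also lives inside row data (the user_roles option and the per-user capabilities and user_level meta keys), and if those are not updated every user loses their capabilities. The following script is an added example, not code from the post; the database credentials and the new prefix are assumed, and it is meant to be run once from the command line before changing $table_prefix in wp-config.php.

```php
<?php
// Added example: move all WordPress tables from $old to $new and fix the
// prefix WordPress stores inside the options and usermeta rows.
// Assumed credentials and prefixes; take a backup before running this.
$host = 'localhost'; $user = 'wpuser'; $pass = 'secret'; $dbname = 'wordpress';
$old = 'wp_';   // current prefix from wp-config.php
$new = 'q7x_';  // new prefix: letters, digits and underscore only

if (!preg_match('/^[A-Za-z0-9_]+$/', $new) || $old === $new) {
    die("bad new prefix\n");
}
$db = new mysqli($host, $user, $pass, $dbname);
if ($db->connect_error) die("connect failed: {$db->connect_error}\n");

// 1. Find every table carrying the old prefix. '_' is a LIKE wildcard,
//    so it has to be escaped or 'wp_' would also match 'wpx'.
$pattern = $db->real_escape_string(str_replace('_', '\\_', $old) . '%');
$res = $db->query("SHOW TABLES LIKE '$pattern'");
$tables = array();
while ($row = $res->fetch_row()) $tables[] = $row[0];
if (!$tables) die("no tables with prefix $old\n");

// 2. Rename the tables.
foreach ($tables as $t) {
    $target = $new . substr($t, strlen($old));
    $db->query("RENAME TABLE `$t` TO `$target`") or die("rename $t: {$db->error}\n");
    echo "$t -> $target\n";
}

// 3. Fix the prefix stored in row data: the roles option and every
//    usermeta key that starts with the old prefix (capabilities, user_level, ...).
$o = $db->real_escape_string($old);
$n = $db->real_escape_string($new);
$db->query("UPDATE `{$new}options` SET option_name = '{$n}user_roles'"
         . " WHERE option_name = '{$o}user_roles'") or die($db->error . "\n");
$db->query("UPDATE `{$new}usermeta` SET meta_key = CONCAT('$n', SUBSTRING(meta_key, "
         . (strlen($old) + 1) . ")) WHERE meta_key LIKE '$pattern'") or die($db->error . "\n");

echo "done; now set \$table_prefix = '$new'; in wp-config.php\n";
```

Plugins that store the prefix in their own options are not covered by step 3; check them after the rename, which is the hard-coded prefix problem mentioned above.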
6. Hide your plugin directory from prying eyes
In many WordPress installations it is possible to view a list of installed plugins by navigating to the /wp-content/plugins/ directory. This is not a good idea, as known plugin vulnerabilities can then be easily exploited. Add an empty default index file, such as index.html, to the directory. You can also protect it using an .htaccess file, assuming you’re using Apache.
7. Remove the WordPress version number from your blog and any active plugins
By announcing to the world the version of WordPress you are running, you greatly simplify the work of a hacker. Peter Westwood’s post documents how to suppress output of the WordPress version number in feeds and blog posts. I’ve packaged his code in a very rudimentary WordPress plugin to hide the version number in the blog and RSS feeds. You may still need to remove any hard-coded version number in your theme. Look for a line like this:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats -->
and remove it.
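As an added illustration (this is not Peter Westwood’s code or the plugin mentioned above), a minimal plugin that unhooks the generator output in the HTML head and in the feeds. It goes one step further than the text: scripts and styles enqueued without an explicit version get ?ver=<WordPress version> appended to their URL, which leaks the version just as plainly as the meta tag, so the same plugin strips that query argument. Function names prefixed hwv_ are assumed.

```php
<?php
/*
Plugin Name: Hide WordPress Version (added example)
Description: Removes the WordPress version from the HTML head, the feeds and enqueued script/style URLs.
*/

// Core prints <meta name="generator" content="WordPress x.y" /> from the
// 'wp_generator' action hooked on wp_head; unhooking it removes the tag.
remove_action('wp_head', 'wp_generator');

// RSS2/Atom/RDF/comment feeds build their <generator> element through the
// 'the_generator' filter; returning an empty string suppresses it.
function hwv_no_generator($generator) {
    return '';
}
add_filter('the_generator', 'hwv_no_generator');

// wp_enqueue_script()/wp_enqueue_style() append ?ver=<version> when the
// registering code gave no version of its own; drop it from the final URL.
function hwv_strip_version_query($src) {
    return remove_query_arg('ver', $src);
}
add_filter('script_loader_src', 'hwv_strip_version_query');
add_filter('style_loader_src', 'hwv_strip_version_query');
```

The readme.html shipped in the WordPress root also states the version and is untouched by any plugin; delete it or block it in the web server.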
8. PHP error reporting
If something goes pear-shaped, as the Brits so nicely put it, WordPress and its plugins have a tendency to output PHP error messages, complete with file paths. This should be suppressed in a production environment. See the PHP error reporting documentation for a detailed discussion.
9. WordPress Security Scan
WordPress Security Checklist
- 1. Know your plugins
- 2. Use a recent version of WordPress
- 3. Change the default Admin Account user from “admin”
- 4. Password protect your WordPress admin interface at the server level
- 5. Rename your WordPress database tables
- 6. Hide your plugin directory from prying eyes
- 7. Remove the WordPress version number from your blog and any active plugins
- 8. PHP error reporting
- 9. WordPress Security Scan
Did you get banned from Google?
If you got banned from Google, the main issue is to clean up your act. Identify the problem which triggered Google’s wrath and make sure you remove it. Avoid the temptation to blindly update your plugins, WordPress, or your themes. The problem may persist!
Once your blog is again a good citizen, you could consider signing up for a Google Webmaster Tools account and file a re-inclusion request – short and sweet: what happened and that it has been fixed. If your problem was a widespread one not of your own making, and your blog had a good history, I’m willing to bet that Google will automatically restore your rankings even without a specific request.
Anything else we should be doing?
Have your say by adding a comment.