Written on November 26, 2010  /  with 11 comments  /  in the Blogging, Wordpress Tips category.

10 Steps to Fortify Your WordPress Blog against Hackers

The Onion Method = The Best Method to Protect Your WordPress Blog from Hackers

Many people look to that 1 big thing to help them keep their blog safe from hackers. Well I’m here to tell you that there is no 1 thing that can save you. However there is a combination of things that when working together, actually can.

I call it the Onion Method to Protecting Your WordPress Blog. 1 layer on its own is hardly anything, but multiple layers all working together to form 1 big layer are powerful.

So I urge you… instead of looking through these 10 steps and just following 1 or 2 of them, follow all of them instead. You won’t regret it. Take it from someone who has had his blog (this one) hacked 3 times. These are not just 10 steps that I did some form of research on to write some nifty little blog post. This is straight up from experience. These are the 10 Steps I had to take in order to keep hackers away from my blog for good.

Note: There are a few dependencies for keeping a WordPress blog safe that this article is assuming you already have in place. These dependencies are listed at the end of this article.

Step 1: Install the Secure WordPress Plugin

Installing the Secure WordPress plugin will establish several security measures for your blog. These include:

  • Removes error information from the login page
  • Adds a (virtual) index.php to the plugin directory
  • Removes the WP version, except in the admin area
  • Removes Really Simple Discovery
  • Removes Windows Live Writer
  • Removes core update information for non-admins
  • Removes plugin update information for non-admins
  • Removes theme update information for non-admins (only WP 2.8 and higher)
  • Hides the WP version in the backend dashboard for non-admins
  • Removes the version from script and stylesheet URLs on the frontend only
  • Blocks bad queries

Maybe you understand what this stuff means or maybe you don’t. But the fact is this plugin is freaking awesome and should be installed on every WordPress install.

Step 2: Delete the Admin User

Hackers know that the default username for administrative accounts on most WordPress blogs is “admin”, which is the main reason why you need to make a change here. All you have to do is create a new username and assign it “administrator” privileges. Then delete the admin user and assign all posts, images etc. to your new username. This then leads me to step 3:

Step 3: Create a New Hack-Proof Password

A solid hack-proof password is a password that is a) at least 8 characters in length, b) contains at least one numerical character and c) contains at least one other character such as a ! or % symbol. Oh and of course one last thing… nobody else should know it but you! But you already knew that.

Step 4: Install the Login Lockdown Plugin

The Login Lockdown plugin will limit the number of login attempts from a given IP Address range within a certain time period. What does this mean exactly? If a hacker tries to repeatedly hack into your wp-login.php form (3 failed attempts within 5 minutes to be exact), this plugin will automatically disable the login function altogether for that IP address for the next 1 hour.
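To make those thresholds concrete, here is an added example (my own code, not the Login Lockdown plugin's) that applies the same rule offline to web-server logs: a POST to wp-login.php answered with 200 is treated as a failed login (WordPress re-renders the form), a 302 as a success. The log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Apache access-log lines (not real traffic). A POST to
# wp-login.php answered with 200 means WordPress re-rendered the form, i.e.
# the login failed; a 302 means it succeeded and redirected to wp-admin.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Nov/2010:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.5 - - [26/Nov/2010:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.5 - - [26/Nov/2010:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.5 - - [26/Nov/2010:10:01:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [26/Nov/2010:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [26/Nov/2010:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [26/Nov/2010:11:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.7 - - [26/Nov/2010:11:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"POST /wp-login\.php[^"]*" (?P<status>\d{3})')
MAX_FAILURES = 3               # Login Lockdown's defaults: 3 failed attempts...
WINDOW = timedelta(minutes=5)  # ...within 5 minutes...
LOCKOUT = timedelta(hours=1)   # ...lock that IP out for 1 hour


def find_lockouts(log_text):
    """Return {ip: [times at which a lockout started]} using the thresholds above."""
    failures = defaultdict(deque)  # ip -> timestamps of failures in the window
    locked_until = {}
    lockouts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "200":
            continue  # not a failed login attempt
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if ts < locked_until.get(ip, ts):
            continue  # still locked out: the plugin would refuse this attempt
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()  # forget failures older than the 5-minute window
        if len(q) >= MAX_FAILURES:
            lockouts[ip].append(ts)
            locked_until[ip] = ts + LOCKOUT
            q.clear()
    return dict(lockouts)
```

In the sample, the first address trips the rule on its third failure and its fourth attempt falls inside the lockout hour; the second address never fails three times within 5 minutes.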

Step 5: Install the Stealth Login Plugin

In a nutshell, the Stealth Login plugin prevents anyone from reaching your login page directly by appending wp-admin or wp-login to your URL. Stealth Login lets you set up your own custom login URL, for example yourdomain.com/bananapie, which will then redirect to a login page. This adds yet another layer of protection for that login page which so many hackers try to exploit.

Step 6: Setup Your WordPress Security Keys

Your wp-config.php file contains a section where you can input what are called WordPress Security Keys. What are these keys? Basically the WordPress Security Keys are a set of random values that improve the encryption of information stored in the user’s cookies. These keys make it harder for hackers to crack your password.

To get your Security Keys and install them properly refer to this article from WPBeginner.com. It walks you through the entire process and actually only takes a minute or two.
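As an added example (my own script, not WPBeginner’s or WordPress’s own code), this checks a wp-config.php fragment for keys still set to the sample file’s placeholder or too short, and generates replacements from the OS random source. The config fragment is constructed, and the 32-character minimum is an assumption of this check.

```python
import re
import secrets
import string

# These are the key names WordPress itself defines in wp-config.php; the
# placeholder text is what wp-config-sample.php ships with.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
MIN_LEN = 32  # assumed minimum for this check, not a WordPress requirement
DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\)")

# Constructed wp-config.php fragment (not from any real site): two keys left
# at the sample placeholder, one too short, one set to a constructed strong value.
SAMPLE_CONFIG = """\
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'short');
define('NONCE_KEY',        'K7#dQ2!vB9$mX4%wP6^zR8&aL1*cN3(eT5)gH0-j');
"""


def find_weak_keys(config_text):
    """Return the names of keys that are missing, still the placeholder,
    or shorter than MIN_LEN characters."""
    found = {m.group("name"): m.group("value")
             for m in DEFINE_RE.finditer(config_text)}
    return [name for name in KEY_NAMES
            if found.get(name, "") == PLACEHOLDER or len(found.get(name, "")) < MIN_LEN]


def generate_key(length=64):
    """One key from the OS CSPRNG. Single quotes and backslashes are left out
    of the alphabet so the value drops safely into a PHP single-quoted string."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def render_defines():
    """Emit a fresh define() line for every key, ready to paste into wp-config.php."""
    return "\n".join(f"define('{name}', '{generate_key()}');" for name in KEY_NAMES)
```

Changing the keys invalidates every existing login cookie, so expect to sign in again after pasting the new lines.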

Step 7: Move Your WP-Config.php File

Your wp-config.php file is like the title to your car! Whoever possesses it can effectively take possession of your entire blog. To further secure it you can place it 1 level above your WordPress docroot. Here’s what I mean… currently your wp-config.php probably resides in:

/public_html/yoursite.com/wp-config.php

Instead you can actually move it up 1 level to further protect it…

/public_html/wp-config.php

This simple yet powerful change makes it considerably harder for a hacker to gain access to your WordPress database.

Step 8: Whitelist IP Address for the WP-Admin Folder

Now it’s time to get aggressive. Like an extra set of arch towers on the Great Wall of China, blocking out all IP Addresses except your own from accessing the WP-admin folder can create an extra layer of fortification that is hard to break through.

To do this you need to create a .htaccess file and place it directly in your /wp-admin/ directory. Here is an example of the contents of that file from Google’s Matt Cutts:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
allow from 199.239.136.200
# IP while in Kentucky; delete when back
allow from 128.163.2.27

Step 9: Install the WordPress Firewall Plugin

The WordPress Firewall plugin really has 1 task: to monitor web requests and identify and stop the most obvious attacks. This plugin is pretty intelligent and performs some fairly technical checks that give you a serious level of protection. If an attack is sniffed out, WordPress Firewall will email you what’s going on and blacklist the attacker’s IP address. Think of it as a server administrator working specifically for you. And for free too!

Step 10: Keep WordPress Updated At All Times

Keeping your blog safe starts with keeping your WordPress Core up to date at all times. This is because it allows you to leverage the constant advancements the WordPress community creates. These advancements include the fixing of vulnerabilities. Before you follow any of the steps mentioned above, make sure your WordPress Core is updated first. Read Matt Mullenweg’s article on Keeping WordPress Secure to learn more on why this is so important.

WordPress Blog Security Dependencies

  • A reliable Web Hosting provider
  • You are comfortable installing new plugins for WordPress
  • You are comfortable and experienced in editing files on your server
  • You have taken security measures on your actual web hosting server
  • Keep consistent backups of your WordPress Blog files and database

If You’ve Already Been Hacked…

If you’ve already been hacked, first of all, don’t panic! Panic can lead you to making rash decisions which can/will hurt you (or your blog for that matter). Read this article from Codex.WordPress.org and follow the steps that I mentioned here. If that still is not working for you… send me an email through Facebook and I’ll see what I can do to help. Also refer to the WordPress guide to Hardening WordPress for further information.

Good luck! Read my article on WordPress Security Plugins for more information on some of the free tools available for security.
