WordPress Security Tips

by on 05/18/2009 in Security, WordPress

There continues to be concern over the increase in SQL injection and brute-force password attacks against WordPress 2.7.1 installations. I know of 3 blogs that have been victims of these types of attacks. There are ways to discourage would-be attackers from trying to break into your WordPress installation.

Step 1

Download the WP Security Scan plugin. This is a valuable tool that scans your WordPress installation for security vulnerabilities and suggests corrective actions.

It checks the following:

  1. Scans the WordPress installation for file and directory permission vulnerabilities
  2. Recommends corrective actions
  3. Scans for general security vulnerabilities

Note: Some of its recommendations, such as changing the database table prefix, require database changes that you have to implement manually. Renaming the tables alone is not enough: the prefix is also stored inside the data, in the wp_options row named wp_user_roles and in wp_usermeta keys such as wp_capabilities and wp_user_level, and those must be renamed as well or you will be locked out of the admin. If you’re not familiar with database tables, please consult someone who is, and take a full database backup first.

Download WP Security Scan http://wordpress.org/extend/plugins/wp-security-scan/

To view the video tutorial on how to change your database table prefix, click here.

Step 2

How to protect files and folders:

This setting controls what happens when a browser requests a folder that has no index file (index.html or index.php). By default many web servers answer with a listing of every file in the folder, which hands an attacker the names of backups, uploads and plugin files to probe.

You have four options:

  • Default System Setting
  • No Indexes
  • Standard Indexing (text only)
  • Fancy Indexing (graphics)

No Indexes – Disables the folder index listing. Browsers can no longer view the contents of the directory; a request for the bare folder receives a 403 (Forbidden) error instead.

To change your Index Manager setting to “No Indexes”, follow the steps below.

1. Log in to your host control panel.
2. Find Index Manager (in cPanel it is usually under the Advanced section).
3. Select Web Root and click Go.
4. Select the /public_html folder.
5. Select “No Indexing” and click Save.

Directory listings are now disabled: a request for /public_html, or any subfolder of it that has no index file, returns 403 Forbidden rather than a list of its contents. This only stops enumeration. A file whose name an attacker already knows can still be requested directly, so this setting complements correct file permissions rather than replacing them.
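The two steps above can be checked from a shell as well, which is useful on a host without a control panel or for verifying several blogs at once. The script below is an added example and is not code from this post, from WP Security Scan, or from cPanel; it approximates what Step 1 scans for (world-writable files, the mode of wp-config.php, the default table prefix) and what Step 2 sets (Options -Indexes in the web root’s .htaccess, which is what cPanel’s “No Indexes” writes). The finding labels, the directory layout it expects and the sample prefix in the test are assumptions.

```shell
#!/bin/sh
# wp_harden_check.sh - stand-alone approximation of Step 1 and Step 2 of this
# post (added example; not WP Security Scan's code and not cPanel's).
# Usage: wp_harden_check /path/to/wordpress   (exit status = number of findings)
#
# Checks, in the order the post lists them:
#   1. files/directories writable by "other"         (Step 1: permission scan)
#   2. wp-config.php readable by other accounts       (Step 1: permission scan)
#   3. $table_prefix still the default "wp_"          (Step 1: prefix change)
#   4. directory listings not disabled in .htaccess   (Step 2: "No Indexes")
# Finding labels and the expected layout (wp-config.php in the root) are assumptions.

# 1. Every file or directory under $1 that any local account can modify.
#    On a shared host that is the classic way PHP gets injected into a blog.
find_world_writable() {
    find "$1" ! -type l -perm -002 2>/dev/null
}

# 2. wp-config.php holds the DB password and secret keys. Returns 0 when the
#    file has no "other" read bit and no group/other write bit.
wpconfig_mode_ok() {
    [ -z "$(find "$1" -prune \( -perm -004 -o -perm -020 -o -perm -002 \))" ]
}

# 3. Pull $table_prefix out of wp-config.php (single or double quoted).
#    Returns 0 if it is set and is not the default "wp_" that automated
#    SQL-injection tools assume.
table_prefix_changed() {
    prefix=$(awk -F"['\"]" '/^[[:space:]]*\$table_prefix[[:space:]]*=/ { print $2; exit }' "$1")
    [ -n "$prefix" ] && [ "$prefix" != "wp_" ]
}

# 4. cPanel's "No Indexes" writes "Options -Indexes" into the folder's .htaccess.
#    Returns 0 if $1/.htaccess already carries such a line (e.g. "Options -Indexes"
#    or "Options +FollowSymLinks -Indexes").
indexes_disabled() {
    [ -f "$1/.htaccess" ] && grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess"
}

# Apply the Step 2 setting by hand, idempotently, for hosts without a control panel.
disable_indexes() {
    indexes_disabled "$1" || printf 'Options -Indexes\n' >> "$1/.htaccess"
}

# Run all four checks: print one line per finding, return the number found
# (shell return values wrap at 256, so treat the count as "at least").
wp_harden_check() {
    root=$1
    findings=0
    ww=$(find_world_writable "$root")
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE: /'
        findings=$((findings + $(printf '%s\n' "$ww" | wc -l)))
    fi
    cfg="$root/wp-config.php"
    if [ -f "$cfg" ]; then
        wpconfig_mode_ok "$cfg"     || { echo "LOOSE-MODE: $cfg";     findings=$((findings + 1)); }
        table_prefix_changed "$cfg" || { echo "DEFAULT-PREFIX: $cfg"; findings=$((findings + 1)); }
    else
        echo "MISSING: $cfg"; findings=$((findings + 1))
    fi
    indexes_disabled "$root" || { echo "INDEXES-ENABLED: $root"; findings=$((findings + 1)); }
    return $findings
}
```

After fixing what it reports, confirm Step 2 from outside the server: a request for a folder without an index file, for example `curl -sI http://example.com/wp-content/uploads/ | head -n 1` (example.com being a placeholder for your own domain), should now return 403 rather than 200 with a file list. One caveat for hosts you manage yourself: `Options` in .htaccess only works when the server’s `AllowOverride` includes `Options` (or `All`); otherwise Apache answers every request in that folder with a 500 error.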

These security tips will help discourage would-be attackers from trying to exploit your WordPress installation. If you have other tips to share, please leave a comment.

11 Responses to “WordPress Security Tips”

  1. Susie

    May 18th, 2009

    This is a great tool! Thanks for the tips!

  2. Kikolani

    May 18th, 2009

    Great tips, and definitely needed with all the WordPress hacks going around.

    ~ Kristi

    • Frank J

      May 18th, 2009

      Kristi,

      Thank you and thought this was perfect timing to publish.

  3. Roseli A. Bakar

    May 18th, 2009

    Thanks for the insight Frank.

  4. Colin

    May 19th, 2009

    Good tips, Frank, and I already had those implemented, but it doesn’t stop them from trying. Last count was 1400 attempts over 6 days.
    Will add a post to my site soon and link back to your article :)

    • Frank J

      May 19th, 2009

      Colin,

      The more resistance the more likelihood they will move on.

  5. Colin

    May 19th, 2009

    Frank,
    Have posted an article and linked back to both yours and Kristi’s, so hopefully between us it may help a few others to bolster their security and thwart these attacks :)

  6. Phill Price

    May 19th, 2009

    Great help thanks! I also use login lockdown to try and stop brute force attacks from http://www.bad-neighbourhood.com/login-lockdown.html . I have to admit the amount of hits on /wp-admin/admin-ajax.php is scary.

    • Frank J

      May 19th, 2009

      Phill,

      Thank you and I am glad I could help!

  7. stratosg

    May 19th, 2009

    I would like to point out that you start your post talking about SQL injections and brute force attacks. Your suggestions, though, are for general protections. The kinds of problems you mention are not detectable by WP Security Scan. For the first threat, SQL injection, the WordPress core is not vulnerable. So, one must be very careful about what plugins he installs. For the brute force attacks, the utmost measure is a secure, long, complex and often changed password.
    Don’t get me wrong here, I am not pointing a finger at you ;)

    • Frank J

      May 19th, 2009

      I appreciate the input. The post was suggesting common practices to lock down your WordPress. The harder you make it, the more likely they will move on.

      Again thank you!