WordPress Security Tips
by Frank Jovine on 05/18/2009 in Security, WordPress
There continues to be concern over the increase in SQL injections and brute-force password attacks against WordPress 2.7.1. I know of 3 blogs that have been victims of these types of attacks. There are ways to discourage would-be hackers from trying to hack your WordPress installation.
Step 1
Download the WP Security Scan plugin. This is a valuable tool that scans your WordPress installation for security vulnerabilities and suggests corrective actions.
It checks the following:
- Scans WordPress installation for file/directory permissions vulnerabilities
- Recommends corrective actions
- Scans for general security vulnerabilities
Note: There are database changes that you have to implement manually. If you’re not familiar with database tables, please consult someone who is.
Download WP Security Scan http://wordpress.org/extend/plugins/wp-security-scan/
To view the video tutorial on how to change your database table prefix, click here.
Step 2
How to protect files and folders:
This is how you control what happens if a browser enters a folder with no index file.
You have four options:
- Default System Setting
- No Indexes
- Standard Indexing (text only)
- Fancy Indexing (graphics)
No Indexes – Disable the folder index listing. It prevents browsers from viewing the contents of this directory. The browser receives a 403 (Forbidden) error.
To change your Index Manager to “No Indexes”, follow the steps below.
1. Log in to your host control panel.
2. In the Advanced tab (usually), find Index Manager.
3. Select Web Root, then click Go.
4. Select the /public_html folder.
5. Select “No Indexing”, then click Save.
Your files are now hidden within folders that currently do not have an index file.
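A local check for the kinds of problems Step 1 and Step 2 address, added here as an example (not the WP Security Scan plugin's code or the post's own): it walks a WordPress install for world-writable files and directories, a wp-config.php readable by group or others, and wp-content folders with no index.php, using a constructed sample tree. The 755/644/600 baseline is an assumption, not something the post states.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed baseline, not from the post: 755 for directories, 644 for files,
# and wp-config.php readable by its owner only, since it holds DB credentials.
CONFIG_MAX_MODE = 0o600


def scan_wordpress_tree(root):
    """Walk a WordPress install; return sorted (relative_path, finding) tuples."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        rel_dir = d.relative_to(root).as_posix()
        mode = stat.S_IMODE(d.stat().st_mode)
        if mode & stat.S_IWOTH:
            findings.append((rel_dir, "world-writable directory (%o)" % mode))
        # wp-content folders without index.php list their contents if the server still allows indexing.
        if rel_dir.startswith("wp-content") and "index.php" not in filenames:
            findings.append((rel_dir, "no index file"))
        for name in filenames:
            f = d / name
            if f.is_symlink():
                continue
            mode = stat.S_IMODE(f.lstat().st_mode)
            rel = f.relative_to(root).as_posix()
            if name == "wp-config.php" and mode & ~CONFIG_MAX_MODE:
                findings.append((rel, "wp-config.php readable by group/others (%o)" % mode))
            elif mode & stat.S_IWOTH:
                findings.append((rel, "world-writable file (%o)" % mode))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample install with two deliberate mistakes; returns its root."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "plugins").mkdir()
    (root / "wp-content" / "index.php").write_text("<?php // Silence is golden.\n")
    (root / "wp-content" / "plugins" / "index.php").write_text("<?php\n")
    (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'constructed');\n")
    for sub, mode in ((".", 0o755), ("wp-content", 0o755), ("wp-content/plugins", 0o755),
                      ("wp-content/index.php", 0o644), ("wp-content/plugins/index.php", 0o644)):
        os.chmod(root / sub, mode)
    os.chmod(root / "wp-content" / "uploads", 0o777)  # mistake: world-writable, no index file
    os.chmod(root / "wp-config.php", 0o644)           # mistake: group/others can read it
    return root
```

Run `scan_wordpress_tree("/path/to/wordpress")` against a real install on a Unix host; the index-file check only matters where the server-level "No Indexes" setting from Step 2 is not in place.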
These security tips will help discourage would-be hackers from trying to exploit your WordPress installation. If you have other tips to share, please leave a comment.

Susie
May 18th, 2009
This is a great tool! Thanks for the tips!
Kikolani
May 18th, 2009
Great tips, and definitely needed with all the WordPress hacks going around.
~ Kristi
Frank J
May 18th, 2009
Kristi,
Thank you and thought this was perfect timing to publish.
Roseli A. Bakar
May 18th, 2009
Thanks for the insight Frank.
Colin
May 19th, 2009
Good tips Frank and I already had those implemented but it doesn’t stop them from trying. Last count was 1400 attempts over 6 days.
Will add a post to my site soon and link back to your article.
Frank J
May 19th, 2009
Colin,
The more resistance, the more likelihood they will move on.
Colin
May 19th, 2009
Frank,
Have posted an article and linked back to both yours and Kristi’s, so hopefully between us it may help a few others to bolster their security and thwart these attacks.
Phill Price
May 19th, 2009
Great help thanks! I also use login lockdown to try and stop brute force attacks from http://www.bad-neighbourhood.com/login-lockdown.html . I have to admit the amount of hits on /wp-admin/admin-ajax.php is scary.
Frank J
May 19th, 2009
Phill,
Thank you and I am glad I could help!
stratosg
May 19th, 2009
I would like to point out that you start your post saying about SQL injections and brute force attacks. Your suggestions though, are for general protections. The kind of problems you mention, are not detectable by the WP Security Scan. For the first threat, SQL injection, the WordPress core is not vulnerable. So, one must be very careful on what plugins he installs. For the brute force attacks, the utmost measure is a secure, long, complex and often changed password.
Don’t get me wrong here, I am not pointing a finger at you.
Frank J
May 19th, 2009
I appreciate the input. The post was suggesting common practices to lock down your WordPress. The harder you make it, the more likely they will move on.
Again thank you!