Good security measures to keep WordPress safe – How to Secure WordPress?
What if the WordPress Blog Got Hacked?
I have reviewed the security measures that Daniel suggested and also searched for plugins that could help.
The following are the plugins I found that can make WordPress more secure.
1. Limit Login Attempts: This plugin blocks a user for 20 minutes after they enter the wrong password 4 times (these are the default values and can be changed). It is a good way to defend against brute-force attacks.
2. Sabre: If you own a WordPress-powered blog where users can register freely and you see a lot of fake registrations, this plugin can stop fake user registration by bots. It can add image verification or a math test to the registration process, among other measures, to make sure fake users are not created.
3. Semisecure Login: This plugin increases the security of the login process by using a public key to encrypt the password on the client side. The server side then decrypts the password using the private key. It requires JavaScript and PHP.
4. Bad Behavior: It checks the visitor's IP against the Project Honey Pot database to see whether it belongs to a spammer. If it is malicious, the plugin can block that IP from accessing your blog.
5. Secure WordPress: This plugin keeps your WordPress installation secure with the help of a few small functions. It hides information about your WordPress version from non-administrators and hides the plugin directory from visitors by dropping a blank index.php file. It does the following:
   1. removes error information on the login page
   2. adds index.html to the plugin directory (virtual)
   3. removes the WP version, except in the admin area
   4. removes Really Simple Discovery
   5. removes Windows Live Writer
   6. removes core update information for non-admins
   7. removes plugin update information for non-admins
   8. removes theme update information for non-admins (only WP 2.8 and higher)
   9. adds a string for use with WP Scanner
Secure the /wp-admin/ directory
You probably know that most of your sensitive WordPress information is stored in the /wp-admin/ folder. Right out of the box, WordPress leaves that folder open, so people can access these files if they know what they are doing.
Matt suggests placing a .htaccess file inside the /wp-admin/ folder to block access from all IP addresses except yours. Here is the code you need to put in the .htaccess file:
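# Apache 2.2 access-control syntax; Apache 2.4 accepts it only with mod_access_compat loaded
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
# Deny everyone by default, then allow the listed addresses
order deny,allow
deny from all
# Replace the placeholders with your own IP addresses
allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx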
Hide your plugins
Many WordPress plugins come with bugs and vulnerabilities that can be exploited to damage your website. The last thing you want, therefore, is for other people to know which plugins you are using.
If you visit the folder /wp-content/plugins/ on most blogs, however, you will be able to see all the plugins that are being used. In order to hide that list you just need to create an empty index.html file and drop it there.
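
A quick way to verify the two file-based measures above (the /wp-admin/.htaccess allow-list and the index file in /wp-content/plugins/), as an added example that is not part of the original post. The function name audit_wp, its FAIL messages and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit_wp is a hypothetical helper.
# It checks the two file-based measures above and returns 0 only if all pass.
audit_wp() {
    root=$1; fails=0
    ht="$root/wp-admin/.htaccess"
    plug="$root/wp-content/plugins"
    ws='[[:space:]]'

    if [ ! -f "$ht" ]; then
        echo "FAIL: $ht is missing"; fails=$((fails + 1))
    else
        # Drop comment lines; Apache directive names are case-insensitive.
        rules=$(grep -v "^$ws*#" "$ht" || true)
        # Everyone must be denied by default.
        if ! printf '%s\n' "$rules" | grep -Eiq "^$ws*deny$ws+from$ws+all"; then
            echo "FAIL: no 'deny from all' in $ht"; fails=$((fails + 1))
        fi
        # The xx.xx.xx.xx placeholder must have been replaced by a real address.
        if ! printf '%s\n' "$rules" | grep -Eiq "^$ws*allow$ws+from$ws+[0-9]+(\.[0-9]+){3}"; then
            echo "FAIL: no 'allow from <IPv4 address>' in $ht"; fails=$((fails + 1))
        fi
        # Typographic quotes copied from a web page are not quotes to Apache.
        if grep -q -e '“' -e '”' "$ht"; then
            echo "FAIL: curly quotes in $ht"; fails=$((fails + 1))
        fi
    fi

    # An index file in the plugin folder keeps the directory listing hidden.
    if [ -d "$plug" ] && [ ! -e "$plug/index.html" ] && [ ! -e "$plug/index.php" ]; then
        echo "FAIL: $plug has no index.html or index.php"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed demo tree: the snippet pasted unchanged, no index file in plugins.
demo=$(mktemp -d)
mkdir -p "$demo/wp-admin" "$demo/wp-content/plugins"
printf '%s\n' 'AuthName “Example Access Control”' 'order deny,allow' \
    'deny from all' 'allow from xx.xx.xx.xx' > "$demo/wp-admin/.htaccess"
audit_wp "$demo" || echo "hardening incomplete"
rm -rf "$demo"
```

Run it against the root of a WordPress installation, for example audit_wp /var/www/html (a constructed path); it prints one FAIL line per missing measure.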

Great content, very helpful. The web needs more great sites like this.
Fantastic web site, you have created valuable user content, the internet needs more quality sites like this one.