WordPress is the most widely used blogging platform in the world. It is easy to install and flexible, and thousands of plug-ins make it more powerful.
Once you have WordPress installed and start getting a decent amount of traffic, one day you may notice that the blog's home page has suddenly changed: your old posts are gone, every link returns a 404 error, and Google Webmaster Tools reports a huge number of errors.
Underneath, WordPress is PHP code running against a MySQL database. Anyone who knows the ins and outs of the WordPress code, and of the plug-ins you installed, can potentially hijack your blog. This has nothing to do with how much traffic you get: your blog has to be secure regardless.
Common mistakes we make
– Setting folder permissions to 777 in cPanel for folders that do not need it.
– A weak admin password for WordPress or for cPanel.
– Installing plug-ins without reading their reviews and ratings.
– .htaccess files with weak access permissions.
– A guessable database name and password.
– No hotlink protection set in cPanel.
We explain each of these below, along with the steps you must take to keep your blog from being hijacked.
Setting the proper permissions on folders is extremely important when your blog runs on a shared web server. The rule of thumb is never to set a folder to 777. A fresh WordPress install already has sensible permissions (typically 755 for directories and 644 for files, with wp-config.php readable only by its owner), and you should not experiment with them.
If you must set a folder to 777 temporarily, for example so that an installer can write to it, revert the permission afterwards. A world-writable folder can be modified by any other account on the shared server, including a compromised neighbouring site, and by any script the web server runs.
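The following script is an added example, not part of the original post and not WordPress's own tooling. It audits a WordPress tree for world-writable entries and resets permissions to the usual defaults (755 directories, 644 files, 600 for wp-config.php). It assumes PHP runs as the file owner (suPHP or FastCGI, the normal cPanel setup); the path is passed as an argument.

```shell
#!/bin/sh
# Added example: audit and repair file permissions under a WordPress root.
# Run as the account that owns the files, e.g.:
#   sh wp-perms.sh /home/user/public_html

# Print every directory or file under $1 that any user on the server may
# write to (the "other" write bit, 002, is set).
find_world_writable() {
    find "$1" -perm -002 \( -type d -o -type f \) -print
}

# Count world-writable entries under $1; 0 means the audit is clean.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset everything under $1 to the standard WordPress permissions.
# Directories need the execute bit so the web server can traverse them;
# files only need to be readable.
fix_wp_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials: owner-only.
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}
```

Run `count_world_writable` first to see what is exposed, then `fix_wp_permissions`. If your host runs PHP as a different user from the file owner (mod_php without suexec), uploads will stop working with 755 and you need group write for that one folder rather than 777.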
Set strong passwords for your WordPress admin login and for cPanel, preferably a different one for each. Follow these simple rules:
– Use a strong password: a mix of upper- and lowercase letters, at least one digit and at least one special character is a must.
– Do not use your blog's name with a few digits appended as the password.
– Try not to disclose your password-recovery email address, and make sure that mailbox is itself protected with a strong password and security questions.
– Use a strong database password. The generate-password option in cPanel is ideal here, since you never need to type it yourself.
– Never make wp-config.php publicly readable; it holds the database username and password.
– Require a captcha for guest sign-ups.
Plug-ins and themes
Plug-ins and themes play a major role in blog security: they run with the same privileges as WordPress itself, so one vulnerable plug-in exposes the whole site. Before you install a theme or plug-in, read the reviews and check when it was last updated. Do not install a plug-in unless it is genuinely useful and necessary for your blog, and remove the ones you no longer use.
An .htaccess file sits in the root of a WordPress installation, and some plug-ins add more in their own folders. Make sure these files are not readable by the public and not writable by the web server. If an attacker can modify .htaccess, a single rewrite rule is enough to redirect your home page, or any article page, to another website. In most cases, the attacker's website
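The following is an added example, not part of the original post, showing how to check an existing .htaccess for the kind of directive a redirect hijack leaves behind: rewrites or ErrorDocuments that send visitors to another host, conditions keyed on search-engine user agents (so the owner never sees the redirect), and base64/eval content that has no business in .htaccess. The sample .htaccess is constructed for the example; attacker.invalid is a placeholder host.

```shell
#!/bin/sh
# Added example: flag suspicious directives in a WordPress .htaccess.
# Usage: audit_htaccess /path/to/.htaccess   (prints "line:text" per hit)

# Constructed sample: a normal WordPress permalink block with an injected
# conditional redirect for search-engine visitors and a hijacked 404 page.
SAMPLE_HTACCESS='RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|bing|yahoo) [NC]
RewriteRule .* http://attacker.invalid/go.php [R=301,L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule . /index.php [L]
ErrorDocument 404 http://attacker.invalid/404.php'

# Print each line of $1 that matches one of the heuristics (case-insensitive):
#  - RewriteRule/Redirect* whose target is an absolute http(s) URL
#  - ErrorDocument pointing at an absolute http(s) URL
#  - a RewriteCond on HTTP_USER_AGENT naming a search engine
#  - the words base64 or eval anywhere
# Exit status is 0 when something was flagged, 1 when the file looks clean.
audit_htaccess() {
    grep -n -i -E \
        '^[[:space:]]*(RewriteRule|Redirect(Match|Permanent)?).*https?://|^[[:space:]]*ErrorDocument.*https?://|HTTP_USER_AGENT.*(google|bing|yahoo|msn)|base64|eval' \
        "$1"
}

# Number of flagged lines in $1; 0 means nothing matched.
audit_count() {
    audit_htaccess "$1" | wc -l | tr -d ' '
}
```

These are heuristics, not proof: a legitimate `Redirect` to your own https:// domain will also be flagged, so review every hit by hand, and compare the file against the stock WordPress block (`RewriteBase /` through `RewriteRule . /index.php [L]`), which contains no absolute URLs at all.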
Hotlinking is when another blogger, or someone who found your images through Google image search, copies the image's source URL and embeds it in their own pages, so every view of those pages loads the image from your server. If you have limited bandwidth, this reuse of your images can eat through your quota and get your account suspended.
Even with "unlimited" bandwidth, the extra requests raise CPU usage on the server, which may again result in account suspension.
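The following is an added example, not part of the original post, that produces an .htaccess fragment covering two points above: refusing direct HTTP requests for wp-config.php and .htaccess, and blocking image hotlinking by checking the Referer header. The domain and output path are arguments; example.com is a placeholder. Apache already denies `.ht*` by default, but stating the rule here keeps the protection if the server configuration changes.

```shell
#!/bin/sh
# Added example: write a hardening .htaccess fragment for a WordPress site.
# Usage: write_hardening_htaccess example.com /home/user/public_html/.htaccess
# Append the output to the existing file rather than replacing the WordPress
# permalink rules.

write_hardening_htaccess() {
    domain="$1"   # your blog's domain, e.g. example.com (placeholder)
    out="$2"      # file to write
    # Escape dots so the domain is matched literally inside the regex.
    escaped=$(printf '%s' "$domain" | sed 's/\./\\./g')
    cat > "$out" <<EOF
# Deny direct requests for files that hold secrets (Apache 2.4 syntax;
# on Apache 2.2 use "Order deny,allow" and "Deny from all" instead).
<FilesMatch "^(wp-config\.php|\.htaccess)\$">
    Require all denied
</FilesMatch>

# Hotlink protection. Requests with an empty Referer are allowed (direct
# visits, RSS readers, privacy tools strip it); requests whose Referer is
# our own domain are allowed; image requests from anywhere else get 403.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^\$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?${escaped}(/|\$) [NC]
RewriteRule \.(jpe?g|png|gif|webp)\$ - [F,NC]
EOF
}

# Exit 0 if $1 contains a hotlink rule for the domain in $2, else 1.
hotlink_protected() {
    escaped=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Fq "!^https?://(www\.)?${escaped}(/|\$) [NC]" "$1"
}
```

Test the result before relying on it: `curl -I -e http://other.invalid/ http://example.com/wp-content/uploads/x.jpg` should return 403, the same request without `-e` should return 200, and `curl -I http://example.com/wp-config.php` should return 403.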
Checking and analysing the server's error and access logs is necessary. If repeated failed directory or file accesses come from the same IP address, you can block that IP in your server control panel. Note that this is only a temporary measure when the visitor has a dynamic IP address: the next time they connect they will have a different one.
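The following is an added example, not part of the original post, of the log check described above: it counts 403 and 404 responses per client IP in an Apache combined access log and lists the clients that exceed a threshold, which is the footprint of someone probing for admin folders and backup files. The log lines are constructed for the example and use the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24.

```shell
#!/bin/sh
# Added example: find clients that repeatedly hit 403/404 in an Apache
# combined-format access log.
# Usage: suspicious_ips /var/log/apache2/access.log 20

# Constructed sample log: one client probing for admin paths and backups,
# one ordinary visitor who hit a single missing page.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /wp-admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:37 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2012:13:55:38 +0000] "GET /2012/10/hello-world/ HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:39 +0000] "GET /wp-content/uploads/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:40 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2012:13:55:41 +0000] "GET /missing-page/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:42 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 209 "-" "Mozilla/5.0"'

# Print "count ip" for each client in log $1 with at least $2 (default 5)
# responses of 403 or 404, most active first. In the combined format the
# client IP is field 1 and the status code is field 9.
suspicious_ips() {
    threshold="${2:-5}"
    awk -v t="$threshold" '$9 == 403 || $9 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' "$1" | sort -rn
}

# Turn the flagged clients into Apache 2.2-style deny lines, ready to paste
# into .htaccess or the hosting control panel's IP blocker.
deny_lines() {
    suspicious_ips "$1" "$2" | awk '{ print "Deny from " $2 }'
}
```

Pick the threshold from your own traffic: a real visitor rarely produces more than a handful of 404s, while a scanner produces dozens in a minute. Because the offender's address may change, treat the block list as something to review and prune, and pair it with login lockouts so that a changed IP does not reset the attacker's attempts.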
– Rename the admin username in WordPress; "admin" is the first name an attacker tries.
– Keep WordPress and its plug-ins updated.
– Never share your passwords.
– Install useful security-related plug-ins (covered later).
– Keep an eye on referring websites.
– Enable a captcha for comments and logins.