hardening wordpress

I had positive feedback after posting my article about hardening Joomla!, so I will now focus on the blog software WordPress.
Here are a couple of tips that you can use to make your WordPress installation a bit more secure.

Change the default name of your administrator login (admin) and choose a strong password for all your accounts. It is also a good idea to use different login and author names; WordPress also has a useful system of user levels.

Hide the version of WordPress by removing the generator meta tag. You will find it in the template code; it should look something like this:
<meta name="generator" content="WordPress " />
Please note that the version is still visible in the feed.

If your register_globals setting is on, disable it (in php.ini or .htaccess).

Turn magic quotes (magic_quotes_gpc) for incoming GET/POST/Cookie data on; again, this is about SQL injections.

Restrict access with a .htaccess in your wp-admin/ folder. Take a look at an older post, https://phpsecurity.wordpress.com/2007/12/22/htaccess-tips-and-tricks/, where you will find solutions for limiting by IP address and for password protection.

Delete disabled templates and plugins that you do not need from your webspace.

Block the WordPress folders from being indexed by search engines.
Add the following line to your robots.txt:
Disallow: /wp-*

With an online tool from blogsecurity.net you can scan your WordPress installation. You need to install a plugin before doing that.
http://blogsecurity.net/wordpress/news-140707/
http://blogsecurity.net/cgi-bin/wp-scanner.cgi

Disable public browsing of the plugin folder by putting an empty index.html in wp-content/plugins/.

And last but not least, update WordPress and your plugins, and make regular backups of your site and database.
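As an added example (not part of the original post), here is a small POSIX shell audit that checks a WordPress document root against the file-based items above: the wp-admin .htaccess, the empty index.html in the plugin folder, the robots.txt rule, a generator meta tag left in a theme, and register_globals in a php.ini placed in the web root. The directory layout and the php.ini location are assumptions; adjust them to your host.

```shell
#!/bin/sh
# Audit a WordPress document root for the hardening items in the post.
# Prints one line per finding and returns the number of issues found.
# Assumption: themes live in wp-content/themes and a per-site php.ini,
# if any, sits in the document root.

wp_harden_check() {
  root="$1"
  issues=0

  # 1. wp-admin/ should carry a .htaccess (IP restriction or password)
  if [ ! -f "$root/wp-admin/.htaccess" ]; then
    echo "MISSING: $root/wp-admin/.htaccess (wp-admin/ is not restricted)"
    issues=$((issues + 1))
  fi

  # 2. wp-content/plugins/ should not be browsable: needs an index.html
  if [ ! -f "$root/wp-content/plugins/index.html" ]; then
    echo "MISSING: $root/wp-content/plugins/index.html (plugin list browsable)"
    issues=$((issues + 1))
  fi

  # 3. robots.txt should keep crawlers out of the wp-* folders
  if ! grep -qs '^Disallow: /wp-' "$root/robots.txt"; then
    echo "MISSING: 'Disallow: /wp-*' rule in $root/robots.txt"
    issues=$((issues + 1))
  fi

  # 4. a generator meta tag in a theme file discloses the version
  if grep -rqs 'name="generator"' "$root/wp-content/themes"; then
    echo "FOUND: generator meta tag in a theme file (version disclosure)"
    issues=$((issues + 1))
  fi

  # 5. register_globals must be off in a php.ini shipped with the site
  if grep -qsi '^register_globals *= *on' "$root/php.ini"; then
    echo "FOUND: register_globals = On in $root/php.ini"
    issues=$((issues + 1))
  fi

  echo "$issues issue(s) found"
  return "$issues"
}
```

Run it as `wp_harden_check /var/www/html` (path is an example); a zero exit status means all five checks passed.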
