WordPress Security And A Plugin To Help You

There’s a lot of attention lately for WordPress security issues. Blogs get hacked quite often and on forums I see a lot of desperate cries for help. I know how it feels. This blog got hacked once and it’s a real pain in the butt.

Before I go into some WordPress security issues, let me emphasize I’m NOT an expert on this issue. Far from it. If you really want an expert to help you out with security issues, get in touch with my friend Tom Brownsword. He’s a certified security expert!

Again, I’m certainly not, but I certainly took some measures for my WordPress security. Let me share them with you.

One of the first things you absolutely MUST do is change your password to something nobody can guess: a random set of at least 10 characters, some in capitals, and including at least one special character like !, ? or @.

The downside is that these passwords are hard to remember, and you shouldn’t store them electronically. So what I do is think of the name of a distant relative that is at least 10 characters long. Then I change one of the letters into a digit and another into a special character. The funny thing is that, after I’m done, I can still recognize the name, but it now makes a great password.

The second security measure you should take is to place an index file in every directory that doesn’t have one, so visitors can’t browse its contents. I usually redirect them to the home page of my blog, but you can also redirect them to a sales page or whatever.
Since WordPress uses PHP, I always use index.php, and the content is really simple:

<?php
header('Location: http://www.affordable-internet-marketing.com/');
exit;

You can also use javascript to redirect:

<script language="javascript">
window.location.href = "http://www.affordable-internet-marketing.com/";
</script>

Or, if you’re familiar with the concept, you can use an .htaccess file to accomplish the same. Some control panels provide this option.

(Image: WordPress security scan)

Your next WordPress security measure would be to make sure the permissions settings of your files and directories are all right.

This is a bit technical, but basically you can set the rights to read (r), write (w) and execute (x) files for yourself as the owner, for the group the file belongs to, and for all other users.

Permission to read a file has a value of 4, write has a value of 2 and execute has a value of 1. The digit you see is the sum of these: 7 means read, write and execute; 6 means read and write only.
Since permissions have to be specified for all three groups, a permission setting always consists of 3 digits. 644 means that you, the owner, can read and write, and everyone else can only read. This is a safe permission setting. 777 would mean that everyone has the right to read, write and execute your files. That’s a highly dangerous setting, as it allows anyone else on the server to manipulate your files.

Sometimes, for instance when you install a script, you’ll be asked to set permissions to 777 so the installer can create and write files. Remember to always, always set permissions back to 644 when you’re done installing, and delete the install script as well.

You can set permissions using the CHMOD command. It’s available in the better FTP programs that allow you to upload files to your server. Almost all Control Panels also include a way to set permissions. Use these resources to check all your file permissions. The third digit should almost always be a 4!
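As an added example (not part of the original post and not code from the plugin mentioned below), here is a small Python script that expands numeric modes into owner/group/other rwx form and walks a blog directory flagging anything world-writable or unexpectedly executable; the file names it creates in the demo are constructed for illustration.

```python
import os
import stat
import tempfile

def decode_octal(mode):
    """Expand a numeric mode such as "644" into owner/group/other rwx form."""
    bits = ((4, "r"), (2, "w"), (1, "x"))
    return "".join(c if int(d, 8) & b else "-" for d in mode[-3:] for b, c in bits)

def classify(mode, is_dir):
    """'danger' if others can write, 'warn' if the group can write or a
    plain file is executable by everyone, otherwise 'ok'."""
    group, others = int(mode[-2], 8), int(mode[-1], 8)
    if others & 2:
        return "danger"      # 777, 666, 646 ...: anyone on the host may alter it
    if group & 2:
        return "warn"        # 664, 775: writable by every account in the group
    if not is_dir and others & 1:
        return "warn"        # 755 on a plain file: the third digit is not 4
    return "ok"

def audit_tree(root):
    """Return (path, mode, rwx, verdict) for every entry that is not 'ok'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue     # judge symlinks by their target, not the link
            mode = "%03o" % (st.st_mode & 0o777)
            verdict = classify(mode, stat.S_ISDIR(st.st_mode))
            if verdict != "ok":
                findings.append((path, mode, decode_octal(mode), verdict))
    return findings

def demo_audit():
    """Build a constructed mini blog tree in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "wp-content"))
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    for name, mode in (("wp-config.php", 0o644), ("install.php", 0o777)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return audit_tree(root)   # the forgotten 777 install script is reported
```

Run it against the real document root of the blog with audit_tree("/path/to/blog") from a shell account, or use demo_audit() to see the output format.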

Another WordPress security measure is to limit access to your admin area. You can do that with an .htaccess file in the admin directory that denies access to everyone and then allows only your own IP address.
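Here is what that .htaccess looks like, as an added example that is not from the original post; it also shows the .htaccess way of refusing directory listings mentioned earlier. The IP address 203.0.113.5 is a documentation placeholder, not a real address.

```apache
# .htaccess placed in wp-admin/ (Apache 2.2 syntax, current when this post was written)
Order Deny,Allow
Deny from all
Allow from 203.0.113.5

# Equivalent on Apache 2.4 and later:
# Require ip 203.0.113.5

# .htaccess in the blog root: refuse directory listings instead of relying on index files
Options -Indexes
```

A dynamic home IP address will lock you out as soon as it changes, so keep FTP access to remove the file. Locking down wp-admin/ also blocks wp-admin/admin-ajax.php, which some themes and plugins call from the public side of the site.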

There’s a WordPress Security plugin that can help you detect vulnerabilities in your WordPress blog. I just installed it and found 1 minor error in my permission settings as you can see in the image above.
So it’s been useful for me already. Consider installing it.

Don’t forget to always upgrade to the latest WordPress version. I think this is included in WordPress version 2.7, so you may need this plugin only once again.

Finally, check out this great article by Aaron Wall: New WordPress Hacking Strategy.

Any other useful WordPress security suggestions?
Put them in the comment section below.

2 thoughts on “WordPress Security And A Plugin To Help You”

  1. Hello Case,

    Appreciate the link!

    Great post; LOTS of good advice in it. And it’s always great when a business and marketing pro (like you) uses your position of influence to call attention to security.

    Insofar as setting permissions go: You can usually do this with your FTP software. Just select the file(s) you want to set the permissions on and right-click; there should be a “Permissions” setting (or something similar) that will allow you to set the permissions.

    NEVER set them to “777”. If you do, you might as well post your user name and password on your blog!

    Regarding the Phone Factor plugin; if you want to use it, make sure that it mitigates an actual risk. Don’t just install it because it’s “security”.

    Lots of unanswered questions:

    * Who does the calling?
    * Who pays for the call?
    * How fast do they call back (if it’s slow and you need to work on your blog NOW, you’re wasting time)?
    * What else are they going to do with your phone number?
    * What happens if you want to work on your blog while traveling?

    I think the .htaccess hack would accomplish the same thing, yet leave you in complete control.

    Tom Brownsword, CISSP, Security+, ITIL V3 Foundations

  2. Case Stevens says:

    Hi Tom,
    Thanks for chiming in and answering some questions. Always great to have the Master explain the topic himself. 🙂
