What would you do if your blog was hacked?
Even the thought of it makes my skin crawl. Nobody wants to think about that, let alone experience it. That’s why I have decided to write a blog post about how to secure your WordPress Blog.
Needless to say, your blog can’t be 100% secure. But this doesn’t mean nothing can be done. There are basic things you have to do to secure your blog and prevent hackers from taking it over. In this post, I am going to show you 6 tips for securing WordPress blogs.
Avoid using Free Themes
Don’t go to Google and search for Free WordPress Themes. Most of them contain dangerous code. I remember reading a very important blog post about this issue. The author of the post searched for free WordPress themes and checked the ones on the first page of Google. You’ll be surprised when you see what she found in them. If you want to read the blog post, check it here:
If you want to use a free theme, choose one from a trusted company or one reviewed by WordPress. If you’re currently using one, follow the same steps from the post above to check whether your theme is clean.
Another thing you should check is the footer of your free theme. Sometimes people hide keywords there by giving them the same color as the blog background: if the background is grey, the keywords will be grey too, so you won’t be able to see them. They’re usually nasty keywords like penis enlargement, buy Viagra, etc. To check that these aren’t in your theme, visit your blog and press Ctrl + A on your keyboard; selecting everything makes any hidden text appear. Press Ctrl + A and see what’s written here:
Don’t Use Free Themes!
Always Update your WordPress Blog and Plugins
As you may know, most of the WordPress updates are for security reasons. So make sure you always update your blog. The latest version as I write this post is 3.2.1.
You must always update plugins as well. Make sure you read the details and look for warnings before you update. Sometimes a plugin update can break your blog. If this happens to you and you can’t access your dashboard, navigate to the plugin’s folder using FTP and delete it.
If you heavily rely on the plugin, you can get the older version that was working for you by following these steps:
Visit the plugin’s WordPress page
Click on Other Versions
Download the one you want
WordPress suggests that you delete any plugins you don’t use. Make sure you do that!
Hide your WordPress Folders
I previously talked about this in my other post, How to Know if Someone is Stealing your Product and how to Prevent That. Hiding your blog folders is very important. Suppose your plugins folder isn’t protected: anyone who opens it in a browser can see what plugins you’re using. If you’re using an outdated version of a plugin (because the updated version doesn’t work on your blog), hackers can exploit that to hack your blog.
This is how you hide your WordPress blog folders:
I suggest that you create an empty html file and upload it to each folder.
Login to your cPanel and use File Manager to upload it to your blog folders. This is how you do that:
You need to open each folder and upload the empty html file.
Now if someone wants to check your folders through these links:
s/he will see the empty web page.
Always Backup your Blog!
If you have a backup of your blog, you’ll surely be safe. Even if something bad happens, you can always restore your blog! A friend of mine created a very good tutorial about how to back up your blog and how to restore it from a backup. Visit these links to learn how to do it:
Install Security Plugins
Here are some of them:
This plugin detects suspicious activity and blocks it. When something like this happens, the plugin sends an e-mail that looks like this:
This one limits brute force login attempts. Brute forcing is something hackers do to guess your password: they try hundreds of passwords until they succeed. This plugin stops that by limiting the number of login attempts.
This one is important. It checks your blog for security vulnerabilities and suggests corrective actions! This is an example:
In this case, the wp-config.php isn’t protected!
Protect wp-config.php File
The WP Security Scan Plugin suggests that you change permissions to 644. When I checked WordPress, this is what they said:
“Also, make sure that only you (and the web server) can read this file (it generally means a 400 or 440 permission).”
I think we should listen to WordPress and change file permission to 400 or 440. This is how you do that:
- Login to cPanel
- Click on File Manager
- Choose the document root for your blog
- Locate the wp-config.php file and click on it
- Then click on Permissions at the top
- A pop-up will open
- Change the permissions by unchecking the boxes until the mode reads 400 or 440
When you run the WP Security Scan plugin again, you’ll no longer see the warning sign.
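The two file-system steps above, hiding the wp-content folders with an empty html file and tightening wp-config.php to 400 or 440, as an added shell example that is not from the original post: it does from a shell what the post does through cPanel and FTP. The folder list in WP_DIRS and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): a POSIX sh helper that does
# from a shell what the post does through cPanel. Assumes WP_DIRS lists
# the folders worth hiding and that "index.html" is the empty file used.

WP_DIRS="wp-content wp-content/plugins wp-content/themes wp-content/uploads"

# Drop an empty index.html into each folder that has no index file, so a
# visitor browsing to the folder sees a blank page, not a file listing.
# Prints how many files were created.
hide_wp_dirs() {
  root="$1"; created=0
  for d in $WP_DIRS; do
    [ -d "$root/$d" ] || continue
    if [ ! -e "$root/$d/index.html" ] && [ ! -e "$root/$d/index.php" ]; then
      : > "$root/$d/index.html"
      created=$((created + 1))
    fi
  done
  echo "$created"
}

# Succeeds when the file mode is 400 (-r--------) or 440 (-r--r-----),
# the values WordPress recommends. Reads the ls mode string, so it does
# not need GNU stat.
wp_config_mode_ok() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    -r--------|-r--r-----) return 0 ;;
    *) return 1 ;;
  esac
}

# Tighten wp-config.php to 440 when it is looser than 400/440.
# Prints "missing", "already-protected" or "fixed".
protect_wp_config() {
  f="$1/wp-config.php"
  [ -f "$f" ] || { echo "missing"; return 1; }
  if wp_config_mode_ok "$f"; then
    echo "already-protected"
  else
    chmod 440 "$f" && echo "fixed"
  fi
}

# Usage (document root is an assumed example path):
#   hide_wp_dirs /home/user/public_html; protect_wp_config /home/user/public_html
```

If PHP on your host runs as a user that is neither the owner nor in the group of wp-config.php (common with mod_php), 400 or 440 will stop WordPress from reading its own config, so load the site right after changing the mode.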
I know that I’ve missed a lot of info here. That’s why I am going to list some useful blog posts where you can learn how to protect your WordPress blog.
I know that some of you are well-versed in this topic of WordPress security. It’d be great if you could share your experience with us. If you know something that could help us secure our WordPress blog, please share that with us by writing a comment. If you have written an important post about how to secure WordPress blogs, please tell me so that I include it in this post.
If you know someone who could benefit from this post, you can always share it with him or her.
Thanks a lot in advance!