WordPress Security

As one of the most popular platforms on which to build a web site, WordPress is constantly under attack by those looking for vulnerabilities that will allow them to access and compromise sites. While your individual site may not be one of those currently being attacked, and while WordPress releases patches whenever security holes are discovered, there is still plenty of scope for interference with your site unless you implement a number of further security measures.

While there is no real security through obscurity, implementing a number of measures to make your site appear less like one that utilises WordPress will at least make your site a less obvious target to those who are only interested in attacking WordPress sites. Choosing a different theme from any of those most commonly used with WordPress is an obvious starting point, and you will want to do that anyway so that your site does not look as if it is just one of the millions of WordPress blogs out there. In addition you should change a few of the most obvious things that could be checked for and that give away that the site is built on WordPress, such as removing any version information from displaying on the site, using a prefix other than wp_ for the tables in the database, and renaming the admin area to something other than wp-admin.

The next step in securing your WordPress installation is to make it harder for someone to log in unless they have their own user account. First you should set up your own username that has admin access to your blog and then remove the admin user. That will mean that it is less obvious which user is the one with admin access, and any automated tasks that assume that the admin username is 'admin' will fail. You will also want to implement some sort of lockout for when the wrong password has been entered: once too many incorrect password guesses have been made, you want further attempts to be blocked. These features and more can be easily implemented by installing the Better WP Security plugin.
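To show what the lockout described above actually does under the hood, here is an added example of a minimal WordPress plugin (written for this page, not code from Better WP Security) that counts failed logins per client address and username using WordPress transients and refuses further attempts once the limit is reached; the plugin name, the `sll_` prefix, the limit of 5 attempts and the 15-minute window are all assumptions for the example.

```php
<?php
/*
Plugin Name: Simple Login Lockout (added example)
*/
// Added example, not from the original article or any real plugin.
// Counts failed logins per client IP + username and blocks further
// attempts for a fixed period once the limit is reached.

define( 'SLL_MAX_ATTEMPTS', 5 );                 // assumed limit
define( 'SLL_WINDOW', 15 * MINUTE_IN_SECONDS );  // assumed window/lockout length

function sll_client_key( $username ) {
    // Assumption: no reverse proxy, so REMOTE_ADDR is the real client.
    // md5 only shortens the transient name; it is not used for security.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'sll_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

// Record each failed login against the IP/username pair.
function sll_record_failure( $username ) {
    $key      = sll_client_key( $username );
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, SLL_WINDOW );
}
add_action( 'wp_login_failed', 'sll_record_failure' );

// Refuse authentication while the pair is locked out, even if the
// password supplied this time happens to be correct.
function sll_check_lockout( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    $attempts = (int) get_transient( sll_client_key( $username ) );
    if ( $attempts >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
// Priority 30 runs after the core username/password check (priority 20).
add_filter( 'authenticate', 'sll_check_lockout', 30, 3 );

// Clear the counter once a login succeeds.
function sll_clear_on_success( $user_login ) {
    delete_transient( sll_client_key( $user_login ) );
}
add_action( 'wp_login', 'sll_clear_on_success' );
```

Keying on the IP address as well as the username stops a remote party from locking a legitimate user out simply by guessing wrong against that username; behind a shared proxy or NAT the IP is less meaningful, and a persistent object cache or database-backed transients are needed for the counter to survive across requests.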

Another aspect of security is to ensure that only real people are allowed to have accounts on your site. Automated processes often sign up for thousands of user accounts on whatever WordPress sites they can find so that they can then flood the site with spam comments. While the Akismet plugin that most people use to detect spam comments does block most of the spam from actually appearing on the site, preventing the spambots from signing up in the first place is a better alternative. To do this you need to implement a CAPTCHA plugin, and the less obtrusive it is the better. Rather than any of the really obtrusive ones that display an image containing distorted text that you have to try to read, a simple Math Captcha that asks for the answer to a simple addition or subtraction is at least as effective and will be easier for most real people to interact with. I have also seen a completely unobtrusive CAPTCHA that uses JavaScript and hidden form fields to work out whether or not the form is being filled out by a real person, but that CAPTCHA will also block any real people who don't have JavaScript enabled from getting an account and so should only be used where you can be certain that everyone using the site will have JavaScript (i.e. that the site is actually about JavaScript).

So by simply installing three or four security plugins on your WordPress installation when you first set it up, and by keeping your WordPress installation and all the plugins up to date, you will be able to minimise the opportunity for vulnerabilities to be exploited to compromise your site.
