Keeping WordPress Secure
From Lunarpages Web Hosting Wiki
WordPress is one of the most popular blogging scripts out there, and with popularity come hackers and spammers. There are a number of things you can do to make it more secure.
- If installing manually, change the default DB table prefix (wp_) when asked. If installing via Fantastico or Softaculous, you can change the table prefix afterward with the wp-security-scan plugin: http://WordPress.org/extend/plugins/wp-security-scan/ Changing the prefix to something else helps block scripted attacks that look for the default.
- Keep WordPress and all plugins up to date. Just one old, insecure plugin can create a huge security hole. Both WordPress and most plugins can now be auto-updated from Admin.
- If you enable comments, be sure to set them to be moderated. You should also install the reCAPTCHA plugin to help stop bots from submitting comments: http://recaptcha.net/plugins/wordpress/ You definitely want to install the Akismet plugin or WP-SpamFree as well to help stop spam: http://wordpress.org/extend/plugins/akismet/ or http://wordpress.org/extend/plugins/wp-spamfree/
- Change the default security keys in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY). You can generate new secure keys easily at https://api.WordPress.org/secret-key/1.1/ .
- Add the WordPress Stats plugin both for help with SEO and to monitor unusual activity. http://WordPress.org/extend/plugins/stats/
- External post writers such as Microsoft Live Writer make it easy to create posts on your own computer and then send them to your blog, but they use xmlrpc.php, which is quite often exploited; if you check your access logs you will probably see quite a few requests looking for that file. It is best to disable outside posting. If you must use an external writer, rename xmlrpc.php to something obscure and then point your external program at the new filename. In Live Writer, you must enter the posting URL with the new filename when first setting up the blog in it.
- To be safe, you should make backups of your database and site files: it saves a lot of time and effort cleaning up after an attack, and customers are responsible for their own files and for keeping backups. Create new backups of files and database after making any site changes, such as upgrading to a new version, adding a plugin, or creating a truly brilliant post. Back up the database as often as necessary depending on the activity in your blog; it is the one truly irreplaceable item and the one that changes most often. You can add a very nice DB backup plugin from http://ilfilosofo.com/blog/wp-db-backup/ and manually back up the database.
- While not related to hacking or spamming, another major security issue for blogs is content theft (copyright violations). This should be just as much of a concern whether your blog is about your family or business. Please see http://www.lostartofblogging.com/protect-your-blog-and-counter-copyright-thefts , http://creativecommons.org/choose/ , and http://www.codetrax.org/projects/wp-cc-configurator/files. Another possibility is https://myfreecopyright.com/
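The xmlrpc.php item above suggests checking your access logs for requests to that file. The script below is an added example (not from the wiki or from WordPress) that does exactly that over Apache/nginx "combined" format lines: it counts requests to /xmlrpc.php per client address, records the methods and status codes seen, and lists addresses that exceed an assumed threshold. The log lines are constructed for the example; once xmlrpc.php has been renamed or disabled, any remaining hits on the old name (typically 404s) are worth a look.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format; group names are our own choice.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): two hosts probe xmlrpc.php,
# one visitor reads a post normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2023:13:56:01 +0000] "GET /xmlrpc.php HTTP/1.1" 404 209 "-" "python-requests/2.31"
192.0.2.5 - - [10/Oct/2023:13:57:12 +0000] "GET /2023/10/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

def xmlrpc_hits(log_text, target="/xmlrpc.php"):
    """Return {ip: {"count": n, "methods": Counter, "statuses": Counter}} for requests to target."""
    hits = defaultdict(lambda: {"count": 0, "methods": Counter(), "statuses": Counter()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path.lower() != target:
            continue
        rec = hits[m.group("ip")]
        rec["count"] += 1
        rec["methods"][m.group("method")] += 1
        rec["statuses"][m.group("status")] += 1
    return dict(hits)

def noisy_clients(hits, threshold=3):
    """Addresses that hit the target at least `threshold` times (threshold is an assumed value)."""
    return sorted(ip for ip, rec in hits.items() if rec["count"] >= threshold)

if __name__ == "__main__":
    hits = xmlrpc_hits(SAMPLE_LOG)
    for ip, rec in hits.items():
        print(ip, rec["count"], dict(rec["methods"]), dict(rec["statuses"]))
    print("review:", noisy_clients(hits))
```

Feed it your real access log with `xmlrpc_hits(open("access.log").read())`; if you renamed the file, every hit on the old name is a probe rather than a legitimate client.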
Our last bit of advice would be to follow the advice in our other security articles.