10 ways to secure your WordPress blog


As old readers know, my blog has been hacked several times. You can read about my first hack and what to do when your blog has a virus, but now it’s time to prevent hackers from injecting malware in your WordPress blog.

Follow these 10 simple steps. They aren't ordered in any way; it's just a list I am writing to help you make your blog more secure.

1) Don't display your WP version: hackers know the security holes and exploits of every WP version, and your header.php file probably contains a generator meta tag that prints the exact version you are running.

Remove this tag, or simply remove the PHP function call that returns the WP version, so that your generator tag no longer names your release. Hiding the version only removes the most obvious hint; it doesn't fix the holes themselves, so keep point 8 in mind too.

2) Protect your /wp-content/plugins/ directory by putting a blank index.html file in it. The latest WP versions already ship an empty index.php file there that does the same job. This stops directory listing, so nobody can see which plugins you installed and check them for exploitable ones.

3) Use a secure password: it shouldn't be your girlfriend's name or your daughter's name. A good password is at least 8 characters long and mixes uppercase letters, lowercase letters and numbers.

4) Change your login name to something other than "admin". Most WP installations still use the default admin login for the administrator area. If your blog is under a brute force attack, you make the attacker's life a bit harder if they have to guess both the password and the login name.

5) Install the Login LockDown plugin. Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
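To make the lockout rule concrete, here is an added example (not code from the plugin or from the original post) that replays constructed login-log lines through the same policy: 3 failures within 5 minutes from one IP range trigger a 1 hour lockout. The log format and the choice of a /24 as the "IP range" are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3               # plugin default: 3 failed attempts ...
WINDOW = timedelta(minutes=5)  # ... within 5 minutes ...
LOCKOUT = timedelta(hours=1)   # ... lock the range out for 1 hour

def ip_range(ip):
    """Assumption: treat the /24 (first three octets) as the 'IP range'."""
    return ".".join(ip.split(".")[:3])

class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(deque)  # range -> recent failure timestamps
        self.locked_until = {}              # range -> datetime when lockout ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip_range(ip))
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Register a failed login; return True if it triggers a lockout."""
        rng = ip_range(ip)
        q = self.failures[rng]
        q.append(now)
        while now - q[0] > WINDOW:          # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[rng] = now + LOCKOUT
            q.clear()
            return True
        return False

# Constructed sample log, one login attempt per line: "<ISO time> <client IP> <result>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.5 FAIL
2024-03-01T10:01:00 203.0.113.5 FAIL
2024-03-01T10:02:30 203.0.113.9 FAIL
2024-03-01T10:02:45 203.0.113.5 OK
2024-03-01T10:20:00 198.51.100.7 FAIL
2024-03-01T11:03:00 203.0.113.5 OK
"""

def replay(log_text):
    """Replay log lines through the tracker; return (blocked requests, lockout events)."""
    tracker, blocked, lockouts = LoginLockdown(), [], []
    for line in log_text.splitlines():
        ts, ip, result = line.split()
        now = datetime.fromisoformat(ts)
        if tracker.is_locked(ip, now):
            blocked.append((ts, ip))         # refused even with a correct password
            continue
        if result == "FAIL" and tracker.record_failure(ip, now):
            lockouts.append((ts, ip_range(ip)))
    return blocked, lockouts
```

Note that the third failure comes from a different host in the same /24, which is enough to lock the whole range, and that the correct login at 10:02:45 is refused until the hour has passed.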

6) Choose a good hosting company or keep your web server updated. You can secure your WP blog in a million ways, but if your server has security issues, you’re doomed anyway.

7) Secure your /wp-admin/ directory. Create a file called .htaccess in that directory and place this in it:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# allowed IPs
allow from xxx.xxx.xxx.xxx
allow from yyy.yyy.yyy.yyy
...
...
allow from zzz.zzz.zzz.zzz

Replace xxx, yyy and zzz with the IPs you currently log in from. Since AuthUserFile points to /dev/null, no password is actually checked here: the protection is the IP allow list, so if your provider gives you a dynamic IP you will lock yourself out when it changes and will have to edit the file again.

8) Keep your WP version (not too) updated. While old WP versions may have security bugs that are no longer fixed, installing the latest release can expose you to unknown bugs during the first days. If it's not a critical security update, my advice is to wait at least a couple of days before installing the new version.

9) Get rid of bad bots by adding these lines to your main .htaccess file (the one in your WP root):

SetEnvIfNoCase User-Agent "^Libwww-perl" bad_bot

Order Allow,Deny
Allow from all
Deny from env=bad_bot

If you look in your server logs you will probably see attempts by automated scripts (bots) to hack your site. This happens to all sites, and the Libwww-perl agent is recognized as one of the worst of them. Check this Google search for more information.

10) When you are about to install a plugin, Google for it to make sure nobody is reporting security issues.

… and death to pirates…
