WordPress: Security check for your Blog

Most of the bloggers ignore various security loop-holes in their WordPress installation, thinking that the chances of Crackers intruding their small and unpopular websites are slim. Never even think of this. No one is going to check your page rank or Alexa rank before hacking your site, so better secure it now than to regret later. There are a lot of wordpress plugins that will do the job for most users. But if you are a freak like me, keep reading to know how to secure your blog without installing any wordpress plugin.

Here is a list of methods that will enhance the security of your blog:

1. Default admin username:
   Problem: Everyone knows that there exists an admin user in WordPress which has the almighty powers to destroy everything, so they are left with just guessing their passwords. Why not make it a little tough for them, change the username to something else other than admin.
   Standard Solution: Create a new user with administrative privileges and delete the default admin user. Before you delete a user account, you can transfer all the posts and links to another user.
   

   Before deleting a user, you can attribute all posts and links to another author.

   Geeky Solution: You can perform an SQL query or directly change the username via phpmyadmin. Here is the SQL query:

   1	UPDATE 'wp_users' SET 'user_login' = 'NEWUSERNAME' WHERE 'wp_users'.'ID' =1 ;

   You can also create another user with only publishing permissions. A second user gives greater security, that name will be displayed in all future published articles and commentaries, and the name of the actual administrator will never be displayed on blog pages and therefore never communicated to the outside world.

2. Folder and File Permissions: Make sure that you have given only those permissions to your files that are required by the web applications to work properly. Most famous and safe permissions are 755 for folders and 644 for files.
3. Folder Public Browsing: Go to http://YOURBLOGURL/wp-content/plugins. If you don’t see anything you can safely proceed to the next step but if you are shocked to see the whole list of plugins you are using on your site, then its a sign of danger.
   Standard Solution: Hide your files by adding an empty index.php file into your critical folders specially plugins, themes and wp-content.
   Geeky Solution: You can add the following line into your .htaccess file in order to prevent access to the file list of any folder not having an index file:

   1	Options All -Indexes

4. Protect wp-admin Directory:
   Proceed with this step, only if you know what you are doing.
   1. IP protect wp-admin: You can block all IPs from accessing wp-admin directory except your IP address. Add the following code to your .htaccess file:

      1 2 3 4 5 6 7 8

      AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "WP Access Control" AuthType Basic order deny,allow deny from all allow from xx.xx.xx.xx allow from xx.xx.xx.xx

      Here xx.xx.xx.xx is your IP address. You can add multiple IP addresses to allow access from.

   2. Password Protect wp-admin directory: You can add a second layer of authentication to the wp-admin folder, which will be controlled by your web server. So that whenever you try to login, you will have to authenticate yourself twice (Hows that!!!)
      Standard Solution: If your your web host provides you with a cPanel, then the work is half done for you. Just Click on “Password protected Directories” link on your cPanel’s homepage, select the directory to password protect, enter the username and password and done!!
      Geeky Solution:
      1. Visit Htaccess Tools Htpasswd Generator
      2. Enter a username and password for your password protected directory.
      3. Create a .htpasswd file in the folder which is inaccessible by anybody (say /home/USERNAME).
      4. Copy the line created by step 1 and paste it in the .htpasswd file created in step 2.
      5. Create a .htaccess file in your wp-admin folder and copy the following code into it:

         1 2 3 4

         AuthType Basic AuthName "Admin" AuthUserFile "PATH_TO_.HTPASSWD_FILE/.htpasswd" require valid-user

      Now every time you will login, you will be asked for this extra authentication.

5. Protect wp-config.php file: This is the most important file in the wordpress installation as it contains the username and password of the database associated with your blog. Add the following lines to the .htaccess file in your blog’s root directory to deny any kind of access to this file through your web server.

   1 2 3 4

   <files wp-config.php> Order deny,allow deny from all </files>

6. Edit Robots.txt: You can prevent access to your wordpress folders by adding the following line to the robots.txt in your blog’s root directory.

   1	Disallow: /wp-*

   This will ensure that the good guys (like Google, Bing, Yahoo, etc) never index your wordpress folders.

Along with this, always keep your wordpress blog, plugins and themes updated to their latest version. And do I need to ask you to backup and backup and backup your blog, you never know when another Tsunami, Rita, Katrina will strike the Data Centers of your web host and you will be left with nothing but an apology.

Enjoy secure blogging!! And do not forget to share your tips on secure blogging in the comments!!