
Before you believe in some people’s claim on how to make your WordPress blog ‘hack-proof,’ think again. There’s no such thing as a ‘hack-proof’ WordPress blog!
You can only reduce the possibility of your blog being hacked but not completely make it hack-proof, as others might claim. The only way for your WordPress blog to be ‘hack-proof’ is to unplug it from the internet. Always remember that security is a process, not a result.
Securing the foundation
Before you start securing WordPress, it is important to first secure the foundation your blog is running on: the operating system, web server, and database server. Normally, you can do this if you’re on a dedicated server, a virtual private server (VPS), or a cloud instance. If you’re on a shared hosting service, you’re at the mercy of your web hosting provider. When selecting a shared hosting provider, ask whether their web servers are “hardened” — a term used to indicate that the server has undergone a process of ‘hack-proofing.’ A good indicator of a security-conscious web hosting company is the use of mod_security (for Apache-based web servers) on their web servers.
- Securing Apache: Step-by-Step (SecurityFocus.com)
- Securing Linux (TLDP)
- Securing MySQL (SecurityFocus.com)
Securing WordPress
Now that you have secured the foundation, you can now start working on WordPress. There are several ways to keep the bad guys from hacking your WordPress blog.
Keep your WordPress software updated (and plugins, too!)
A common way bad guys can hack your WordPress is by exploiting known vulnerabilities or weaknesses in the version of the code you’re running. These vulnerabilities are fixed by regularly updating your WordPress software. Don’t forget to update the plugins, too!
Always use a secure password
Oftentimes, we’re too lazy to use a strong password because it’s just too difficult to remember. Passwords like ‘password’ or ‘1234’ or your birthday are not recommended. Some criteria to remember when choosing a strong password:
- Seven (7) or fourteen (14) characters long
- Contains both uppercase and lowercase characters
- Contains numbers and/or symbols
- Not your name, last name, or your user login (e.g. admin)
- Not a word found in the dictionary or a very simple word (e.g. bird, keys)
Here’s a tool that can help you generate a strong password.
Delete the default ‘admin’ user
Hackers know that the default administrator username in WordPress is ‘admin.’ The first time you install WordPress, create a unique user and then make this new user an administrator. Log out from the current session and log in as the new user you just created. Look for the admin user and delete it.
Always keep a backup
While this is not a security process, you can restore a hacked blog from a backup. Always keep a copy off-site — download it from your web server and store it on your local computer.
Miscellaneous
If you’re on an internet connection with a static IP address, you can further increase security by limiting access to the admin page by using .htaccess (for Apache-based web sites).
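Here is what that .htaccess restriction can look like, as an added example that is not part of the original post. It assumes Apache 2.4, that your static address is 203.0.113.10 (a placeholder from the documentation range; substitute your own), and that the first fragment goes in the .htaccess at the WordPress root and the second in wp-admin/.htaccess.

```apache
# --- .htaccess in the WordPress root directory ---
# Only the listed static IP may reach the login page. Everyone else
# receives a 403 before WordPress runs, so password guessing against
# wp-login.php never reaches PHP.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# --- .htaccess inside the wp-admin/ directory ---
# Same rule for the whole admin area ...
Require ip 203.0.113.10

# ... except admin-ajax.php, which themes and plugins call from the
# public front end. Leaving it blocked would break those features for
# ordinary visitors, so it stays open to everyone.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Apache 2.2 equivalent of "Require ip 203.0.113.10":
#   Order deny,allow
#   Deny from all
#   Allow from 203.0.113.10
# and of "Require all granted":
#   Order allow,deny
#   Allow from all
```

If your connection has several static addresses, list them all after `Require ip` separated by spaces, and test from a different network to confirm the 403 before relying on it.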
Conclusion
Remember, security is a process, not a result. There is no silver bullet when it comes to securing your WordPress blog. You need to regularly change your passwords and update your WordPress software as well as related plugins. If you have access to your web server’s logs, it’s also a good idea to check them from time to time to see if someone is attempting to do something nasty, but I’m not going to discuss that here. I hope you found this post useful.
Credits: Photo courtesy of pogo.com


{ 5 comments }
Very nicely written, and a good reminder and potential kick in the behind for everyone, including me. Heck, especially me!
Every blogger should always be aware of security. Thanks for the comment!
this is why i have levels 1, 2, and 3 passwords. level 1 are "will-take-to-the-grave" internet accounts. level 2 are passwords of accounts which i may allow family or close friends to access on an emergency basis. level 3 are for professional use. and oh, i switch passwords every quarter. and it's always random, alphanumeric.
Thanks for dropping by! It's a good practice to change passwords often. However, any user account can provide more insights to a potential attacker if he/she gains access to your system. It's better to leave no stone unturned than to regret later.