3 Must Apply Security Tips for WordPress

Today I was reading through my RSS feeds and I came across a very interesting post from Matt Cutts. Basically he was describing 3 (plus a bonus) tips to secure your WordPress install. I was already using two of them, but the first one was new to me, and it looks like the most effective one as well.

1. Secure the /wp-admin/ directory

You probably know that the /wp-admin/ folder holds the WordPress administration interface: the dashboard and every screen you use to write posts, manage users and install plugins. Right out of the box, WordPress leaves that folder reachable by anyone, so an attacker can point a browser or a script at those scripts just as easily as you do.

Matt suggests placing a .htaccess file inside the /wp-admin/ folder that denies access to every IP address except yours. Two things are worth knowing about the snippet as he originally published it. First, the access directives were wrapped in a <LIMIT GET> block; as Joshua Slive pointed out in an update to Matt's post, that restricts only GET requests, so anyone could still POST to the scripts in /wp-admin/, which is exactly what the admin screens do when you submit a form. Second, the four Auth* lines (AuthUserFile, AuthGroupFile, AuthName, AuthType) do nothing without a matching Require directive. The version below drops both, so the deny applies to every request method:

# /wp-admin/.htaccess (Apache 2.2 syntax)
# No <LIMIT GET> wrapper: these directives must apply to POST as well as GET.
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx

The order/deny/allow lines are Apache 2.2 syntax; on Apache 2.4 the equivalent is a single "Require ip xx.xx.xx.xx" line per address. Keep in mind what this does and does not cover: the login form itself is /wp-login.php in the site root, so the rule does not stop password guessing, but it does stop a guessed or stolen password from being used to reach the dashboard from an address you did not list. Some plugins also call /wp-admin/admin-ajax.php from public pages, and this rule blocks those calls too. If you do not have a static address (see the comments below), password-protecting the directory with .htaccess is the usual alternative.

2. Hide your plugins

Many WordPress plugins ship with bugs and vulnerabilities that can be exploited to damage your website, and a published exploit is usually written against a specific plugin and version. The last thing you want, therefore, is for other people to be able to see which plugins you are using.

On most blogs, visiting /wp-content/plugins/ returns an automatic directory listing of every installed plugin. To hide that listing, create an empty index.html file and drop it in the folder: the web server serves the empty page instead of generating the index. Alternatively, as several commenters note, a single "Options -Indexes" line in the .htaccess at the root of your site turns listings off for every folder at once. Either way this only hides the listing; the plugin files themselves are still reachable by direct URL (a plugin's own subfolder, for instance), so it raises the cost of enumerating your plugins rather than preventing it.

3. Keep up with patches and updates

Most bloggers probably carry out this tip already. Keep your WordPress install current: the fixes for publicly disclosed vulnerabilities ship in those updates, so an out-of-date install can be attacked with published details. Matt suggests subscribing to the WordPress Development Blog to hear about new releases.

The final bonus tip was to delete the generator meta tag that reveals your WordPress version in the header of your site (<meta name="generator" content="WordPress x.y" />, printed by most themes' header.php). Note that the same version string also appears in the generator element of your RSS feed, so removing it from the theme header alone does not hide it completely.
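All three tips, plus the bonus one, can be verified from outside. The script below is an added example, not code from the original post or from Matt Cutts: it scores HTTP responses for the three conditions (/wp-admin/ refusing both GET and POST, the plugins folder not returning a directory listing, no WordPress generator tag on the home page). The responses it runs on are constructed samples, not captured from a real site; probe() shows how to gather real ones and is not called here, and the base URL it takes is a placeholder.

```python
"""Added example, not code from the original post or from Matt Cutts.

Offline checks for the three tips: each function takes HTTP status codes
and/or a response body and says whether the hardening is in place. The
SAMPLE_* responses are constructed for the example; probe() shows how to
collect real ones and is not called here.
"""
import re
import urllib.error
import urllib.request

# <meta name="generator" content="WordPress 2.3.2" /> as printed by most
# 2008-era themes (name before content); the version string is captured.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([^"\']*)["\']',
    re.IGNORECASE,
)
# Title that Apache's mod_autoindex puts on an automatic directory listing.
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def wp_admin_restricted(status_get, status_post):
    """Tip 1: from an address that is not on the allow list, both GET and
    POST to /wp-admin/ must come back 403. A 403 for GET only is the
    <LIMIT GET> mistake: the admin scripts still accept POST."""
    return status_get == 403 and status_post == 403


def plugins_listing_hidden(status, body):
    """Tip 2: /wp-content/plugins/ must not return an auto-generated index.
    A 403 (Options -Indexes) or a 200 without the listing title (empty
    index.html in place) both count as hidden."""
    if status == 403:
        return True
    return status == 200 and LISTING_RE.search(body) is None


def wordpress_version(body):
    """Bonus tip: the version leaked by the generator meta tag, or None."""
    match = GENERATOR_RE.search(body)
    return match.group(1).strip() if match else None


def audit(responses):
    """responses maps 'admin_get', 'admin_post', 'plugins' and 'home' to
    (status, body) pairs. Returns check name -> passed."""
    return {
        "wp-admin refuses GET and POST": wp_admin_restricted(
            responses["admin_get"][0], responses["admin_post"][0]),
        "plugin listing hidden": plugins_listing_hidden(*responses["plugins"]),
        "generator tag removed": wordpress_version(responses["home"][1]) is None,
    }


def probe(base_url):
    """Collect the four responses from a live site (needs network access and
    a site you are allowed to test; not executed in this example)."""
    def fetch(path, method="GET"):
        data = b"" if method == "POST" else None
        request = urllib.request.Request(base_url + path, data=data, method=method)
        try:
            with urllib.request.urlopen(request, timeout=10) as response:
                return response.status, response.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return {
        "admin_get": fetch("/wp-admin/"),
        "admin_post": fetch("/wp-admin/", "POST"),
        "plugins": fetch("/wp-content/plugins/"),
        "home": fetch("/"),
    }


# Constructed responses: a blog running Matt's original <LIMIT GET> snippet,
# with an open plugins folder and the stock generator tag ...
SAMPLE_OPEN = {
    "admin_get": (403, "<title>403 Forbidden</title>"),
    "admin_post": (200, "<title>Dashboard</title>"),
    "plugins": (200, "<html><head><title>Index of /wp-content/plugins</title></head>"
                     "<body><a href=\"akismet/\">akismet/</a></body></html>"),
    "home": (200, '<html><head><meta name="generator" content="WordPress 2.3.2" />'
                  "</head></html>"),
}
# ... and the same blog after all three tips were applied.
SAMPLE_HARDENED = {
    "admin_get": (403, "<title>403 Forbidden</title>"),
    "admin_post": (403, "<title>403 Forbidden</title>"),
    "plugins": (200, ""),  # empty index.html served instead of a listing
    "home": (200, "<html><head><title>My blog</title></head></html>"),
}

if __name__ == "__main__":
    for label, sample in (("open", SAMPLE_OPEN), ("hardened", SAMPLE_HARDENED)):
        print(label)
        for check, passed in audit(sample).items():
            print(f"  {'PASS' if passed else 'FAIL'}  {check}")
```

The POST check is the one people forget: a rule that only guards GET passes a casual browser test while leaving every form handler in /wp-admin/ open, which is why audit() scores GET and POST together.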

Do you know any other security tips that WordPress users should apply?

Update: Browsing the Internet I also came across a WordPress plugin called Login LockDown. Basically it tracks login attempts to your site, and if too many of them come from the same IP address in a short period of time the plugin disables the login function for that IP range. Useful for stopping people trying to brute force your password.
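The policy the update describes, written out as an added example (this is not the Login LockDown plugin's own code): failed logins are counted per source network inside a sliding window, and once a threshold is reached the network is refused for a fixed lockout period, even if the next attempt carries the correct password. Locking a /24 rather than a single address is an assumption taken from the phrase "that IP range"; the thresholds and the attempts replayed at the bottom are constructed for the example.

```python
"""Added example, not the Login LockDown plugin's own code.

Failed logins are counted per source network inside a sliding window, and
once MAX_FAILURES of them land in WINDOW_SECONDS the network is locked out
for LOCKOUT_SECONDS. Blocking a /24 rather than a single address is an
assumption taken from the phrase "that IP range"; the attempts replayed at
the bottom are constructed, not real log data.
"""
from collections import deque
import ipaddress

MAX_FAILURES = 3        # failures allowed inside the window
WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 3600  # how long a locked network stays locked


class LoginLockdown:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, v4_prefix=24):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.v4_prefix = v4_prefix
        self._failures = {}      # network -> deque of failure timestamps
        self._locked_until = {}  # network -> time the lockout expires

    def network_of(self, ip):
        """Group addresses by /24 (IPv4) or /64 (IPv6) so an attacker on a
        dynamic address cannot reset the counter by hopping one address over."""
        addr = ipaddress.ip_address(ip)
        plen = self.v4_prefix if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def is_locked(self, ip, now):
        until = self._locked_until.get(self.network_of(ip))
        return until is not None and now < until

    def attempt(self, ip, now, success):
        """Record one login attempt at time `now` (seconds). Returns
        'locked' when the attempt is refused without checking the password,
        'ok' for an accepted successful login, 'failed' for a wrong password."""
        net = self.network_of(ip)
        if self.is_locked(ip, now):
            return "locked"
        if success:
            self._failures.pop(net, None)
            return "ok"
        window = self._failures.setdefault(net, deque())
        window.append(now)
        while window and now - window[0] > self.window:  # drop stale failures
            window.popleft()
        if len(window) >= self.max_failures:
            self._locked_until[net] = now + self.lockout
            window.clear()
        return "failed"


def replay(attempts, lockdown=None):
    """Feed (time, ip, success) triples through one LoginLockdown and
    return the outcome of each attempt."""
    lockdown = lockdown or LoginLockdown()
    return [lockdown.attempt(ip, t, ok) for t, ip, ok in attempts]


# Constructed: three wrong passwords from 203.0.113.7 within a minute lock
# the whole 203.0.113.0/24, so the correct password from .9 is refused;
# another network is unaffected; the lock has expired by t=3700.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.7", False),
    (20, "203.0.113.7", False),
    (40, "203.0.113.7", False),
    (60, "203.0.113.9", True),
    (70, "198.51.100.4", True),
    (3700, "203.0.113.7", True),
]
EXPECTED = ["failed", "failed", "failed", "locked", "ok", "ok"]

if __name__ == "__main__":
    for (t, ip, ok), outcome in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(f"t={t:5d} {ip:14s} success={ok!s:5s} -> {outcome}")
```

Two details matter in practice: the window is sliding (a failure older than WINDOW_SECONDS no longer counts, so three slow guesses spread over ten minutes do not lock anyone out), and a locked network is refused before the password is checked, so the lockout also applies to the legitimate owner until it expires, which is the trade-off the plugin makes.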


66 Responses to “3 Must Apply Security Tips for WordPress”

  1. Colourblogger on January 18th, 2008 4:11 am

    Good point! I never understand why bloggers talk so freely about their installed plugins.

  2. David Zemens - 1955 Design on January 18th, 2008 4:33 am

    Great tips. Without a static IP address tip #1 is difficult to implement. I already made the change you suggested in tip #2, but added a bit of an informational message to the index.php file that I dropped into the plugin folder.

  3. Jaan Kanellis on January 18th, 2008 4:37 am

    For #2 you should be blocking the content access in all folders through your htaccess file.

  4. Jaan Kanellis on January 18th, 2008 4:37 am

    Browsing access that is.

  5. Daniel on January 18th, 2008 4:42 am

    Jaan, yeah that is another option. I wonder if this would mess up people visiting single images via Google Image search though.

  6. Daniel on January 18th, 2008 4:44 am

    I wonder if you can specify IP ranges for tip number 1. This would solve the problem for people with dynamic IP addresses.

    Well, you would still be vulnerable to people close to your IP class, but that reduces the risk greatly already.

  7. Jaan Kanellis on January 18th, 2008 4:55 am

    Daniel, that should not be a problem at all. Google doesn't find the images by browsing through folder access; they find them through links on the pages themselves, which would still work fine.

  8. Daniel on January 18th, 2008 5:02 am

    Right, but when the user clicks on the image he would be directed to the wp-content folder on your blog. If you block that he would see a 404 page, won’t he?

  9. Napster on January 18th, 2008 5:10 am

    Great security tips!

  10. Jaan Kanellis on January 18th, 2008 5:11 am

    No. You can find the URL below in my images folder fine:

    http://www.jaankanellis.com/images/napoleon.jpg

    but you can't browse the folder directly:

    http://www.jaankanellis.com/images/

  11. Daniel on January 18th, 2008 5:16 am

    That works then! Can you share the code you used in the .htaccess file? Either here or on your blog and I will link to it.

  12. Daniel on January 18th, 2008 5:18 am

    @David Zemens, nice warning message you put there :).

  13. Jaan Kanellis on January 18th, 2008 5:25 am

    Just add the line:

    Options -indexes

    to your htaccess file

  14. Daniel on January 18th, 2008 5:30 am

    Thanks Jaan, yeah it is the same trick Shoemoney recommended sometime ago.

  15. Lee on January 18th, 2008 6:21 am

    Wow great timing. I wrote about these earlier in January.
    http://www.epiblogger.net/5-wo.....ssentials/

    Don’t forget to make sure you use a strong password.

  16. Michael Aulia on January 18th, 2008 7:13 am

    WOW..thanks so much..especially for Tip #2

  17. Mikhail on January 18th, 2008 8:18 am

    @ David Zemens 1955 Design

    don’t be so excited, bro, by posting your “informational message”

    look,

    you are still exposed

    http://www.1955design.com/wp/w.....s/akismet/

  18. Zac Davis on January 18th, 2008 8:21 am

    Wow, thanks for these tips. I’ll be sure to implement them.

  19. Chris Jacobson on January 18th, 2008 8:29 am

    Great tips.

    Thanks for the .htaccess trick, Jaan.

  20. Jaan Kanellis on January 18th, 2008 8:34 am

    No problem!

  21. Jonas on January 18th, 2008 11:16 am

    Thanks for the tips! There are good reasons for hardening your WordPress install. WordPress stores passwords in the database as a hash made from the password. A common Unix practice is to add a random seed to the hash, but WordPress does not do this. Should the password hash be revealed, the password could then be revealed by googling the hash!

  22. David Zemens - 1955 Design on January 18th, 2008 1:10 pm

    @Mikhail: There is always a way around a security measure. They are just designed to thwart a percentage of the hackers. Thanks for the tip, though. I placed that index.php file in all the subfolders of the plugin directory. At least for the moment I am not exposed in the Akismet directory.

  23. Ash Haque on January 18th, 2008 2:29 pm

    Kind of defeats the whole point of being able to post to your site from anywhere (tip #1)

  24. dennis on January 18th, 2008 5:43 pm

    If you have control over your site’s httpd.conf, it is probably a good idea to deny index listing by default. Under your DocumentRoot directive, change your ‘Options’ to include ‘-Indexes’ (exactly as others have specified for .htaccess above).

    Example (angle brackets changed so they don’t mess up this comment):

    [Directory "/var/www/html/yoursite"]
    Options -Indexes

  25. dennis on January 18th, 2008 5:51 pm

    @Mikhail: It's nearly impossible to plug all of the holes all of the time. Just depends on how paranoid you are. :)

    http://www.spiritualize.info/wp-includes/

  26. James W on January 18th, 2008 6:23 pm

    Regarding .htaccess and IP Blocking: An alternative method is to use htaccess password - that way you can access it anywhere and not have it restricted to an IP. It pops up with a login box when you try to access the folder.

    There's even a WordPress plugin to do it (I haven't tested it):

    http://www.askapache.com/wordp.....otect.html

  27. Bong (JB) on January 18th, 2008 10:28 pm

    I haven’t worried about security stuff before but I’m going to implement this. Better safe than sorry. Thanks.

  28. Ruchir on January 19th, 2008 6:51 am

    “Matt suggests to place a .htaccess file inside the /wp-admin/ folder to block the access to all IP addresses, except yours.”

    What if I have a dynamic IP?

    And what if I access my admin through 2 different PCs with 2 different internet connections…

  29. Nick - road2blogging on January 20th, 2008 4:18 pm

    thanks for the tips. Hard to implement #1, but just done the other two.

  30. Daniel on January 21st, 2008 10:45 am

    If you have a dynamic IP just go with a password protected .htaccess file as described by James W.

  31. LoLo on January 24th, 2008 4:58 am

    “Do you know any other security tips that WordPress users should apply?”

    1. Change the default DB prefix (wp_).
    2. Hide your entire install.
    3. Matt’s bonus tip was a bit off. You can still get his version info. Just edit your wp-includes/version.php to hide it correctly.

    Info on how to hide your install and all the rest of this can be found here.

  32. brent berrett on January 25th, 2008 8:30 am

    Can the files be accessed directly even with a blank index.html file?

  33. Daniel on January 25th, 2008 11:05 am

    Brent, yes.

  34. Mark on January 29th, 2008 8:06 am

    Why a blank index.html? Can you use a blank index.php for this purpose too, or is that a bigger security threat?

  35. Hendry Lee on January 31st, 2008 5:49 am

    Regarding number 2, I'd recommend disabling the directory index on all directories by placing a line in the .htaccess in the root directory:

    Options -Indexes

    This way, the option is off for the whole domain.

    While restricting access to wp-admin is useful, it is not for people who don't have a static IP.

  36. Deborah on February 13th, 2008 4:19 pm

    Jaan and Hendry,

    Thanks for the reminder on the Options -indexes. That works the easiest for managing, without having to add index.php or index.html files in folders.

  37. Ness on February 16th, 2008 6:38 am

    Some good tips. Have just removed Meta tag showing wordpress version. Overlooked earlier.

  38. Bloggero on February 20th, 2008 4:03 am

    If I put .htaccess in /wp-content/plugins/, will the plugins still work?

  39. Mikael on April 11th, 2008 4:59 pm

    What happens if you have other authors writing posts? Will point number 1 affect their ability to log in and post topics? I mean if their IP isn't added to the file.

  40. WebDiggin on April 22nd, 2008 11:11 am

    Thanks for the security heads-up. We haven’t really thought about it til we saw this post.

    FYI - Matt's post has an update where Joshua Slive pointed out that the .htaccess file shouldn't have a <Limit> around the IP addresses. That would have allowed IP addresses to POST, for example.

    We have a dynamic IP where the last digit of our IP address changes. There are about four or five different XX.XX.XXX.* address that we get with our ISP.

    We found that if we just drop the last number, we’re still able to access our wp-admin folder, but if we use an anonymous proxy and try to access it from an IP address in Germany, it won’t get in.

    Can anyone else verify that this works for dynamic addresses?

    allow from xx.xx.xx
    allow from xx.xx.xxx

    Thanks

  41. rajeev mehta on May 10th, 2008 5:03 am

    Great tips. Mine was getting hacked, I think, and this post really helped a lot.
