Ten Tips To Make WordPress Hack-Proof - Page 2

* Truth is, I prefer HeadSpace to the All In One, but that's another story.

4. Delete the "admin" User  Just to make attackers work harder, bin it. Every default install has a user called "admin", so anyone trying passwords gets the username for free. Create a new user with administrator rights, and give it a nickname (for public display) that is not the same as the username. Then log out, log back in as the new user, and delete the original "admin" user, attributing its posts to the new account when WordPress asks. Bear in mind this raises the cost of guessing rather than removing it: author archive links still expose each author's login slug, so the password in tip 5 is what actually keeps the account safe.

5. Use a Stronger Password  Bit obvious, this one. Make it long, and mix letters, digits and special characters in upper and lower case; a password manager lets you use a different, random password for every site without memorising any of them. I use RoboForm to remember (and encrypt) my passwords, and that's free.

6. Hide Your WordPress Version  From your theme's folder, open "header.php" and search for the line...

<meta name="generator" 
content="WordPress <?php bloginfo('version'); ?>" />

...and delete it. It serves no purpose for visitors, and it tells an attacker exactly which version, and so which known bugs, to try. Two caveats: WordPress core also writes out a generator tag through the wp_head() call in that same file (see tip 8), and the version is visible in your RSS and Atom feeds and in readme.html in the web root, so removing this one line from header.php is not enough on its own.


7. Ensure WordPress Database Errors Are Turned Off  A database error printed to the page leaks your table prefix, the failing query and server file paths. In recent WordPress versions error display is off by default and is only switched on when WP_DEBUG is set to true in wp-config.php. So upgrade, and make sure the wp-config.php on your live site does not set WP_DEBUG to true.

8. Remove WP ID META Tag  This is the same version-identifying meta tag as in tip 6, except that this one is written out by WordPress core itself rather than by your theme, so editing header.php doesn't touch it. Delete this tag from the WordPress core. After you activate and run wp-security-scan, this is done automatically. Bear in mind that any edit to core files is undone by the next upgrade, so re-check this tip after every update.

9. Create a .htaccess File in "wp-admin/"  Open a new text file and paste this...

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Save the file as .htaccess and upload it to your "wp-admin/" folder, i.e., alongside the files served at http://myblog.com/wp-admin/. A caveat: this is the same rewrite block WordPress puts in the root .htaccess for pretty permalinks. In wp-admin/ it only sends requests for files that don't exist to the front-end index.php; it does not restrict who can reach the admin screens. If you want actual access control on that folder, limit it to your own IP address or add HTTP Basic authentication in the same .htaccess, leaving admin-ajax.php reachable because themes and plugins call it from the public site.

10. Hide Your Plugins  If you're not sure whether they're hidden, navigate to http://myblog.com/wp-content/plugins. If you get an error page or a blank page, the listing is off. If instead you see the plugin folders listed, copy the following into a new .htaccess file and add it to your wp-content/ folder...

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# Prevents directory listing
IndexIgnore *
# END WordPress

Some Web hosts don't allow you to administer .htaccess files. If that's the case, create an index.html file in wp-content/plugins/ instead (recent WordPress releases ship a blank index.php in that folder for exactly this reason; if yours is missing, this is its replacement). You can write something about restricted access in there, if you like. Either way, the server serves that file instead of a listing. Two caveats: IndexIgnore * only blanks the listing, whereas the Options -Indexes directive makes Apache refuse it outright, and neither stops anyone from requesting a plugin's files by name. This hides the list, not the plugins, so keep them updated.

Now navigate to http://myblog.com/wp-content/plugins. They should be hidden.
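Tips 6, 9 and 10 as one script, an added example that is not from this article and not part of WordPress. It assumes Apache 2.4 with an AllowOverride setting that honours Options and AuthConfig in .htaccess, a WordPress tree at the path you pass, and one fixed address from which you administer the site (203.0.113.10 below is a placeholder). For tip 6 it uses WordPress's real the_generator filter from a must-use plugin instead of editing header.php, so the change survives theme updates and also covers the feeds; for tip 9 it swaps the rewrite block for an address allow-list, since that block restricts nothing; for tip 10 it uses Options -Indexes rather than IndexIgnore and drops in the blank index.php fallback. The audit also flags WP_DEBUG set to true (tip 7). The function and file names (harden_wp, audit_wp, hide-version.php) are my own.

```shell
#!/bin/sh
# Added example (not the article's code): apply tips 6, 9 and 10 to a WordPress
# tree on disk and audit the result. Assumptions: Apache 2.4, with AllowOverride
# permitting Options and AuthConfig in .htaccess; one fixed admin address.
set -eu

# Tip 6: ship the version-hiding code as a must-use plugin so it survives theme
# and core updates. the_generator() is what wp_head and every feed type use, so
# one filter covers the <meta> tag and the <generator> element in RSS/Atom.
write_hide_version() {
  root="$1"
  mkdir -p "$root/wp-content/mu-plugins"
  cat > "$root/wp-content/mu-plugins/hide-version.php" <<'EOF'
<?php
/* Added example, not WordPress core code. */
function myblog_no_generator() {
    return '';
}
add_filter( 'the_generator', 'myblog_no_generator' );
EOF
  # readme.html in the web root prints the installed version in plain text.
  rm -f "$root/readme.html"
}

# Tip 9: real access control for wp-admin/, in place of the article's rewrite block.
write_admin_htaccess() {
  root="$1"; allowed="$2"
  [ -d "$root/wp-admin" ] || { echo "not a WordPress root: $root" >&2; return 1; }
  cat > "$root/wp-admin/.htaccess" <<EOF
# Apache 2.4 syntax: only $allowed may reach the admin screens.
<RequireAny>
    Require ip $allowed
</RequireAny>
# Themes and plugins call admin-ajax.php from the public site; keep it reachable.
<Files "admin-ajax.php">
    Require all granted
</Files>
EOF
}

# Tip 10: refuse directory listings (403) rather than just blanking them, and
# drop a blank index.php into each folder for hosts that ignore .htaccess.
write_content_htaccess() {
  root="$1"
  printf '%s\n' '# Refuse directory listings outright.' 'Options -Indexes' \
    > "$root/wp-content/.htaccess"
  for d in plugins themes uploads; do
    mkdir -p "$root/wp-content/$d"
    [ -f "$root/wp-content/$d/index.php" ] ||
      printf '<?php // Silence is golden.\n' > "$root/wp-content/$d/index.php"
  done
}

harden_wp() {
  write_hide_version "$1"
  write_admin_htaccess "$1" "$2"
  write_content_htaccess "$1"
}

# Audit: print each missing control; return 0 only when all are in place.
# Also flags tip 7: WP_DEBUG true in wp-config.php switches database error display on.
audit_wp() {
  root="$1"; missing=0
  grep -qs "the_generator" "$root"/wp-content/mu-plugins/*.php \
    || { echo "missing: the_generator filter (tip 6)"; missing=1; }
  [ ! -f "$root/readme.html" ] \
    || { echo "present: readme.html reveals the version (tip 6)"; missing=1; }
  ! grep -qs "WP_DEBUG.*true" "$root/wp-config.php" \
    || { echo "WP_DEBUG is true in wp-config.php (tip 7)"; missing=1; }
  grep -qs "Require ip" "$root/wp-admin/.htaccess" \
    || { echo "missing: wp-admin allow-list (tip 9)"; missing=1; }
  grep -qs "^Options -Indexes" "$root/wp-content/.htaccess" \
    || { echo "missing: Options -Indexes (tip 10)"; missing=1; }
  return $missing
}
```

Run harden_wp /var/www/myblog 203.0.113.10 as a user that can write to the tree, then audit_wp /var/www/myblog; a non-zero exit lists whatever is still missing. If you administer from changing addresses, replace the Require ip line with HTTP Basic authentication (AuthType Basic and an .htpasswd file outside the web root) in the same wp-admin/.htaccess.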

After You're Done

Just to be thorough, and because a few things have changed...

  • Back up your files again, using your FTP client.
  • Back up your database again, using wp-phpmyadmin.

That's it. Your blog is more secure, and way less hackable. Go make content!

Comment below, or e-mail me with questions and tips.


Article Author: the_guv

Spiel includes web stuff for the BBC, broadcasting for Bloomberg and MTV, plus a bunch of radio.

At http://www.guvnr.com I blog about getting the most out of the web, both to make it and enjoy it. That includes a bunch of video tutorials.



Article comments

  • 1 - Relevant Trafik

    May 29, 2009 at 1:26 pm

    This is a good read and well worth the effort to employ. Also let me add that changing the "powered by Wordpress" to something different is also a good tactic to use. Thanks for posting this.

  • 2 - My Blogging School

    May 29, 2009 at 2:54 pm

    Part of the problem is the widespread use of Fantastico for installing Wordpress in the first place. I will be updating my Fantastico Fix report to include the additional plugins you have mentioned, as well as the tweaks for securing Wordpress regardless of the installation method.

    Good stuff!

  • 3 - cfazendin

    Jun 06, 2009 at 7:13 pm

    Besides removing the admin account, you should also have each account use a different account name and nickname. Then set their posts to display nickname. Can't hack an account name that doesn't exist.

  • 4 - the_guv

    Jun 09, 2009 at 4:08 pm

    tx folks,

    appreciate those comments and tips.

    ..pleased you like my article.

    the_guv

  • 5 - Mike

    Jul 14, 2009 at 5:32 pm

    That makes so much sense. admin is too easy - make it hard to figure out what the admin username is! Brilliant! Thanks!

  • 6 - Joe

    Jul 17, 2009 at 4:13 am

    Hey these tips worked! Thanks

  • 7 - Cool K

    Jul 20, 2009 at 4:13 pm

    Thanks for the tips! I will try them out.

  • 8 - TV Surfing Solutions

    Jul 25, 2009 at 11:52 pm

    Some brilliant information, these tips are great, something many should follow. Thanks

  • 9 - Dave Metz

    Jul 28, 2009 at 8:41 pm

    Wow, so simple and yet completely out-of-the-box. I will definitely follow this great advice. Many thanks.

  • 10 - Lyle

    Aug 13, 2009 at 12:47 pm

    Excellent information. Many of us don't do these important tasks. I will be more aware in the future.

  • 11 - Lyle

    Aug 16, 2009 at 7:45 pm

    Very good I will keep that in mind. I thank you.

  • 12 - Article Directory

    Aug 17, 2009 at 2:51 pm

    Great tips and advice for WP bloggers. As said above, some I would never think of so I'm off to do it right now! :)

  • 13 - Chris Beaumont

    Aug 23, 2009 at 9:35 pm

    "Blog Security" is one of the top security blogs out there keeping an eye on all things blog security and WordPress.

    They’ve just released two great articles WordPress fans need to check out.

    First is news of a video and blog post by Guvnr called “10 Tips to Make WordPress Hack Proof”. The effort involved tips from BlogSecurity’s popular WordPress Security Whitepaper, inspiring them to update and improve it soon.

    Enjoy.

  • 14 - the_guv

    Aug 24, 2009 at 4:13 am

    tx all ..

    appreciate your kind words.

    and am glad you found this Guvnr.com tutorial handy.

  • 15 - Twitter Trends

    Sep 01, 2009 at 12:34 pm

    Great WP tips!

  • 16 - Larry C.

    Sep 04, 2009 at 12:37 am

    Excellent Article, will be doing this in the AM. thanks much for the good security topic.
    Larry

  • 17 - the_guv

    Sep 14, 2009 at 4:51 am

    @TwitterTrends and LarryC

    pleased you like .. best to you.

  • 18 - Mike

    Oct 12, 2009 at 8:07 am

    I will have to try this out. Security is the one weakness I see in Wordpress.

  • 19 - Zedd

    Oct 12, 2009 at 8:10 am

    Great article. I will check this out soon.

  • 20 - Bob N

    Nov 05, 2009 at 5:29 pm

    Thanks, Guv. Followed a few of your tips - hope I don't get hacked again! Thanks for writing this up.

