4. Delete "Admin" User
Just to make hackers work harder, bin this. Create a new user with administration rights, and give the user a nickname (for public display) that is not the same as the username. Then log out, log back in as the new user, and delete the original "admin" user.
5. Use a Stronger Password
Bit obvious, this one. Mix it up with letters, digits and special characters, upper and lower case. I use RoboForm to remember (and encrypt) my passwords, and that's free.
6. Hide Your WordPress Version
From your theme's folder, open "header.php", search for the line...

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

...and delete it. It has no useful purpose.
7. Ensure WordPress Database Errors Are Turned Off
In recent WordPress versions, they are turned off by default. So upgrade.
8. Remove WP ID META Tag
Delete this tag from the WordPress core. After you activate and run wp-security-scan, this is done automatically.
9. Create a .htaccess File in "wp-admin/"
Open a new text file and paste this...

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Save the file as .htaccess and upload it to your "wp-admin/" folder, i.e., to http://myblog.com/wp-admin/
10. Hide Your Plugins
If you're not sure whether they're hidden or not, navigate to http://myblog.com/wp-content/plugins. If you see a 404 error page, they're hidden. Otherwise, you'll see them listed. In that case, copy the following into a new .htaccess file, adding the file to your wp-content/ folder...

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# Prevents directory listing
IndexIgnore *
# END WordPress
Some Web hosts don't allow you to administer .htaccess files. If that's the case, instead of using a .htaccess file to hide the list of plugins, create an index.html file. You can write something about restricted access in there, if you like. Either way, this file will prevent a plugin listing.
Now navigate to http://myblog.com/wp-content/plugins. They should be hidden.
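Tips 6 and 10 both end with a manual check in the browser (is the version still in the page source? does /wp-content/plugins/ still list files?). The script below is an added example, not part of the original article, that automates those two checks so they can be re-run after every theme change or upgrade. It works on response text, so it can be run offline against saved HTML; the sample responses embedded in it are constructed, not captured from a real site, and the http://myblog.com default URL is the article's placeholder. Note that the header.php edit in tip 6 is lost whenever the theme is updated; a theme-independent alternative is adding remove_action('wp_head', 'wp_generator'); to the theme's functions.php, which removes the same tag.

```python
"""Self-check for two of the tips above: does the site disclose its WordPress
version in a <meta name="generator"> tag (tip 6), and does /wp-content/plugins/
return a directory listing instead of a 404 (tip 10)?"""
import re
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Constructed sample responses (not captured from a real site) for offline use.
SAMPLE_HOME_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 3.0" />
<title>My Blog</title></head><body>hello</body></html>"""

SAMPLE_PLUGINS_LISTING = """<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1><a href="akismet/">akismet/</a></body></html>"""


class _GeneratorFinder(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.generators = []  # type: List[str]

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "generator":
            self.generators.append(attr.get("content", ""))


def wordpress_version_from_html(html: str) -> Optional[str]:
    """Return the WordPress version disclosed by a generator meta tag, or None."""
    finder = _GeneratorFinder()
    finder.feed(html)
    for content in finder.generators:
        m = re.match(r"\s*WordPress\s+([\w.\-]+)", content, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def looks_like_directory_listing(status: int, body: str) -> bool:
    """True when a response looks like a web server autoindex page.
    Apache (and nginx) title such pages 'Index of /path'; a 404 or 403
    means the listing is not exposed."""
    if status in (403, 404):
        return False
    return re.search(r"<title>\s*Index of\s*/", body, re.IGNORECASE) is not None


def audit(home_html: str, plugins_status: int, plugins_body: str) -> dict:
    """Summarise both findings for a site from its raw responses."""
    return {
        "version_disclosed": wordpress_version_from_html(home_html),
        "plugins_listed": looks_like_directory_listing(plugins_status, plugins_body),
    }


def demo() -> dict:
    """Run the audit on the constructed samples, which fail both checks."""
    return audit(SAMPLE_HOME_HTML, 200, SAMPLE_PLUGINS_LISTING)


def _fetch(url: str) -> Tuple[int, str]:
    """Fetch a URL and return (status, body) without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # With no argument, show the offline demo; with your own blog's URL,
    # run the two checks against it (http://myblog.com is the article's placeholder).
    if len(sys.argv) < 2:
        print(demo())
    else:
        base = sys.argv[1].rstrip("/")
        _, home = _fetch(base + "/")
        status, plugins = _fetch(base + "/wp-content/plugins/")
        print(audit(home, status, plugins))
```

Run it as `python3 wp_selfcheck.py http://myblog.com` after applying tips 6 and 10; a clean result is `{'version_disclosed': None, 'plugins_listed': False}`. The index.html fallback from tip 10 also passes this check, since the response is then a normal page rather than an "Index of" listing.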
After You're Done
Just to be thorough, and because a few things have changed...
- Back up your files again, using your FTP client.
- Back up your database again, using wp-phpmyadmin.
That's it. Your blog is more secure, and way less hackable. Go make content!
Comment below, or e-mail me with questions and tips.
Article comments
1 - Relevant Trafik
This is a good read and well worth the effort to employ. Also let me add that changing the "powered by Wordpress" to something different is also a good tactic to use. Thanks for posting this.
2 - My Blogging School
Part of the problem is the widespread use of Fantastico for installing Wordpress in the first place. I will be updating my Fantastico Fix report to include the additional plugins you have mentioned, as well as the tweaks for securing Wordpress regardless of the installation method.
Good stuff!
3 - cfazendin
Besides removing the admin account, you should also have each account use a different account name and nickname. Then set their posts to display nickname. Can't hack an account name that doesn't exist.
4 - the_guv
tx folks,
appreciate those comments and tips.
..pleased you like my article.
the_guv
5 - Mike
That makes so much sense. admin is too easy - make it hard to figure out what the admin username is! Brilliant! Thanks!
6 - Joe
Hey these tips worked! Thanks
7 - Cool K
Thanks for the tips! I will try them out.
8 - TV Surfing Solutions
Some brilliant information, these tips are great, something many should follow. Thanks
9 - Dave Metz
Wow, so simple and yet completely out-of-the-box. I will definitely follow this great advice. Many thanks.
10 - Lyle
Excellent information. Many of us don't do these important tasks. I will be more aware in the future.
11 - Lyle
Very good I will keep that in mind. I thank you.
12 - Article Directory
Great tips and advice for WP bloggers. As said above, some I would never think of so I'm off to do it right now! :)
13 - Chris Beaumont
"Blog Security" is one of the top security blogs out there keeping an eye on all things blog security and WordPress.
They’ve just released two great articles WordPress fans need to check out.
First is news of a video and blog post by Guvnr called "10 Tips to Make WordPress Hack Proof". The effort involved tips from BlogSecurity's popular WordPress Security Whitepaper, inspiring them to update and improve it soon.
Enjoy.
14 - the_guv
tx all ..
appreciate your kind words.
and am glad you found this Guvnr.com tutorial handy.
15 - Twitter Trends
Great WP tips!
16 - Larry C.
Excellent Article, will be doing this in the AM. thanks much for the good security topic.
Larry
17 - the_guv
@TwitterTrends and LarryC
pleased you like .. best to you.
18 - Mike
I will have to try this out. Security is the one weakness I see in Wordpress
19 - Zedd
Great article. I will check this out soon.
20 - Bob N
Thanks, Guv. Followed a few of your tips - hope I don't get hacked again! Thanks for writing this up.
21 - empathype
A lot of folks talk about this matter but you said some true words.
22 - the_guv
@Mike, Zedd, Bob N & empathype
... many thanks for your kind comments. sorry for delay, but a Mighty Merry Christmas!!
23 - Dave Korpi
Wowieee! That is a lot of stuff to do...
I like the videos and have it marked to do for my upcoming blog... But now I am a bit paranoid and at the same time chicken to try all that stuff!
ADDITIONALLY.. I am not sure what folks do to hack it and why would they hack it anyway? Can you go over what hacking can result in?
Do they figure out weak passwords and then just edit it like I would? Or, do they hack it by somehow getting to the files another way? Like why change the names and hide the version number??
Just seems you describe something that really needs to be done but a quick example of what can go wrong if we do not would help little ole me out for sure!
Also, why would I use WordPress MU for a blog that is only on one subject?
24 - Adam
Very timely article as I got hacked twice early this week right after upgrading to 3.0. I added an .htaccess file to my admin directory that limits what IP addresses have access to it. The only problem is my ISP has dynamic IP so I have to constantly change the file.
Can you explain how the code in the .htaccess file for the admin folder you listed above works? Since it doesn't involve an IP address, it seems like a better option for me.
Thanks!
25 - Mohanraaj
Really informative, I got hacked two times while using WordPress. Thank God you saved my time...
Thank you the_guv