How To improve basic security on a fresh WordPress install

Posted April 15th, 2010 in HOW-TO, WordPress FAQs

40 Responses

Comments

  1. Goon (1 comments.) says:

    I find that the two best things to do are to rename the admin user, as you mentioned, and remove any “powered by”, be it WordPress or the theme name. Most script kiddies just google “powered by wordpress” and then brute force the admin user or try some kind of injection. Usually those two things take care of 80% of all shenanigans.

    • Janine (3 comments.) says:

      Right on Goon. Those are the first two things I do as well out of about 10. I have a checklist for every new WordPress site I create.

  2. Paul says:

    One question about changing table prefix.

    Can this be done with a WP site that’s already installed and running?
    And if so, what’s the consequence of changing the table prefix?

    Thanks for the article.

    • Mike (3 comments.) says:

      You can rename the prefixes on your tables.

      Don’t forget to change the use of the prefix in the usermeta records for the capabilities meta_key entries. There are a few other places too. I think the prefix is also used in the postmeta table as well, for attachments, and in a couple of places in the options table field called ‘option_name’.

      Easiest way to replace in fields supposedly is:
      http://wordpress.org/extend/pl.....d-replace/
      but I’ve never used it.

      But that doesn’t necessarily correct the string length in serialised data so try to keep the new prefix the same length (3 chars).

      Hope this helps.
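The caveat Mike raises above (a plain text replace leaves the `s:N:` byte counts in PHP serialized values wrong, so `unserialize()` fails) can be handled by a length-aware replace. The following is an added example, not code from the post or from the Search and Replace plugin; it is written in Python rather than PHP, and the sample row is constructed to show a plugin option that stores a table name under the old `wp_` prefix.

```python
import re

# Start of a PHP serialized string token: s:<byte length>:"
_STR_HEAD = re.compile(rb's:(\d+):"')


def replace_in_serialized(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace `old` with `new` inside a PHP serialized blob (e.g. a wp_options
    option_value), rewriting each s:N: byte length so PHP's unserialize() still works.

    The scanner is length-driven: after s:N:" it consumes exactly N bytes, so quotes
    or semicolons embedded in a string cannot confuse it. Bytes outside string tokens
    (array headers, ints, braces) are copied through a plain replace.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        m = _STR_HEAD.search(data, i)
        if m is None:
            out += data[i:].replace(old, new)
            break
        out += data[i:m.start()].replace(old, new)
        n = int(m.group(1))
        body_start = m.end()
        body = data[body_start:body_start + n]
        if len(body) != n or data[body_start + n:body_start + n + 2] != b'";':
            raise ValueError(f"malformed serialized string at offset {m.start()}")
        body = body.replace(old, new)
        out += b's:%d:"%s";' % (len(body), body)   # length recomputed after replace
        i = body_start + n + 2
    return bytes(out)


def lengths_consistent(data: bytes) -> bool:
    """Check every s:N:"...": token really holds N bytes. A naive text replace with a
    prefix of a different length makes this False, which is the breakage Mike describes."""
    i = 0
    while True:
        m = _STR_HEAD.search(data, i)
        if m is None:
            return True
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            return False
        i = end + 2


# Constructed sample: a plugin option remembering its table name under the old prefix.
SAMPLE = b'a:2:{s:5:"table";s:11:"wp_my_stats";s:4:"rows";i:3;}'
```

Renaming `wp_` to the longer `wpx7_` with `bytes.replace` alone leaves `s:11:` in front of a 13-byte string; `replace_in_serialized` emits `s:13:` instead, which is why a same-length prefix sidesteps the problem entirely.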

    • Klint Finley says:

      You can also use the Secure WordPress plugin mentioned above to rename the tables. It’s very easy, but BACKUP BACKUP BACKUP before you try it.

    • Paul says:

      @Mike
      Thanks for the info on Search and Replace plugin.
      I bookmarked that, might come in handy.

      @Klint
      Thanks for pointing out the ability of Secure WordPress Plugin.

      Thanks for the great post.

      Security is the most important thing that people overlook when
      managing websites; most of the time, they wait until it’s too late. (I’m one of them actually, but I do have a backup that’s ready to be re-installed at any time.)

  3. kevin love (9 comments.) says:

    Password security should go without saying, but people still need to be reminded. Just look at clickbank. You have to use uppercase, lowercase, numbers, and symbols. My password is the longest most confusing thing ever haha…

  4. Sergej Müller (1 comments.) says:

    Use the WordPress antivirus plugin for more advanced wp security http://wordpress.org/extend/plugins/antivirus/

    • Yael K. Miller (2 comments.) says:

      @Sergej What exactly does your AntiVirus plugin do? Yes, I’ve read all the info at its Codex URL and the one on your site.

      • Sergej Müller (2 comments.) says:

        The plugin scans, manually and/or automatically, the database, theme templates and permalink structure for suspicious (PHP) code.

  5. Chris Stumph (1 comments.) says:

    Good tips, I’ve been using that plugin myself, it’s pretty convenient. I also like the “User Locker” plugin which locks down the admin account after a specified number of failed login attempts.
    Backups are probably the single most important step, and seem the most often overlooked. A good backup system can save your site from anything.

    Did not know about the open source tripwire. Looks like a fun new toy :)

  6. Andrew@BloggingGuide (63 comments.) says:

    Security of your WordPress should be the top priority because hackers are always roaming around looking for someone to victimize. Without security, your posts and everything in your blog are exposed, so when attacked it will be useless.

  7. Kishore Mylavarapu (13 comments.) says:

    Specifying some .htaccess hacks would also be good. And using Akismet is a great way to reduce comment spam. And WordPress Security Scan is a beautiful plugin to check out the file permissions.

  8. Paul Goldman (1 comments.) says:

    This is a totally helpful site. I’m pretty new at WP and the official help and tutorial section of WP pre-supposes too much pre-existing knowledge (that I don’t have YET). I really appreciate the tip by “Goon” above about removing “Powered by WordPress”.

    Also applaud Sergej Müller for pointing me to the A/V plug-in. Thanks mate!

  9. Dana (3 comments.) says:

    Thanks for this article. I have been planning to start securing my WordPress blog and this article will surely help a lot. I hope the advanced part will be coming soon.

  10. Boni (1 comments.) says:

    I have never heard about the “Secure WordPress” plugin. I think I will try it to secure my website. Thanks for the good article.

  11. Evil Mammoth (2 comments.) says:

    Exploit Scanner (http://wordpress.org/extend/pl.....t-scanner/) has also come in handy for me.

  12. David (1 comments.) says:

    Very good article, but bad advice on Tripwire. It is not being updated anymore… A better open source HIDS would be OSSEC ( http://www.ossec.net ) or samhain.

  13. Klint Finley says:

    Thanks, Sergej, for the recommendation. I hadn’t seen AntiVirus for WordPress before. I’m giving it a try.

    Some of the other plugins mentioned will be in my upcoming tutorial that will focus on existing WordPress sites instead of fresh installs.

    Thanks for all the comments everyone!

  14. Yael K. Miller (2 comments.) says:

    Question on the installation screenshots: I’ve never seen those forms before. Where are they?

    How I install WordPress: I create a MySQL database, fill out missing info in wp-config.php, FTP it to site, then go to http://www.site.com/wp-admin/install.php

    • Klint Finley says:

      Good question! If you fill out the wp-config file, you won’t see those fields. Those fields are an automated way of filling out the wp-config file. I forget when they were introduced… version 2.5ish?

    • Janine (3 comments.) says:

      I have the same question..

  15. Klint Finley says:

    Oh, and here are some other good links:

    http://wordpress.org/developme.....rmissions/

    http://www.pearsonified.com/20.....a-hack.php

    The first one emphasizes the importance of being on a secure host, which I didn’t go into in this article. I definitely recommend checking around before you sign-up with a host.

  16. Peter Bird (4 comments.) says:

    There was a comment above re .htaccess hacks. I had 2 vBulletin forums hacked and have since protected the admincp via .htaccess stuff (that I do not really understand as it’s a bit beyond me) to protect me in the future – I was good at following the instructions. Is it possible to do something like this in WordPress? I did a Google search but found nothing that looked like what I followed for the vBulletin set-up.

  17. Uwe (18 comments.) says:

    “password” is _NO_ password + .htaccess deny from .evil_countries/providers + .htaccess password + latest WordPress with a renamed admin account and no open registration = I feel pretty safe right now :)

  18. Mommy D (3 comments.) says:

    Great post. Made it simple to understand for us non-computer literate types. I have been neglecting backing up my blogs but I checked out your back up suggestion and this should make it simple. I will be sure to back up more often ;)

    Mommy D

    • Janine (3 comments.) says:

      Mommy D I’m with you! Backing up is such a pain, but this post makes it much more feasible.

  19. Nurul Azis (16 comments.) says:

    Keeping a WordPress plugin up to date is good, but sometimes the compatibility with the WordPress version makes me wait a bit longer before updating the plugin.

  20. Pat Bodes (1 comments.) says:

    A good way to stop hackers is to use the security keys in your wp-config.php file. Basically, you add a really long, complicated, random string of characters in the appropriate place in your wp-config.php file. See codex.wordpress.org/Editing_wp-config.php section 1.6 for the basic instructions on how to do this. You can get to the wp-config.php file from your hosting account control panel file manager.



Trackbacks/Pingbacks

  1. […] How To improve basic security on a fresh WordPress install […]

  3. […] my first article on WordPress security I mentioned Open Source Tripwire as an option for monitoring your WordPress install for unexpected […]

  4. […] is a great article on basic security when setting up your blog from Weblog Tools Collection that I recommend everyone […]
