Let’s begin by making an especially radical statement: 100% security is impossible to achieve with WordPress! Why? Because it would be both impractical and all but impossible to maintain. Nevertheless, there are many steps you can take which will render your blog a great deal more secure than the vast majority of WordPress blogs currently online.
The most important step is, appropriately enough, NOT to install WordPress using Fantastico! It’s unfortunate how, on forums etc., everyone posts saying “use Fantastico”, while I seldom read anyone explaining why this is actually such a bad foundation for a new WordPress blog.
Why? It’s simple: by default, a Fantastico installation sets “wp_” as the prefix for each WordPress table name. Knowing this, hackers find it especially easy to send malicious code targeting your wp_-based tables. It’s as if you’ve put a ‘welcome’ mat at the door for them. This knowledge makes it a doddle for them to change the appearance of your site, redirect your URL to their site, plus a whole host of other nasty things.
But, virtually everyone reading this already has WordPress installed and running on their servers, so let’s move forward with how you can not only remove that ‘welcome’ mat from the door, but also install a burglar alarm.
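Removing that ‘welcome’ mat means moving off the default prefix, and it is more than a table rename, because WordPress also stores the prefix inside row keys (`wp_user_roles` in the options table, `wp_capabilities` and `wp_user_level` in usermeta). The Python helper below is an added example, not code from this post: it checks a wp-config.php for the default prefix and generates the migration SQL; `SAMPLE_TABLES` and the new prefix `k7q_` are constructed sample values.

```python
import re

DEFAULT_PREFIX = "wp_"

# Constructed sample: the core tables of a stock install. A real run would
# take the list from SHOW TABLES instead of hard-coding it.
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options",
    "wp_postmeta", "wp_posts", "wp_term_relationships",
    "wp_term_taxonomy", "wp_termmeta", "wp_terms", "wp_usermeta",
    "wp_users",
]

def uses_default_prefix(wp_config_text):
    """True if wp-config.php still sets $table_prefix to 'wp_' (or not at all)."""
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", wp_config_text)
    return m is None or m.group(1) == DEFAULT_PREFIX

def prefix_migration_sql(tables, old, new):
    """Return the SQL statements that move `old`-prefixed tables to `new`.

    Renaming the tables alone strips every user of their role, because the
    prefix is also stored inside row keys (`wp_user_roles` in options,
    `wp_capabilities` / `wp_user_level` in usermeta), so those rows are
    rewritten as well.
    """
    # WordPress itself only accepts letters, digits and underscores here.
    if not re.fullmatch(r"[A-Za-z0-9_]+_", new):
        raise ValueError("prefix must be [A-Za-z0-9_] and end in '_'")
    old_like = old.replace("_", "\\_")  # '_' is a LIKE wildcard, escape it
    stmts = [f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;"
             for t in tables if t.startswith(old)]
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = "
        f"CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{old_like}%';"
    )
    return stmts

if __name__ == "__main__":
    print("\n".join(prefix_migration_sql(SAMPLE_TABLES, "wp_", "k7q_")))
```

Run the generated statements only after a full backup, and change `$table_prefix` in wp-config.php to the same new value, otherwise WordPress will look for tables that no longer exist.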
Here is a link to the actual WordPress instructions for what they call a “Five Minute Install”.
Your Own Computer
To begin, you need to take a realistic look at your computer. Is it free from spyware, malware, and virus infections? I promise you, you can implement the tightest security on your blog, but if you have a keylogger lurking somewhere on your computer, it won’t do you an iota of good. Malicious keyloggers are very similar to viruses and trojans; they are used by hackers to violate user privacy. Keyloggers can take the form of software, or, on non-wireless keyboards, lurk between the keyboard’s plug and the computer’s keyboard port. Spybot Search and Destroy will detect and remove most keyloggers. It is absolutely free to use, although users can make donations to its author, Patrick M. Kolla.
As with most software packages today, WordPress gets updated regularly in order to address security issues, so let me begin by reminding you of the importance of always staying updated with the latest version. Since version 2.7, WordPress has featured automatic updates, made available for you to install through your Dashboard, and although many purists will insist you do it manually, I disagree.
Provided you always make it a habit to perform a full backup first, there is nothing wrong with using the automatic update option, especially if it’s the difference between updating “now” or leaving it “until you have some spare time”. But note my caveat: a full backup. Many backups do nothing more than back up the blog’s MySQL database, and these are of little use to you in the event of a catastrophic loss. I use and highly recommend the WordPress Backup To Dropbox plugin.
Plugins and Theme
Similarly, always keep your plugins and theme updated to the latest version, and delete any plugins and themes you are no longer using.
NOTE: I always keep the default theme that was installed with WordPress, just as a fallback in the event of any issues suddenly cropping up with your chosen theme.