Due to its diversity of application and ease of use, more and more people are turning to WordPress as their publishing platform, be it for internet marketing or personal blogging. The writers of the WordPress open source software describe it as being “both free and priceless at the same time”, and they estimate it to be the choice of over twenty-five million bloggers.
Unfortunately, that popularity also makes the WordPress core software a favourite target for attackers, because one working technique can be tried against millions of sites. Anyone running it is strongly advised to implement the following steps to harden their installation against the most common attacks.
Begin by making sure that your WordPress username is not the name that displays publicly when you publish posts or comments. A visible username hands an attacker half of the credential pair; all that is left to guess is the password. To change the public name, follow these steps:
1) Log in to your WordPress site
2) Click on Users
3) Edit your user profile
4) Create a nickname that isn’t the same as the name you use to log in
5) Change “Display name publicly as” to that nickname
6) Click “Update Profile”
One caveat: by default WordPress also uses the login name as the slug in author archive URLs (yourdomain.com/author/yourusername/), so this step hides the username from the byline but does not remove every trace of it. The real protection remains a long, unique password.
The next method uses an .htaccess file to block anyone trying to reach your Admin area unless their IP address exactly matches one listed in that file. It only works on Apache web servers that honour .htaccess files, and only if the IP address of your computer never changes: on a home or mobile connection whose address is reassigned by the provider you will eventually lock yourself out.
If you know your computer has a static IP address, create a file that only allows your address to reach the WordPress Admin area (the wp-admin folder holds the dashboard; the login form itself is wp-login.php in the site root, so this file protects the dashboard rather than the login form). To accomplish this:
1) Open Notepad and enter the following two lines (these are Apache 2.2 directives; on Apache 2.4 the equivalent is “Require ip xx.xx.xx.xx”):
deny from all
allow from xx.xx.xx.xx
(replace xx.xx.xx.xx with your IP address. If you don’t know what your IP address is, go to: http://www.whatismyip.com/)
2) If necessary, you can add more than one IP address to the file. Just add another “allow from xx.xx.xx.xx” on the next line
3) Save the text file as .htaccess
4) Be sure Notepad doesn’t save it with a .txt extension. If it does, just rename it to remove the extension.
5) Use your FTP program to upload this file to your website’s wp-admin folder.
6) Go to yourdomain.com/wp-admin. If it loads normally, everything is fine. If you see a “403 Forbidden” error instead, the server is refusing your own address: go back into your FTP program and make sure the IP address in the .htaccess file you uploaded is correct. If you see a “500 Internal Server Error”, the server did not understand the directives (typically Apache 2.4 without the compatibility module), so use the “Require ip” form instead.
7) If you cannot figure out what is wrong, just delete the file. There are a number of other methods to protect your WordPress installation listed below.
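As an added example (not part of the original article), the following is a version of the allow-list that works on both Apache 2.2 and Apache 2.4, keeps admin-ajax.php reachable so front-end features keep working for visitors, and applies the same restriction to wp-login.php in the site root, which the wp-admin file alone does not cover. The addresses 203.0.113.10 and 203.0.113.11 are placeholders from the RFC 5737 documentation range; replace them with your own static address(es).

```apache
# Added example, not from the original article. Two files are shown;
# the comment banners say where each part goes. The IP addresses are
# placeholders (RFC 5737 documentation range): substitute your own.

# ---- File 1: wp-admin/.htaccess ------------------------------------------

# Apache 2.4 ships mod_authz_core; use "Require ip" there.
<IfModule mod_authz_core.c>
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 203.0.113.11
    </RequireAny>
</IfModule>

# Apache 2.2 (or 2.4 with mod_access_compat loaded): legacy Order/Deny/Allow.
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 203.0.113.11
</IfModule>

# admin-ajax.php lives inside wp-admin/ but is called by themes and plugins
# on behalf of anonymous visitors (live search, comment forms, widgets).
# Without this exception those features return 403 for everyone but you.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</Files>

# ---- File 2: .htaccess in the site root (next to wp-login.php) -----------

# The login form is wp-login.php, outside wp-admin/, so File 1 does not
# protect it. Put this block ABOVE the "# BEGIN WordPress" rewrite block so
# WordPress updates leave it untouched.
<Files wp-login.php>
    <IfModule mod_authz_core.c>
        <RequireAny>
            Require ip 203.0.113.10
            Require ip 203.0.113.11
        </RequireAny>
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 203.0.113.11
    </IfModule>
</Files>
```

To check it, load yourdomain.com/wp-login.php from your allowed address (it should render) and then from a different one, for example a phone on mobile data (it should return 403 Forbidden); a 500 error means a directive the server does not recognise. If your site sits behind a CDN or reverse proxy, Apache sees the proxy’s address rather than the visitor’s, and this allow-list will match the wrong IP unless the server is configured to trust the proxy’s forwarded-address header.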
Following is a list of WordPress plugins that, taken together, will substantially harden your site against the most common attacks.
The first plugin is called Login LockDown: (http://wordpress.org/extend/plugins/login-lockdown/). It is a good complement to the .htaccess method above. It records every failed login attempt and blocks any IP address with three failed logins within a five-minute period. What it actually does is slow down what is known as “brute-force password guessing”. Keep in mind that the block is per IP address: an attacker spread across many addresses gets many more attempts, and legitimate users sharing one address (an office network, for instance) can be locked out together.
The second plugin is called Secure WordPress: (http://wordpress.org/extend/plugins/secure-wordpress/). Its tasks are many, all contributing to the blog’s security. One function removes the WordPress version number from the generated pages. This makes casual fingerprinting harder, but it is obscurity rather than a fix: automated scanners usually fire their exploits regardless of the advertised version, so treat it as a supplement to prompt updating, not a substitute.
The third plugin is WordPress Firewall: (http://wordpress.org/extend/plugins/wordpress-firewall/). It works in the background to detect, intercept, and log suspicious-looking request parameters and prevent them from reaching vulnerable code in WordPress. Because it runs as a plugin, it can only inspect requests that WordPress itself has already started to process.
The fourth and final plugin is called WP DBManager (http://wordpress.org/extend/plugins/wp-dbmanager/). Using this plugin, you can schedule regular backups of your WordPress database. Note that it backs up the database only: your uploads, themes, and plugin files need a separate backup, and copies of either should be stored somewhere other than the web server itself so that a compromised site does not also mean lost backups.
Implement the above safeguards and always install WordPress core and plugin updates as soon as they become available (you will receive notifications within your blog). No site is immune to every attack, but with these measures in place your blog will no longer be among the easy targets.
This content was written for a WordPress users’ website and newsletter