How To Secure WordPress Blogs?

You might have worked hard for a year or two to build the search engine ranking and reputation of your blog or site, establishing your authority over many late nights and long evenings. You are satisfied: your blog is pulling in a few hundred visitors and a decent revenue.

What if all of that were gone in a split second? What if someone hacked into your site and took it over? Google and the other search engines will smack you down, and your web hosting provider will take your site offline and add it to its blacklist. If that happens, your chances of getting back to where you were are slim, and your two years of hard work are wasted.

You must worry about securing it, or at the very least understand the consequences of not securing it. Just to let you know, you won't like them at all. Depending on what data leaks, a breach can also bring regulatory fines and legal liability. The good news is that you can avoid all this by being smart and installing a few plugins.

The purpose of this article is to give you information about your blog's security and how to defend yourself from security threats.

You can avoid all this by installing one plugin that saves you from the whole mess. Blog Defender is the one that helped me a lot. There are a few plugins out there that each do one thing, so you end up installing and managing many plugins, one for each threat. Blog Defender comes with a suite of tools that you can use to defend your site. You can choose either to install individual plugins or Blog Defender.

As a Certified Information Systems Security Professional (CISSP) I deal with a lot of the security threats that cause data breaches, and I work to avoid the revenue losses that follow. The recent security threat that shook the IT industry is "Heartbleed", a bug in OpenSSL's TLS implementation that let an attacker read a server's memory, putting private keys and personally identifiable information (PII) at risk on a great many sites. This is very serious. Thousands of otherwise well-secured sites have fallen victim to breaches and identity theft in the past few years.

Photo by Julian Ortiz @ flickr

There have also been incidents where a blogger was detained and questioned by police for taking part in a Distributed Denial of Service (DDoS) attack on an army site (as shown in the image) without even knowing that his site had been hacked and used for the DDoS.

I learned my lesson the hard way in my early days of blogging with WordPress. I left the default options in place and, in one night, 200 users I don't even know registered as writers. For those who are already veterans this will refresh your memory. For those who are fresh to blogging and planning to grow their blog as a business, this will help you tighten the security of your blog with a few simple steps that make a hacker's job harder.

[image: ddoswp2]

It is all value vs. time. How much can an attacker get by spending hours on your site? Not that much. So in reality nothing is secure, or, in other words, anything is secure only for a period of time. That period could be 2 minutes or 2 days. If someone spends 2 days hacking your site and finds information worth pennies, they will move on to some other site.

Once I attended a monthly meeting at my local Sheriff's office. The Sheriff told us that all break-ins happen in less than a minute. If you can deter the burglar for more than a minute you can save your home from burglary.

The same is true on the internet. Several years of security education and industry practice have taught me that if you make it hard enough to penetrate your secure zone, you will save yourself from losing your site's reputation, from the hefty fine of losing traffic or not getting any, and even from phone calls and visits from the authorities.

Here is how the threats divide into various kinds of attack. They can be software, hardware, social engineering, or all of them combined.

[image: blogsecurity]

How to Secure a WordPress Blog

There is a lot of information your WordPress blog broadcasts to anyone who cares to look.

This information includes:

  • WordPress version,
  • Directory structure,
  • User names,
  • Plugin list,
  • JavaScript library list, and more

You can find all these exposures and warnings yourself by going to the HackerTarget website and entering your site's URL there.
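To see for yourself how much of that list is sitting in plain view, here is an added example (written for this article; it is not code from the original post, from HackerTarget, or from WordPress) that pulls the same kind of information out of a page's HTML source: the core version from the generator tag, plugin and theme slugs from asset URLs, bundled JavaScript libraries, author slugs and whether the REST API is advertised. The sample page and the host blog.example are constructed for the example, not captured from a real site.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a WordPress front page (blog.example is a made-up host, not a real site).
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 5.2.1" />
<link rel="stylesheet" href="https://blog.example/wp-includes/css/dist/block-library/style.min.css?ver=5.2.1" />
<link rel="stylesheet" href="https://blog.example/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.1.3" />
<link rel="stylesheet" href="https://blog.example/wp-content/themes/twentyseventeen/style.css?ver=2.2" />
<script src="https://blog.example/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="https://blog.example/wp-content/plugins/akismet/_inc/form.js?ver=4.1.2"></script>
<link rel="https://api.w.org/" href="https://blog.example/wp-json/" />
</head><body>
<p>Posted by <a href="https://blog.example/author/kris/">Kris</a></p>
</body></html>"""

GENERATOR_TAG = '<meta name="generator" content="WordPress 5.2.1" />'


class _AttrCollector(HTMLParser):
    """Collect every src/href value plus the generator meta tag from a page."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.generator = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        for key in ("src", "href"):
            if a.get(key):
                self.urls.append(a[key])


def wp_fingerprint(html):
    """Return what a page's HTML reveals to anyone who views the source:
    core version, plugin and theme slugs, bundled JS libraries, author slugs
    and whether the REST API is advertised."""
    p = _AttrCollector()
    p.feed(html)
    version = None
    if p.generator:
        m = re.search(r"WordPress\s+([\d.]+)", p.generator)
        version = m.group(1) if m else None
    plugins, themes, js_libs, authors = set(), set(), set(), set()
    rest_api = False
    core_asset_versions = set()
    for u in p.urls:
        if m := re.search(r"/wp-content/plugins/([^/?#]+)/", u):
            plugins.add(m.group(1))
        if m := re.search(r"/wp-content/themes/([^/?#]+)/", u):
            themes.add(m.group(1))
        if m := re.search(r"/wp-includes/js/([^/?#]+)/", u):
            js_libs.add(m.group(1))
        if m := re.search(r"/author/([^/?#]+)/?$", u):
            authors.add(m.group(1))
        if "/wp-json" in u:
            rest_api = True
        # Core CSS under wp-includes is versioned with the WordPress release number, so the
        # version still leaks after the generator tag has been removed. Scripts under
        # wp-includes/js carry the library's own version (e.g. jQuery), so they are skipped.
        if "/wp-includes/" in u and "/wp-includes/js/" not in u:
            if m := re.search(r"[?&]ver=([\d.]+)", u):
                core_asset_versions.add(m.group(1))
    if version is None and len(core_asset_versions) == 1:
        version = core_asset_versions.pop()
    return {
        "version": version,
        "plugins": sorted(plugins),
        "themes": sorted(themes),
        "js_libs": sorted(js_libs),
        "authors": sorted(authors),
        "rest_api": rest_api,
    }


if __name__ == "__main__":
    for key, value in wp_fingerprint(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Feed it the HTML of your own front page (view source in the browser, or fetch it with curl) and you will see roughly what a scanner sees. Note the fallback on the "?ver=" query strings: removing the generator meta tag alone does not hide the version, which is why the plugins discussed below strip the version from asset URLs as well.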

Here are a few steps you can take today to secure your WordPress blog.

Turn off Membership (if you are not using it)

I was on blogspot.com for several years before I moved to WordPress. I still have a few blogs out there on blogger.com as part of my backlinking strategy. In the early days of my WordPress blog, one fine morning I noticed my contributor list had grown to 200. In reality I am the only one contributing. All I had done was leave the default "Membership" setting on the General Settings page.

If you want to secure your WordPress blog, uncheck "Anyone can register" under Settings → General → Membership and set the New User Default Role to Subscriber. If you later need guest writers, create their accounts yourself rather than reopening registration.

Disable Directory Listing

This protects you from people browsing the list of files in the directories under your public_html folder. If you don't disable it, a hacker can easily see your file list and learn more about the plugins you are using, and can walk those directories and download the files without your permission. Disabling directory listing is highly recommended; it is security 101 for any web server administrator.

Here is how you can do it. Open your ".htaccess" file, add the line below at the end of the file, and save it.

Options -Indexes

Log in to your host, open "cPanel" (most hosts, including Bluehost and InMotionHosting, offer it as part of hosting) and select File Manager. When prompted for the folder you want to open, select "public_html" and tick the "show hidden files" checkbox.

In the file manager you can now pick ".htaccess" and select "Edit". Add the line above and you are done. To verify, open a folder with no index file, such as /wp-content/uploads/, in your browser: you should now get a "403 Forbidden" page instead of a file list. The directive only takes effect if your host allows Options to be set from .htaccess (AllowOverride Options); if the listing still appears, ask your host to disable it.
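Two small checks for this step, as an added example written for this article (not code from the original post): the first reads a response for a directory URL and reports what an Apache autoindex page exposes, the second walks the Options directives of an .htaccess file in order, because a later "Options +Indexes" (or an absolute "Options Indexes") silently undoes the "Options -Indexes" you just added. The listing page, the 403 page and the .htaccess snippets are constructed for the example, not captured from a real host.

```python
import re

# Constructed responses (not captured from a real host). LISTING_ON is the shape of an
# Apache autoindex page for /wp-content/plugins/ when Indexes is enabled; LISTING_OFF is
# what the same URL returns once "Options -Indexes" is in effect.
LISTING_ON = {"status": 200, "body": """<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/wp-content/">Parent Directory</a></td></tr>
<tr><td><a href="akismet/">akismet/</a></td></tr>
<tr><td><a href="contact-form-7/">contact-form-7/</a></td></tr>
<tr><td><a href="site-backup.sql">site-backup.sql</a></td></tr>
<tr><td><a href="debug.log">debug.log</a></td></tr>
</table></body></html>"""}
LISTING_OFF = {"status": 403,
               "body": "<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1></body></html>"}

# File types that should never be sitting in a web-readable directory at all.
SENSITIVE_SUFFIXES = (".sql", ".zip", ".tar.gz", ".bak", ".log", ".old")


def listed_entries(response):
    """Return the entries an Apache autoindex page exposes ([] if listing is off)."""
    if response["status"] != 200 or not re.search(r"<title>\s*Index of ", response["body"]):
        return []
    entries = []
    for href in re.findall(r'<a href="([^"]+)">', response["body"]):
        if href.startswith("?") or href.startswith("/"):  # column-sort links and the parent link
            continue
        entries.append(href)
    return entries


def sensitive_entries(entries):
    """Entries in a listing that are worth an immediate clean-up: dumps, backups, logs."""
    return [e for e in entries if e.lower().endswith(SENSITIVE_SUFFIXES)]


def indexes_enabled(htaccess_text):
    """Walk the Options directives of an .htaccess in order and report the final state of
    Indexes: True (listing on), False (off) or None (not set here, server default applies).
    Apache applies later Options lines over earlier ones, so "Options -Indexes" near the top
    is undone by a later "Options +Indexes" or an absolute "Options Indexes"."""
    state = None
    for line in htaccess_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "options":
            continue
        tokens = parts[1:]
        if all(t[0] in "+-" for t in tokens):       # relative form: adjusts the current set
            for t in tokens:
                if t[1:].lower() == "indexes":
                    state = t[0] == "+"
        else:                                       # absolute form: replaces the whole set
            state = any(t.lower() == "indexes" for t in tokens)
    return state


if __name__ == "__main__":
    exposed = listed_entries(LISTING_ON)
    print("exposed:", exposed)
    print("clean these up first:", sensitive_entries(exposed))
    print("after the fix:", listed_entries(LISTING_OFF))
    print("Indexes after 'Options -Indexes':", indexes_enabled("Options -Indexes\n"))
    print("Indexes when a later line re-enables it:",
          indexes_enabled("Options -Indexes\nOptions +Indexes\n"))
```

The second check matters on shared hosts, where a theme, a caching plugin or a previous owner may already have written Options lines into the same .htaccess; appending "Options -Indexes" at the very end of the file, as the instructions above say, is what makes it win.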

Disabling User Enumeration

If you create users and do not mask user enumeration, hackers can harvest the user names with very basic tools. The classic trick is to request "/?author=1", "/?author=2" and so on and read the login name out of the redirect to "/author/<name>/"; the REST API's "/wp-json/wp/v2/users" endpoint lists authors too, and the default login error message tells an attacker whether a user name exists. The same tools also pull the plugin details. At this point I am not too worried about the plugin list and JavaScript file list.

User enumeration, however, exposes the user names of all the users and admins on your blog. This is a serious threat and great information for hackers: with a valid user name in hand they can brute-force the password to gain access to, or even control of, your blog.

There is a simple WordPress plugin that eliminates this issue. "Stop User Enumeration" is the plugin you should use. It is simple and gets the job done. After installing it, re-run the checks above to confirm the author redirects and the users endpoint no longer give anything away.

Comprehensive Solutions

If you want a complete security package, look at the comprehensive solutions below.

WP Security

You can also use the free WP Security plugin from Acunetix to scan your blog. It can turn off all the meta tags that are not required.

Blog Defender

Blog Defender is a suite of plugins that takes care of everything a blog needs. If you are not a tech-savvy person, or are looking for a simple select-and-click solution to secure your blog, Blog Defender is the best choice for you.

The suite includes:

  • Automated Backup,
  • WP Security, and
  • WP Scan & Repair.

Blog Defender blocks crawlers from unknown sites, and the block list is configurable. You can set it up to hide all the information that WordPress broadcasts by design, i.e. everything WordPress sends out as a standard broadcast can be controlled with Blog Defender.

Image from Blog Defender

I recommend visiting the Blog Defender site at least once to learn about the kinds of vulnerabilities that exist out there on the internet as a whole. It can also help you bust some of the myths you may have in your mind.

If you earn a good portion of your income from your blog, I highly recommend that you visit the Blog Defender site at least once.

In summary, making these few tweaks secures your WordPress blog and the business that is built on it. They are enough to start with, as long as you know what you need to do. Once you add these security settings you have most likely reduced your chances of becoming a victim of a hacking attack.

Leave your comments, and any information you want to add to this post, in the comments section.

Kris Rud

Kris is an IT strategist, enterprise architect, IT leader, blogger and author. He helps businesses grow rapidly by optimizing their resources with technology strategy and enterprise architecture consulting, working closely with senior management and C-level officers in government and commercial organizations. He writes on several blogs about Technology, Personal Finance for IT people, Passive Income, Health, Meditation and Yoga.