Top 12 Wordpress Security Measures That You Can't Miss!

When you first create a Wordpress site or blog, the default login that most people create is a default account called "admin." Be sure NOT to do this, since it's not mandatory to name your admin account "admin." Instead, use a different name as your administrator login.

If you use "admin," you're using the most common login that hackers will attempt to get in with, and you'll make the job 50% easier on them if you do! If you've already named your account "admin," simply go into your "users" menu, create a new user and give it administration rights, then remove the default account.

When installing Wordpress, you'll have the option of using the default "wp_" as your table prefix (i.e., wp_comments, wp_links, wp_posts, etc.) You can change this to something else if you'd like - it's another measure toward straying away from default attributes. If it's too late and you've already created a site with a database, you can still make the change: here's an in-depth article showing you how. It's not too painful, either :)

Sorry to repeat the same thing you've already gotten drilled into your head - but by having the most recent version of Wordpress and all of its plugins, you'll make a huge stride toward having a secure site. Vulnerabilities are always exploited by hackers. When a new version of Wordpress is out, it will notify you via a site stripe at the top of your admin panel. Now that Wordpress has its own auto-upgrade function, it's easier than ever.

Robots.txt is used to tell search engines which folders of your site they should not look into for spidering purposes. You'll want to tell them not to look into folders that are unnecessary for them, such as the "/plugins" and "/wp-admin" folders. Simply copy and paste the code below into a Notepad document, and save it as "robots.txt", then add it to the root directory of your Wordpress site:

#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

I've learned this one from Google engineer & popular SEO blogger, Matt Cuts. By creating an .htaccess file just for your WP-Admin folder, you can block all IP addresses except the ones you specify. If you don't know what your computer's IP address is, check it here instantly. Here's what the contents of this file should look like (just open up Notepad, and copy & paste this in...then, replace the dummy IP's with the ones from your other home or work computers):

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# IP address of my 2nd home computer
allow from 00.000.000.00
# IP addresses of my two work computers
allow from 00.000.000.000
allow from 000.000.00.000
# IP address at my uncle's house
allow from 000.000.0.00

If, by any chance, you don't want to do this - you can also rename the /wp-admin folder to something entirely different with this tutorial. This is a viable alternative for any Wordpress user who doesn't want anyone to type in "mysite.com/wp-admin" to see the login screen!

This is the oldest trick in the book. Open up Notepad. Don't type anything in, and just save the blank page as "index.html." Then, simply save this file into directories such as ..wp-content/plugins (new versions of Wordpress SHOULD already have one in there, that says "Silence Is Golden" within it). By doing so, you're preventing anyone from seeing a list of your plugins. Exploiting Wordpress sites with outdated plugins is one of the most common attacks, and this will help mask some information.

This will be a minor annoyance to you, but a great additional barrier for the security of your site! On your web server, get into your Wordpress site's account. Find the option for "Password Protect Directories" (this is what it's called in cPanel, but it might be named differently on another platform). Password protect the directory "wp-admin." Give it a unique password, and write it down.

Now, if someone attempts to visit YourSite.com/wp-admin, they'll get nothing but a white screen and a pop-up box from the server, asking for a username and password. Unless they know of these, they'll never be able to see the Wordpress admin log-in screen. Of course, this will now give you two passwords you'll have to enter in order to edit your site (the server password and the Wordpress admin password), but you can have your browser "remember" all of these so that you don't have to type them in every time. Just don't lose the passwords!

This is a simple one: go into your footer.php file and remove anything that says "Powered By Wordpress." Remove any script that might be displaying what version you have, too. Hackers typically search the internet for "powered by wordpress" and will attack everything that comes up.

One more tip is to remove the following line from your header.php file. Matt Cutts from Google Inc. stated that it is no longer needed:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->

This plugin scans your Wordpress site and reports back with a list of vulnerabilities, and how to fix them. It's good to run this every once in awhile - there might be a loophole you've overlooked!

When you CHMOD your Wordpress files, be sure you know what you're doing, and what changes you've made. The most dangerous CHMOD code is 777, which gives all groups and users full read, write and execute permissions to a folder or file. This is the level of access that hackers would need in order to inflict a lot of damage on your site, depending on what it's applied to.

Many folders need to be write-able (755) in Wordpress in order for certain things to function. Just be wary of assigning a 777 to anything. For a more technical look at Wordpress CHMOD defaults and security recommendations, see this section of the Changing File Permissions section.

Wordpress blogs by their own nature are magnets to spam bots. Whether you like it or not, you WILL get hit by them. However, there's a solution for it: by running both Akismet and Bad Behavior (both are free), you'll be able to block spam (with Akismet) and block craftier spam methods (with Bad Behavior), effectively making your Wordpress site spam-free.

There are sites out there using what are called "content scrapers" to pull RSS feeds into a website. The biggest threat in these sites is that they might get your page cached in search engines before you do, essentially making your original article become "duplicate content." This is rare, but possible. There is a remedy, though - by using the Feed Footer plugin, you can insert a line of code within your articles that will only appear in RSS format that point to your website. In other words, every time your article gets scraped, you also get a backlink to your site, which defeats the purpose of anyone scraping your site :)

For a better look at what else you can do to stop content thieves, look to this article which has a collection of other methods.