
Securing Wordpress blog

Talk presented at Day 1 of Wordcamp baroda.

Paresh Mayani

January 26, 2013


  1. Who am I?
     • Android & WP7 Developer @Digicorp
     • Wordpress blogger
     • Head, Google Developers Group Ahmedabad
     • @pareshmayani
     • www.TechnoTalkative.com
  2. Common sense
     • Secure password
     • Keep Wordpress & plugins up-to-date
     • Delete unused files
     • Use a reputable web host
     • Clean your site/blog like you clean your house
  3. Some security steps
     1. Regular backups are best friend
     2. Change table prefix
     3. Proper file & folder permissions
     4. Use secret keys
     5. Protect your wp-config.php file
     6. Protect your .htaccess file
     7. Remove the admin account
     8. Do not advertise your WordPress version to the world
     9. Limit the number of login attempts
     10. Prevent users from browsing your Wordpress directories
     11. Use security plugins
  4. 1. Regular backups are best friend
     • Take backups
     • Plug-ins available:
       – BackUpWordPress http://wordpress.org/extend/plugins/backupwordpres/
       – BackWPup http://wordpress.org/extend/plugins/backwpup/
  5. 2. Change Table Prefix
     • Default table prefix is wp_
     • Change the table prefix (wp_) to some random value.
  6. 2. Change Table Prefix
     Steps:
     1. Open wp-config.php and change
          $table_prefix = 'wp_wordcamp';
     2. Rename every database table to use this prefix (through phpMyAdmin).
     Note: the usermeta keys wp_capabilities and wp_user_level and the wp_user_roles option also carry the old prefix in their names; if they are not renamed as well, no account will have administrator rights after the change.
  7. 3. Proper Files & Folder permissions
     • Give users the minimal required access
     • Set file permissions to 644 & folders to 755
       4 = read, 2 = write, 1 = execute
       For example:
       • 755 (rwxr-xr-x)
       • 644 (rw-r--r--)
  8. 4. Use secret keys
     • To increase the security of passwords stored in your WordPress database, you should ensure that your wp-config.php file has unique values.
     • Step: Generate unique keys through
       https://api.wordpress.org/secret-key/1.1/
       https://api.wordpress.org/secret-key/1.1/salt/
  9. 5. Protect your wp-config.php file
     Steps:
     1. Open .htaccess file
     2. Include below code:
          <Files wp-config.php>
          order allow,deny
          deny from all
          </Files>
  10. 6. Protect your .htaccess file
      Steps:
      1. Open .htaccess file
      2. Include below code:
           <Files .htaccess>
           order allow,deny
           deny from all
           </Files>
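The two .htaccess snippets in slides 9 and 10 use the Apache 2.2 `Order`/`Deny` directives, which Apache 2.4 only honours when the compatibility module mod_access_compat is loaded. The block below is an added example, not code from the talk, that covers both files in one rule and picks the right syntax for whichever Apache version is serving the site:

```apache
# Added example (not from the talk): deny HTTP access to wp-config.php and
# .htaccess with one rule. Apache 2.4 loads mod_authz_core and uses Require;
# Apache 2.2 lacks that module and falls through to Order/Deny.
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

This only takes effect if the virtual host's AllowOverride setting permits .htaccess files (AllowOverride None silently ignores them), and it only governs requests through Apache: a PHP file that is readable by the web server user can still be read by any code running as that user, which is why the 644/755 permissions from slide 7 still matter.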
  11. 7. Remove the admin account
      • The default account created for you in wordpress is admin
      • Steps:
        1. Create a new user with Administrator permissions
        2. Log out and then log back into wordpress with the new user you created
        3. Delete the admin user account
        4. When it asks what you want to do with posts attributed to admin, select the user you created
  12. 8. Delete Wordpress version
      • WordPress sites always publish the version number, thus making it easier for people to determine if you are running an outdated, non-patched version of WordPress.
      • Step: Include this line into functions.php:
           remove_action('wp_head', 'wp_generator');
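The single remove_action line only strips the generator tag from the HTML head; the same version string is also emitted in RSS/Atom feeds and as the `?ver=` query argument on every core script and stylesheet. The following is an added example, not code from the talk, that handles all three places; it can be placed in the theme's functions.php or in a must-use plugin. The function name techtalk_strip_wp_version_query_arg is an assumption chosen here.

```php
<?php
/**
 * Added example (not from the talk): hide the WordPress version in the three
 * places core writes it. Put this in functions.php or wp-content/mu-plugins/.
 */

// 1. The talk's own step: drop the <meta name="generator"> tag from <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. Feeds (RSS/Atom/RDF) emit the version through the_generator(); returning
//    an empty string removes the element entirely.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Enqueued scripts/styles get "?ver=<core version>" appended whenever a
//    plugin or theme did not supply its own version, so the version appears
//    in every page source. Strip the argument only when it equals the core
//    version, so cache-busting versions set by plugins keep working.
function techtalk_strip_wp_version_query_arg( $src ) {   // hypothetical name
    if ( false === strpos( $src, 'ver=' ) ) {
        return $src;
    }
    $query = array();
    wp_parse_str( (string) parse_url( $src, PHP_URL_QUERY ), $query );
    if ( isset( $query['ver'] ) && get_bloginfo( 'version' ) === $query['ver'] ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'techtalk_strip_wp_version_query_arg', 9999 );
add_filter( 'style_loader_src',  'techtalk_strip_wp_version_query_arg', 9999 );
```

This stops casual fingerprinting by scanners that read the generator tag or `ver=` arguments, but it is not a substitute for updating: the readme.html shipped in the site root and the contents of core files still identify the release, so keep step 2 of the "Common sense" slide (keep WordPress and plugins up to date) as the real control.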
  13. 9. Limit the number of login attempts
      • Limit Login Attempts – http://wordpress.org/extend/plugins/limit-login-attempts/
      • Login LockDown – http://wordpress.org/extend/plugins/login-lockdown/
  14. 11. Use Security plug-ins
      • Better WP Security – http://wordpress.org/extend/plugins/better-wp-security/
      • BulletProof Security – http://wordpress.org/extend/plugins/bulletproof-security/