Blog Security is one of the top security blogs out there keeping an eye on all things blog security and WordPress. They’ve just released two great articles WordPress fans need to check out.
First is news of a video and blog post by Guvnr called “10 Tips to Make WordPress Hack Proof.” The effort drew on tips from BlogSecurity’s popular WordPress Security Whitepaper, inspiring them to update and improve it soon.
The second is “How to Firewall Your WordPress Blog” by Jaimie Sirovich of SEO Egghead guest blogging on BlogSecurity. He covers options to help you make your WordPress blog more secure with a variety of WordPress Plugins.
Don’t forget that the best line of defense for your WordPress blog begins with a strong password, followed by regularly upgrading your WordPress blog, especially after security alerts.
There is a lot of misinformation on the web about blog and WordPress security. Many will tell you that CAPTCHAs and their paid services will protect you and your WordPress blog. They will give you a lot of outdated steps to take. Don’t be fooled. Get your information from the official and reputable WordPress resources. WordPress is inherently secure. It should be. It is used by some of the top government agencies in the United States and around the world.
The current version of WordPress is very secure, with no critical security vulnerabilities reported since its release. There are, however, some security issues with WordPress Plugins, so make sure you check in with your favorite WordPress Plugin authors and your Plugins Panel for updates on a regular basis.
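As an added example (not from this post, BlogSecurity, or WordPress itself), here is a small Python audit that reads the version WordPress records in wp-includes/version.php and the Version: header of each installed plugin, then lists anything older than the known-latest versions you pass in. The sample install it builds is constructed; in practice the “latest” numbers come from your WordPress dashboard and plugin authors, as the post advises.

```python
import re
import tempfile
from pathlib import Path
# wp-includes/version.php declares the core version as: $wp_version = '2.7.1';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# Plugin metadata is a comment block at the top of the plugin's main PHP file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def parse_version(v):
    """'2.7.1' -> (2, 7, 1) so versions compare numerically ('2.10' > '2.9')."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def core_version(wp_root):
    """Installed WordPress version, or None if version.php is missing or unparseable."""
    path = Path(wp_root) / "wp-includes" / "version.php"
    if not path.is_file(): return None
    m = VERSION_RE.search(path.read_text(errors="replace"))
    return m.group(1) if m else None

def installed_plugins(wp_root):
    """Map plugin name -> version for single-file and directory-based plugins."""
    plugins_dir = Path(wp_root) / "wp-content" / "plugins"
    if not plugins_dir.is_dir(): return {}
    found = {}
    for php in sorted(list(plugins_dir.glob("*.php")) + list(plugins_dir.glob("*/*.php"))):
        fields = dict(HEADER_RE.findall(php.read_text(errors="replace")))
        if "Plugin Name" in fields:  # helper files without a header block are skipped
            found[fields["Plugin Name"]] = fields.get("Version", "0")
    return found

def outdated(wp_root, latest_core, latest_plugins):
    """List (component, installed, latest) for everything older than the known-latest versions."""
    report = []
    core = core_version(wp_root)
    if core and parse_version(core) < parse_version(latest_core):
        report.append(("WordPress core", core, latest_core))
    for name, ver in installed_plugins(wp_root).items():
        latest = latest_plugins.get(name)  # plugins you don't track are skipped, not flagged
        if latest and parse_version(ver) < parse_version(latest):
            report.append((name, ver, latest))
    return report

def build_sample_install():
    """Constructed sample tree (not a real site): core 2.7.1 plus two plugins."""
    root = Path(tempfile.mkdtemp())
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '2.7.1';\n",
        "wp-content/plugins/akismet/akismet.php": "<?php\n/*\nPlugin Name: Akismet\nVersion: 2.2.3\n*/\n",
        "wp-content/plugins/hello.php": "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.5\n */\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return str(root)
```

Calling `outdated(build_sample_install(), "2.8", {"Akismet": "2.2.4", "Hello Dolly": "1.5"})` flags core and Akismet but not Hello Dolly; point it at a real document root and your own list of current versions to audit a live install.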
Here are some reliable articles on blog and WordPress security:
- Lorelle on The Blog Herald – Protect Your Blog With a Solid Password
- Smashing Magazine – 10 Steps To Protect The Admin Area In WordPress
- Vladimir Prelovac – Improving security in WordPress Plugins using Nonces
- Matt Cutts – Alerting Webmasters to Webserver Vulnerabilities
- WordCamp Toronto 2008 – WordPress Security with Mark Jaquith
- Weblog Tools Collection – Maximum WordPress Security
- Weblog Tools Collection – Fake WordPress Site
- Technorati – Vulnerable WordPress Blogs Not Being Indexed
- Mark Jaquith – US Government Agencies Using WordPress
- Lorelle on WordPress – WordPress Security Prevention, Reactions, and Scares
- Blog Security – WordPress Security Predictions in 2009
- Arachna – Fear, Uncertainty and Disinformation About The WordPress Exploits and Spam
- Lorelle on The Blog Herald – WTF Blog Clutter: The Death of the CAPTCHA
- Daily Blog Tips – Make Sure Your WordPress is Not Hacked
- Donncha – There’s Never Been A Better Time To Upgrade WordPress
- Blog Security – Interview of a WordPress Hacker
- Noupe – WordPress Security Tips and Hacks
Copyright Lorelle VanFossen, the author of Blogging Tips, What Bloggers Won't Tell You About Blogging.
32 Comments
It’s not just a strong password, but also creating a special administrative account with a strong password, then deleting the “admin” account.
How do you delete the admin account? I created a new account as you had suggested, providing the new user with administrative privileges, yet I am unable to delete “admin”.
You cannot delete the primary administration account. If you cannot change the admin name, you either do not have the proper permission levels or you are using an old version of WordPress. You can change it in the database. Check the WordPress Codex for details on how to carefully edit the WordPress database.
It’s all about a strong password with a good firewall, and also an intelligent admin who keeps a regular eye on his blog.
Thank you! I needed this. One of my blogs was recently hacked. Not sure how and neither was the service provider. I hope this helps.
This is exactly the article I needed right now! After my blog was hacked into not once but twice last month and causing me to lose more than 1,000 visitors, one of my readers asked how it could be prevented. My answer was “I don’t know.” Now I’m off to find out. Thanks.
@Dan Schulz: Renaming/removing the “admin” account doesn’t really improve security any. Using a strong password is more important. It’s not really a matter of 1 vs. 2 things to guess.
Also, about 90% of the hacked sites I’ve seen (which have been plenty) have been a) on shared hosting setups b) with bad security choices in their software (using suPHP is a good start for secure shared systems) and c) the actual hack was performed through some other site’s software and then a script was run to search for and compromise all sites on that server. This is the usual method, once somebody gets into a server, if the security isn’t done right, every site on that server can get hacked automatically.
Dedicated servers are less likely to be hacked *if* the admin knows what he’s doing. Shared server security is a different bag of tricks, and not many admins are particularly good at it.
Actually, the biggest WordPress vulnerability is the free rein plugins have. The framework is WIDE OPEN for abuse.
Staying up-to-date and watching those file permissions is the main one I come across a lot when people come to me with “hey, what happened to my WordPress site?” (this is usually followed with “can you help me fix it?”).
Once those security holes get out, any WordPress site that isn’t being watched will get hammered very quickly. The higher your PageRank, the faster this will happen.
Back up often to prevent a catastrophe!
We all need more security, thanks!
Big cheers Lorelle. Wow, flattery indeed. Splendid to meet you, and I appreciate your commendation for that ten tips post. (The server’s bearing up at the moment, just about. Next time you link me though, do me a favour and warn me to enable supercache;) the_guv at guvnr.
You truly do not comprehend the redaction of our Fourth under the House that bush Built, do you? WordPress has disemvoweled me, removed posts, wrote posts without me knowing, then acted as if the Vets that read that and many from the Hill do not KNOW that it isn’t me? I used Effector, eff.org. It took their covert guy 2 days of mucking about with me and now I have a quite tidy paper trail, thank you. I do appreciate your naiveté or toeing the Party Line, but Gheeez louise, have you even read a Constitution?
@Rhoda: Are you talking about blogging with WordPress.com or a full version WordPress blog? If you were using a full version WordPress blog, then there is nothing anyone from WordPress or Automattic could do to your blog. It’s your blog to do with it what you will. If you were blogging with the free hosted version of WordPress.com and you violated their terms of service, then like anyone else who violates those terms, you would be informed of the violation and given a chance to respond. Sorry you had a bad experience, whatever that was with.
Thanks for this info. With a popular CMS like WordPress, it is a much bigger target for attacks. WordPress has been pretty secure in my experience, but it’s always good to have as many layers of security as possible.
I am also managing my blogs. But I lost two of my favorite blogs at one time, blogs that I had managed with heart, and I was really unable to have them again as the complete data was lost.
Yups.. I agree, using a strong password is more important. Never use your name, family, phone number, or personal information as a password or username. Make a unique username and password.
thanks…;)
I was once told that the safest computer is one that is buried 6 feet below the ground and is unattached. 🙂
Thanks, a good reminder.
Will check out some of your links.
I would like to know what happens when hacked; do they just make me look stupid? There is no financial info connected here. But also, what if I use the same password as on my other email accounts? When they hack, do they retain knowledge of the password?
@maaark: If you use the same password for other accounts, and they have a way of tracking you to those accounts, they could use it, but the damage is usually done by machines, not humans. When a blog is hacked, they can do a wide variety of damage. They can track everyone who visits your blog. If someone leaves a comment, they can track their email and contact information, then travel to their sites and do damage. They can track passwords, not just on your site, but actually worm their way into your computer by putting ads or links on your blog that you click and unknowingly install a file on your computer. They can pound away at your website, increasing traffic, database hits, and server load, thus driving up your server costs with no benefit to you. At worst, that kind of action can crash your server and get your account closed, not to mention the damage they might do across a shared hosting service.
At the least, they can deface your site, thus ruining your reputation and credibility when people visit your site, and leave a big mess for you to clean up. It’s a lot of work, a lot of wasted time, and painful.
Good article to drive home the security need. I had a blog hacked recently (not my primary one thankfully) and it really spurred me to be more careful about my passwords and security in general (so easy to be lazy and use the same passwords).
I keep a link to this password generator in my bookmarks toolbar so I can quickly come up with something complicated and random anytime I need a new one.
Shouldn’t all these safety features come with the WordPress installation itself? Except for the password of course.
@Joy: WordPress is fairly secure and getting better all the time. These are things that others are doing to further enhance WordPress security. Many of these involve customization of Apache, PHP, and server elements that cannot be controlled nor accessed by Woopra, especially across the wide variety of server types and programs. For those to whom top level security is critical, these are the steps they can take that go beyond what WordPress can, and should, do.
These hackers are stupid.. we’re safe only if we use a computer at our home or our own PC, but renting a computer in an internet cafe is very dangerous; in most cases, many are victims of keyloggers.. this really sucks. Many accounts (email, personal site, game accounts, etc.) have been lost and ruined.. we have to be wise when we protect the personal things we love.
always a challenge to stay one step ahead of the hackers… for sure stay away from any password entering on public computers…
I was hacked into one of my sites last year; luckily I only had content on my site. It really threw me for a loop. I could not figure out why someone would want to hack a site that was of no importance. I guess it was the thrill for them to ruin all the time I had in setting it up. I wish I would have found this site earlier. It would have saved me from getting wiped out.
I’ve been using the Secure WordPress plugin and I have not had any problems since.
Good strong word of advice: back up regularly.
Will this still apply for the version 3?
Yes and no. Some features have changed but these are mostly still valid.
Nice tips and links. But, the number one tip you left off is change the admin name to something different and make sure to use a strong password.
This article was written in 2009. Changing the admin name and having a strong password is something that is like a default, and should go without saying, though it does always bear repeating. Thanks for the reminder.