Tips from Matt Cutts to protect WordPress installation

Since my site was hacked yesterday, I have been paying more attention to making my WordPress blog more secure from hackers. For starters, I have upgraded to WordPress 2.3.2, which fixes some major security flaws. I also googled to find out whether there are other tips I can implement to protect my blog from further attacks. I came across Matt Cutts' post on how to protect your WordPress installation. For those of you who don't already know, Matt Cutts works for Google and is the head of the Webspam team. He has also posted many videos on YouTube which are really worth watching if you are into SEO.


Here is a summary of the post.

1. Secure your /wp-admin/ directory by locking it down and allowing only certain IP addresses to access it. You do that with an .htaccess file placed in the /wp-admin/ directory, in which you define your whitelisted IP addresses. See the example below.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
allow from 199.239.136.200
# IP while in Kentucky; delete when back
allow from 128.163.2.27

2. Make an empty wp-content/plugins/index.html file. Otherwise you leak information on which plugins you run. If someone wanted to hack your blog, they might be able to do it by discovering that you run an out-of-date plugin and then exploiting that.

3. Subscribe to the WordPress Development blog at http://wordpress.org/development/feed/. When WordPress patches a security hole or releases a new version, they announce it on that blog and you can upgrade accordingly.

4. In the header.php file for your theme, check the meta tag that shows the blog version:

bloginfo('version')

Delete that line, or at least the bloginfo('version') call. If you're running an older version of WordPress, anyone can view the page source to see which attacks might work against your blog.
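To check that tips 1, 2 and 4 have actually taken effect on your own site, here is a small self-audit script. It is an added example, not code from Matt Cutts' post or from WordPress; the .htaccess text and HTML it inspects are constructed samples, and it assumes the Apache 2.2-style directives shown above and a generator tag written as name= then content=.

```python
"""Self-audit helpers for the WordPress hardening tips above (added example)."""
import ipaddress
import re


def audit_htaccess(text):
    """Tip 1: return problems found in an Apache 2.2-style IP allowlist."""
    problems = []
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.strip().startswith("#")]
    lowered = [l.lower() for l in lines]
    if "deny from all" not in lowered:
        problems.append("missing 'deny from all' default")
    if "order deny,allow" not in lowered:
        problems.append("missing 'order deny,allow'")
    for line in lines:
        m = re.match(r"allow\s+from\s+(.+)$", line, re.IGNORECASE)
        if not m:
            continue
        for target in m.group(1).split():
            if target.lower() == "all":
                problems.append("'allow from all' defeats the allowlist")
                continue
            try:  # accept single addresses or CIDR ranges
                ipaddress.ip_network(target, strict=False)
            except ValueError:
                problems.append(f"unparseable address {target!r}")
    return problems


# Assumes the generator tag is written as name= followed by content=.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([^"\']*)["\']',
    re.IGNORECASE)


def leaked_version(html):
    """Tip 4: return the version advertised in the generator tag, or None."""
    m = GENERATOR_RE.search(html)
    return (m.group(1).strip() or None) if m else None


def plugins_listing_exposed(html):
    """Tip 2: True if the response looks like an Apache directory index."""
    return bool(re.search(r"<title>\s*Index of /", html, re.IGNORECASE))


if __name__ == "__main__":
    # Constructed sample: the allowlist from the post, with one stale entry.
    sample = "order deny,allow\ndeny from all\n# home\nallow from 64.233.169.99\n"
    print(audit_htaccess(sample))  # an empty list means the allowlist is sound
    print(leaked_version('<meta name="generator" content="WordPress 2.3.2" />'))
```

Removing the generator tag only hides the version string; it is no substitute for upgrading, so keep tip 3 in place as well.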

Thank you Matt Cutts for your invaluable tips on securing WordPress.

(Full post can be found at http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/)
