19 Comments
- inactive, on 07/13/2009, -0/+8: Just implemented some of these on my blog. Some of these are really quick to implement. Nice tips.
- JonnyCasino, on 07/13/2009, -0/+7: Dugg for #1. It is so important to back up, do it and save yourself some risks.
- merreborn, on 07/13/2009, -0/+4: TFA seems to mention altering file permissions, but neglects to mention making sure you verify file ownership first.
  If the files are owned by the wrong user, setting the recommended permissions will only cause trouble.
- Yarkz, on 07/13/2009, -0/+2: Backing up is definitely a must, I can't tell you how badly off I would be if I didn't do biweekly/daily (depending on site) backups.
- keyo, on 07/13/2009, -0/+2: A lot of these apply to all content management systems: backing up, not displaying the version, updating, file permissions, decent passwords.
- vaby42, on 07/30/2009, -0/+2: Nice post bro.
- badqat, on 07/13/2009, -1/+3: Excellent listing... thanks for posting!
- keyo, on 07/13/2009, -0/+1: I agree, for a files directory for instance it's better to chmod 775 (all access to owner and group) with www-data as the group than to chmod 777 (all access to anyone).
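Taking merreborn's point (verify ownership before touching permissions) and keyo's point (775 with the web server's group instead of 777) together, here is a small POSIX sh routine that gates every chmod on an ownership check and lists what a blanket 777 left world-writable. This is an added example, not code from the article or from any commenter; the site path, the `deploy` account and the `www-data` group are assumptions to be replaced with your own values.

```sh
#!/bin/sh
# Added example (not from the article or any commenter): check ownership
# before changing permissions, and prefer 775 with the web server's group
# over 777.
# Assumptions: the site lives under WP_ROOT (hypothetical path), files are
# deployed by SITE_USER, and the web server runs as group WEB_GROUP
# (www-data is assumed; check your httpd/php-fpm configuration).

WP_ROOT=${WP_ROOT:-/var/www/example-site}   # assumed path
SITE_USER=${SITE_USER:-deploy}               # assumed account
WEB_GROUP=${WEB_GROUP:-www-data}             # assumed group

# owned_by PATH USER GROUP: exit 0 only if PATH is owned by USER:GROUP.
# "find -prune" looks at PATH itself and nothing below it; an unknown user or
# group makes find fail, which is treated as "not verified".
owned_by() {
    find "$1" -prune -user "$2" -group "$3" -print 2>/dev/null | grep -q .
}

# secure_dir DIR USER GROUP: apply 775 (rwx owner and group, r-x others)
# only after ownership is confirmed; otherwise refuse and leave the mode alone.
secure_dir() {
    if ! owned_by "$1" "$2" "$3"; then
        echo "refusing to chmod $1: not owned by $2:$3 (run chown first)" >&2
        return 1
    fi
    chmod 775 "$1"
}

# secure_file FILE USER GROUP: same gate, 664 for regular files.
secure_file() {
    if ! owned_by "$1" "$2" "$3"; then
        echo "refusing to chmod $1: not owned by $2:$3 (run chown first)" >&2
        return 1
    fi
    chmod 664 "$1"
}

# world_writable ROOT: list everything under ROOT that "others" may write to,
# i.e. the leftovers of a blanket "chmod -R 777".
world_writable() {
    find "$1" -perm -002 -print
}

# mode_of PATH: the symbolic mode string, e.g. drwxrwxr-x (portable via ls).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Typical use on a real site, once chown has put ownership right:
#   secure_dir "$WP_ROOT/wp-content/uploads" "$SITE_USER" "$WEB_GROUP"
#   world_writable "$WP_ROOT"
```

Because the gate runs before every chmod, a directory owned by the wrong account is reported rather than silently made group-writable for whoever happens to own it.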
- jemka, on 07/13/2009, -0/+1: Dude thanks. I needed some help with my boner. Thank god for digg comments.
- janvierdesigns, on 10/26/2009, -0/+1: No need to analyze too much. The only relevant one I would give a thought is the 12th. Everything is pretty basic - trivial.
- lalalalamppost, on 07/13/2009, -0/+1: Irony defined.
- socokoolaid, on 07/16/2009, -0/+1: I was wondering WTF you were talking about, and then it hit me. You are talking about PHP/HTML injection. Well, when you inject via SQL some PHP/HTML code to be displayed in the page. This may be relevant, but many times the SQL you inject is only SQL and never gets displayed on the page. Like the following over-simplified examples, which exclude URL encoding for clarity:
  h ttp://xyz.com/product.php?id=123"; DROP TABLE product; #
  h ttp://xyz.com/admin/login.php?user=admin&pass=123" AND 1="1
  (or something similar, but likely much more complex)
  *edit: had to remove ticks and make them quotes so Digg didn't encode them
- juankovo, on 07/13/2009, -0/+1: Apparently usernames AAA0A0A through RWE4T5U were all taken. Good thing RWE4T5W got his name before they were all gone!
- xeonrage, on 07/13/2009, -0/+1: Agreed, most of these are either built in, useless, or worst of all harmful.
- Otto, on 07/15/2009, -1/+1: If you can inject SQL code, then you can also access the PHP variable that holds the prefix, making #8 useless to a hacker with half a brain.
- socokoolaid, on 07/14/2009, -1/+1: Here's my take on the controversial ones.
  #2 Seems best practice, and may slightly help prevent fingerprinting your wp version if you're trying to go incognito.
  #3 If done without breaking anything, removing the version number does make things harder to fingerprint. I think there are some plugins that strip version numbers and maybe even some other identifiable characteristics from your site.
  #5 I always get that pathetic brute attempt from some IP in China that would take a million years. I see changing this user name as just making your pass twice as long.
  #7 -
  #8 would sure make SQL injection a million times harder if you did this (considering your SQL user grants are reasonable).
  #10 If you did #2 correctly then you shouldn't need this.
  All in all a pretty nice list, sure beats most of the drivel lists I've read on the same topic.
- Otto, on 07/13/2009, -2/+2: Poor.
  #2 doesn't add any real security, since most hacks happen outside of wp-admin.
  #3 is totally useless, and even dangerous, as wp_head() is often critical to the operation of the site.
  #5 is nice, but doesn't really add any security. Brute force attacks are not a common way in.
  #7 is built in, there's a password strength meter in WordPress that actually works pretty well.
  #8 doesn't help from a good hack attempt.
  #10 is actively harmful, as it prevents Google from indexing any of your uploaded images.
  #12 makes sense, but since the wp-config doesn't create any output on a server running PHP anyway, it won't do anything.
- jemka, on 07/13/2009, -1/+1: You don't get how people are uninformed and/or lazy?
- dgtesting, on 07/13/2009, -1/+0: It's so important for people to understand that they need to back their blog up! I don't get the reasoning behind not protecting your data...
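Several commenters (JonnyCasino, Yarkz, keyo, dgtesting) name backups as the one tip nobody should skip. As an added example, not from the article or any commenter, here is a minimal POSIX sh backup routine for a WordPress directory that verifies each archive can actually be read back and prunes old copies so the job does not quietly die on a full disk. The site and backup paths are passed in; the database step assumes `mysqldump` is installed and reads credentials from an assumed my.cnf-style file so the password never appears on the command line.

```sh
#!/bin/sh
# Added example (not from the article or any commenter): file and database
# backups for a WordPress site, with verification and retention.
# Assumptions: SITE_DIR and BACKUP_DIR are supplied by the caller; the
# database dump reads user/password from a --defaults-extra-file (assumed
# path, readable only by the backup account).

# backup_files SITE_DIR BACKUP_DIR: tar+gzip SITE_DIR into a timestamped
# archive, verify the archive lists back, and print its path.
backup_files() {
    site=$1
    dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$dest/$(basename "$site")-files-$stamp.tar.gz"
    mkdir -p "$dest"
    tar -czf "$out" -C "$(dirname "$site")" "$(basename "$site")" || return 1
    # A backup that cannot be listed is not a backup: discard it loudly.
    if ! tar -tzf "$out" >/dev/null 2>&1; then
        echo "archive $out failed verification" >&2
        rm -f "$out"
        return 1
    fi
    echo "$out"
}

# backup_db DBNAME BACKUP_DIR CNF: dump the database to a gzipped SQL file.
# The dump goes to a plain file first so a mysqldump failure is not hidden
# behind a pipe; the credentials file CNF is an assumption.
backup_db() {
    command -v mysqldump >/dev/null 2>&1 || { echo "mysqldump not installed" >&2; return 1; }
    out="$2/$1-db-$(date +%Y%m%d-%H%M%S).sql"
    mkdir -p "$2"
    mysqldump --defaults-extra-file="$3" --single-transaction "$1" > "$out" || { rm -f "$out"; return 1; }
    gzip "$out" || return 1
    echo "$out.gz"
}

# archive_contains ARCHIVE FRAGMENT: exit 0 if some member name matches.
archive_contains() {
    tar -tzf "$1" | grep -q "$2"
}

# prune_backups BACKUP_DIR KEEP: delete all but the newest KEEP file archives.
prune_backups() {
    ls -1t "$1"/*.tar.gz 2>/dev/null | tail -n +"$(( $2 + 1 ))" | while read -r old; do
        rm -f "$old"
    done
}

# count_backups BACKUP_DIR: number of file archives present.
count_backups() {
    ls -1 "$1"/*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Typical cron use (paths assumed):
#   backup_files /var/www/example-site /var/backups/wp
#   backup_db wordpress /var/backups/wp /root/.wp-backup.cnf
#   prune_backups /var/backups/wp 14
```

Keep the backup directory outside the web root and on a different host or volume than the site itself; a copy that the web server can serve, or that shares the disk that fails, protects nothing.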