Secure Your WordPress Blog. 10 Steps For A Complete Blog Lockdown.
17 April, 2008
Original post: http://www.mytradedomain.com/secure-your-wordpress-blog/
Should I be worried? After all, I’m using a blogging tool/platform that is used by many millions. Actually, that’s precisely the reason to lock down your WordPress blog. Remember to do the following once you’ve set up your WordPress blog. Don’t leave home without doing it.
- Change your blog’s admin user name.
- Back up your database and installation periodically.
  - wp-dbmanager
  - wp-db-backup
  I like the feature where you can specify an email address and the wp-db-backup plugin will back up the database and email the backup file to that address.
- Remove your blog version details from the header.
- Uninstall any unused plugins.
- Create an index.php file in every directory within your blog’s main directory.
- Scan your blog theme for vulnerabilities.
- Restrict access to the wp-admin folder.
- Restrict access to the wp-content and wp-includes folders.
- Last but not least, keep your WordPress and your plugins updated.
- One final one. Under “General Options” in your WordPress admin panel, disallow anyone from becoming a member and set the default user role to “Subscriber”.
Rename your username and always use a strong password. Log in directly or use phpMyAdmin to access your blog’s MySQL database and update the “admin” username. Execute the following MySQL update command to change your administrator username.
update wp_users set user_login = 'new user name' where user_login = 'admin';
Note: if you use a different table prefix, replace “wp_” in the above command with your own prefix. You should also change your table prefix from the default.
You have a number of options to back up your blog database. Make it easier by using phpMyAdmin to connect to your database to do the backup. You can even install phpMyAdmin as a plugin to be able to easily access your blog database from within your WordPress admin panel.
Launch phpMyAdmin, select your blog database and the options shown in the picture below, then click the “Go” button to download your database backup file. Do this regularly and often.
Alternately you can use plugins to do the work for you. There are a number of plugins that more or less do the same job. I’ve listed a couple below.
wp-dbmanager claims to optimize and repair your blog database as well as back it up. I cannot really comment as I have never used it personally.
All said and done, do ensure that you test your backup file. You do not want to be in a situation where, for some reason, your database needs to be rebuilt and you find out that your backups are corrupted.
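One way to test a backup at the moment you take it, as an added example that is not part of the original post: a small script that dumps the database with mysqldump and only keeps the file if it carries mysqldump's completion trailer and the core WordPress tables under your table prefix. It assumes mysqldump can log in via ~/.my.cnf; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: take a WordPress database
# backup with mysqldump and refuse to keep it unless it looks complete.
# verify_wp_dump checks for mysqldump's "Dump completed" trailer and for
# the core tables under the site's table prefix, so a truncated, empty or
# wrong-database dump is caught at backup time rather than at restore time.
# Assumes mysqldump can log in via ~/.my.cnf; function names are this
# example's own.

# verify_wp_dump FILE [PREFIX] -> 0 if the dump looks complete, 1 otherwise
verify_wp_dump() {
    dump="$1"
    prefix="${2:-wp_}"
    [ -s "$dump" ] || { echo "empty or missing dump: $dump" >&2; return 1; }
    # mysqldump writes this trailer only after it finished without error
    tail -n 5 "$dump" | grep -q '^-- Dump completed' || {
        echo "no 'Dump completed' trailer in $dump: probably truncated" >&2
        return 1
    }
    # the tables WordPress cannot be rebuilt without
    for table in users usermeta posts postmeta options comments; do
        grep -q "^CREATE TABLE \`${prefix}${table}\`" "$dump" || {
            echo "table ${prefix}${table} not found in $dump" >&2
            return 1
        }
    done
    return 0
}

# backup_wp_db DBNAME [PREFIX] [OUTDIR] -> writes DBNAME-<timestamp>.sql.gz
backup_wp_db() {
    db="$1"
    prefix="${2:-wp_}"
    outdir="${3:-.}"
    out="$outdir/$db-$(date +%Y%m%d-%H%M%S).sql"
    mysqldump "$db" > "$out" || { rm -f "$out"; return 1; }
    # a dump that fails verification is deleted rather than kept as a false backup
    verify_wp_dump "$out" "$prefix" || { rm -f "$out"; return 1; }
    gzip -f "$out" && echo "backup written: $out.gz"
}

# Usage: sh wp-backup.sh DBNAME [PREFIX] [OUTDIR]
if [ $# -gt 0 ]; then
    backup_wp_db "$@"
fi
```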
Remove the following line from your header.php or header template in your theme.
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
Don’t merely deactivate unwanted plugins. Remove the unwanted plugins completely from your WordPress installation.
Open your favorite text editor, add the line shown below and save the file as “index.php”. Upload the newly created file to every subdirectory within your main WordPress installation.
<?php die('<h2>Directory Access Prohibited</h2>'); ?>
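Doing the upload by hand for every subdirectory is tedious, and blindly overwriting is dangerous, because every theme already has an index.php that is its main template. The script below is an added example, not part of the original post: it walks the install, lists or creates the stub only where no index.php exists, and assumes its argument is the directory containing wp-config.php.

```shell
#!/bin/sh
# Added example, not from the original post: put the "Directory Access
# Prohibited" index.php from above into every subdirectory of a WordPress
# install that does not already have one. Existing index.php files are
# never overwritten: WordPress and every theme ship their own index.php,
# and replacing a theme's index.php with this stub breaks the theme.
# Assumes the argument is the directory holding wp-config.php; the function
# name and the list/fix modes are this example's own.

GUARD="<?php die('<h2>Directory Access Prohibited</h2>'); ?>"

# dir_guards WP_ROOT list|fix
#   list: print each subdirectory that has no index.php
#   fix:  create the stub in each such directory and print its path
dir_guards() {
    root="$1"
    mode="${2:-list}"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d | while IFS= read -r dir; do
        # the install root keeps WordPress's own index.php
        [ "$dir" = "$root" ] && continue
        [ -e "$dir/index.php" ] && continue
        if [ "$mode" = "fix" ]; then
            printf '%s\n' "$GUARD" > "$dir/index.php"
            printf '%s\n' "$dir/index.php"
        else
            printf '%s\n' "$dir"
        fi
    done
}

# Usage: sh dir-guards.sh /path/to/wordpress fix
if [ $# -gt 0 ]; then
    dir_guards "$@"
fi
```

Run it in list mode first to see which directories are unprotected, then in fix mode; a second list run should print nothing.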
Read my previous post about scanning your blog theme for any vulnerabilities.
Lock down your blog’s admin folder so that only you can access your blog’s admin panel. You do this by restricting access to the IP addresses that you use. Copy the block of content below, changing a.b.c.d and w.x.y.z to the IP addresses you use.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
allow from a.b.c.d
allow from w.x.y.z
You can easily find out your IP address from here. You can add as many IP addresses as you choose. Once you are done editing, save the file as “.htaccess” and upload it to the wp-admin folder under your blog installation using your favorite FTP program.
Alternately you can also use the “AskApache Password Protect” plugin to password protect your wp-admin directory.
This is similar to the previous step; the .htaccess file for these folders will look like this:
Order Allow,Deny
Deny from all
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>
This allows direct access only to image, CSS and JavaScript files in those folders and denies everything else. Do note that you might run into issues with a few plugins because of this. When you come across a problem with a particular plugin, open up access to only that plugin’s file with a rule like the one below:
<Files “NameOfThePluginFile.php”>
Allow from all
</Files>
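Both .htaccess files (the wp-admin one from the earlier step and the wp-content/wp-includes one just shown, with its per-plugin exceptions) can be generated rather than hand-edited, which also lets you validate every IP before it goes into an allow line, since a typo there locks you out of your own admin panel. The script is an added example, not part of the original post; the directives are the post's own, the function names are this example's.

```shell
#!/bin/sh
# Added example, not from the original post: generate the two .htaccess
# files described above instead of hand-editing them. wp-admin gets the
# deny-all plus allow-from-IP block; wp-content and wp-includes get the
# deny-all block that exempts static assets, plus one <Files> exception per
# plugin file that has to stay reachable. Every IP is validated first: a
# typo in an "allow from" line locks you out of your own admin panel.
# Directives are the post's (Apache 2.2 syntax); function names are this
# example's own.

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0-255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# wpadmin_htaccess IP... -> prints the wp-admin .htaccess; fails on a bad IP
wpadmin_htaccess() {
    [ $# -gt 0 ] || { echo "need at least one IP address" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    done
    printf '%s\n' 'AuthUserFile /dev/null' 'AuthGroupFile /dev/null' \
        'AuthName "Access Control"' 'AuthType Basic' \
        'order deny,allow' 'deny from all'
    for ip in "$@"; do
        printf 'allow from %s\n' "$ip"
    done
}

# wpcontent_htaccess [PLUGINFILE...] -> prints the wp-content/wp-includes
# .htaccess; <Files> matches on the file name only, so paths are reduced
# to their basename
wpcontent_htaccess() {
    printf '%s\n' 'Order Allow,Deny' 'Deny from all' \
        '<Files ~ "\.(css|jpe?g|png|gif|js)$">' 'Allow from all' '</Files>'
    for f in "$@"; do
        printf '<Files "%s">\nAllow from all\n</Files>\n' "${f##*/}"
    done
}
```

For example, `wpadmin_htaccess 203.0.113.5 198.51.100.7 > wp-admin/.htaccess` writes the admin file for two addresses, and `wpcontent_htaccess plugins/foo/bar.php > wp-content/.htaccess` writes the content file with one plugin exception.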
There are plugins that will keep WordPress updated automatically, saving you the effort, but I wouldn’t really recommend it as I always prefer doing this manually (back up first, pray a bit and then go for it).
Entry filed under: Wordpress Tips & Trick.