Stop Hackers: Protect Your WordPress Blog

You need some serious password protection if you have a WordPress blog.

Your wp-admin directory is not the only part of your blog that needs protection…plugins, scripts, includes and content can all be hacked.

I’m paying more attention to this now because one of my blogs got hacked last week. Hundreds of invisible links for body part enlargement products and porn were attached to one of my blog posts, and the only reason I discovered the hack was because there were so many lines of code they crashed the post. I was lucky that only one post was affected.

Research led me to the AskApache Password Protect plugin. This is a BIG gun - the author says “It’s like being surrounded by a small army, a sniper can still get you, but you can forget about the ground troops.” It’s simple enough to use - choose a username and password and you’re done.

I also recommend Replace WP Version. This plugin removes your blog version so virus and worm programs that rely on software versions are foiled.

Login LockDown will record the IP address and timestamp of failed WP login attempts, and will disable the login function if a certain number of failed attempts are made. This prevents brute force password recovery.
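To show what a lockout like Login LockDown's is doing under the hood, here is an added illustration (my own code, not the plugin's): it records the IP and timestamp of each failed login, refuses further logins from that IP once a threshold is reached inside a sliding window, and lets the lock expire after a set time. The thresholds and the IP addresses in the test are assumed values, not the plugin's defaults.

```python
# Added illustration of a failed-login lockout; NOT the Login LockDown plugin's code.
from collections import defaultdict, deque

MAX_FAILURES = 5            # failed attempts allowed before lockout (assumed value)
WINDOW_SECONDS = 5 * 60     # failures are only counted within this sliding window
LOCKOUT_SECONDS = 60 * 60   # how long a locked IP stays locked


class LoginLockdown:
    def __init__(self, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.locked_until = {}              # ip -> time the lockout expires
        self.log = []                       # (ip, timestamp) of every failed attempt

    def _prune(self, ip, now):
        # Drop failures that fell outside the counting window.
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Log a failed attempt; return True if it triggered a lockout."""
        self.log.append((ip, now))
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            self.failures[ip].clear()
            return True
        return False

    def attempt(self, ip, now, password_ok):
        """Gate one login attempt: returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip, now):
            # A locked IP is refused even with the correct password, so a
            # guesser cannot tell a hit from a miss until the lock expires.
            return "locked"
        if password_ok:
            self.failures[ip].clear()
            return "ok"
        self.record_failure(ip, now)
        return "failed"
```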

WP Security Scan scans your WP installation for security vulnerabilities and suggests corrective actions.

While researching this post I found even more information on safeguarding your blog from Mircea Goia’s post Is your Wordpress blog hacked? Why not upgrade to the latest version?

Addendum: And yet another post with great tips How to Secure WordPress Sites.

It’s a matter of when, not if. Take these precautions before your blog gets hacked.


18 Comments

  1. Posted July 3, 2008 at 10:47 pm | Permalink

    Thanks for this. Didn’t know about this plugin ;)

  2. Posted July 4, 2008 at 4:40 am | Permalink

    Great information for wordpress people …

    I guess no system is perfect … IT is just lines of code after all

  3. Posted July 4, 2008 at 2:48 pm | Permalink

    Do you think the recent wp 2.5.1 plug-in has greatly reduced security risks?

  4. Posted July 4, 2008 at 5:22 pm | Permalink

    This is fantastic, thanks! So as far as you know, all the above plugins work together and don’t mess with other plugins either?

    Btw, the WP Security Scan link goes to the Login Lockdown page, is that right?

  5. Posted July 4, 2008 at 6:41 pm | Permalink

    Thanks for posting the link to my website regarding Wordpress security. Hope it helps other people too.

  6. Posted July 5, 2008 at 9:24 am | Permalink

    @db0 - you’re welcome!
    @Search Engine - you’re right, and we have to protect ourselves online in many ways…just the way it is.
    @Dennis - as far as I can tell they work fine together. Thanks for the tip on the link - I have corrected it.
    @Mircea - thanks for your article - you have some great info in it.

  7. Posted July 5, 2008 at 10:36 am | Permalink

    I hadn’t heard of Apache Password Protect. Will definitely be giving that a try as well as the Replace WP version plug in! (I’ve been removing the references in themes by hand. This will be easier!)

  8. Posted July 6, 2008 at 10:04 pm | Permalink

    Nice articles. But I don’t recommend the Replace WP version plugin because it can’t be used with other plugins that read your WP blog version. See the plugin FAQ.

  9. Posted July 7, 2008 at 11:19 am | Permalink

    @Virtual Impax - trying to tweak themes can be so risky sometimes, I always look for a plugin to help me out!
    @Drunken Dragon - thanks for your input - I will check it out.

  10. Posted July 8, 2008 at 6:06 am | Permalink

    I would also suggest using a different account than the admin account. Through admin, create another account giving it full privileges and then delete the admin account. This will make hacking the account much harder since most bots / hackers try the admin account.

    Just a suggestion though.

  11. Posted July 8, 2008 at 7:53 am | Permalink

    @devjargon - excellent idea! I didn’t realize you could delete the admin account. That will be my next step. Thanks for the tip!

  12. Posted July 8, 2008 at 8:22 am | Permalink

    Awesome idea, but just the thought scares the non-techie heck outa me :-)

  13. Posted July 8, 2008 at 9:50 am | Permalink

    Dennis - I held my breath and did it, and it worked just fine…I can still access my dashboard!

  14. Posted July 11, 2008 at 5:38 am | Permalink

    I am willing to use “Replace WP Version”, I think there is no need to install anything else if you can deceive a software by version change.

  15. Posted August 2, 2008 at 7:26 pm | Permalink

    I’m not sure if deleting the admin account will affect previous posts or not. But if you know how to edit the database (using phpMyAdmin, which most shared hosts have), you can go to the wp_users table, edit the admin account and change the user_login field to whatever new name you want.

  16. Posted August 10, 2008 at 4:49 am | Permalink

    Hey Diva,

    I subscribed, gets you one closer to your goal.

    I’m going to try some of these privacy tools, sounds like just what I’ve been looking for on one of my Blogs.

    I’m trying to set up categories for individual subscribers, each to have their own section with login. Got to test some out.

    Thanks.
    Rich

  17. Posted November 4, 2008 at 9:17 am | Permalink

    Nice post, Wordpress is becoming especially vulnerable because of the sheer volume of people who have installed it on their servers. The Scan plugin in particular is really useful for picking up on plugins etc. that offer a way in.

    Remember you can password protect with htaccess too.

  18. Posted November 4, 2008 at 2:20 pm | Permalink

    @Security Gates - thanks for the plugin tip!
