Password Protect Your WordPress Blog

Stop Hackers: Protect Your WordPress Blog

3 July 2008 21 Comments

Welcome! If you are new here, you might want to subscribe to the RSS feed for updates on this topic.

You need some serious password protection if you have a WordPress blog.

Your wp-admin directory is not the only part of your blog that needs protection…plugins, scripts, includes and content can all be hacked.

I’m paying more attention to this now because one of my blogs got hacked last week. Hundreds of invisible links for body part enlargement products and porn were attached to one of my blog posts, and the only reason I discovered the hack was because there were so many lines of code they crashed the post. I was lucky that only one post was affected.

Research led me to the AskApache Password Protect plugin. This is a BIG gun – the author says “It’s like being surrounded by a small army, a sniper can still get you, but you can forget about the ground troops.” It’s simple enough to use – choose a username and password and you’re done.

I also recommend Replace WP Version. This plugin removes your blog version so virus and worm programs that rely on software versions are foiled.

Login LockDown will record the IP address and timestamp of failed WP login attempts, and will disable the login function if a certain number of failed attempts are made. This prevents brute force password recovery.

WP Security Scan scans your WP installation for security vulnerabilities and suggests corrective actions.

While researching this post I found even more information on safeguarding your blog from Mircea Goia’s post Is your WordPress blog hacked?Why not upgrade to the latest version?

Addendum: And yet another post with great tips How to Secure WordPress Sites.

It’s a matter of when, not if. Take these precautions before your blog gets hacked.

Tags: blog, blogs, password protection, wordpress

http://dbzer0.com db0

Thanks for this. Didn’t know about this plugin
http://www.maxsearch.com.au Search Engine

Great information for wordpress people …

I guess no system is perfect … IT is just lines of code after all
http://realestatetwincities.net Minneapolis MLS

Do you think the recent wp 2.5.1 plug-in has greatly reduced security risks?
http://www.directsaleswebmarketing.com/blogging-ti Dennis Edell

This is fantastic, thanks! So as far as you know, all the above plugins work together and don’t mess with other plugins either?

Btw, the WP Security Scan link goes to the Login Lockdown page, is that right?
http://www.mytestbox.com Mircea

Thanks for posting the link to my website regarding WordPress security. Hope it helps other people too.
http://www.seodiva.net/ SEO Diva

@db0 – you’re welcome!
@Search Engine – you’re right, and we have to protect ourselves online in many ways…just the way it is.
@Dennis – as far as I can tell they work fin together. Thanks for the tip on the link – I have corrected it.
@Mircea – thanks for your article – you have some great info in it.
http://virtualimpax.com Virtual Impax

I hadn’t heard of Apache Password Protect. Will definitely be giving that a try as well as the Replace WP version plug in! (I’ve been removing the references in themes by hand. This will be easier!)
Drunken Dragon

Nice articles. But I unrecommended Replace WP version plugin because it can’t be used with other plugin that read your WP blog version. See the plugin faq
http://www.seodiva.net/ SEO Diva

@Virtual Impax – trying to tweak themes can be so risky sometimes, I always look for a plugin to help me out!
@Drunken Dragon – thanks for your input – I will check it out.
http://devjargon.com devjargon

I would also suggest using a different account than the admin account. Through admin, create another account giving it full privileges and then delete the admin account. This will make hacking the account much harder since most bots / hackers try the admin account.

Just a suggestion though.
http://www.seodiva.net SEO Diva

@devjargon – excellent idea! I didn’t realize you could delete the admin account. That will be my next step. Thanks for the tip!
http://www.directsaleswebmarketing.com/why-you-wil Dennis Edell

Awesome idea, but just the thought scares the non-techie heck outa me
http://www.seodiva.net SEO Diva

Dennis – I held my breath and did it, and it worked just fine…I can still access my dashboard!
http://www.unlimitedcomplimentaryringtones.com John M

I am willing to use “Replace WP Version”, I think there is no need to install anything else if you can deceive a software by version change.
http://www.bitfoo.com Mark Ramige

I’m not sure if deleting the admin account will affect previous posts or not. But if you know how to edit the database (using phpmyadmin which most shared hosts have). You can go to the wp_users table. Edit the admin account and change the user_login field to whatever new name you want.
http://LinkMoney.org Rich Hill

Hey Diva,

I subscribed, gets you one closer to your goal.

I’m going to try some of these privacy tools, sounds like just what I’ve been looking for on one of my Blogs.

I’m trying to set up categories for individual subscribers, each to have their own section with login. Got to test some out.

Thanks.
Rich
http://www.newgate.uk.com/ Security Gates

Nice post, WordPress is becoming especially vunerable because of the sheer volume of people who have installed it on their servers. The Scan plugin in particular is really useful for picking up on plugins etc that offer a way in.

Remember you can password protect with htaccess too.
http://www.seodiva.net Seo Diva

@Security Gates – thanks for the plugin tip!
http://nthambazale.com Clement

Man, you are doing the digging for me. I am a great beneficiary of your resourcefulness. Many thanks keep them coming.

Clements last blog post..Do not be deceived, Google Adsense really pays!
RaiulBaztepo

Hello!
Very Interesting post! Thank you for such interesting resource!
PS: Sorry for my bad english, I’v just started to learn this language
See you!
Your, Raiul Baztepo
http://phoneservice.tblog.com/ Phone service

Good post i like the login lockdown it should stop most atempts. Thanks i have to look over the rest of them and see wich ones i want to try.

Phone services last blog post..Broadband phone voip service.