Securing WordPress From Hackers

(Photo caption) Fluffy thinks outside the box when it comes to defending his blog against attackers.

No, this series on how to better secure your WordPress blog from being hacked does not expand on Fluffy’s alternative means of defending it.

Sorry.

However, we will look at some relatively easy things you can do to fortify your blog and take a defensive position without the use of hand grenades and land mines.

This series will run to 7 posts, each with a guided picture tutorial, and is intended for everyone from the seasoned web developer down to, well, maybe just above a beginner.

For this first post, though, I'd like to mention a few good practices and first steps you should take to better secure your WordPress blog. Following that, we'll look at ways to create multiple layers of protection by:

Create A Unique Username And Password

One way an intruder will try to get into your blog is by guessing your username and password, either by brute force (trying every possible combination of characters) or with a dictionary attack (trying a list of common passwords and words).

They point a bot at your login page that submits one guess after another, so your first step in protecting your blog is to choose a username that isn't the default and a password that is long and random enough not to appear on any such list. This is by far the easiest thing you can do, and it works remarkably well, yet so many people ignore it and settle for simple usernames and passwords.

Here's a quick test for you. John closes his eyes and puts both index fingers to his temples: your WordPress username is "admin." Am I right? If so, I'm already halfway there, and it took me all of half a second.

Don't let this worry you too much; if your username is admin, I'll show you how to change that in a follow-up post. Just keep in mind that the best passwords are long and random: a mixture of upper- and lowercase letters, numbers and symbols, not a word, a name or a date, and not one you already use somewhere else. Changing the username away from admin takes away something the attacker would otherwise get for free, but it's the password that has to hold up to the guessing.

Ok, so I've convinced you to create a good username and password, but now what? They can still sit there and guess at my password all day. What can I do about that?

Login LockDown - Your First Security Plugin

From the plugin's page: "Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range."

To put it simply, Login LockDown will block logins from an IP range for a specific amount of time (chosen by you) after so many unsuccessful login attempts (also chosen by you). Because the block covers a range rather than a single address, it also catches an attacker who hops between a few neighbouring addresses; the flip side is that legitimate users coming from the same range (for example, an office behind one shared gateway) are locked out along with them, so don't set the ban time longer than you'd be willing to explain to a reader.

Note that this plugin only takes effect when the correct username is used; if the username is wrong, the plugin doesn't take action. One consequence of that behaviour, as described, is that an attacker can tell a real username from a made-up one by whether the lockout kicks in, which is one more reason not to leave your username as "admin." I'm sure you'll want to test the plugin, so listen closely.

My suggestion: once the plugin is activated, go to its options page and set the ban time to 1 or 2 minutes. Then go back to the login page, enter your username, and try a number of incorrect passwords. After your specified number of incorrect attempts is reached, you should be banned . . . for 1 or 2 minutes. Now that you know it works, go back to the options page and change the ban time to something a bit longer.
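To make the two ideas above concrete (the dictionary attack from the first section, and the record-the-failure-then-lock-the-range behaviour Login LockDown describes), here is an added example in Python. It is not the plugin's code and not WordPress code; it is a small model of the same logic so you can see why a unique password and a lockout work together. Assumptions: "IP range" is taken to mean an IPv4 /24 (or IPv6 /64), every failed attempt counts whether or not the username exists (the post says the real plugin only counts attempts against a valid username), and the account list, wordlist and addresses are all constructed sample data.

```python
# Added example: a minimal failed-login lockout tracker modelled on the behaviour
# Login LockDown describes. NOT the plugin's code. Assumptions: "IP range" = /24 (v4)
# or /64 (v6); every failed attempt counts; all sample data below is constructed.
import ipaddress
from collections import defaultdict


def ip_range(ip: str) -> str:
    """Collapse an address to the range that gets locked (assumption: /24 or /64)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class LoginLockdown:
    def __init__(self, max_failures=3, window_seconds=300, lockout_seconds=3600):
        self.max_failures = max_failures        # "a certain number of attempts"
        self.window_seconds = window_seconds    # "within a short period of time"
        self.lockout_seconds = lockout_seconds  # how long logins stay disabled
        self.failures = defaultdict(list)       # range -> timestamps of recent failures
        self.locked_until = {}                  # range -> time the lock expires

    def is_locked(self, ip: str, now: float) -> bool:
        rng = ip_range(ip)
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:                        # lock expired: forget it
            del self.locked_until[rng]
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Log a failed attempt for the range; return True if this one triggers a lock."""
        rng = ip_range(ip)
        recent = [t for t in self.failures[rng] if now - t <= self.window_seconds]
        recent.append(now)
        self.failures[rng] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[rng] = now + self.lockout_seconds
            self.failures[rng] = []             # start counting afresh after the lock
            return True
        return False

    def attempt_login(self, ip, username, password, now, check_credentials) -> str:
        """Return 'locked', 'ok' or 'failed'. check_credentials is the real password check."""
        if self.is_locked(ip, now):
            return "locked"                     # login disabled for the whole range
        if check_credentials(username, password):
            return "ok"
        self.record_failure(ip, now)
        return "failed"


# Constructed sample data: one site with two accounts, and an attacker's short wordlist.
ACCOUNTS = {"admin": "password123", "k7_rivers": "Vq9!mz2#Lp4@xT8r"}
WORDLIST = ["123456", "password", "password123", "letmein", "admin", "qwerty", "welcome1"]


def check_credentials(username, password) -> bool:
    return ACCOUNTS.get(username) == password


def dictionary_attack(username, attacker_ip, lockdown, start=0.0, interval=1.0):
    """Try every wordlist entry from one IP, one guess per `interval` seconds.
    Returns (password found or None, guesses actually checked, guesses rejected as locked)."""
    checked = rejected = 0
    for i, guess in enumerate(WORDLIST):
        result = lockdown.attempt_login(attacker_ip, username, guess,
                                        start + i * interval, check_credentials)
        if result == "locked":
            rejected += 1
            continue
        checked += 1
        if result == "ok":
            return guess, checked, rejected
    return None, checked, rejected


def lockout_test_sequence(ip="203.0.113.7", ban_seconds=120):
    """The manual test from the post: wrong passwords until banned, then wait out the ban."""
    ld = LoginLockdown(max_failures=3, window_seconds=300, lockout_seconds=ban_seconds)
    results = [ld.attempt_login(ip, "k7_rivers", "wrong", t, check_credentials)
               for t in (0, 1, 2, 3)]
    after_ban = ld.attempt_login(ip, "k7_rivers", "Vq9!mz2#Lp4@xT8r",
                                 3 + ban_seconds, check_credentials)
    return results, after_ban


if __name__ == "__main__":
    print("manual test:", lockout_test_sequence())
    print("admin/password123:", dictionary_attack("admin", "198.51.100.9", LoginLockdown()))
    print("k7_rivers/strong:", dictionary_attack("k7_rivers", "198.51.100.10", LoginLockdown()))
```

Run it and the two attacks tell the story: "admin" with "password123" falls on the third guess, before the lockout has even triggered, while the account with a random password eats three guesses and then every further guess from that range is turned away until the ban expires. The lockout buys time; only the password actually keeps the attacker out.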

I’d like to thank the author of this plugin, Michael VanDeMar, for taking the time and answering a few questions I had on this plugin. Personally, I think this is a great plugin to have and highly recommend it.

More Of Fluffy’s Recommendations

Here are a few other quick tips to help keep your blog secure:

  • If someone completely takes down your blog or site, contact your web host's technical support and have them restore the backup they should have of your site. Your hosting company does keep backups of your site, doesn't it? Find out before you need one, and find out how far back they go. Then immediately log in, change your password, and read this series.
  • Plugins are another common source of security holes and a possible back door into your blog's files. As with WordPress itself, make sure you are running the latest version of every plugin you use. PlugInstaller is a handy plugin that gives you a one-click way to update your plugins to their latest versions.
  • Speaking of plugins, don't go plugin happy. The more you have, the slower your site loads and the more code an attacker has to pick through for a way into your files. Deactivate and delete the ones you don't use; a deactivated plugin's files are still sitting on the server.
  • I know a few of you author multiple blogs. Set up a separate database, with its own database user and password, for each one. In other words, don't share one database (or one set of database credentials) between 2 or 3 blogs. That way, if one blog is compromised, the database access an attacker gains stops there and the others stay insulated.
  • Customize your WordPress installation as much as possible. The less cookie-cutter your blog, the less likely it is to match the patterns automated attack tools look for, though this is no substitute for keeping everything updated.

Stay tuned. On Monday I’ll show you how to add an extra level of protection to your admin login by changing your default username.

If you're looking to start a blog and would like to host it with eVentureBiz Web Hosting, we'll be happy to install WordPress for you, upload a theme of your choice, install the WordPress plugins we typically suggest, and implement all of these security measures for you, free of charge. Don't forget, we also do web design.

And we won't stop there. We'll also be glad to set up some email addresses for you and get your FTP settings squared away.

Simply contact me and let me know what your needs are.
