Published by John Hoff on 07 Sep 2008 at 06:18 pm
Securing Your WordPress Blog: Post 7 of 7 - Final Thoughts
[Image by Roo Reynolds]
We’ve reached the end in our series on how to better secure your WordPress blog. It’s been a bumpy road, but we made it.
The techniques I’ve shown here are by no means exhaustive and I don’t want to give you a false feeling that your blog is fully secured. However, the steps I’ve laid out should provide a decent amount of protection.
Many times these attackers are nothing more than kids who have a program which finds hundreds, if not thousands, of login pages accessible on the Web and runs a set of attack routines against these sites while the kid pulls his corn dogs out of the microwave and gets back to his PlayStation game.
The key here then is to accomplish two things:
- Create a series of roadblocks and redirects for anyone other than you who tries to access sensitive WordPress directories (like your login page).
- Make your default WordPress installation not so cookie-cutter.
These are essential steps you need to take in order to create at least some level of protection. As I’ve said before, it’s about creating multiple layers of protection.
Let’s take a quick look at some of the obstacles we have created for would-be intruders.
- No one other than you (and maybe a few others in your IP range) is allowed access to your login page.
- The easy default username (admin) that everyone knows has been changed.
- Your password is not easily guessed.
- We’ve limited the number of tries to guess your password thanks to the Login Lockdown Plugin.
- Even if the above were overcome, we’ve restricted access to your Dashboard by restricting access to wp-admin.
- We’ve obscured your database tables, so a simple program looking for the default wp_ table prefix will come up empty.
- The highly sensitive wp-config.php file has been blocked from view, as has the /plugins directory.
Another great tip is to limit the number of areas someone can enter text in a form box and click the “send” button.
Anywhere a user can enter some text and click submit or search, such as a blog search box or Contact Us form, a more sophisticated intruder may find an avenue into your database, for example through SQL injection.
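To make the search-box point concrete, here is an added example (not code from the original post or from WordPress itself) showing the same search handler written two ways: one that pastes the visitor’s term straight into the SQL string, and one that binds it as a parameter. It uses an in-memory SQLite database through PDO so it runs without WordPress or MySQL; the table, columns and rows are constructed for the demo.

```php
<?php
// Added example: a blog-style search written the vulnerable way and the safe way.
// Runs stand-alone with PHP's PDO + SQLite driver; no WordPress install needed.

function make_demo_db(): PDO {
    // Constructed stand-in for the wp_posts table with two published posts and one draft.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT)');
    $db->exec("INSERT INTO wp_posts VALUES (1, 'Hello world', 'publish')");
    $db->exec("INSERT INTO wp_posts VALUES (2, 'Unpublished draft', 'draft')");
    $db->exec("INSERT INTO wp_posts VALUES (3, 'Securing WordPress', 'publish')");
    return $db;
}

// VULNERABLE: the search term becomes part of the SQL text, so a visitor who types
// quotes and SQL keywords rewrites the WHERE clause instead of searching for a title.
function search_vulnerable(PDO $db, string $term): array {
    $sql = "SELECT post_title FROM wp_posts "
         . "WHERE post_status = 'publish' AND post_title LIKE '%$term%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: the term is sent as a bound parameter. Whatever it contains, the database
// treats it as data to compare against, never as part of the query.
function search_safe(PDO $db, string $term): array {
    $stmt = $db->prepare("SELECT post_title FROM wp_posts "
                       . "WHERE post_status = 'publish' AND post_title LIKE :pattern");
    $stmt->execute([':pattern' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_demo_db();
$hostile = "' OR 1=1 -- ";   // constructed input that ends the string and comments out the rest

print_r(search_vulnerable($db, $hostile)); // all three titles, the unpublished draft included
print_r(search_safe($db, $hostile));       // empty array: no title contains that literal text
```

Inside a real plugin the equivalent of the hardened version is `$wpdb->prepare()`, which WordPress provides for exactly this purpose. One caveat: parameter binding stops the term from changing the query’s meaning, but `%` and `_` in the term still act as LIKE wildcards, so a search handler should escape those too if it matters.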
A Note About Plugins
WordPress plugins are a fabulous thing; heck, I wrote an article entitled 50+ Wordpress Plugins & Hacks Candy Store. They let us modify and customize the layout and functions of our blogs. However, plugins add a huge security risk to our blogs.
WordPress plugins are written in the programming language PHP. As someone who has a degree in computer science (programming), I know computer code can be written in many ways to accomplish the same task: some quicker, smarter and more secure, others not so great. It really depends on the programmer’s experience and knowledge.
Do you know the expertise and education of the person who coded that plugin you’re using?
What security features did they add? Did they use a decode call improperly in the code (which could be dangerous)? Does the plugin run slowly, thus slowing down your website?
A simple line of code in that plugin (which connects to your database) could leave a major security hole in your WordPress fortress. Whether it’s intentional or unintentional doesn’t matter. This is one reason why you might want to protect your /plugins directory and hide which plugins you’re using.
I’m not saying stop using plugins altogether. Just don’t go plugin happy.
In fact, if you’re not using one, delete it from your server. That removes a potential security hole and speeds up your website’s load time, since the server won’t need to process it.
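The “decode call” and “simple line of code that connects to your database” warnings above can be turned into a quick audit. The following is an added example, not code from the original post, from WordPress or from any plugin mentioned here: a small PHP script that reads plugin source and flags constructs that deserve a manual look before the plugin goes live. The pattern list and the two sample plugin sources are constructed for the demo; treat hits as triage leads, not proof of anything.

```php
<?php
// Added example: flag risky PHP constructs in plugin source before installing it.
// Pure string/regex matching, so it runs offline on any PHP install.

/** Constructed pattern list: label => regex. Each marks something worth reading by hand. */
const RISKY_PATTERNS = [
    'eval of decoded payload'          => '~\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(~i',
    'bare eval'                        => '~\beval\s*\(~i',
    'shell execution'                  => '~\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(~i',
    'remote include'                   => '~\b(include|require)(_once)?\s*\(?\s*[\'"]https?://~i',
    'unfiltered request data in query' => '~\$wpdb->(query|get_results|get_row|get_var)\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE)~i',
    'preg_replace /e modifier'         => '~preg_replace\s*\(\s*[\'"]/[^\'"]*/[a-zA-Z]*e[a-zA-Z]*[\'"]~',
];

/** Scan one file's contents; returns [line_number => [labels...]] for lines that matched. */
function scan_plugin_source(string $source): array {
    $findings = [];
    foreach (explode("\n", $source) as $i => $line) {
        foreach (RISKY_PATTERNS as $label => $pattern) {
            if (preg_match($pattern, $line)) {
                $findings[$i + 1][] = $label;
            }
        }
    }
    return $findings;
}

/** Walk a plugin directory and scan every .php file; returns [path => findings]. */
function scan_plugin_dir(string $dir): array {
    $report = [];
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $findings = scan_plugin_source(file_get_contents($file->getPathname()));
        if ($findings) {
            $report[$file->getPathname()] = $findings;
        }
    }
    return $report;
}

// Constructed sample plugin sources: one written cleanly, one with red flags.
$clean_plugin = <<<'PHP'
<?php
/* Plugin Name: Demo Clean (constructed sample) */
function demo_clean_footer() { echo esc_html(get_option('demo_text')); }
add_action('wp_footer', 'demo_clean_footer');
PHP;

$shady_plugin = <<<'PHP'
<?php
/* Plugin Name: Demo Shady (constructed sample) */
$q = $wpdb->get_results("SELECT * FROM {$wpdb->posts} WHERE post_title = '" . $_GET['s'] . "'");
eval(base64_decode('cGhwaW5mbygpOw=='));
PHP;

print_r(scan_plugin_source($clean_plugin)); // empty array: nothing flagged
print_r(scan_plugin_source($shady_plugin));
// line 3: unfiltered request data in query
// line 4: eval of decoded payload, bare eval
// For a real install: print_r(scan_plugin_dir('/path/to/wp-content/plugins'));
```

Legitimate plugins occasionally use `eval` or `exec` for good reasons, so a hit means “read this line,” not “delete this plugin.” What you are looking for is a match you cannot explain after reading the surrounding code, especially one that decodes a blob you cannot read.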
The WP Security Scan Plugin
It’s only natural after mentioning a warning about using plugins that I offer up a new plugin to try!
The WP Security Scan Plugin will scan your WordPress installation for a few common security holes WordPress default installs have and suggest the corrective action.
If you’ve followed along and implemented the strategies I’ve mentioned in this series, you shouldn’t have many, if any, problem areas the WP Security Scan will find.
2 Tools To Enhance Your Security
KeyScrambler For Firefox
If you’re using Firefox as your Web browser of choice (you should), consider installing the KeyScrambler add-on. This little add-on scrambles the keystrokes you make in Firefox so keyloggers can’t see what you’re typing (for example, your username and password).
Of course it’s not 100% foolproof, but what is?
It’s just one more layer of . . . you guessed it, protection!
RoboForm Password Manager & Web Form Filler
If you’re like me, you have about a gazillion logins and passwords to various sites. Unlike me, you probably use the same login and/or password for many of these sites. That’s bad. Let me give you an example.
Let’s say you have an account on some social media site (like my StumbleUpon page) and, just for fun, I decided to hack their system and gained access to thousands of usernames and passwords (not something I would ever do).
What I could do then is log in using your username and password and gain all kinds of information about you in your preferences, like your email address for example.
Let’s take a look at what I have now. I have:
- A common username you use.
- Your email address.
- A password I can almost guarantee you use on other sites as well.
Now what if I discovered you have a blog or what bank you bank with?
Need I go on?
So here’s how to remedy that problem. There’s a great tool I’d like to suggest (no it’s not an affiliate link) called RoboForm.

This program has received glowing reviews and contains no spyware or adware. It will help you generate strong passwords and let you auto-login to any site or page that requires you to log in. Your passwords are all encrypted so no one can see them. It also has a form auto-fill feature for one-click inserts of your name, address, phone, etc.
This tool has allowed me to create a unique strong password for every site I’m a member of, and each time I return to that site I click once and my username and password are filled in automatically.
The upside is it’s free for 30 days. The downside is that after your 30 days are up it turns into a lite version, and I believe this tool is only available for Windows users. The program only costs $30 and I think it’s well worth it.
This concludes our series on how to better secure your WordPress blog. I hope you found this information useful and please don’t hesitate to ask questions.
If you’re looking to start a blog and would like to host it with eVentureBiz Web Hosting, we’ll be happy to install WordPress for you, upload a theme of your choice, and install the typical WordPress plugins we suggest, as well as implement all these security features for you, free of charge. Don’t forget, we also do web design.
And we won’t stop there. We’ll also be glad to set up some email addresses for you and get your FTP settings squared away.
Simply contact me and let me know what your needs are.
Related Posts
- Fluffy’s Guide To Securing Your WordPress Blog - Post 1
- Securing Your WordPress Blog: Post 2 - How To Change Your Username
- Securing Your WordPress Blog: Post 6 - Protecting The wp-config.php File
- Securing Your WordPress Blog: Post 5 - What To Do If Your Blog Is Cracked
- Securing Your WordPress Blog: Post 4 - Setting Up .htaccess
Lancashire Website Design
on 12 Dec 2008 at 4:42 am
I don’t have a degree in computer science but it worries the life out of me that so many people seem to openly embrace Wordpress plugins without any concern for security. At least WP itself - being so well developed in such a wide community is on the good guys side… A good post and thanks - bookmarked.
John Hoff
on 12 Dec 2008 at 10:16 am
Hi Lancashire. Agreed, anyone can write a plugin, slap up a website, and potentially gain access to millions of blogs. Just a few pieces of code would do it. It’s too bad we have scrupulous people in the world like that which limit how much fun we can have in life without worrying.