This post is written by Mark Twain who works for a conversion rate optimization company Invesp and blogs mainly about landing page templates, conversion rate optimization, SEO and affiliate marketing.
WordPress is the most popular blogging platform on the web, mainly because it is so easy and user-friendly that even a person with no technical knowledge can learn it in ten minutes. This huge popularity has also made WordPress the primary target of hackers. In this article we'll cover six things which you should do to make your WordPress blog safer.
Some posts ago we covered some stories about WordPress being hacked, and I also told you about some of my friends who got hacked many times and shared the fact that "Hackers Compete".

Remove The Footprints – This is the easiest way for a hacker to find your blog. Almost all WordPress themes come with a footer credit, something like "theme by XYZ". So if a hacker finds an exploit in any such theme, he can search Google for that footprint and easily compile a list of blogs using that theme.
To delete the footprint, go to the Theme Editor option in your Dashboard, find the file named "footer.php" and remove the links. This way, your website will not appear in such search queries.
Remove The Meta Generator Tag – By default, almost all WordPress themes use a meta generator tag something like this –
<meta name="generator" content="WordPress 2.7" />
This tag reveals the WordPress version you are using. If a hacker finds an exploit in a particular WordPress version, all he has to do is view your page source and check whether you are running that version.
To remove the meta generator tag, go to the Theme Editor in your WordPress Dashboard again, find the file named header.php, and delete the following code.
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats -->
Remove Footprints Of Plugins – Many WordPress plugins leave a footprint on the blog, mostly a link back to the developer's site. You can easily remove such footprints by editing the plugin's files. If you want to give recognition to those developers, it's better to write a post and link to them, rather than linking from footprints.
Disable Directory Indexing – Directory indexing means that anyone can browse the directories on your server. Make sure that you have disabled it. To check, type the following after your domain name: "/wp-content/plugins/"
Like this,
http://example.com/wp-content/plugins/
Now if you can see the list of WordPress plugins installed on your website, like on this site,
http://www.yvideoblog.com/blog/wp-content/plugins/
then please disable it ASAP. To disable directory indexing, just copy the following line into your .htaccess file and upload it to your server.
Options -Indexes
Now a 404 page will appear when anyone tries to check the plugins installed on your blog.
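A self-check for the footprints described in the tips above (footer credit, meta generator tag, open directory listing), as an added example that is not part of the original post: it parses a response from your own blog and reports what a visitor can still see. The function and class names and the sample responses are constructed for illustration; fetching the pages is left to the caller.

```python
import re
from html.parser import HTMLParser

CREDIT = re.compile(r"\b(theme|designed|powered)\s+by\b", re.I)

class FootprintParser(HTMLParser):
    """Collects generator meta tags, the page title and footer-credit links."""
    def __init__(self):
        super().__init__()
        self.generators, self.credits, self.title = [], [], ""
        self._open = None        # tag opened most recently and not yet closed
        self._pending = False    # saw "Theme by ..." text, waiting for its link

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._open = tag
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generators.append(a.get("content") or "")
        elif tag == "a" and self._pending:
            self.credits.append(a.get("href") or "")
            self._pending = False

    def handle_endtag(self, tag):
        self._open = None

    def handle_data(self, data):
        if self._open == "title":
            self.title += data
        elif CREDIT.search(data):
            self._pending = True

def audit_page(status, html):
    """Return (kind, detail) findings for one response: status code and body."""
    p = FootprintParser()
    p.feed(html)
    p.close()
    found = [("generator", g) for g in p.generators]
    found += [("credit-link", h) for h in p.credits]
    # Apache's auto-generated listing pages are titled "Index of /<path>".
    if status == 200 and p.title.strip().lower().startswith("index of /"):
        found.append(("directory-listing", p.title.strip()))
    return found

# Constructed sample responses (not captured from any real site).
HOME_BEFORE = ('<html><head><title>My Blog</title>'
               '<meta name="generator" content="WordPress 2.7" /></head><body>'
               '<div id="footer">Theme by <a href="http://theme.example/">XYZ</a></div></body></html>')
HOME_AFTER = '<html><head><title>My Blog</title></head><body><div id="footer"></div></body></html>'
LISTING = '<html><head><title>Index of /wp-content/plugins</title></head><body></body></html>'
```

An empty result from `audit_page` for both the home page and `/wp-content/plugins/` means the three footprints are gone; the exact error status returned for the directory depends on the server configuration.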
Hide Admin Directory – This tip is only for bloggers with some programming knowledge. By default, the admin directory of a WordPress blog is located in the /wp-admin folder. You can change the name to any random name, so that a hacker can't find your admin directory easily. Here is a detailed tutorial about this – http://www.michiknows.com/2007/02/12/who-else-wants-to-hide-their-wordpress-admin-folder/
Avoid Shared Hosting – We all know that shared hosting is more vulnerable to hacking. Most of these cheap hosting servers host 500-600 domains at one time and lack security infrastructure. So if possible, go for a reputed hosting company with a good hosting plan.
Download Plugins From Official WordPress Site – This is not a rocket science tip. Just make sure that you download all your WordPress plugins from the WordPress site only and not from any other site.
These were the six things which you can do to make your WordPress blog safer. Do you know of any more tips? Then feel free to share them in the comments below.
Remember this post is written by Mark Twain. Don’t forget to thank him by commenting here!
Last Updated: May 23, 2012









{ 42 comments… read them below or add one }
I have already done these things mate, and for shared hosting HostGator is best. Anyways, thanks for sharing this great post Gagandeep :)
Keep it up
.-= Dev | Technshare´s Last blog ..30+ Inspirational Social Bookmarking Sites =-.
This was the first post by Gagandeep on BJ and the post I feel is wonderful!
But is it safe to remove the footer credits (links)? I once opened the footer.php, and there I could see "if you remove the links, your blog will not work"
.-= Blogging Tips´s Last blog ..Bye Bye Blogger, welcome Wordpress Self Host =-.
@Blogging Tips, are you serious? There is nothing like this; they write such kind of code so that bloggers get scared and don't remove those links.
For eg – on your blog , you’re linking to “CD Rates, Free MMORPG Games and Home Information Packs”
Just remove them.
.-= Gagan @ Conversion rate´s Last blog ..Interview with WebProNews =-.
Actually Gagan some write these codes to scare bloggers, but some themes aren’t so! Some do what they write. In some case this can come true. Some theme makers put codes in their themes that makes the theme unusable when the links are removed. Such themes can be found at “NewWpThemes.Com”.
My theme is also from "newwpthemes.com". I see that your theme is also from "newwpthemes", but you don't have such links. Why??? Have you removed them??
.-= Blogging Tips´s Last blog ..Bye Bye Blogger, welcome Wordpress Self Host =-.
Yes I removed them bro!
It's a myth, there is nothing like this. Even if you have any doubts, take a backup of that file, and if something goes wrong you can go back to the default settings.
.-= Gagan @ Conversion rate´s Last blog ..Interview with WebProNews =-.
Ya sure ! I’ll try doing that Gagan
.-= Blogging Tips´s Last blog ..Bye Bye Blogger, welcome Wordpress Self Host =-.
Bro the themes that come from NewWpThemes come code protected! The links in the footer can’t be removed. I tried removing them, but to no success. Then I removed the code altogether.
Will you help me in removing those links completely along with code ??
.-= Blogging Tips´s Last blog ..Bye Bye Blogger, welcome Wordpress Self Host =-.
Sure! Send me the theme by e-mail and I will send it back to you with the edit!
Some theme developers treat the removal of the footer from the theme as a violation of their terms and conditions, and it's best you do not remove the footer.
.-= Tushar´s Last blog ..Your Opinion on BloggersPassion and Content =-.
But the links aren’t good bro! They link to some unrelated websites and can reduce our ranks!
Thanks for the tips, it's better to take regular backups.
.-= Anish K.S´s Last blog ..Reliance Communications Commemorates 100 Mn Customer Landmark with Free Celebratory Airtime on 28th March =-.
Yes. Taking backups is a must-do job.
BTW, which plugin do you suggest for backups?
.-= Blogging Tips´s Last blog ..How to remove the Comment Luv error =-.
Just delete the code in the footer, but before that, have you given WordPress permission to write to your files on the server?
If not, then please refer to this tutorial –
http://codex.wordpress.org/Changing_File_Permissions
.-= Gagan @ Conversion rate´s Last blog ..Interview with WebProNews =-.
Gagan, I’ve sent you an e-mail. Please take a note of it!
I haven't given it yet. Is it compulsory??
.-= Blogging Tips´s Last blog ..Bye Bye Blogger, welcome Wordpress Self Host =-.
I manually back up my files from cPanel. But if you want to back up only databases, then use the wp-dbmanager plugin. It's the best one!
Good tips. Security is a major concern these days.
Yes. It's a must these days. Today is the time of spammers and hackers!
Wow, what a coincidence! I too wrote about security on my blog yesterday, but mine was about a free software with the help of which we can find vulnerabilities in our sites and blogs. And your post just covers how to remove these vulnerabilities after finding them :)
.-= Shiva @ SEO Magazine´s Last blog ..WebSecurify – Finds Out Your Sites’ Vulnerabilities =-.
Great. This is like One post in Two parts in two blogs!
Thanks for this informative post Saksham.
You’re welcome bro! Thanks to Gagan!
Wow! You have a great blog. Now I'm your fan on Facebook. Don't forget to be mine too :) The option is on my blog.
Thanks!
.-= Anup´s Last blog ..Hack Tutors new custom domain http://www.hacktutors.info =-.
I will surely be your fan bro!
Nice tips, but it's not possible for everyone to get VPS or dedicated hosting from the start. But after taking some security precautions, shared hosting is as good as dedicated.
.-= Sushant @ Technology Design´s Last blog ..Avira Premium 10 Slow Speed and Errors Solution =-.
Yeah, you’re right! VPS and Dedicated hosting is very expensive!
Great post Gagan. It’s great to see you writing for BJ here. All the best :)
.-= TechChunks´s Last blog ..Top 10 Secrets You Never Knew About Your Blog Readers =-.
His first post here is a bang!
Great tips, I implement all of those but the domain, which I have to share right now. Once the site gets the traffic for a different setup, I will update it.
.-= element321´s Last blog ..52 Beautiful Examples of HDR Photography =-.
That’s fine. Thanks for the comment here mate and nice to have you here! Hope to see you back here soon!
Two more security tips:
1) If you’re not hosting blog in root dir, and if blog dir is /blog then move the wp-config.php one level higher to root dir of domain (wordpress will find the config file from the higher dir); if you’re hosting in root dir, open wp-load.php and change the ABSPATH to something else and keep the config file there. Thus, hackers won’t be able to easily locate where your config file is :)
2) Normally after wordpress blog creation, the username is “admin”. Login as ‘admin’ and go to your profile page, create a new username with alphabets+digits and set a new password. Now give administrator privileges to this new username. Then logout from ‘admin’ and re-login with new username and go to users & profiles, delete the default ‘admin’ username. Thus, hacker will now have an additional hard task to find out your username! So, your username & password both will act as passwords now – let the hacker do the most difficult job of finding out both unusual strings of chars :)
.-= Florence´s Last blog ..Statius Wordpress Theme by Camelgraph =-.
Both points you mentioned are very useful. But I like the second point more. But I think hackers can do it easily. I mean, in our posts there comes a line "Written By Saksham Talwar" in my site's case, if the site theme supports it. The words Saksham Talwar (author name) link to the author profile. And the author profile link contains the username.
For example in my site Saksham Talwar links to,
http://www.bloggingjunction.com/author/admin
Admin is the user name! So hackers can get the user name from the profile URL!
Oh, in that case just edit the theme files and erase off “posted by” portion or set a fancy name for yourself and delete the linking :P Normally we do not require author archives, maybe required if there are some other guest posters. (can we use a URL cloaking in that case?)
.-= Florence´s Last blog ..Statius Wordpress Theme by Camelgraph =-.
URL cloaking will be possible if we have only one author I guess! Because it will be very difficult to make cloaked URL’s come in place of author links using PHP. Well author archives aren’t that necessary if there is only one author in our blog, but I love author pages. That’s the reason I use them!
Great tips, especially about removing the meta generator tag (I never read about this before).
Thanks mate, I'll try to remove it.
Surely remove it! It will make your blog safer by 1 point!