  1. #1
    SitePoint Enthusiast
    Join Date
    Apr 2006
    Location
    Chicago
    Posts
    38
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Securing WordPress

    When you Google "how to secure wordpress" you get a plenty of results. However, what are the most important things that I can do to secure my blog?

    Thanks.

  2. #2
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    16,498
    Mentioned
    164 Post(s)
    Tagged
    1 Thread(s)
    I'd say the single most important thing is to always keep your blog updated to the latest version.

    Being open-source, vulnerabilities, once known, can be easily found by the skiddies. Stay a step ahead of them and the odds are in your favor.

  3. #3
    SitePoint Enthusiast
    Join Date
    Apr 2006
    Location
    Chicago
    Posts
    38
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I am already on top of that. Anything else? Based on the reading that I've done, it's recommended to secure the .htaccess file.

  4. #4
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    16,498
    Mentioned
    164 Post(s)
    Tagged
    1 Thread(s)
    Having secure permission settings is important, and yes, the htaccess file shouldn't be HTTP accessible. Another thing you could do is NOT use the default "wp" prefix.

  5. #5
    SitePoint Enthusiast
    Join Date
    Apr 2006
    Location
    Chicago
    Posts
    38
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    How do I make sure that "the .htaccess file is not HTTP accessible" ?

  6. #6
    In memoriam gold trophysilver trophybronze trophy Dan Schulz's Avatar
    Join Date
    May 2006
    Location
    Aurora, Illinois
    Posts
    15,495
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The best way to do it would be to put a two letter combination other than wp into the config.php file before you install WordPress. That way it will set up the database using that prefix instead of the default wp. I've got a few links that show how to secure WordPress laying around. I'll see if I can find them for you.

  7. #7
    SitePoint Enthusiast
    Join Date
    Apr 2006
    Location
    Chicago
    Posts
    38
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Is it possible to change the prefix once the blog is already live? Like mine.

  8. #8
    In memoriam gold trophysilver trophybronze trophy Dan Schulz's Avatar
    Join Date
    May 2006
    Location
    Aurora, Illinois
    Posts
    15,495
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I think so. You'd have to update your config.php file afterward though.

  9. #9
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,608
    Mentioned
    24 Post(s)
    Tagged
    1 Thread(s)
    Rename all the tables in the database and change the value in the config.php file. The first of these would be most easily done via phpMyAdmin: select each table in turn, go to the Operations tab, type the new prefix in place of wp_ in the "rename to" field and press the Go button, then repeat for the next table.

    Alternatively you need to type into the SQL tab (substituting your chosen prefix for each spot where I have put blog_)

    Code:
    RENAME TABLE wp_comments TO blog_comments;
    RENAME TABLE wp_links TO blog_links;
    RENAME TABLE wp_options TO blog_options;
    RENAME TABLE wp_postmeta TO blog_postmeta;
    RENAME TABLE wp_posts TO blog_posts;
    RENAME TABLE wp_terms TO blog_terms;
    RENAME TABLE wp_term_relationships TO blog_term_relationships;
    RENAME TABLE wp_term_taxonomy TO blog_term_taxonomy;
    RENAME TABLE wp_usermeta TO blog_usermeta;
    RENAME TABLE wp_users TO blog_users;
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">
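    A generator for the whole prefix change described above, added here as an example and not the poster's own code. It goes one step beyond the post: besides the RENAME TABLE statements it also rewrites the rows that embed the prefix (the `<prefix>user_roles` option and the `<prefix>capabilities` / `<prefix>user_level` usermeta keys), because renaming the tables alone leaves every account without a role; the `$table_prefix` line in wp-config.php still has to be edited by hand. The table list is the one from the post, used as constructed sample input.

```python
import re

# Constructed sample input: the table list from the post above (an older
# WordPress schema); in practice feed it the output of SHOW TABLES.
WP_TABLES = [
    "wp_comments", "wp_links", "wp_options", "wp_postmeta", "wp_posts",
    "wp_terms", "wp_term_relationships", "wp_term_taxonomy",
    "wp_usermeta", "wp_users",
]

_SAFE_PREFIX = re.compile(r"^[A-Za-z0-9_]+$")


def is_safe_prefix(prefix):
    """WordPress only allows letters, digits and '_' in $table_prefix; the same
    rule keeps the generated SQL free of identifier or string-literal breakouts."""
    return bool(_SAFE_PREFIX.match(prefix))


def prefix_change_sql(tables, old_prefix, new_prefix):
    """Return the SQL statements that move a site from old_prefix to new_prefix."""
    if not (is_safe_prefix(old_prefix) and is_safe_prefix(new_prefix)):
        raise ValueError("prefixes may contain only letters, digits and '_'")
    stmts = []
    for table in sorted(tables):
        if not table.startswith(old_prefix):
            continue  # other applications' tables in the same database stay as they are
        stmts.append("RENAME TABLE `%s` TO `%s%s`;"
                     % (table, new_prefix, table[len(old_prefix):]))
    # Rows that embed the prefix: '<prefix>user_roles' in options and the
    # '<prefix>capabilities' / '<prefix>user_level' keys in usermeta.
    # '_' is a one-character wildcard in LIKE, so escape it: 'wp_%' would also
    # match a key such as 'wpxcapabilities'.
    like = old_prefix.replace("_", "\\_") + "%"
    skip = len(old_prefix) + 1  # SUBSTRING positions are 1-based
    for table, col in (("options", "option_name"), ("usermeta", "meta_key")):
        stmts.append(
            "UPDATE `%s%s` SET %s = CONCAT('%s', SUBSTRING(%s, %d)) WHERE %s LIKE '%s';"
            % (new_prefix, table, col, new_prefix, col, skip, col, like))
    return stmts


if __name__ == "__main__":
    print("\n".join(prefix_change_sql(WP_TABLES, "wp_", "blog_")))
```

    Run the printed statements in phpMyAdmin's SQL tab with an account that has ALTER and UPDATE rights, then change `$table_prefix` in wp-config.php to the new value.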

  10. #10
    SitePoint Enthusiast
    Join Date
    Apr 2006
    Location
    Chicago
    Posts
    38
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I have the WP Security Scan plugin installed. It allows me to change the prefix. If I use the plugin's option to change the prefix, will I still need to update the config.php file?

  11. #11
    In memoriam gold trophysilver trophybronze trophy Dan Schulz's Avatar
    Join Date
    May 2006
    Location
    Aurora, Illinois
    Posts
    15,495
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I'm pretty sure you would, yes.

  12. #12
    SitePoint Enthusiast
    Join Date
    Apr 2006
    Location
    Chicago
    Posts
    38
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I tried using the WP Security Scan plugin to change the prefix but I get the following message when I enter the new prefix and click the START RENAMING button.

    Your User which is used to access your Wordpress Tables/Database, hasn't enough rights( is missing ALTER-right) to alter your Tablestructure. Please visit the plugin documentation for more information. If you believe you have alter rights, please contact the plugin author for assistance.

    What do I need to change? I am the admin.

  13. #13
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,608
    Mentioned
    24 Post(s)
    Tagged
    1 Thread(s)
    You will need to use a user login that has alter rights to be able to run that option. You may want to give the user that WordPress uses alter rights temporarily in order to run that command and then remove the alter rights again as that user would not normally need alter rights except to make that change.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  14. #14
    SitePoint Enthusiast
    Join Date
    Apr 2006
    Location
    Chicago
    Posts
    38
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Can I create a second user account for myself with admin rights to accomplish this?

  15. #15
    In memoriam gold trophysilver trophybronze trophy Dan Schulz's Avatar
    Join Date
    May 2006
    Location
    Aurora, Illinois
    Posts
    15,495
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes, you can. In fact, I'd also make that user the administrator and leave it - then delete the admin account name afterward (assigning everything to the new user).

  16. #16
    SitePoint Enthusiast
    Join Date
    Apr 2006
    Location
    Chicago
    Posts
    38
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Dan,

    What else do you recommend to secure a WordPress blog? There are many options that come up on Google, but which are the top 3?

  17. #17
    In memoriam gold trophysilver trophybronze trophy Dan Schulz's Avatar
    Join Date
    May 2006
    Location
    Aurora, Illinois
    Posts
    15,495
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Still going through my bookmarks. I've got hundreds of them on WordPress alone, so it's taking some time - despite being organized better than the Dewey decimal system.

  18. #18
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    16,498
    Mentioned
    164 Post(s)
    Tagged
    1 Thread(s)
    Regarding the htaccess file, check to see that it has
    RewriteEngine on
    Options +FollowSymlinks
    and
    Code:
    RewriteRule ^\.htaccess$ - [F]
    it's also a good idea to have
    Code:
    Options -Indexes
    The "on" is needed for the "rules" to work.
    The "symlinks" is for rewritten URL links.
    The "[F]" flags HTTP requests for ".htaccess" as Forbidden.
    Although folders can have a "dummy index" file so that HTTP requests like
    .../wp-content/plugins/
    won't show Apache's default directory content list, the "-Indexes" works for folders without one.

    Also, you can remove the readme.html file. It contains the WordPress version number. Of course the version also shows other places too, and it's not that important if you keep the blog up to date, but I have had HTTP requests for it in my logs.

    I realize some measures are "security by obscurity" which really isn't security at all. But the more difficult you make things for the skiddies the more likely they'll go elsewhere.
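    An audit that reads an .htaccess body and reports which of the four protections above are missing, added here as an example rather than the poster's own code. The sample file and the parsing rules are my own: it parses directives instead of grepping for strings, so it copes with Apache's case-insensitive directive names and with both Options flags written on one line.

```python
import re

# The four protections recommended in the post above.
RECOMMENDED = frozenset({"RewriteEngine on", "Options +FollowSymlinks",
                         "Options -Indexes", "RewriteRule .htaccess [F]"})

# Constructed sample .htaccess; the two Options flags share one line, which
# Apache allows and a naive line-by-line string match would miss.
SAMPLE_HTACCESS = r"""
# BEGIN hardening
RewriteEngine On
Options +FollowSymLinks -Indexes
RewriteRule ^\.htaccess$ - [F]
"""


def parse_directives(text):
    """Yield (name, args) per directive; Apache directive names are case-insensitive."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def audit_htaccess(text):
    """Return the recommended protections that are missing from an .htaccess body."""
    found = set()
    for name, args in parse_directives(text):
        lowered = args.lower()
        if name == "rewriteengine" and lowered == "on":
            found.add("RewriteEngine on")
        elif name == "options":
            flags = set(lowered.split())
            if flags & {"+followsymlinks", "followsymlinks"}:
                found.add("Options +FollowSymlinks")
            if "-indexes" in flags:
                found.add("Options -Indexes")
            if flags & {"indexes", "+indexes"}:  # a later line can switch listings back on
                found.discard("Options -Indexes")
        elif name == "rewriterule":
            # pattern, '-' (no substitution), then a flag list such as [F] or [F,L]
            m = re.match(r"(\S+)\s+-\s+\[([^\]]*)\]", args)
            if m and "htaccess" in m.group(1).lower():
                rule_flags = {f.strip() for f in m.group(2).lower().split(",")}
                if rule_flags & {"f", "forbidden"}:
                    found.add("RewriteRule .htaccess [F]")
    return RECOMMENDED - found
```

    An empty result means all four directives are present; anything returned is what the post says to add.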

  19. #19
    SitePoint Enthusiast
    Join Date
    Apr 2006
    Location
    Chicago
    Posts
    38
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Wow, you guys are awesome.

  20. #20
    SitePoint Member
    Join Date
    Dec 2008
    Posts
    19
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    WordPress is pretty secure right out of the box, as long as you have the most updated version.

  21. #21

  22. #22
    SitePoint Addict
    Join Date
    Jun 2004
    Location
    somewhere
    Posts
    218
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    What about changing the "wp" part in folders?
    TYCP Magazine
    Picspaces - image hosting with unlimited bandwidth
    Hollywood Encountered - submit your celebrity encounters

  23. #23
    In memoriam gold trophysilver trophybronze trophy Dan Schulz's Avatar
    Join Date
    May 2006
    Location
    Aurora, Illinois
    Posts
    15,495
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You mean the directory structure, like wp-admin? That's covered in the link to the "The Blog Experiment" forums.

  24. #24
    Non-Member
    Join Date
    Jul 2008
    Posts
    3
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Check out the new WordPress 2.7; they have changed the admin/user panel pretty much, just downloaded it today and it works a lot better than the old style!

