Thread: Securing Wordpress
-
Dec 5, 2008, 22:09 #1 (Chicago; joined Apr 2006; 38 posts)
Securing Wordpress
When you Google "how to secure wordpress" you get plenty of results. However, what are the most important things that I can do to secure my blog?
Thanks.
-
Dec 5, 2008, 22:38 #2 (West Springfield, Massachusetts; joined Jul 2005; 17,290 posts)
I'd say the single most important thing is to always keep your blog updated to the latest version.
Being open-source, vulnerabilities, once known, can be easily found by the skiddies. Stay a step ahead of them and the odds are in your favor.
Big Change Coming Soon - if you want your PMs save them now!
What you need to do to prepare for our migration to Discourse
A New SitePoint Forum Experience: Our Move to Discourse
-
Dec 5, 2008, 22:45 #3 (Chicago; joined Apr 2006; 38 posts)
I am already on top of that. Anything else? Based on the reading that I've done, it's recommended to secure the .htaccess file.
-
Dec 5, 2008, 23:17 #4 (West Springfield, Massachusetts; joined Jul 2005; 17,290 posts)
Having secure permission settings is important, and yes, the htaccess file shouldn't be HTTP accessible. Another thing you could do is NOT use the default "wp" prefix.
-
Dec 5, 2008, 23:27 #5 (Chicago; joined Apr 2006; 38 posts)
How do I make sure that "the .htaccess file is not HTTP accessible" ?
-
Dec 6, 2008, 00:07 #6 (Aurora, Illinois; joined May 2006; 15,476 posts)
The best way to do it would be to put a two letter combination other than wp into the config.php file before you install WordPress. That way it will set up the database using that prefix instead of the default wp. I've got a few links that show how to secure WordPress lying around. I'll see if I can find them for you.
Save the Internet - Use Opera | May my mother rest in peace: 1943-2009
Dan Schulz - Design Team Advisor | Follow me on Twitter
SitePoint References: HTML CSS JavaScript | Become A Guru
WordPress SEO Checklist | What WordPress Plugins Do You Use?
Web Standards Curriculum | Image Free Equal Height Columns
-
Dec 6, 2008, 00:46 #7 (Chicago; joined Apr 2006; 38 posts)
Is it possible to change the prefix once the blog is already live? Like mine.
-
Dec 6, 2008, 01:26 #8 (Aurora, Illinois; joined May 2006; 15,476 posts)
I think so. You'd have to update your config.php file afterward though.
-
Dec 6, 2008, 01:32 #9 (Sydney, NSW, Australia; joined Sep 2005; 16,875 posts)
Rename all the tables in the database and change the value in the config.php file. The first of these would be most easily done via phpMyAdmin: select each table in turn, go to the Operations tab, type the new prefix in place of wp_ in the "rename to" field and press the Go button, then repeat for the next table.
Alternatively, you can type the following into the SQL tab (substituting your chosen prefix for each spot where I have put blog_):
Code:
RENAME TABLE wp_comments TO blog_comments;
RENAME TABLE wp_links TO blog_links;
RENAME TABLE wp_options TO blog_options;
RENAME TABLE wp_postmeta TO blog_postmeta;
RENAME TABLE wp_posts TO blog_posts;
RENAME TABLE wp_terms TO blog_terms;
RENAME TABLE wp_term_relationships TO blog_term_relationships;
RENAME TABLE wp_term_taxonomy TO blog_term_taxonomy;
RENAME TABLE wp_usermeta TO blog_usermeta;
RENAME TABLE wp_users TO blog_users;
Stephen J Chapman
javascriptexample.net, Book Reviews, follow me on Twitter
HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
<input name="html5" type="text" required pattern="^$">
-
Dec 6, 2008, 01:34 #10 (Chicago; joined Apr 2006; 38 posts)
I have the WP Security Scan plugin installed. It allows me to change the prefix. If I use the plugin's option to change the prefix, will I still need to update the config.php file?
-
Dec 6, 2008, 01:39 #11 (Aurora, Illinois; joined May 2006; 15,476 posts)
I'm pretty sure you would, yes.
-
Dec 6, 2008, 01:47 #12 (Chicago; joined Apr 2006; 38 posts)
I tried using the WP Security Scan plugin to change the prefix but I get the following message when I enter the new prefix and click the START RENAMING button.
Your User which is used to access your Wordpress Tables/Database, hasn't enough rights( is missing ALTER-right) to alter your Tablestructure. Please visit the plugin documentation for more information. If you believe you have alter rights, please contact the plugin author for assistance.
What do I need to change? I am the admin.
-
Dec 6, 2008, 02:18 #13 (Sydney, NSW, Australia; joined Sep 2005; 16,875 posts)
You will need to use a user login that has alter rights to be able to run that option. You may want to give the user that WordPress uses alter rights temporarily in order to run that command and then remove the alter rights again as that user would not normally need alter rights except to make that change.
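The rename procedure in post #9 and the temporary ALTER privilege in post #13, worked through as an added example (this is not code from either poster, from the plugin, or from WordPress): a Python script that generates the SQL and rewrites the `$table_prefix` line of wp-config.php (the file the posts call config.php). It also covers two places the bare RENAME list leaves behind, because WordPress stores the prefix as data as well as in table names: the `wp_user_roles` row in the options table and the `wp_capabilities` / `wp_user_level` keys in usermeta. If those are not renamed along with the tables, every account loses its role after the switch and the dashboard reports insufficient permissions. The GRANT and REVOKE lines have to be run by the database administrator account, since being a WordPress admin gives the MySQL user no extra rights (which is exactly the plugin error in post #12). The prefix `blog_`, user `wpuser`, host `localhost` and database `blogdb` are constructed placeholders. The prefix and identifiers are validated before they are interpolated so that a stray quote in the new prefix cannot turn the generated script into something else.

```python
import re

# The ten core tables of a WordPress 2.x install, as listed in post #9.
CORE_TABLES = (
    "comments", "links", "options", "postmeta", "posts",
    "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
)

# A prefix may only be a plain identifier ending in '_'; anything else is
# refused before it gets near the generated SQL.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+_$")
# Database, user and host names get the same treatment.
NAME_RE = re.compile(r"^[A-Za-z0-9_.%\-]+$")


def check_prefix(prefix):
    if not PREFIX_RE.match(prefix):
        raise ValueError(f"unsafe table prefix: {prefix!r}")
    return prefix


def check_name(value):
    if not NAME_RE.match(value):
        raise ValueError(f"unsafe identifier: {value!r}")
    return value


def rename_sql(old, new, tables=CORE_TABLES):
    """RENAME TABLE statements for every core table, followed by the two
    places WordPress keeps the prefix as data: the '<prefix>user_roles'
    option and the '<prefix>capabilities' / '<prefix>user_level' meta keys."""
    old, new = check_prefix(old), check_prefix(new)
    stmts = [f"RENAME TABLE {old}{t} TO {new}{t};" for t in tables]
    stmts.append(
        f"UPDATE {new}options SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    like = old.replace("_", r"\_")  # '_' is a LIKE wildcard, so escape it
    stmts.append(
        f"UPDATE {new}usermeta SET meta_key = "
        f"CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like}%';"
    )
    return stmts


def alter_privilege_sql(user, host, db, grant):
    """Post #13's advice as SQL: give the WordPress DB user ALTER on its own
    database for the rename, then take it away again."""
    user, host, db = check_name(user), check_name(host), check_name(db)
    if grant:
        return f"GRANT ALTER ON `{db}`.* TO '{user}'@'{host}';"
    return f"REVOKE ALTER ON `{db}`.* FROM '{user}'@'{host}';"


# Matches the single  $table_prefix = 'wp_';  assignment in wp-config.php.
TABLE_PREFIX_RE = re.compile(r"^(\s*\$table_prefix\s*=\s*)(['\"]).*?\2(\s*;.*)$", re.M)


def set_table_prefix(config_text, new):
    """Rewrite the $table_prefix line of wp-config.php (the file the posts
    call config.php) so WordPress looks for the renamed tables."""
    new = check_prefix(new)
    updated, n = TABLE_PREFIX_RE.subn(
        lambda m: f"{m.group(1)}'{new}'{m.group(3)}", config_text)
    if n != 1:
        raise ValueError(f"expected one $table_prefix assignment, found {n}")
    return updated


def migration_script(old, new, user, host, db):
    """Everything in order: grant ALTER, rename, revoke ALTER."""
    return "\n".join(
        [alter_privilege_sql(user, host, db, True)]
        + rename_sql(old, new)
        + [alter_privilege_sql(user, host, db, False)]
    )


if __name__ == "__main__":
    # Constructed values; substitute your own prefix, database and user.
    print(migration_script("wp_", "blog_", "wpuser", "localhost", "blogdb"))
    sample_config = "<?php\n$table_prefix  = 'wp_';\n"
    print(set_table_prefix(sample_config, "blog_"))
```

Run the printed script as the database administrator with the blog briefly offline, then write the updated wp-config.php; WordPress reads `$table_prefix` on every request, so the two steps should happen together.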
-
Dec 6, 2008, 02:42 #14 (Chicago; joined Apr 2006; 38 posts)
Can I create a second user account for myself with admin rights to accomplish this?
-
Dec 6, 2008, 02:58 #15 (Aurora, Illinois; joined May 2006; 15,476 posts)
Yes, you can. In fact, I'd also make that user the administrator and leave it - then delete the admin account name afterward (assigning everything to the new user).
-
Dec 6, 2008, 03:09 #16 (Chicago; joined Apr 2006; 38 posts)
Dan,
What else do you recommend to secure a wordpress blog? There are many options that come up on Google, but which are the top 3?
-
Dec 6, 2008, 11:33 #17 (Aurora, Illinois; joined May 2006; 15,476 posts)
Still going through my bookmarks. I've got hundreds of them on WordPress alone, so it's taking some time - despite being organized better than the Dewey decimal system.
-
Dec 6, 2008, 12:18 #18 (West Springfield, Massachusetts; joined Jul 2005; 17,290 posts)
Regarding the htaccess file, check to see that it has
Code:
RewriteEngine on
Options +FollowSymlinks
RewriteRule ^\.htaccess$ - [F]
Options -Indexes
The "symlinks" is for rewritten URL links.
The "[F]" flags HTTP requests for ".htaccess" as Forbidden.
Although folders can have a "dummy index" file so that HTTP requests like
.../wp-content/plugins/
won't show Apache's default directory content list, the "-Indexes" works for folders without one.
Also, you can remove the readme.html file. It contains the WordPress version number. Of course the version also shows other places too, and it's not that important if you keep the blog up to date, but I have had HTTP requests for it in my logs.
I realize some measures are "security by obscurity" which really isn't security at all. But the more difficult you make things for the skiddies the more likely they'll go elsewhere.
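A defender-side check for the .htaccess advice in post #18, added here as an example (not the poster's code): it audits the text of an .htaccess for the four directives listed above and classifies HTTP responses for the three paths the post mentions (the .htaccess itself, readme.html, and a plugins folder) as either "ok" or a short note on what the server gave away. The sample .htaccess contents and the responses fed to `classify_response` are constructed; `check_site` is the only part that touches the network and is meant to be pointed at a site you administer. One caveat worth knowing when reading the result: a stock Apache httpd.conf already denies `.ht*` files with a `<FilesMatch "^\.ht">` block, so a 403 for /.htaccess may come from the server configuration rather than from the RewriteRule; the check reports the observed response, not its cause.

```python
import re
import urllib.error
import urllib.request

# Directives post #18 expects in the .htaccess, each with a regex that is
# whitespace- and case-tolerant (Apache directives are case-insensitive) and
# anchored at line start so a commented-out copy does not count.
REQUIRED = {
    "RewriteEngine on":
        re.compile(r"^\s*RewriteEngine\s+on\b", re.I | re.M),
    "Options +FollowSymlinks":
        re.compile(r"^\s*Options\b[^\n]*\+FollowSymLinks", re.I | re.M),
    "RewriteRule ^\\.htaccess$ - [F]":
        re.compile(r"^\s*RewriteRule\s+\^\\\.htaccess\$\s+-\s+\[[^\]]*F[^\]]*\]",
                   re.I | re.M),
    "Options -Indexes":
        re.compile(r"^\s*Options\b[^\n]*-Indexes", re.I | re.M),
}

# Constructed sample: exactly what the post says the file should contain.
SAMPLE_HTACCESS = """\
RewriteEngine on
Options +FollowSymlinks
RewriteRule ^\\.htaccess$ - [F]
Options -Indexes
"""

# Apache's auto-generated directory listing carries this title.
LISTING_RE = re.compile(r"<title>\s*Index of /", re.I)

# The paths post #18 talks about, probed on a site you run.
CHECK_PATHS = ("/.htaccess", "/readme.html", "/wp-content/plugins/")


def audit_htaccess(text):
    """Return the names of REQUIRED directives the given .htaccess lacks."""
    return [name for name, rx in REQUIRED.items() if not rx.search(text)]


def classify_response(path, status, body):
    """Map one (path, HTTP status, body) to 'ok' or a short description of
    what the server exposed."""
    if path.endswith("/.htaccess"):
        return "ok" if status in (403, 404) else "htaccess readable"
    if path.endswith("/readme.html"):
        return "ok" if status in (403, 404) else "readme.html (version) served"
    if path.endswith("/") and status == 200 and LISTING_RE.search(body):
        return "directory listing"
    return "ok"


def check_site(base_url):
    """Live check (needs network): fetch each path on a site you administer
    and classify the answer. An HTTPError is a status to classify, not a
    failure of the check."""
    results = {}
    base = base_url.rstrip("/")
    for path in CHECK_PATHS:
        try:
            with urllib.request.urlopen(base + path, timeout=10) as resp:
                body = resp.read(8192).decode("utf-8", "replace")
                results[path] = classify_response(path, resp.status, body)
        except urllib.error.HTTPError as err:
            results[path] = classify_response(path, err.code, "")
    return results


if __name__ == "__main__":
    print("missing from sample:", audit_htaccess(SAMPLE_HTACCESS))
    print("missing from empty file:", audit_htaccess("# nothing here\n"))
    # Constructed responses, as a log reader might see them.
    print(classify_response("/.htaccess", 403, ""))
    print(classify_response("/wp-content/plugins/", 200,
                            "<html><head><title>Index of /wp-content/plugins</title>"))
```

A "dummy index" file in a folder, as the post describes, makes the plugins path return a plain page instead of a listing, and `classify_response` reports that as "ok" too; the audit of the file itself is what tells you whether folders without such a file are also covered.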
-
Dec 6, 2008, 20:43 #19 (Chicago; joined Apr 2006; 38 posts)
Wow, you guys are awesome.
-
Dec 8, 2008, 17:56 #20 (joined Dec 2008; 19 posts)
WordPress is pretty secure right out of the box, as long as you have the most updated version.
-
Dec 8, 2008, 18:36 #21 (Aurora, Illinois; joined May 2006; 15,476 posts)
Okay. I went through my link library and pulled up a "few" links you folks might be interested in. Not all of them are WordPress security related, but as the old saying goes...
http://css-tricks.com/first-steps-af...dpress-instal/
http://www.smashingmagazine.com/2008...for-wordpress/
http://www.prelovac.com/vladimir/wor...mization-guide
http://www.michiknows.com/2007/02/12...-admin-folder/
http://www.devlounge.net/articles/pr...ont-get-hacked
http://andybeard.eu/2007/04/the-ulti...cess-file.html
http://www.theblogexperiment.com/blo...ad.php?p=14001
http://www.dailyblogtips.com/3-must-...for-wordpress/
http://www.mattcutts.com/blog/three-...-installation/
http://wpcandy.com/articles/tutorial...elp-sheet.html
http://www.twentysteps.com/creating-...obotstxt-file/
http://www.bloggingtips.com/2008/07/...rackback-spam/
http://www.wolf-howl.com/blogging/wo...clean-backend/
Hope that helps.
-
Dec 11, 2008, 03:46 #22 (somewhere; joined Jun 2004; 218 posts)
What about changing the "wp" part in folders?
TYCP Magazine
Picspaces - image hosting with unlimited bandwidth
Hollywood Encountered - submit your celebrity encounters
-
Dec 11, 2008, 04:24 #23 (Aurora, Illinois; joined May 2006; 15,476 posts)
You mean the directory structure, like wp-admin? That's covered in the link to the "The Blog Experiment" forums.
-
Dec 11, 2008, 07:36 #24 (joined Jul 2008; 3 posts)
Check out the new WordPress 2.7; they have changed the admin/user panel pretty much. I just downloaded it today and it works a lot better than the old style!