Category Archives: security

Basic WordPress Security

Found this in my Tumblr blog stream and thought it was funny.

Found this in my Tumblr blog stream and thought it was perfect for this post.

Here’s some basic measures you can take to help secure your wordpress blog. I’m not a security consultant, and I don’t pretend to play one on t.v. Some of this stuff is common sense and some of it is stuff I picked up doing a little research on this subject recently. This post certainly isn’t the end all and be all of WordPress security and really covers the very, very, basics. I do think it’s a good start though. Let’s get started.

When you created your WordPress blog, the first user is set to “Admin” by default during set up. You have an opportunity to change this during the set up process and hopefully you took advantage of that. This is one of the most basics of computer security yet so many people seem to ignore it. NEVER KEEP THE DEFAULT ADMIN USER NAME !

Now, whether you kept the default admin, or you created a user name, a good idea for the admin account is to make sure to use a nickname that will appear on the site when you’re replying to comments. In you’re dashboard click on users, then under the user name click on the edit link. In the field for nickname create a nickname for the admin account. Then below that select the “Display name publicly as” and make sure the new nickname you created is selected. So now when you reply to a comment or post, the nickname appears instead of the Username for the Admin account.

Another trick is to not use the Admin account for posting anything. Create another account, that you’ll only use for posting, with limited privileges. Do this by creating a new user, then click on users again and at the top of the list of users you should see a drop down menu that “reads change role to”. Simply check the new user you created and then  change that drop down to contributor, and only use the Admin account to make changes to the blogs design. If you go this route make sure to select a nickname for this “contributor account” as explained previously.

The reason for doing all this is to make sure someone with ill intent doesn’t get the login name of the Admin account. Once a hacker gets a login name, they have achieved half the battle. Now they just have to figure out the password. By using these techniques someone would now have to guess the Login name, and also the password in order to access the account. It’s almost like creating two passwords for your blog and having two lines of security or doubling your basic protection.

So, lets talk passwords. Passwords are a royal pain. We have so many passwords, and we always try to make them easy to remember, or use the same password for all our websites. Huge mistake ! If you do this and you’re compromised they now have access to your e-mail, maybe the website, your ftp server, and God knows what else. That’s a really bad habit and practice to fall into. Give your blog a unique password !

Let’s start with really bad passwords. Really bad password choices are names of wives, pets, street address, favorite foods, etc, etc,. By using a password like this, anyone who knows you and might want to gain access to your site will achieve that goal with just a couple of guesses. A friend of mine once asked me to check the security on a server he set up, I gained entry in under 5 minutes ! He was absolutely flabbergasted, and didn’t understand how I cracked his server so quickly. I looked at him and said next time don’t use your lovers name as a password ! He was embarrassed to say the least.

Really good passwords really shouldn’t be words at all. A random sequence of numbers and letters are best, mixed with capital and lower case letters. In all fairness though, that just sucks. Most people won’t do this, and it really is difficult to remember the password. You could use l337 letters using words and replacing letters with numbers like 1amG0d or something but even that isn’t very secure these days. Brute force crackers can and will figure these passwords out in a very short amount of time.

Here’s a few tricks for creating passwords that are hard to crack and easy to remember.

1) Make the password at least 8 characters long and use a series of UPPER CASE and lower case letters with a few numbers thrown in the mix.

2) Use a movie quote, or line from a favorite poem or song, or maybe a passage from your favorite spiritual book. Replace some of the letters with numbers, like zeros for o and 1’s for L’s.

3) Now, this is my favorite. Use the above technique, but instead of using the complete quote or phrase, simply take the first letter from each word in the phrase.

For example: the line below taken from Bowery Blues by Jean-Louis (Jack Kerouac)

“the night will be bright with the gold of old.”

This would break down to : 7NwbBwtg0o

You now have a 10 letter and digit password that is very secure and somewhat easy to remember. You can come up with your own system for how you place the letters, caps and numbers. Like every third letter is CAPS, or 7 for t’s, 0 for o, etc, etc,.

Finally, lets talk about that meta widget, with the link included for the login page right out in the open. That gots to go ! The first time I seen a WordPress blog, I couldn’t believe they placed the login link right on the main page of the blog. I’ve heard that removing it wasn’t even an option till recently. Well now you can remove it and I suggest you do. Why even tempt someone ! Out of site out of mind !

To do this, go to your dashboard, click on appearance and select widgets. On the right hand side of the page there will be a column titled Main Sidebar, simply take your mouse and drag the Meta widget to the Inactive Widgets box on the bottom of the page. Thats that for that. Now make sure to bookmark your login page so you can login to your blog.

On that note, it may not be a bad idea if you know and understand WordPress and PHP to change the url of the login page. As I get to know this blogging program better, that may be a future post down the road. This should probably only be attempted by webmasters with a good understanding of PHP and how the WordPress software works and is configured.

Anyway, this covered the very, very,very basics. I’m not a security expert, but I think this is a great start for someone concerned about the security of their WordPress blog. Thanks for reading and I hope I didn’t make this overly complicated or confusing. If you have any other suggestions, or I missed something obvious, please comment and share. Till next time , keep on blogging and  cheers!