
How to make your WordPress blog more secure

by Sarah Watts

By taking a few small steps you can make your WordPress blog more secure. As your blog begins to get recognized for great content it becomes a target for all sorts of attacks. A well-known nuisance is, of course, comment spam: within a couple of days your blog can be deluged with hundreds of spammy comments selling Viagra and other exotic material in every language. Then you also need to deal with trackback spam: some blogs and websites simply crawl other blogs, copy and paste a few lines from the original post and add a back link, which makes a trackback link appear on your WordPress blog.

Making your WordPress blog more secure against comment and trackback spam

The problems mentioned above can be easily tackled by a few tweaks and plugins. You can protect your WordPress blog from comment and trackback spam by

  • Installing the Akismet plugin. Akismet is developed by Automattic, the same people who have developed WordPress. You will need an API key from wordpress.com (you can obtain it by creating a free account there) in order to run this plugin. Akismet has a central database of comment spam sources so whenever a comment is left on your blog (by a human or a bot) it immediately cross-checks with the central database. It does the same with trackbacks.
  • Installing the Spam Karma plugin. If you don’t want to get an API key (mentioned above) the other alternative is the Spam Karma plugin. Although it is no longer supported by its original author, many WordPress blogs are still using it.
  • Using CAPTCHA. A CAPTCHA generates an image of random alphanumeric characters that your visitors have to type in before their comment is accepted.
  • Using 3rd-party comment plugins. Many websites use 3rd-party commenting services like Disqus and Intense Debate that completely take over the management of your comments. Once you create an account there you install their plugin, and then they let you import your existing comments into their system. At HowToPlaza we use Disqus.
  • Turning off comments for older posts. Comment spam normally starts to appear on blog posts that are a couple of months old, so from your WordPress Admin area you can set a maximum age in days; once a post is older than that, comments on it are automatically turned off.

Making your WordPress blog more secure against hacking attempts

Hacking attempts are the more dangerous threat your blog may face. As you become more and more successful, there are many people who would like to take your blog down. The reasons can be:

  • They are jealous of your success
  • They don’t like competition
  • They don’t agree with your ideology
  • They are practicing their hacking skills and have nothing particularly against you
  • They’ve got nothing better to do

You can immediately make your WordPress blog more secure by running the latest version of the software. The developers plug security holes with every new release, so the threat you are currently facing might already have been taken care of in the latest WordPress version.

You shouldn’t display your WordPress version publicly, as this helps attackers mount version-specific attacks on your blog.
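The version string is printed in more than one place (the generator meta tag in the page head, the generator element in the RSS/Atom feeds, and the ?ver= query string appended to core scripts and stylesheets). As an added example that is not from the article or any plugin it names, the following must-use plugin removes all three with standard WordPress hooks; the file name hide-version.php is an assumption:

```php
<?php
// Added example (not from the article): drop the WordPress version from
// the places it is printed. Save as wp-content/mu-plugins/hide-version.php
// (the filename is an assumption; any mu-plugin name works).

// The <meta name="generator"> tag in the HTML head.
remove_action('wp_head', 'wp_generator');

// The <generator> element in RSS/Atom feeds and anywhere else
// the_generator() is used.
add_filter('the_generator', '__return_empty_string');

// Core scripts and styles are enqueued with ?ver=<wp version>; strip the
// version query string so it does not leak there either.
function hv_strip_version($src) {
    if (strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'hv_strip_version', 9999);
add_filter('script_loader_src', 'hv_strip_version', 9999);
```

Two caveats: stripping ?ver= also removes the cache-busting that WordPress relies on, so clear browser and CDN caches after an update; and the readme.html file WordPress ships in the site root states the version too, so delete it or block it in .htaccess. Hiding the version only slows an attacker down; keeping WordPress updated is what actually closes the holes.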

Using a strong password also immediately eliminates a big chunk of aspiring hackers. Read how to create a strong password and remember it.

Your wp-config.php contains the database credentials, so anyone who can read it has immediate access to your WordPress database. You can block web access to it by adding the following lines to your .htaccess file:

<files wp-config.php>
        Order deny,allow
        deny from all
</files>
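The Order/Deny directives above are Apache 2.2 access-control syntax; on Apache 2.4 they only work when mod_access_compat is loaded, and the native form is Require all denied. As an added example (not from the article), this variant of the same block works on either version by checking which authorization module is present:

```apache
# Added example: block web access to wp-config.php on Apache 2.2 and 2.4.
<Files wp-config.php>
    # Apache 2.4: mod_authz_core syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (or 2.4 with mod_access_compat): legacy syntax
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
```

An .htaccess file only takes effect if the server's AllowOverride setting permits these directives, so verify the block by requesting /wp-config.php in a browser and confirming you get a 403 Forbidden. PHP still reads the file from disk as normal; restricting its filesystem permissions to the web server user is the complementary control.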

Take regular backups of your WordPress database. Even if your blog gets hacked, you will at least still have all the posts you’ve been writing for months, or even years. The easiest and safest way of taking a backup is to export your entries to an XML file; from your WordPress admin area, you will find this Export feature in the Tools section. If this doesn’t work for you, you can use the WordPress Database Backup plugin. It automatically takes backups at set intervals and saves them on the server, mails them to a specified email address or downloads them to your PC, whichever option you prefer.

Aside from this there are a few plugins you can use.

  • AskApache Password Protect. It adds an extra layer of security over your WordPress admin area. Once you install it, it asks for a new login and password that specifically protects your wp-admin, wp-includes, wp-content and other sensitive folders.
  • Secure WordPress. Once installed, it adds an index.php file to all the WordPress folders that don’t have one (so that the contents of the folders are not publicly listed), removes version numbers from public areas and restricts various system-critical bits of information.
  • Login Lockdown. It keeps track of all failed login attempts, so if someone is trying to log in using various usernames and passwords, after a certain number of attempts his or her IP address is blocked and he or she cannot make another login attempt.
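The mechanism Login Lockdown implements (count failed logins per IP, refuse further attempts once a threshold is reached, let the block expire) fits in a small must-use plugin built on WordPress's own authentication hooks. As an added example that is not the Login Lockdown plugin's code or any code from the article, the following uses the wp_login_failed action to count failures, the authenticate filter to refuse locked clients, and transients with a TTL so that counters and locks expire on their own. The thresholds, the fll_ prefix and the file name are assumptions:

```php
<?php
/*
Plugin Name: Failed Login Lockout (added example)
Description: Counts failed logins per client IP and blocks the IP for a while.
*/
// Save as wp-content/mu-plugins/failed-login-lockout.php (filename assumed).

// Constructed settings for this example; adjust to taste.
const FLL_MAX_ATTEMPTS = 5;     // failed attempts allowed within the window
const FLL_WINDOW       = 600;   // seconds the failure counter lives
const FLL_LOCKOUT      = 1800;  // seconds an IP stays blocked

// Key the counters by client IP. Behind a reverse proxy REMOTE_ADDR is the
// proxy's address: have the web server map the real client IP into
// REMOTE_ADDR; never read X-Forwarded-For here, since clients can forge it.
function fll_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function fll_key($prefix, $ip) {
    return $prefix . md5($ip);   // keeps transient names short and safe
}

function fll_is_locked($ip) {
    return get_transient(fll_key('fll_lock_', $ip)) !== false;
}

// Record a failure; lock the IP once the threshold is reached.
function fll_on_failed_login($username) {
    $ip = fll_client_ip();
    if (fll_is_locked($ip)) {
        return;                   // already blocked; do not churn the counter
    }
    $count = (int) get_transient(fll_key('fll_fail_', $ip)) + 1;
    set_transient(fll_key('fll_fail_', $ip), $count, FLL_WINDOW);
    if ($count >= FLL_MAX_ATTEMPTS) {
        set_transient(fll_key('fll_lock_', $ip), time(), FLL_LOCKOUT);
        delete_transient(fll_key('fll_fail_', $ip));
        // Leaves a trail in the PHP error log for later review.
        error_log(sprintf('fll: locked %s after %d failed logins (last username "%s")',
                          $ip, $count, $username));
    }
}
add_action('wp_login_failed', 'fll_on_failed_login');

// Refuse authentication while the IP is locked. Priority 30 runs after the
// core username/password handlers (priority 20), so this verdict is final
// even if the guessed password happens to be correct.
function fll_block_locked($user, $username, $password) {
    if (fll_is_locked(fll_client_ip())) {
        return new WP_Error('fll_locked',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}
add_filter('authenticate', 'fll_block_locked', 30, 3);

// Clear the failure counter on success so a legitimate user who mistyped
// once is not penalised later in the window.
function fll_on_login($user_login, $user) {
    delete_transient(fll_key('fll_fail_', fll_client_ip()));
}
add_action('wp_login', 'fll_on_login', 10, 2);
```

Transients are stored in the database (or the object cache if one is configured), so the counters survive across requests without any extra tables, and their TTL means stale entries disappear without a cleanup job. Because this blocks by IP, users sharing a NAT address or a corporate proxy share a lockout; keep the threshold and lockout period modest for that reason.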

Got some more tips on how to make your WordPress blog more secure? Please share them in the comments section.

  • Thanks for these plugins. I've been using Akismet and CAPTCHA and they really improved my blogging because they minimize spammers. I'll try out the rest.