In advance of our Basic Internet Privacy and Security workshop, which we’re hosting tomorrow in our offices, from 10 am to 4 pm, blogger and web developer Mireille Raad, our very first guest blogger, offered to write up a few tips on securing your WordPress blog from hacking attempts. You’ll also find this post on abaadblogs, a collection of blogs from all around the blogosphere, with a special highlight on the Middle East. Offers to translate this post into Arabic are gratefully accepted.
Building a nice, popular blog is a challenging and time-demanding task. We spend hours and hours getting our posts just right, picking that perfect image, and customizing our sidebars with badges, sign-ups, and embeds.
But we rarely realize that all those efforts can go to waste if, on a creepy, cold, moonless night, some monstrous creature of the dark world wearing a black hat attacks our site and brings down our lovely home on the web.
You may think “it will never happen to me” or “it will never happen here in Lebanon”; sadly, this is not true. Not so long ago the ArabNet website was defaced. In another incident, a “l33t” guy wanted to send blogger Maya Zankoul a love message by, well, hacking a site she used to work with.
What I am saying is that evil people exist out there. They take control over blogs as an easy way to push spam advertising, to show off, to make some money, or just to hurt or silence us.
That is why taking security measures for your blog is a must. Learning some security skills and spending a few hours applying them might save you tons of trouble and days and maybe weeks of wasted time. With that in mind, I’m offering some easy-to-do, yet effective tips and tricks on how to secure your blog and protect your dear online belongings. I’ll start with a tutorial on securing WordPress blogs:
- Don’t use “admin” as your username. It is the default on every WordPress install, so it is the first name any attacker will try, and it hands them half of the credential for free. Create your own user, give it the Administrator role, log in as that user, and then delete “admin” (WordPress will ask which user should inherit its posts).
- Use a strong password. Doh, make sure to include symbols and numbers, upper case and lower case letters. Also, think in passphrases, not just passwords: a short sentence you can remember is far harder to guess than a clever eight-character word. “i<3toblog” shows the idea, but at nine characters it is too short to rely on (and that one’s taken ;P). Make it long, make it unique to your blog, and never reuse a password from another site.
- Make frequent backups of your site, in case you lose your data. Most blogging platforms provide an easy way to export your posts, and web hosts also provide tools for backing up your sites. Keep in mind that an export of your posts is not a full backup: a WordPress site is its database plus the wp-content folder (uploads, themes, plugins), so back up both. Keep a copy somewhere other than the server itself, since an attacker who gets in will happily delete your backups along with your site, and try restoring one once so you know it actually works. Set a schedule for this, and follow it.
- Keep your WordPress installation and your plug-ins updated to the latest versions; known bugs in old versions are the easiest way in. Just be careful when updating, because sometimes a plug-in has not yet been tested with the newest WordPress release, so take a backup first and you can roll back if something breaks.
- Change your WordPress table prefix. When installing for the first time, you can specify your prefix as part of the install; on an existing site it is more work, because the tables themselves must be renamed. A good strategy for making an attacker’s life a bit harder is not letting them know your table names: automated SQL injection payloads assume the default “wp_” prefix. Be honest with yourself about what this buys, though. It is obscurity, not a fix; it does nothing against an attacker who reads the database error messages or lists the tables, so it complements keeping WordPress updated and never replaces it.
- In addition to your administrative account (not admin!), create a “posting user” that has no administrative privileges (the Author or Editor role is enough to write and publish). Do your day-to-day blogging with that account and log in as administrator only when you need to install something or change settings. In addition to protecting your blog from unscrupulous hackers, you’ll be protecting it from you! If someone managed to sniff your password or to use a keystroke logger, they will get the low-privilege account and have minimum opportunities to damage your site. (A keystroke logger is a piece of software or hardware that saves everything you type on the keyboard.)
- Limit login attempts. By limiting the number of failed login attempts allowed from one address, you blunt brute-force attacks and password guessing strategies. Several plugins do just that. Two things to check when you pick one: counting by IP address can lock out a whole office or café behind one shared connection, and locking by username lets an attacker lock you out of your own blog on purpose, so a temporary lockout is better than a permanent one.
- Create stealth logins. You can create a custom address to log in to your blog. By not using the classic “myblog.com/wp-admin” path to get to your dashboard, you give attackers, and the bots that hammer every WordPress login page they find, one more thing to discover first. This will also help you avoid those bots that automatically subscribe to your blog. Be clear about what this buys you: it is camouflage, not a lock. Whatever you use to rename the login must make the standard wp-login.php actually refuse requests, not merely leave it unlinked, and it does nothing against someone who already has your password and finds the new address, so it never replaces a strong password and limited login attempts. There are guides and plugins for creating stealth logins and other security measures.
- Encrypt your password before sending it to login. Sniffing passwords off the network is a nasty trick that works on any unencrypted connection, such as an open Wi-Fi hotspot. No matter how strong your password is or how secure your site, if someone can watch the network while you log in, they get your password. The real counter measure is to serve the login page and the whole dashboard over HTTPS (an SSL certificate from your host), which encrypts everything in the session. Plugins that only encrypt or hash the password before sending it help against the simplest sniffer, but the cookie that keeps you logged in still travels in the clear on every dashboard page, and whoever captures that cookie can use your session without ever learning the password.
- Use an onscreen keyboard to enter your password. You can avoid the typical keystroke logger’s trap by using an on-screen keyboard, where you don’t “type” your password but instead input it with the mouse. This defeats only loggers that record keystrokes; malware that takes screenshots or reads what your browser sends sees the password anyway, so treat it as a stopgap on a computer you do not fully trust, not as a reason to log in from one.
- Activate the Secure WordPress plugin. This nice plugin takes care of many small hardening tasks in one go, such as:
- removing error information from the login page (so a failed login no longer reveals whether the username exists)
- adding an (empty) index.php to the plugin directory, so its contents cannot be listed
- removing the WordPress version number from pages and feeds, except in the admin area
- removing the Really Simple Discovery link
- removing the Windows Live Writer manifest link
- removing core update information for non-admins
- removing plugin update information for non-admins
- removing theme update information for non-admins (only WP 2.8 and higher)
- hiding the WordPress version in the backend dashboard for non-admins
- adding strings for use with WP Scanner
- blocking bad queries
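The “table prefix” and “encrypt your password” tips both come down to a couple of lines in wp-config.php. The following is an added example of what those lines look like; it is not code from this post or from any plugin, and the prefix value is made up:

```php
<?php
// Added example: the two wp-config.php settings behind the "table prefix" and
// "encrypt your password" tips. Values are assumed; this is not code from the
// post or from any plugin. These lines go next to the database settings,
// above the line that requires wp-settings.php.

// The prefix every fresh install ships with; automated SQL injection payloads
// are written against it:
//     $table_prefix = 'wp_';
// Pick one an attacker cannot guess (letters, digits and underscores only).
$table_prefix = 'mr7k_';

// Caveat: changing the prefix on an existing site is not just this edit. Every
// table must be renamed to match, and so must the rows that embed the prefix
// in their *name*: the "wp_user_roles" option and the "wp_capabilities" /
// "wp_user_level" usermeta keys. Miss those and every user loses their role.
// Easiest is to set the prefix during installation.

// Serve the login page and the whole dashboard over HTTPS, so neither the
// password nor the logged-in cookie crosses the network in the clear. This
// needs a working SSL certificate for the site's domain first; without one the
// dashboard becomes unreachable.
define( 'FORCE_SSL_ADMIN', true );
```

With FORCE_SSL_ADMIN on, WordPress redirects any plain-HTTP request for wp-login.php or wp-admin to its HTTPS address, which is what makes the sniffer on the café Wi-Fi go home empty-handed.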
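To make the “limit login attempts” tip and several items on the Secure WordPress list concrete, here is a small WordPress plugin written as an added example for this post (it is not the Secure WordPress plugin and not code from the original). It uses only standard WordPress hooks (wp_login_failed, authenticate, wp_login, login_errors, the_generator) and stores the failure counter in a transient; the plugin name, the function names, the 5-failures-in-15-minutes limit and the error wording are all assumed:

```php
<?php
/*
Plugin Name: Blog Hardening Example
Description: Added example, not the Secure WordPress plugin and not code from the post. Throttles failed logins per address, hides login error details, and strips version and discovery hints from page headers. Drop this file into wp-content/plugins/ and activate it.
*/

// Assumed policy: after 5 failures from one address within 15 minutes,
// refuse further logins from it until the window expires.
define( 'BHE_MAX_FAILURES', 5 );
define( 'BHE_WINDOW_SECONDS', 900 );

function bhe_client_ip() {
    // REMOTE_ADDR is the only address the web server itself vouches for.
    // Only switch to a forwarded header if the site sits behind your own
    // reverse proxy; taken from the open Internet, X-Forwarded-For is
    // attacker-controlled and would let a guesser reset his own counter.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function bhe_counter_key() {
    // Transient names must stay short, hence the hash of the address.
    return 'bhe_fail_' . md5( bhe_client_ip() );
}

function bhe_failure_count() {
    return (int) get_transient( bhe_counter_key() );
}

// 1. Count failures. WordPress fires wp_login_failed after a bad password,
//    and also after our own lockout error below, so a guesser who keeps
//    hammering keeps extending the lockout.
function bhe_record_failure( $username ) {
    set_transient( bhe_counter_key(), bhe_failure_count() + 1, BHE_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'bhe_record_failure' );

// 2. Refuse the login while the address is over the limit. Priority 30 runs
//    after WordPress's own password check (priority 20), so the refusal wins
//    even when the guess was finally right.
function bhe_block_if_locked( $user, $username, $password ) {
    if ( bhe_failure_count() >= BHE_MAX_FAILURES ) {
        // Same message whether or not the password was correct: no oracle.
        return new WP_Error( 'bhe_locked', 'Too many failed logins from your address. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'bhe_block_if_locked', 30, 3 );

// 3. A successful login clears the counter for that address.
function bhe_clear_failures( $user_login ) {
    delete_transient( bhe_counter_key() );
}
add_action( 'wp_login', 'bhe_clear_failures' );

// 4. Stock WordPress says whether the username or the password was wrong,
//    which confirms valid usernames to a guesser. Say the same thing either way.
function bhe_generic_login_error( $message ) {
    return 'Login failed.';
}
add_filter( 'login_errors', 'bhe_generic_login_error' );

// 5. Stop advertising the WordPress version and the RSD / Windows Live Writer
//    discovery links in every page's <head> and in the feeds. The admin area
//    still shows the version to administrators, which is what you want.
remove_action( 'wp_head', 'wp_generator' );
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );
function bhe_no_generator( $generator, $type ) {
    return '';
}
add_filter( 'the_generator', 'bhe_no_generator', 10, 2 );
```

Two limits of this approach are worth knowing before you rely on it: counting by address locks out everyone behind a shared connection (an office, a café hotspot) when one of them mistypes five times, and an attacker with many addresses simply spreads the guesses across them. Throttling buys time; the long, unique password is still what stops the guesser.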
Those are simple, easy-to-apply steps that will raise the security of your WordPress site, or at least make it really, really hard to hack. Safe blogging everyone!
CC-licensed artwork by ZYG_ZAG.