There are some basic steps you can take to help limit your exposure to malicious behavior directed at your WordPress install. My intention with this article is not to make your website bullet-proof (if such a thing exists) but to cover the most common exploits/weaknesses. File and directory permissions have been discussed elsewhere, but here is a reminder of the basic rule of thumb: set files to 644 and directories to 755. If you have to use less secure settings (world-writable /wp-content/uploads/, for example) just to make things work, you don't have a good host.
Failing to do the following doesn't mean your blog will be hacked; it just means it's more likely. So here we go:
..Cover your privates (or: “Nice knickers there!”)…
- Delete the unnecessary files /wp-admin/install.php and /wp-admin/upgrade.php ((Once you are finished with the installation or upgrade these files are no longer needed, and the next install/upgrade package ships fresh copies anyway))
- Delete default post and comment ((advertises “New Blog! Come SPAM me!”))
- Make it harder to reveal your SQL login info and help prevent users browsing where they shouldn't: In your root directory (where wp-config.php resides) make sure there is a .htaccess file containing the following ((Turns off ftp-style directory browsing; only recognizes index.php and index.html as legitimate index files; doesn't allow ANY remote access to wp-config.php. Note that the Deny from all block must be wrapped in <Files wp-config.php> as shown; a bare Deny from all in the root .htaccess would lock every visitor out of the whole site)):
Options -Indexes
DirectoryIndex index.php index.html
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>
- Change permissions for wp-config.php to 600 (equivalent to rw-------) if possible ((One of the few exceptions to the standard 644 rule. It only works where PHP runs as the file's owner, e.g. under suPHP/FastCGI per-user setups; with mod_php running as a shared web server user the file must stay readable by that user, which is one reason for the "if possible"))
- Prevent browsing of directories not covered by WordPress: Drop an empty (0-byte) file named index.html in /wp-content/plugins/ or /wp-content/uploads/ (for example) ((The reason we use .html instead of .php is that if PHP breaks on the server, the web server still serves the empty static file instead of a directory listing, so we're covered at the HTTP level))
- For SPAM prevention, activate Akismet ((Akismet is great at weeding out spam comments)) (comes with WordPress) and install/activate Bad Behavior ((Bad Behavior stops a lot of spam/malicious activity before it ever hits your site)). These two plugins are the minimum in spam prevention in my opinion, but feel free to experiment on your own.
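Since the file-level items above are easy to forget on the next upgrade, here is the whole checklist as a script. This is an added example, not code from the original post or from WordPress itself: harden_wp applies the steps to the WordPress root you pass it, check_wp re-verifies them so you can rerun it after every upgrade, and make_demo_tree builds a constructed stand-in install (placeholder file contents, deliberately loose permissions) so the script can be tried without touching a live site. Function names, the demo tree and the extra wp-content/themes entry are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: applies the hardening checklist to
# a WordPress root directory and then re-checks it. make_demo_tree produces a
# constructed fake install; run harden_wp on a real root as the file owner.

# Build a throw-away fake WordPress tree and print its path (constructed data).
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin" "$root/wp-content/plugins" \
             "$root/wp-content/uploads" "$root/wp-content/themes"
    echo '<?php define("DB_PASSWORD", "placeholder"); ?>' > "$root/wp-config.php"
    echo '<?php /* installer placeholder */ ?>' > "$root/wp-admin/install.php"
    echo '<?php /* upgrader placeholder */ ?>'  > "$root/wp-admin/upgrade.php"
    echo '<?php /* front controller placeholder */ ?>' > "$root/index.php"
    chmod 777 "$root/wp-content/uploads"   # the loose setting a bad host leaves behind
    chmod 666 "$root/wp-config.php"
    printf '%s\n' "$root"
}

# Apply the checklist to the WordPress root given as $1.
harden_wp() {
    root=$1

    # Baseline rule of thumb: directories 755, files 644.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +

    # Installer and upgrader are not needed once the install/upgrade is done.
    rm -f "$root/wp-admin/install.php" "$root/wp-admin/upgrade.php"

    # Root .htaccess: no directory listings, only index.php/index.html as index
    # files, and no HTTP access at all to wp-config.php. These are Apache 2.2
    # directives; Apache 2.4 needs mod_access_compat or "Require all denied".
    cat > "$root/.htaccess" <<'EOF'
Options -Indexes
DirectoryIndex index.php index.html
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>
EOF

    # wp-config.php holds the database credentials: owner read/write only.
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi

    # Empty index.html in directories WordPress serves no index page for, so a
    # listing is blocked even if PHP or .htaccess processing is broken.
    for d in wp-content wp-content/plugins wp-content/themes wp-content/uploads; do
        if [ -d "$root/$d" ] && [ ! -e "$root/$d/index.html" ]; then
            : > "$root/$d/index.html"
        fi
    done
    return 0
}

# Print the symbolic permission string (e.g. -rw-------) of a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if the tree under $1 satisfies the checklist, 1 otherwise,
# naming each failed item on stderr.
check_wp() {
    root=$1
    ok=0
    for f in wp-admin/install.php wp-admin/upgrade.php; do
        if [ -e "$root/$f" ]; then echo "still present: $f" >&2; ok=1; fi
    done
    if ! grep -q '<Files wp-config.php>' "$root/.htaccess" 2>/dev/null; then
        echo "no <Files wp-config.php> block in .htaccess" >&2; ok=1
    fi
    if [ "$(mode_of "$root/wp-config.php")" != "-rw-------" ]; then
        echo "wp-config.php is not mode 600" >&2; ok=1
    fi
    if [ "$(mode_of "$root/wp-content/uploads")" != "drwxr-xr-x" ]; then
        echo "wp-content/uploads is not mode 755" >&2; ok=1
    fi
    for d in wp-content/plugins wp-content/uploads; do
        if [ ! -f "$root/$d/index.html" ]; then echo "no index.html in $d" >&2; ok=1; fi
    done
    return $ok
}

# Demonstration on the constructed tree.
demo=$(make_demo_tree)
if check_wp "$demo"; then echo "before: unexpectedly clean"; else echo "before: fails the check"; fi
harden_wp "$demo"
if check_wp "$demo"; then echo "after: $demo passes the check"; fi
rm -rf "$demo"
```

Two things to keep in mind before pointing harden_wp at a real root: the .htaccess directives only take effect if the host's AllowOverride permits Options and Limit (otherwise Apache returns a 500 for the whole site), and the 600 on wp-config.php only holds if PHP executes as the file's owner, as noted above.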
As always: Feedback welcome!