4 WordPress Security Tips – Don’t Leave Your Doors Unlocked

July 30, 2009 By: zero2heromn Category: Tips and Tricks


We spend a lot of time thinking about how to write the best content, get more traffic, or earn more money from our blogs. However, it’s important not to let the security of your blog get pushed down to the bottom of your to-do list. Here is a list of quick, easy tasks that will give you a slight advantage against would-be evildoers. These security tips are pretty important, so I’ve made the headlines nice and big to make sure you can read them very clearly.

1. Remove the Admin User

By default WordPress names the administrator user account “admin.” The problem with this is pretty clear: anyone trying to get into your site already has 50% of the combination to your lock, and with a few readily available programs can try to force their way in by brute-forcing your password. So take back the advantage and change your login settings.

If you are still logging in as “admin” then you need to do the following:

Go to WordPress > Users > Add New and fill out the form for your new account.
Next, log out and log back in with your new login.
You may now delete the admin account. Be sure to choose the option to attribute all posts to your new login so you don’t accidentally delete everything.

2. Don’t broadcast what version you are using.

Don’t let it be known which version of any given software you are running; keep the attacker guessing. Once they know your version they can narrow down which exploits to try.

Tip: Find the tag in your header.php that displays your current version of WordPress.

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

Hide your WordPress version by deleting the tag or simply changing it to

<meta name="generator" content="WordPress" />
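Here is a quick way to confirm the version really is gone. This is an added example, not part of the original post: a small POSIX shell function that scans a saved copy of your front page (or of your RSS feed, which also carries the version in a <generator> element that header.php does not control) and reports whether a WordPress version number is still visible. The sample files at the bottom are constructed for the demo, not captured from a real site.

```shell
#!/bin/sh
# Added check, not from the original post: look for the places where
# WordPress prints its version into public output.

# leaks_wp_version FILE
# Returns 0 (true) if FILE still reveals a WordPress version number,
# 1 (false) otherwise.
leaks_wp_version() {
    file="$1"
    # 1. HTML head: <meta name="generator" content="WordPress 2.8.2" />
    if grep -Eiq '<meta[^>]*name="generator"[^>]*content="WordPress [0-9]' "$file"; then
        return 0
    fi
    # 2. RSS/Atom feed: <generator>http://wordpress.org/?v=2.8.2</generator>
    if grep -Eiq '<generator>[^<]*wordpress\.org/\?v=[0-9]' "$file"; then
        return 0
    fi
    return 1
}

# --- constructed samples for the demo (not real site output) ---
leaky_page=$(mktemp)
clean_page=$(mktemp)
leaky_feed=$(mktemp)

cat > "$leaky_page" <<'EOF'
<head>
<meta name="generator" content="WordPress 2.8.2" />
</head>
EOF

cat > "$clean_page" <<'EOF'
<head>
<meta name="generator" content="WordPress" />
</head>
EOF

cat > "$leaky_feed" <<'EOF'
<rss version="2.0"><channel>
<generator>http://wordpress.org/?v=2.8.2</generator>
</channel></rss>
EOF

for f in "$leaky_page" "$clean_page" "$leaky_feed"; do
    if leaks_wp_version "$f"; then
        echo "$f: WordPress version still exposed"
    else
        echo "$f: ok, no version number found"
    fi
done

rm -f "$leaky_page" "$clean_page" "$leaky_feed"
```

Save your front page and your feed with a browser or wget and run the function over each file. If the feed still reports a version, the tag is being printed by WordPress itself rather than by header.php, so editing the theme alone is not enough.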

3. Hide the details about what plugins you use.

In a normal WordPress installation, anyone can request your WordPress plugin folder and see which plugins you have installed.

The path is: http://www.yourdomain.com/wp-content/plugins/

Tip: Put a blank index.html in your /plugins/ directory.

Try it on your own blog and you’ll see your entire plugin directory listing revealed. Just create an empty file in Notepad, name it index.html and drop it in your plugins folder. The folder contents will no longer be visible to the public, which makes it much harder for an attacker to spot a plugin with a known security hole.

4. Guard your wp-admin folder

Put a .htaccess file directly in /wp-admin/. This will limit access to the folder by IP address, and attempts to access any file within it from other addresses will be greeted with a Forbidden error message.

You need to place this file in the /wp-admin folder and not replace or delete the .htaccess file in the root folder of your blog. Though the original author of this tip says the security issue was fixed in recent WordPress versions, it is still a security idea that can help you further protect your wp-admin folder.

Tip: It is easy to block search engines from crawling your wp-admin folder by blocking access via robots.txt file. I added this line
Disallow: /wp-admin/
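The post doesn’t show what actually goes into that .htaccess, so here is an added example (my own, not the original author’s file) that applies tips 3 and 4 together: it drops the blank index.html into the plugins folder, writes an IP-restricted .htaccess into wp-admin, and adds the robots.txt line. It uses Apache 2.2 Order/Deny/Allow syntax and assumes AllowOverride permits Limit directives in .htaccess. The address 203.0.113.10 is a placeholder; replace it with your own. admin-ajax.php is left reachable because some plugins call it from the public side of the site.

```shell
#!/bin/sh
# Added example, not from the original post. Run on the web server:
#   WP_ROOT=/var/www/blog ALLOWED_IP=203.0.113.10 sh harden_wp.sh
# Without those variables it builds the files in a throwaway directory.

# Tip 3: an empty index.html is served in place of an auto-generated listing.
# write_plugins_index WP_ROOT
write_plugins_index() {
    dir="$1/wp-content/plugins"
    mkdir -p "$dir"
    : > "$dir/index.html"
}

# Tip 4: only ALLOWED_IP may reach wp-admin; everyone else gets 403 Forbidden.
# write_wp_admin_htaccess WP_ROOT ALLOWED_IP
write_wp_admin_htaccess() {
    wp="$1"
    ip="$2"
    mkdir -p "$wp/wp-admin"
    cat > "$wp/wp-admin/.htaccess" <<EOF
# Restrict the admin area to one address (Apache 2.2 syntax)
Order Deny,Allow
Deny from all
Allow from $ip

# admin-ajax.php is requested from the public site by some plugins
<Files admin-ajax.php>
    Order Allow,Deny
    Allow from all
</Files>
EOF
}

# Keep search engines out of wp-admin. Creates robots.txt if it is missing
# and does not duplicate the line on repeated runs.
# add_robots_disallow WP_ROOT
add_robots_disallow() {
    f="$1/robots.txt"
    [ -f "$f" ] || printf 'User-agent: *\n' > "$f"
    grep -q '^Disallow: /wp-admin/' "$f" || printf 'Disallow: /wp-admin/\n' >> "$f"
}

# Demo run (constructed paths; 203.0.113.10 is a placeholder address)
wp_root="${WP_ROOT:-$(mktemp -d)}"
allowed="${ALLOWED_IP:-203.0.113.10}"
write_plugins_index "$wp_root"
write_wp_admin_htaccess "$wp_root" "$allowed"
add_robots_disallow "$wp_root"
echo "--- $wp_root/wp-admin/.htaccess ---"
cat "$wp_root/wp-admin/.htaccess"
echo "--- $wp_root/robots.txt ---"
cat "$wp_root/robots.txt"
```

Two caveats worth knowing: the blank index.html only works because Apache serves an index file in preference to generating a listing, so turning listings off server-wide with Options -Indexes is the more thorough fix, and if your own address changes (most home connections do) you will lock yourself out of wp-admin until you update the Allow line over FTP or SSH.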

Now that you know, there’s no excuse for not doing it. I’ll be checking up on each of your blogs to see if you followed my advice, so you best not slack, lest you be hacked.

2 Comments to “4 WordPress Security Tips – Don’t Leave Your Doors Unlocked”


  1. Don’t agree.

  2. Webmaster, nice site! But you’re missing some H2/H3 tags. Check out SEOPressor (linked above,) it auto configures perfect search engine optimization.


1 Trackbacks/Pingbacks

  1. 4 WordPress Security Tips – Don’t Leave Your Doors Unlocked | bllogger 30 07 09