This is a guest post by Robert Regehr.
Are you a full-time blogger earning a living from your WordPress blogs, or an aspiring Problogger with your first taste of the freedom that comes from blogging? There’s a ton of really good advice out there on getting up and running from bloggers like Darren Rowse and Yaro Stark. However, there’s shockingly little on protecting your blogging nest egg. If you rely on income from blogging to support your family you need to secure your WordPress installations immediately. Here are five actionable steps you can take today to make it far harder for hackers to disrupt the income stream you’ve worked so hard to build from blogging.
What’s All The Fuss About? I’ve Never Been Hacked
The default WordPress install is about as secure as a wet paper bag, especially if you make a habit of blogging from your favorite coffee shop. You’ve put in a lot of hard work to enjoy the rewards that come from blogging. The last thing you want is some script kiddie or hacker taking over your site; it’d be like someone breaking into your home and robbing you blind.
I’m sure you’re very careful when shopping or banking on the Internet; would you ever consider logging into online banking or shopping without looking for the “https” in the URL? If you’re like me and blog with a white chocolate mocha on free Wi-Fi, you’re pretty much shouting your username and password to anyone within earshot. Public access points in coffee shops and cafes are far from secure, and you never know who’s sitting across from you with a packet sniffer watching your every move.
Fortunately there are steps you can take to secure WordPress and protect yourself. I’m not just talking about using stronger passwords but actual bank level security for your site. If you’re serious about earning a living from your blogs you simply cannot ignore security when it comes to protecting your online assets.
Step One: Secure Your WordPress Dashboard
When you log into the WordPress dashboard over plain HTTP, your login credentials, and every request after them including the authentication cookie that keeps you logged in, are transmitted in plain text. (Remember, default install = secure as a wet paper bag.) This means your dashboard session can be intercepted and hijacked by anyone on the same network, something I’m sure you’d like to avoid.
The most important thing you can do to secure your blog is install an SSL (Secure Sockets Layer) certificate on your site to protect your admin dashboard. This encrypts all dashboard traffic between your browser and your web host, just as your bank does with online banking, so a sniffer on the coffee-shop Wi-Fi sees only ciphertext.
I’m not going to get into the technical aspects of installing SSL certificates; your web host can do that for you. Think SSL is overkill? I’m not talking about running your entire site on SSL, just the admin. If you’re not securing the WordPress dashboard, everything you do there is being sent in the clear for anyone with a packet sniffer to exploit.
If purchasing a certificate is not within your budget, contact your web host about using their shared certificate. While shared SSL is not as good as buying your own, shared SSL is better than no SSL. If you want to purchase your own certificate there are plenty of affordable options available from companies like Verisign and Comodo. You’ll need a dedicated IP address for your blog unless your host supports SNI (name-based SSL); a dedicated IP may or may not be included in your web hosting plan.
Once your web host has installed the certificate and verified that it’s working correctly, you need to tell WordPress to start using SSL for the dashboard. In your installation root folder locate the file wp-config.php and add this one line to enable SSL for your dashboard:
This will enable SSL for your dashboard; however, you’ll probably see mixed-content warnings: the page itself is served over https, but some scripts, styles or images inside it are still being loaded over plain http, and the browser flags the page as not fully encrypted. Fortunately, there are plugins available to force WordPress to load everything in your dashboard over SSL, eliminating these warnings. I use WordPress HTTPS by Mike Ems and find it does a nice job of forcing SSL for all dashboard content.
You can verify that SSL is working correctly by logging into your WordPress admin in Chrome (or any modern browser): you should see https in the address bar and the green padlock with no mixed-content warning. Also try the plain http://yourblog/wp-login.php address and confirm that WordPress redirects you to the https version.
Step Two: Install WordPress Secret Keys
Hackers can exploit the cookies found on your computer to gain access to your dashboard even if you’re using SSL. WordPress doesn’t store your password in the cookie; it stores a signature computed from your username, an expiry time and a set of secret keys, and anyone who can forge that signature is logged in as you. If the keys in wp-config.php are missing or still set to the sample placeholder, WordPress falls back to keys it stores in the database, which anyone who gets a copy of your database also gets. Fortunately, WordPress allows you to configure your own secret keys for strong cookie-signing goodness, and it’s very easy to enable.
You’ll need to access that wp-config.php file again from the previous step. First, generate your secret keys with the WordPress secret-key generator located here:
You’ll get something that looks like this:
Notice that the keys change every time you refresh the page, so your keys will be unique; don’t share these keys with anyone and please don’t use the ones I’ve shown here. Simply add your keys to your wp-config.php file, replacing any that might already exist, including any left at the “put your unique phrase here” placeholder. (I didn’t have any in my wp-config.php.) That’s it! You’re now protected from cheeky cookie-exploiting criminals, and anyone you do give these keys to can forge a login cookie, so treat wp-config.php as a secret from here on.
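Steps One and Two both end in an edit to wp-config.php, so here they are done together from the shell, as an added example that is not part of the original post. The line Step One refers to is WordPress’s FORCE_SSL_ADMIN constant, and the keys of Step Two are the eight AUTH_KEY through NONCE_SALT constants; both are real WordPress settings. Everything else is this example’s own assumption: the function names (wp_harden_config and friends), generating the keys locally with openssl instead of fetching them from the WordPress.org generator the post links to (any long unpredictable string works), and a wp-config.php that still contains the stock “stop editing” marker line.

```shell
#!/bin/sh
# Added example (not code from the original post): apply Step One
# (FORCE_SSL_ADMIN) and Step Two (unique secret keys) to wp-config.php.
# Assumes POSIX sh, awk, openssl, and a wp-config.php that still has the
# stock "/* That's all, stop editing! Happy blogging. */" marker line.

# The eight WordPress cookie-signing constants.
WP_KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY"
WP_KEY_NAMES="$WP_KEY_NAMES AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character key from the OS CSPRNG. base64 output never contains a
# single quote, so the value is safe inside a PHP single-quoted string.
wp_gen_key() {
    openssl rand -base64 48 | tr -d '\n'
}

# Print the complete block of defines that Steps One and Two add.
wp_hardening_block() {
    echo "define('FORCE_SSL_ADMIN', true);   /* Step One: dashboard over https only */"
    for name in $WP_KEY_NAMES; do
        echo "define('$name', '$(wp_gen_key)');"
    done
}

# Rewrite wp-config.php in place: drop any existing definitions of these
# constants (including the "put your unique phrase here" placeholders) and
# insert fresh ones just above the "stop editing" marker, i.e. before
# wp-settings.php is loaded. Running it twice is harmless (it regenerates
# the keys, which logs everybody out). Returns 1 if the marker is missing.
wp_harden_config() {
    cfg="$1"
    grep -q "stop editing" "$cfg" || { echo "no stop-editing marker in $cfg" >&2; return 1; }
    blk=$(mktemp) && wp_hardening_block > "$blk"
    names=$(echo $WP_KEY_NAMES FORCE_SSL_ADMIN | tr ' ' '|')
    grep -v -E "define\( *'($names)'" "$cfg" |
        awk -v blk="$blk" '/stop editing/ { while ((getline l < blk) > 0) print l } { print }' \
        > "$cfg.new" && mv "$cfg.new" "$cfg"
    rm -f "$blk"
}

# Audit: returns 0 only if FORCE_SSL_ADMIN is on and every one of the eight
# keys is defined with something other than the sample placeholder.
wp_config_check() {
    cfg="$1"
    grep -q -E "define\( *'FORCE_SSL_ADMIN', *true *\)" "$cfg" || return 1
    for name in $WP_KEY_NAMES; do
        grep -E "define\( *'$name'" "$cfg" | grep -q -v "put your unique phrase here" || return 1
    done
    return 0
}

# Usage (source this file, then):
#   wp_harden_config /path/to/wp-config.php && wp_config_check /path/to/wp-config.php
```

Run wp_config_check on its own first: on a stock install it fails, which is exactly the wet-paper-bag state the post describes, and it passes once the block has been inserted. Re-running wp_harden_config rotates the keys, which invalidates every existing login cookie, so do it when you are ready to log back in.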
Step Three: Deny Access to wp-config.php
Now that we’ve enabled SSL and set up secret keys in our wp-config.php, this file holds the database password and the cookie-signing keys, so we need to make sure the web server never hands it out. This is easy to accomplish by editing the .htaccess file found in the root directory of our WordPress install. If you’re not comfortable editing any of the files discussed today, make sure you have someone trustworthy make the changes for you.
You should already have a .htaccess file in your WordPress root directory if you’ve enabled permalinks on the site, so simply add this block to the end of that file (the rule has to be scoped to the one file; a bare Deny from all would lock every visitor out of the whole site):
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
This will prevent anyone from looking at your wp-config.php file using a web browser. On Apache 2.4 the two inner lines are replaced by a single Require all denied. It matters most in the situations where PHP isn’t processing the file, for example a broken PHP handler after a hosting move, or an editor’s backup copy such as wp-config.php.bak that the server would otherwise serve as plain text (use FilesMatch with a pattern instead of Files if you want to cover those copies too). Note that if a hacker gains access to your web host account itself they will have access to everything… which is, of course, very bad.
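The same protection applied from the shell, as an added example that is not part of the original post: one function appends the block to .htaccess (only once, however many times you run it), and a second asks the live site for wp-config.php so you can see the server actually refusing. The block uses a FilesMatch pattern so that backup copies like wp-config.php.bak are covered as well, and carries both the Apache 2.2 and 2.4 spellings; the function names and the marker comment are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original post): protect wp-config.php via
# .htaccess and verify the protection from outside.
# Assumes POSIX sh, curl, and Apache with .htaccess overrides enabled.

# The deny block. FilesMatch "^wp-config\.php" also matches wp-config.php~
# and wp-config.php.bak, which a Files directive for the exact name would not.
# mod_authz_core exists only on Apache 2.4, so the IfModule pair picks the
# right syntax for either version.
wp_config_deny_block() {
    cat <<'EOF'
# Never serve wp-config.php or a backup copy of it (added by wp_protect_config)
<FilesMatch "^wp-config\.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# Append the block to the .htaccess at $1 unless one is already there.
# Creates the file if it does not exist yet (no permalinks enabled).
wp_protect_config() {
    ht="$1"
    if [ -f "$ht" ] && grep -q -i -E '<Files(Match)? +"?\^?wp-config' "$ht"; then
        return 0                     # already protected, leave the file alone
    fi
    { printf '\n'; wp_config_deny_block; } >> "$ht"
}

# Fetch $1/wp-config.php and print the HTTP status code. 403 (or 404) means
# the deny rule works. 200 means the request reached PHP: the source is not
# shown while PHP runs, but the file is one misconfiguration away from being
# served as text, which is exactly the case the deny rule is there for.
wp_config_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1/wp-config.php"
}

# Returns 0 when the live site refuses to serve the file.
wp_config_blocked() {
    code=$(wp_config_status "$1")
    case "$code" in
        403|404) return 0 ;;
        *) echo "wp-config.php answered HTTP $code at $1" >&2; return 1 ;;
    esac
}

# Usage: wp_protect_config /var/www/blog/.htaccess && wp_config_blocked https://yourblog.example
```

Run wp_config_blocked against the https address of your site after the change; if it still reports 200, the host has AllowOverride switched off and the block has to go into the server configuration instead.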
Step Four: Kill the Admin Account
If you’re still using “admin” as your WordPress login, shame on you! The problem with the admin account is that hackers know it exists, so a brute-force attack only has to guess the password, not the username. Most WordPress users don’t bother to change the default settings, reinforcing our notion of security by wet paper bag. If you’re still blogging under the admin account you’re well on your way to getting hacked. Even if you’re not using the admin account but it still exists you’re vulnerable; make sure this account has been deleted from your user list.
Fortunately it’s very easy to delete the admin account. In your dashboard, create another user account with a custom username and grant it the Administrator role. Log out, log into your dashboard using your new account, and delete the old admin account. WordPress will prompt you to attribute all the posts made under the admin account to another user; choose your new account rather than the delete-all option, and check afterwards that the post count under your new user matches what admin had.
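Step Four from the command line, as an added example that is not part of the original post. It uses WP-CLI, a tool the post does not mention, to create the replacement administrator, confirm that it really carries the administrator role, and only then delete admin with every post reassigned, checking the post count afterwards. The function name wp_retire_admin, the password passed in through the WP_NEW_PASS environment variable and the login/e-mail arguments are this example’s own; the wp subcommands and flags are WP-CLI’s.

```shell
#!/bin/sh
# Added example (not from the original post): replace the default "admin"
# account safely with WP-CLI. Assumes WP-CLI is installed as `wp` and the
# script is run from the WordPress root, and that WP_NEW_PASS holds the new
# account's password (so it never appears on the command line or in history).

# wp_retire_admin NEW_LOGIN NEW_EMAIL [OLD_LOGIN]
# Every check happens before the delete; a failure leaves the site untouched.
wp_retire_admin() {
    new_login="$1"; new_email="$2"; old_login="${3:-admin}"

    case "$new_login" in
        ""|admin|"$old_login") echo "choose a login other than '$old_login'" >&2; return 1 ;;
    esac

    # Nothing to do if the old account is already gone.
    if ! old_id=$(wp user get "$old_login" --field=ID 2>/dev/null); then
        echo "no user named '$old_login'; nothing to do"; return 0
    fi

    # Reuse the replacement if it already exists, otherwise create it.
    if ! new_id=$(wp user get "$new_login" --field=ID 2>/dev/null); then
        [ -n "${WP_NEW_PASS:-}" ] || { echo "set WP_NEW_PASS for the new account" >&2; return 1; }
        new_id=$(wp user create "$new_login" "$new_email" --role=administrator \
                 --user_pass="$WP_NEW_PASS" --porcelain) || return 1
    fi

    # Never delete the only administrator: confirm the replacement's role first.
    wp user get "$new_id" --field=roles | grep -q administrator ||
        { echo "'$new_login' is not an administrator; aborting" >&2; return 1; }

    # Count the old account's content so the hand-over can be verified.
    before=$(wp post list --author="$old_id" --post_type=any --post_status=any --format=count)
    wp user delete "$old_id" --reassign="$new_id" --yes || return 1
    after=$(wp post list --author="$new_id" --post_type=any --post_status=any --format=count)
    [ "$after" -ge "$before" ] ||
        { echo "expected at least $before posts on '$new_login', found $after" >&2; return 1; }
    echo "'$old_login' (ID $old_id) deleted; $before posts now belong to '$new_login' (ID $new_id)"
}

# Usage: WP_NEW_PASS='a long random passphrase' sh -c '. ./retire-admin.sh; wp_retire_admin jane jane@example.com'
```

Run it once while logged out of the dashboard; afterwards log in as the new account. If it aborts with "is not an administrator", fix the role in the dashboard and run it again; nothing has been deleted.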
Step Five: Rename The WP Tables Prefix
Another feature of wet paper bag security found in WordPress is that the SQL table prefix is “wp_” by default. Renaming the prefix does not fix a SQL injection bug in a vulnerable plugin; what it does is break the canned attacks that assume the tables are called wp_users and wp_options, so an attacker has to discover your table names before an injection flaw gets them anywhere. Treat it as defence in depth, not as a substitute for keeping plugins updated. This used to be tricky because you’d have to log into phpMyAdmin, rename every table by hand, and also fix the places where WordPress stores the prefix inside the data itself (the user_roles option and the per-user capability keys); miss those and every user is locked out with a permissions error. Fortunately there are a number of plugins that automate the whole process for you. One example of a plugin with this functionality is Secure WordPress:
WordPress Security by Website Defender is free and not only renames that table prefix for you but will perform several security checks on your site, and even back up your database and scan for malware. You can’t beat free when it comes to good plugins, and this one is a must for every WordPress installation. Whichever plugin you use, take a database backup first.
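What a prefix-renaming plugin has to do, done by hand, as an added example that is not part of the original post. The first function prints the SQL for the rename, including the two data fix-ups (the user_roles option and the capability keys in usermeta) that a plain table rename misses, and the second points wp-config.php at the new prefix. The function names, the built-in list of core tables (termmeta only exists from WordPress 4.4; pass your own list, for example from SHOW TABLES, to include plugin tables) and the sample wp-config.php are this example’s own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate the SQL for Step Five
# and update $table_prefix in wp-config.php. Assumes POSIX sh/awk, a MySQL
# client to run the printed SQL, and a database backup taken beforehand.

WP_CORE_TABLES="commentmeta comments links options postmeta posts terms"
WP_CORE_TABLES="$WP_CORE_TABLES term_relationships term_taxonomy termmeta usermeta users"

# Only letters, digits and underscores may appear in a prefix; this also
# keeps the argument from smuggling anything into the SQL we print.
wp_valid_prefix() {
    case "$1" in ""|*[!A-Za-z0-9_]*) return 1 ;; *) return 0 ;; esac
}

# wp_prefix_rename_sql OLD NEW [TABLE...]
# Prints the statements that move every table from OLD to NEW. Renaming the
# tables is not enough: WordPress keeps the prefix inside two kinds of data,
# the options row "<prefix>user_roles" and the usermeta keys
# "<prefix>capabilities" / "<prefix>user_level". Without the two UPDATEs every
# user loses their role after the rename. TABLE... are bare names without the
# prefix; the core list is used when none are given.
wp_prefix_rename_sql() {
    old="$1"; new="$2"; shift 2
    wp_valid_prefix "$old" && wp_valid_prefix "$new" ||
        { echo "prefixes must match [A-Za-z0-9_]+" >&2; return 1; }
    [ "$old" != "$new" ] || { echo "old and new prefix are identical" >&2; return 1; }
    tables="${*:-$WP_CORE_TABLES}"
    for t in $tables; do
        echo "RENAME TABLE \`$old$t\` TO \`$new$t\`;"
    done
    echo "UPDATE \`${new}options\` SET option_name = '${new}user_roles' WHERE option_name = '${old}user_roles';"
    # LEFT() instead of LIKE: '_' is a LIKE wildcard and would over-match.
    echo "UPDATE \`${new}usermeta\` SET meta_key = CONCAT('$new', SUBSTRING(meta_key, $(( ${#old} + 1 )))) WHERE LEFT(meta_key, ${#old}) = '$old';"
}

# wp_set_table_prefix WP_CONFIG NEW
# Rewrites the $table_prefix line. Do this in the same maintenance window as
# the SQL above: the site is broken between the two steps.
wp_set_table_prefix() {
    cfg="$1"; new="$2"
    wp_valid_prefix "$new" || return 1
    grep -q '^\$table_prefix' "$cfg" || { echo "no \$table_prefix line in $cfg" >&2; return 1; }
    awk -v new="$new" '/^\$table_prefix *=/ { printf("$table_prefix = %c%s%c;\n", 39, new, 39); next } { print }' \
        "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
}

# Usage:
#   wp_prefix_rename_sql wp_ blog7_ > rename.sql   # review, then run through mysql
#   wp_set_table_prefix /path/to/wp-config.php blog7_
```

Review the printed SQL before running it, and feed the output of SHOW TABLES (with the prefix stripped) as the table list on a site with plugins, since plugins create tables of their own under the same prefix.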
Securing WordPress Doesn’t Have to be Difficult
There you have it: five actionable steps you can complete today to make sure your blog and income are protected. Talk to anyone who’s had their site hacked and you’ll quickly discover the threat is real. Part of succeeding as a blogger is treating your blog as a serious business; this is why you simply cannot afford to ignore your blog’s security any longer.