With WordPress dominating the market with approximately %55 of the CMS implementations, its a common platform for clients to transition to. Being an open source platform allows the community to provide upgraded features and bug fixes for the product. As these security vulnerabilities arise, they are generally patched quickly. You can take steps to minimize any effect these vulnerabilities have on your site by implementing a simple list of security precautions.
1. Do not leave the administrator account named “admin”. This makes it far too easy for someone to attempt to guess your username by brute force attempt. Additionally to changing your username, you want to make sure the account “alias” is different than the username. The account alias is what shows publicly on your website for posts that you author. The goal is to hide the account name, and changing the alias to something different helps.
Example: Admin Account Name: Mk1982
Example: Alias Name: Miles
2. Use strong passwords people. “12345” or “password” are not secure. Even worse, the 25 top common passwords used by users generally does not change year over year. Due to brute force attempts (repeated automated attempts at guessing your password), you need to come up with a complex password that contains upper and lower case characters, numbers and symbols. An example of this could be a combination of your favorite destination, the year of your car and some symbols.
Login lockdown is a few years old but does an excellent job of looking for failed login attempts and immediately bans that persons IP. It is configurable to allow for a larger amount of failed logins and can unblock IP’s after “x” minutes if you choose. We would certainly suggest this plugin, even if you occasionally forget your password. Blocking malicious users after 12 failed logins is far better than no precautions at all.
Secure WordPress is another simple plugin. This works by removing some WordPress specific information from your site. By removing the version information and login error information from your site, you will not give malicious users anything to work with. If you publish that you are running WordPress 3.1 (released Feb 2011), you can be sure that malicious users will know exactly what security holes you have on your site.
4. Move your wp-config out of your websites document root (generally ./public_html). The nice thing about this is you do not have to make WordPress aware of this change, it will natively look up one directory for this config file. By doing so, you will remove any compromised access to your config file which contains your database connection info, salt keys and other critical info.
Wp-config Location: ./wp-config.php
Wp Location: ./public_html/
Look for next weeks post on completing your WordPress security changes!