WordPress

From WOT Wiki
Revision as of 15:07, 1 September 2010 by Mentalist3d (talk | contribs) (quick guide to WordPress best practices for non technical users in securing their WordPress site.)

As a WordPress user, I have added this page as a guide to some best practices you can adopt to make your site more secure. This guide covers only the basics, for new, non-technical WordPress users. More advanced technical users should follow the WordPress Codex guide, Hardening WordPress: http://codex.wordpress.org/Hardening_WordPress

Keep Up to Date

The first rule is simple: keep WordPress itself, all your plugins and all your themes up to date. Each update is usually released because a bug has been found and corrected, a newly discovered vulnerability has been fixed, or functionality has been improved. It is important to keep every part of your WordPress site current; the most common cause of a site being exploited is an outdated component.

Remove unused features

If you have several themes installed, these can still be exploited whether they are active or not. Once you have settled on a theme for your site, remove any extra themes from your server.

The same is true of plugins: even inactive plugins can still be exploited, so deactivating is not enough. Delete the files of any plugins you no longer use from your server.

Reduce Spam

In the Settings section of the dashboard, it is advised that you disable pingbacks, as these can be abused by spammers. Also make sure all comments require admin approval before being displayed on the site. There is an option that lets a user with one previously approved comment post further comments without prior approval; switch this off, as it is better to approve each comment as it is made.

Recommended Plugins

Akismet Plugin - http://wordpress.org/extend/plugins/akismet/ Comments are checked against the Akismet web service to see whether they look like spam. Any spam comments are moved to a spam folder for you to review later. Very good accuracy rate.

Stop Spammers Registration Plugin - http://wordpress.org/extend/plugins/stop-spammer-registrations-plugin/ Any email address used to register on your site is automatically checked against the Stop Forum Spam database. If a match is found, that address cannot register with your site.

Project Honey Pot Spam Trap - http://wordpress.org/extend/plugins/project-honey-pot-spam-trap/ Invisible links that only bots can see are scattered throughout your blog. The IP addresses of bots that follow them are tagged, and this information is sent back to ProjectHoneyPot.org.

Secure WordPress - http://wordpress.org/extend/plugins/secure-wordpress/ Registered users can have access to a lot of information that would help them if they decided to hack your site. This plugin removes some of that information, and makes some other minor tweaks, such as hiding update notices from non-admins, removing the WordPress version number, and suppressing error information on the login page.

Login Lockdown - http://wordpress.org/extend/plugins/login-lockdown/ Every failed login attempt is logged (IP address and timestamp). If a certain number of login attempts fail within a short time period, the login function is disabled for that IP range for one hour (the default setting).
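To make the lockout behaviour described above concrete, here is a small model of it in Python. It is an added example written for this page, not the Login Lockdown plugin's own code. The failure threshold (5), the time window (5 minutes) and the choice to treat an "IP range" as a /24 block are assumptions, since the plugin description only says "a certain amount" of failures within "a short time period"; the one-hour lockout is the default the plugin description states. The log lines are constructed for the example.

```python
"""Model of a failed-login lockout as described for Login Lockdown.
Added example for this page; not the plugin's own code."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Assumed policy values: the page gives no exact numbers except the
# one-hour lockout default.
MAX_FAILURES = 5                  # assumption
WINDOW = timedelta(minutes=5)     # assumption: "a short time period"
LOCKOUT = timedelta(hours=1)      # plugin's stated default
RANGE_PREFIX = 24                 # assumption: "IP range" modelled as a /24


def parse_ts(text):
    """Turn 'YYYY-MM-DD HH:MM:SS' into a datetime."""
    return datetime.fromisoformat(text)


class LoginLockout:
    def __init__(self):
        self.failures = defaultdict(list)   # ip range -> failure timestamps
        self.locked_until = {}              # ip range -> datetime

    @staticmethod
    def ip_range(ip):
        # Collapse the single address to its /24 block, e.g. 203.0.113.0/24
        return ip_network(f"{ip}/{RANGE_PREFIX}", strict=False)

    def is_locked(self, ip, now):
        until = self.locked_until.get(self.ip_range(ip))
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Log a failed attempt (range + timestamp).
        Returns True if this failure triggers a lockout."""
        rng = self.ip_range(ip)
        window = self.failures[rng]
        window.append(now)
        # Forget failures older than the window so old noise cannot lock a range
        window[:] = [t for t in window if now - t <= WINDOW]
        if len(window) >= MAX_FAILURES:
            self.locked_until[rng] = now + LOCKOUT
            window.clear()
            return True
        return False


# Constructed sample log: "<date> <time> <FAIL|OK> <ip> <username>"
LOG_LINES = [
    "2010-09-01 15:00:00 FAIL 203.0.113.10 admin",
    "2010-09-01 15:00:30 FAIL 203.0.113.10 admin",
    "2010-09-01 15:01:00 FAIL 203.0.113.10 admin",
    "2010-09-01 15:01:30 FAIL 203.0.113.10 admin",
    "2010-09-01 15:02:00 FAIL 203.0.113.10 admin",   # 5th failure: lock /24
    "2010-09-01 15:03:00 FAIL 203.0.113.77 admin",   # same /24, refused
    "2010-09-01 15:03:30 FAIL 198.51.100.5 editor",  # different range, allowed
    "2010-09-01 15:04:00 OK 198.51.100.5 editor",
    "2010-09-01 16:05:00 FAIL 203.0.113.10 admin",   # lock expired at 16:02
]


def replay(lines):
    """Feed log lines through the lockout model.
    Returns (lockout_state, list of IPs whose attempts were refused)."""
    lock = LoginLockout()
    refused = []
    for line in lines:
        date, time, outcome, ip, _user = line.split()
        now = parse_ts(f"{date} {time}")
        if lock.is_locked(ip, now):
            refused.append(ip)
            continue
        if outcome == "FAIL":
            lock.record_failure(ip, now)
    return lock, refused


if __name__ == "__main__":
    state, refused_ips = replay(LOG_LINES)
    print("refused attempts from:", refused_ips)
    for rng, until in state.locked_until.items():
        print(f"{rng} locked until {until}")
```

Note that the lockout applies to the whole /24 range, so a second address in the same block (203.0.113.77 above) is refused even though it never failed itself; that is the trade-off of range-based lockouts, and it is why a legitimate user behind the same network can occasionally be locked out for an hour.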