Securing WordPress
I have had issues with my blog getting hacked. As much as I like WordPress, I don’t think they do a great job of making it very secure out of the box. I had my entire hosting site hacked as a result and later discovered some phishing files sitting out in my uploads directory. There are lots of articles on how to secure WordPress; I just wanted to list a few simple changes I made to help minimize security holes.
First I created a .htaccess file and put it in the root of my WP installation. It simply reads like this:
# Prevents directory listing
Options -Indexes
I uploaded this file to the root of my WordPress install and then set its permissions to 644. This stops anyone from pulling a directory listing of any of your blog directories, which could otherwise reveal files and possible vulnerabilities.
Next I made another .htaccess and put it into my UPLOADS folder. This one looks like this:
# Deny everything in uploads except the listed static file types
Order Allow,Deny
Deny from all
<Files ~ "\.(css|jpe?g|png|gif|js|bmp)$">
Allow from all
</Files>
Again, after uploading the file, set it to 644 permissions. This denies web access to everything in the UPLOAD directories except the listed static file types, so any file sitting there that shouldn’t be (a stray script, for example) can no longer be reached through the browser.
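As an added example (not part of the original post), here is a small POSIX shell audit script that checks both .htaccess files are in place with the expected rule and 644 permissions, then lists every file under wp-content/uploads that the uploads rule would refuse to serve. The WordPress root path and the wp-content/uploads layout are assumptions.

```shell
#!/bin/sh
# Added audit helper (example code, not from the original post).
# Assumes $1 is the WordPress root and uploads live in wp-content/uploads.

# Same allowlist as the uploads .htaccess; kept case-sensitive because
# Apache's <Files ~> matches case-sensitively, so photo.JPG is reported too.
ALLOWED_RE='\.(css|jpe?g|png|gif|js|bmp)$'

# check_htaccess FILE RULE -> 0 if FILE exists, is mode 644 and contains RULE
check_htaccess() {
    f=$1; rule=$2
    if [ ! -f "$f" ]; then echo "MISSING: $f"; return 1; fi
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    if [ "$mode" != "644" ]; then echo "MODE $mode (want 644): $f"; return 1; fi
    if ! grep -q -- "$rule" "$f"; then echo "RULE '$rule' NOT IN $f"; return 1; fi
    return 0
}

# list_denied_uploads DIR -> prints regular files under DIR (except .htaccess)
# whose name does not end in an allowlisted extension, sorted; always exits 0
list_denied_uploads() {
    find "$1" -type f ! -name '.htaccess' | grep -Ev -- "$ALLOWED_RE" | sort
    return 0
}

# audit_wordpress ROOT -> 0 only when both rules are in place and the uploads
# tree contains nothing the uploads rule would deny (stray .php/.html files
# are exactly the kind of phishing files the post mentions)
audit_wordpress() {
    root=$1; rc=0
    check_htaccess "$root/.htaccess" 'Options -Indexes' || rc=1
    check_htaccess "$root/wp-content/uploads/.htaccess" 'Deny from all' || rc=1
    denied=$(list_denied_uploads "$root/wp-content/uploads")
    if [ -n "$denied" ]; then
        echo "FILES THE UPLOADS RULE WOULD DENY (review each one):"
        echo "$denied"
        rc=1
    fi
    return $rc
}

# Usage: sh audit.sh /var/www/html   (the path is an assumption)
if [ -n "${1:-}" ]; then audit_wordpress "$1"; fi
```

Anything it prints under "FILES THE UPLOADS RULE WOULD DENY" is either a file that should not be there or a legitimate upload (such as one with an uppercase extension) that the rule as written blocks, so each line deserves a look.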
Of course, strong passwords on your WP admin account are a must in order to prevent brute force attacks. There are also changes you can make to limit the number of login attempts and lock out potential evil doers.
If you want more comprehensive info, check out http://www.mytradedomain.com/secure-your-wordpress-blog/ or simply Google “secure wordpress upload directory”.