Securing a WordPress blog is pretty simple. If you google the words “How to protect wordpress”, you will find a lot of sites talk about the basic techniques, such as
- Make sure that your WordPress software and other plugins are always up to date
- Enable Akismet to protect your site from spam comment
- Don’t share your WordPress account with others people
While these advices are absolutely correct, but to me (and most other experienced users), these are common sense only. As an advanced user, I am interested in learning more innovative or advanced techniques, rather than some junk collected from WordPress for Dummies.
In the following paragraphs, I am going to show you some advanced techniques that 90% of the WordPress sites have not implemented. They are nothing fancy, just require you to do tweak using terminal. Notice that doing something through terminal (a.k.a. command line) is considered an difficult task to 90% of the people in the world.
Anyway, the techniques I introduce below are targeted to solve the most basic and fundamental security problem that WordPress do not address, because these problems go beyond its capability.
Securing WordPress: Step 1 – Secure your server, at least secure how you login to WordPress Dashboard
WordPress provides an extremely easy way to access the WordPress Dashboard:
It is very handy because you can log in to your website anywhere, as long as you have access to a browser with internet connection. However, it also opens a door to everybody as long as they have your login and password. How? When you login to WordPress, you are sending your login and password to the WordPress server in clear, unencrypted format. Everything are visible to everybody. If someone is interested to steal your information, it is possible.
There are two ways to solve this problem –
1.) Building a secure HTTP server, i.e.,
Notice that it is https, not just http.
Depending on what web server you use to run WordPress. In my case, I use Apache and it is very simple to run a secure Apache server. All I need is to generate a website certificate, apply it to my domain and my secure web server is ready.
There is only one problem – All browsers will complain about your certificate because it is generated by myself, not the other authorities such as Verisign. However, I can ask my browser to ignore that.
If it sounds difficult to you, you can ignore that. The second suggestion below will help solving this problem.
Securing WordPress: Step 2 – Limit the access to WordPress Dashboard
Okay, now you’ve already secure the communication channel between your computer and the WordPress server, and no one can see the login and password in your transaction. Is it enough? Nope. I can still brute-force attack your website by trying all different combination. So, we need to limit the access by IP addresses. Depending on how you access your WordPress blog, if you always access it from certain location, such as home, office or other locations, and if these IP addresses do not change often, this may work for you.
Simply go to the wordpress directory, e.g.,
Make sure that .htaccess exists.
Add the following to the end of the file:
order deny,allow deny from all allow from XXX.XXX.XXX.XXX allow from localhost
Replace XXX.XXX.XXX.XXX by your IP addresses. Here are some examples:
allow from 192.168.1.101 #Allow from this address allow from 192.168.1 #Allow from 192.168.1.* allow from 192.168 #Allow from 192.168.*.*
That’s it! If you want to go further, you can check the IP address inside wp-login.php as well, i.e.,
$IP = $_SERVER['REMOTE_ADDR']; if ($IP != '192.168.1.100') exit();
However, I don’t recommend this way because your codes will get overwritten after upgrading the WordPress.
That’s it. Enjoy building a secure WordPress site.