Blogging is a very good way to make money online. Making money through blogging is sufficient for some people to make a living. I am an example of this. But what happens if that source of income suddenly becomes destroyed? What happens if a building which has been your major income source is suddenly gutted by fire? You know it is a terrible experience.
If you are making money through blogging under the WordPress platform, you should take security steps to ensure that your WordPress blog cannot be taken over by internet thieves. You might never have experienced hacking but you should never wait until you are a victim before you take necessary actions.
Attackers steal site information and destroy data, rendering not only the compromised site useless but, in some cases, the entire server and every other website it hosts.
Here are 13 ways of securing a WordPress blog against hacking:
1) Hide Your Plugins Folder
If directory browsing is enabled, anybody can list the contents of your blog folders containing themes, uploads and plugins. This is a good opportunity for hackers to gain access to your blog and your entire server. Your WordPress plugins are located in http://domainname.com/wp-content/plugins. Hiding the plugin folder is very easy.
There are two ways to do it:
a. Using the .htaccess file – This method disables directory browsing of your site's sensitive files. Using your FTP client, locate the .htaccess file, then right-click to open it with Notepad. After that, add this code:
In some cases, you may not be able to locate the .htaccess file. This depends on the type of FTP client you use. For FileZilla, go to SERVER and click FORCE SHOWING HIDDEN FILES.
b. cPanel – Directory browsing can also be turned off through cPanel. This is very easy if you cannot handle .htaccess files. cPanel displays all of your website files and folders through the "Index Manager". Using the cPanel option, the server automatically creates the necessary .htaccess for you. Some people find the tree-format display of cPanel easier.
Some web hosting companies do not have appropriate security measures to prevent hackers from gaining entry into website files. To see how your hosting company has compiled and configured PHP, simply create a phpinfo.php file. This file displays how your host compiles and configures PHP and gives you a lot of information about any security loopholes.
After you are done with your investigation, make sure you delete the phpinfo.php file so that unauthorized people cannot read it. Most of these settings can be changed through the .htaccess and php.ini files.
2) Define user privileges for your multi-author blog
If the content of your blog is contributed by multiple authors, you need to assign access rights or privileges to each author. To make administration easier, you should install the User Access Manager plugin. It lets you manage access to blog posts, pages and files.
To use the plugin, you just create a user group, put registered users into it and set up the access rights for the group. The post or page will then only be accessible and writable for the specified group.
3) Always upgrade WordPress and plugins to the latest versions
Make sure your version of WordPress is the latest. New versions fix the bugs and security issues of the previous ones. This also applies to plugins. It might be difficult to upgrade everything at once if you have multiple niche blogs. How can you upgrade 100 niche blogs at once? This is a disadvantage of maintaining multiple blogs.
In my own case, I do not just install plugins. I make sure that the ones I install are ones I really need for making the site make money. Not just fancy plugins. I don't install plugins because everyone else is installing them. This makes it easier for me to plan and upgrade all of the WordPress versions and plugins in no time.
4) Do security scans regularly
On a regular basis, do a security scan of your blogs. A security scan reveals whether all website files have the correct permissions (CHMOD). A good plugin for this is the wp-security-scan plugin. It also proposes the correct ways to fix the security loopholes found in any file or folder.
I recommend that you use Website Defender to scan your WordPress blog. If something is not right, Website Defender will send you an email to notify you of any vulnerability found on your WordPress blog.
5) Use Secret Keys in the wp-config file
Hackers are getting wiser every day. They keep finding new ways of hacking websites after each new version of WordPress is released to fix the security vulnerabilities of the previous one. Hence, you need to use security keys in order to put your site under tight security.
Secret keys make a blog much harder to break into: they add random data (a salt) to the way your password and login information are hashed, so an attacker cannot feasibly generate enough guesses to get past your security barriers.
Security keys are single-line definitions in your WordPress configuration file, wp-config.php. If you don't know what the wp-config.php file is, it is the file that stores the name, host address and password of the database that the blog needs to function. The file also stores user details and blog posts. It is in fact the engine that keeps a WordPress blog moving.
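The two checks from steps 1 and 5 can be scripted. The following is an added example, not code from the original post: it verifies that .htaccess disables directory listing, flags wp-config.php keys that are missing, still the sample placeholder, or shorter than an assumed 32-character minimum, and generates fresh keys from a CSPRNG as an alternative to the WordPress key service. The sample files are constructed inline.

```python
import re
import secrets
import string

# The eight key/salt constants WordPress defines in wp-config.php.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFAULT_PHRASE = "put your unique phrase here"  # placeholder shipped in wp-config-sample.php
MIN_KEY_LEN = 32                                 # assumed minimum; WordPress's own generator emits 64
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

def directory_listing_disabled(htaccess: str) -> bool:
    """True if an uncommented 'Options -Indexes' line is present (step 1 of the post)."""
    for line in htaccess.splitlines():
        line = line.strip()
        if not line.startswith("#") and re.match(r"Options\b.*-Indexes\b", line):
            return True
    return False

def weak_secret_keys(wp_config: str) -> list:
    """Names of keys that are missing, still the placeholder, or too short (step 5)."""
    found = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(wp_config)}
    return [name for name in KEY_NAMES
            if len(found.get(name, "")) < MIN_KEY_LEN or DEFAULT_PHRASE in found.get(name, "")]

def generate_secret_keys(length: int = 64) -> str:
    """Emit fresh define() lines from a CSPRNG; paste them over the old ones in wp-config.php."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?"  # no quotes/backslash
    return "\n".join("define('%s', '%s');" % (name, "".join(secrets.choice(alphabet) for _ in range(length)))
                     for name in KEY_NAMES)

# Constructed sample files (not taken from any real site).
SAMPLE_HTACCESS = "# constructed .htaccess\nOptions -Indexes\n"
SAMPLE_WP_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wpdb');\n"
    "define('AUTH_KEY',        'put your unique phrase here');\n"   # untouched placeholder
    "define('SECURE_AUTH_KEY', 'hunter2');\n"                       # far too short
    "define('LOGGED_IN_KEY',   '" + "Qz7!" * 16 + "');\n"           # 64 chars: acceptable
)

if __name__ == "__main__":
    print("directory listing disabled:", directory_listing_disabled(SAMPLE_HTACCESS))
    print("weak or missing keys:", weak_secret_keys(SAMPLE_WP_CONFIG))
    print(generate_secret_keys())
```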
6) Encrypt your login
WordPress has some security weaknesses. One of them is that whenever you log in to your blog, your password is sent unencrypted. The flaw is more serious on a public network, where a hacker can easily capture your login information with login-harvesting scripts.
Encrypting your WordPress login is done with SSL or another secure protocol. The problem is that most people don't have the technical skills to set this up. If you are one of them, you should use the Chap Secure Plugin. The only problem I have noticed with this plugin is that it can give errors even when you have set the parameters correctly.
7) Prevent brute force attack
A brute force attack is when a hacker tries every possible key against encrypted data until the correct one is found. There are many ways of doing this. A script can be written to send automated requests to the system, trying to gain entry to your server with different keys. If a key does not gain entry, another one is automatically generated. The same technique is used for hacking Twitter accounts.
To stop brute force attacks, you should install the AskApache Password Protect plugin. It is designed to stop automated attempts to exploit your blog's vulnerabilities. Another one is the Login LockDown plugin. It limits the number of login attempts from a given IP range within a certain time period. Once a certain number of failed login attempts is reached, the plugin automatically disables the login function for all requests from that IP range.
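The lockout rule described above, applied offline to web-server logs so you can see which clients a plugin like Login LockDown would have blocked. This is an added example, not the plugin's code: it replays constructed Apache combined-log lines and flags any IP that fails to log in five times within a five-minute window (both thresholds are assumed). It also assumes that a successful WordPress login is answered with a 302 redirect, so only non-302 POSTs to wp-login.php count as failures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAX_ATTEMPTS = 5        # failed logins allowed per IP ...
WINDOW_SECONDS = 300    # ... within this sliding window (both assumed values)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Split one Apache combined-log line into (ip, timestamp, method, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_lockouts(lines):
    """Return {ip: time the lockout triggered} for IPs that reached MAX_ATTEMPTS failures."""
    attempts = defaultdict(deque)   # per-IP timestamps of recent failed attempts
    locked = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        # Assumption: a 302 means WordPress accepted the credentials and redirected.
        if method != "POST" or not path.startswith("/wp-login.php") or status == 302:
            continue
        recent = attempts[ip]
        recent.append(when)
        while (when - recent[0]).total_seconds() > WINDOW_SECONDS:  # forget old attempts
            recent.popleft()
        if len(recent) >= MAX_ATTEMPTS and ip not in locked:
            locked[ip] = when
    return locked

def log_line(ip, clock, status):
    """Build a constructed log line (documentation-range IPs, not real traffic)."""
    return f'{ip} - - [10/Oct/2010:{clock} +0000] "POST /wp-login.php HTTP/1.1" {status} 512'

SAMPLE_LOG = (
    [log_line("203.0.113.7", f"13:55:{s:02d}", 200) for s in range(0, 60, 10)]        # 6 failures in 50 s
    + [log_line("198.51.100.2", "13:56:00", 200), log_line("198.51.100.2", "13:56:05", 302)]  # typo, then success
    + [log_line("203.0.113.9", f"14:{m:02d}:00", 200) for m in (0, 7, 14, 21, 28)]     # slow: 7 min apart
)

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock out {ip} from {when:%H:%M:%S}")
```

The slow client never trips the rule because each of its attempts has aged out of the window by the time the next arrives, which is why a lockout plugin alone does not replace a strong password.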
8) Use a strong password
Don't just use any word as a password. Don't use dictionary words, birthdays, the names of your spouse or children, etc. Use a combination of digits, upper- and lower-case letters and special characters that will not be easily remembered by anyone, including you. Write the password down and keep it in your home.
Do not store passwords on your computer. Use a minimum of 8 characters for your password.
9) Protect the wp-admin folder
The wp-admin folder is where the main information directing how your blog functions is kept. Most hackers enter through this folder before gaining access to other files on the server. Use the WP Scan plugin to regularly scan all your blog files and determine which ones are vulnerable. The plugin will reveal if some files do not have the correct CHMOD permissions.
You can also use the AskApache Password Protect plugin. It lets you password-protect the directory and grant access only to authorized people.
10) Remove WordPress version information
Each WordPress version has its security weaknesses. Hackers use the WordPress version of a blog to easily create and launch hacking strategies and bring the blog down in minutes. Therefore, you should prevent the version of your blog from being displayed. If you are using general WordPress themes for your blogs, make sure they do not display your version of WordPress.
To remove the WordPress version info, log in to your WordPress dashboard. Go to Appearance->Editor. Then click on the header.php tab and the file's code will be displayed. Press Ctrl+F on your keyboard and search for this code:
Delete the entire line and click Update File.
11) Do not use “admin” login name
WordPress 3.0+ allows you to choose your own username. The previous versions of WordPress had “admin” as the username. The use of a login name different from “admin” makes it difficult for hackers to use automated means to guess your login information.
12) Back up the WordPress database
Even after taking all necessary security steps, you still need to back up your WordPress database regularly. Anything can happen at any time, and what you thought was secure might not be. The WordPress EZ Backup plugin allows you to create backup archives of your entire site (not just the WordPress installation). It also allows you to back up any MySQL database. Another plugin is the WP-DB-Backup plugin.
This does a complete backup of your core WordPress database and other tables in the same database. You can also schedule the backup process so that the plugin automatically does a backup at your specified time interval.
Most backup plugins have not been updated to declare compatibility with the current WordPress version, 3.0.1, but they still work with it.
13) Don’t download plugins from just anywhere
Plugins are what make the WordPress blogging platform so robust. With plugins, you give your blog the flexibility to fit any internet marketing situation. This is why it is much easier to make money with WordPress blogs than with any other blogging platform or static HTML websites.
However, there are security risks in using plugins. Plugins can contain malicious code that stores your site information and relays it back to the plugin author. This is why you should not just download and install any plugin you find. Do not install plugins unless they are really necessary for the smooth running or survival of your blog in the niche market you are targeting.
There will be never-ending security precautions we can take, but as long as we prepare for the worst, everything will be under control.