I try to keep my WordPress version up-to-date, but before the introduction of the automatic update feature [which was introduced in version 2.8], I was not very comfortable with the whole updating procedure. Because of this updating, my sites had to go offline for quite some time, as I do not have a high-speed internet connection.
Anyway, thanks to this new automatic update feature, we can now update in a flash. So the first thing to do is: make sure your WordPress blog is up-to-date.
Update whenever a new version is available.
A few months back, when I was installing a forum script, I found that we needed to change the free forum script's core files so that it does not show the software version in the source code. So I made the necessary changes to the forum script. I also removed the version display from my WordPress blog's source code.
This is how the WordPress version is shown in the source code:
<meta name="generator" content="WordPress 1.3.3" />
There are many ways to remove this information from the source code. I used to edit a WordPress core file to remove this info, but I no longer do this, as every time I upgraded my WordPress installation I had to edit the file again.
So here is a simple solution. Open the “functions.php” file of the theme that you are using in your blog. Before the closing PHP tag “?>”, put this code:
remove_action('wp_head', 'wp_generator');
Upload this new file, and the WordPress version will no longer be displayed in the source code.
One interesting thing about this security tip was that, a few months after implementing it, I found that people could still see my blog's version in the source code. How?
Simply by opening the source code of the RSS/FEED page(s).
I have seen some sites where this tip is mentioned: they have removed the WordPress version from their main site's source code, but they have not removed it from the RSS/FEED page(s).
I am surprised to see Matt Cutts' blog, where the version appears in his RSS page's source code : )
If Matt Cutts has not removed this WordPress version display from the RSS/FEED page, then maybe this version display is not a threat?
To make sure that no one knows which WordPress version you are using, you need to make the necessary edits for the RSS/FEED and every other page where the WordPress version appears in the source code.
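As an added example (not the original post's code), here is a theme functions.php snippet that covers both the HTML head, as in the post's one-line fix, and the RSS/Atom/RDF feeds where the post found the version still leaking. It goes a step further than the post by also stripping the WordPress version from the ?ver= query string that core appends to enqueued scripts and styles; it assumes a current WordPress where the_generator, script_loader_src and style_loader_src filters and __return_empty_string exist.

```php
// Added example, not from the original post. Paste inside the existing
// <?php ... ?> block of the active theme's functions.php, before the
// closing ?> tag as the post describes.

// 1. HTML head: the same line the post uses. wp_generator() prints the
//    <meta name="generator" ...> tag on normal pages.
remove_action( 'wp_head', 'wp_generator' );

// 2. Feeds: the rss2/atom/rdf/comment feed templates call the_generator(),
//    which runs the 'the_generator' filter before printing. Returning an
//    empty string removes the <generator> element from every feed type
//    (and would also cover the head on its own).
add_filter( 'the_generator', '__return_empty_string' );

// 3. Scripts and styles: core appends ?ver=<WordPress version> to enqueued
//    assets that declare no version of their own, which reveals the same
//    version. Remove the query argument only when it equals the core
//    version, so plugin and theme cache-busting versions are left intact.
function example_strip_wp_version_query( $src ) {
    // Hypothetical helper name; $src is the asset URL passed by the filter.
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_wp_version_query' );
add_filter( 'style_loader_src', 'example_strip_wp_version_query' );
```

After uploading the file, check the page source, /feed/ and a stylesheet URL to confirm the version string is gone from all three.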
One of the most important tips is protecting the wp-admin folder via an .htaccess file.
You should restrict access to the wp-admin folder by IP using this code in the .htaccess file of that folder.
# The Auth* lines are inert placeholders; the IP restriction below does the work.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# Deliberately not wrapped in <Limit GET>: a <Limit GET> block only applies
# to GET requests, so POST requests to wp-admin would bypass the restriction.
# On Apache 2.4 without mod_access_compat use "Require ip 123.45.67.89" instead.
Order deny,allow
Deny from all
Allow from 123.45.67.89
If you want to allow a range of IPs, then write something like this:
allow from 123.45.67
or
allow from 123.45
You may want to allow a range of IPs in case your ISP assigns you dynamic IPs.
I will try to find some more tips.