Many famous blogs have been hacked and defamed before. To avoid the same disaster from happening to your own blog, you can try the tips below to make your Wordpress blog more secure, at least from the view of script kiddies.
Tip 1 :Remove Wordpress ‘version string’ in your theme files
- Go to Wordpress dashboard, click on presentation -> edit themes -> header.php
- Find and remove this.
bloginfo('version')Save the file.
Explanation: Hide the version number of your Wordpress such that it will be hard for hacker to find security loopholes for the specific version of Wordpress.
Tip 2 
lace empty ‘index.html’ file in the plugins folder
- Open Notepad. Click ’save as’ and save the file as index.html (be sure to change the filetype from text files to all files)
- Upload the file to Wordpress plugins folder in your web server.
Explanation: Hide the plugins used by your Wordpress blog. It uses the same concept as above which is to hide security loopholes in the plugins.
Tip 3: Upload a copy of .htaccess file in the wp-admin folder
- Using FTP program or your webserver file manager, go to the root folder of your server and download .htaccess file (set ’show hidden files’ first if you’re using FTP program such as FileZilla)
- Go to your wp-admin folder
- Upload the .htaccess file you’ve downloaded just now.
Explanation: Prevent files in wp-admin from being accessed by hackers by limiting the access to this folder by IP address (means that the access is limited to the server owner/user only).
Thanks to ro.botys for passing us the three Wordpress security tips.
You can also disallow users pretending to be search engine/ search engines from crawling the core Wordpress folders by putting these in your robot.txt file (upload the file to root of your Wordpress installation folder when you’ve finished).
# This rule means it applies to all user-agents
User-agent: *
# Disallow all directories and files within
Disallow: /wp-admin/
Disallow: /wp-includes/
August 20th, 2007 at 11:50 pm
thanks..good info
August 21st, 2007 at 12:25 am
chot: no problem!
August 21st, 2007 at 1:58 am
that is a good info bloganything, I don’t know that the words “bloginfo” can be attacked by hacker.
August 21st, 2007 at 5:08 am
The php tag will produce this when being processed by the web server (check the source page of any Wordpress blog):
meta name=”generator” content=”WordPress 2.xx”
so what we did was just hide the Wordpres version number.
Thanks for visiting.
August 21st, 2007 at 5:50 am
Interesting. Thanks for the tips I’m going to do them now
August 23rd, 2007 at 10:19 pm
[...] Fuad memberi tips untuk menjaga keselamatan blog wordpress anda [...]
August 23rd, 2007 at 11:43 pm
nice…i will dot it right now dude!
August 24th, 2007 at 1:21 am
[...] to bloganything for passing us the three Wordpress security [...]
August 29th, 2007 at 3:33 pm
nice advice on security, its a must for every wordpress blogger
August 30th, 2007 at 8:48 am
Good. But the version number appears in many other files, for example at the top of RSS feeds ! Try the “wp-scanner” tool to see yourself all the version leaks…
So search manually and edit all the files where there is the same piece of code, in order to really hide the version number. When wp-scanner is unable to find the exact version of your blog, you’ll know that it’s okay
Yeah I know, knowing the version number of a blog is not necessarry to try to hack it, but it can slow down hackers…
September 5th, 2007 at 10:59 am
Excellent advice. Speaking as someone who had an earlier version of wp hacked with porn uploaded into uploads folder & site subsequently banned from Google (& still banned, 4 months on) – I am so tuned into this now.
September 26th, 2007 at 1:12 pm
How about a way to remove the WordPress version from feeds… short of hacking the core, that is.
November 5th, 2007 at 7:31 am
[...] ce qui suit, j’essaie de dresser quelques astuces et conseils (trouvés sur Bloganything), pour assurer une sécurité minimale pour les gens qui ont un blog tournant sous [...]
April 29th, 2008 at 7:05 am
For those who are looking to really secure their wordpress installation, have a look at this:
http://tinyurl.com/3jdgaj
It’s a php firewall that you can install on any php/mysql based site, be it wordpress, vbulletin, whatever.
May 1st, 2008 at 7:58 pm
It’s been some time since this post was written, but I wanted to mention that the robots.txt simply does not do any good as far as security is concerned.
‘Good’ spiders and crawlers will surely respect that rule, but if someone (or an evil spider bot) wants to know what you want to hide … there it is.
Summing up, robots.txt does not prevent your content to be viewed, rather the opposite, it will be exposed.
May 5th, 2008 at 6:06 am
[...] upgrading and backing up, there are a number of little things you should do to further protect your [...]
June 5th, 2008 at 1:17 pm
nice tips, will use this for my sites
August 5th, 2008 at 3:49 pm
Gotta agree with Frames on this one. Robots.txt can actually work against you if you include your sensitive context in it. Keep in mind that ANYONE can get at those urls if they want to!
December 1st, 2008 at 12:27 am
Thanks! I’ll try that.
February 24th, 2009 at 6:29 am
cheers Fuad, but I think some of this is a little outdated with 2.7+
I’ve added a security video tutorial which hopefully makes a nice accompanyment to this piece, anyhow.
Must admit, I did include the one about updating to the latest version though! Plus some about my favorite security plugins…
Video How-to: 10 Tips To Make WordPress Hack-Proof
http://guvnr.com/web/blogging/10-tips-to-make-wordpress-hack-proof/
May 5th, 2009 at 12:56 pm
Let us know how it worked out for you webkinz.
-Jack
May 14th, 2009 at 2:32 pm
thank you, I am sick of spammers and I hope that this will stop them
June 15th, 2009 at 3:17 pm
Hmm, Isn’t “secure wordpress blog” an oxymoron?
July 15th, 2010 at 12:31 am
Although these are essential for us to secure our blog, if there’s any hacker who really desperate to hack you, you just cant avoid them…
But we have to do whatever we can!