Thursday, June 05, 2014

Hardening Wordpress blogs to protect yourself from hackers.

You probably have noticed that there are more and more multi-site dashboards becoming available for Wordpress blogs.

I’ve been using one for about a year now and I quite like the way it works.  I got it under Beta and it has steadily been improving to the point that it is now quite useful.  Check it out here .. MainWP.

The main reason given for using these tools is to speed up the process of looking after your various sites.  Essentially you can do all of your site maintenance from on place.

Anything which helps you backup your sites and/or helps you do the required updates regularly is a good idea and helps protect you from hack attack.

This is what the WP Maintenance Robot does was well.  The robot does this from your desktop though so you don’t even have to login to any site nor do you need to install anything on any of your Wordpress blogs.

Just set it going and go do whatever else you need to be doing.  When it’s done you can get your reports, download the backups and your done.

Sorry, still not available right now due to the No Brute Force program development and the changes this brings to your blog.

That’s what I wanted to tell you about in this post.

The one thing that all of these, admittedly useful, dashboards miss out on is the one thing which stops most hack attacks in their tracks is to change the name of the login page.

It’s a simple thing for the hackers to point their hacking program at the wp-login.php page on your site and begin their attempts to break in.  If you are using the default admin password then you have just cut their required workload in half so I’m assuming that you have stopped that one at least.

What the free No Brute Force program does is log into your blog host, not your blog, and renames the wp-login.php page to whatever you want it to be.  You could call it Rumplestiltskin.php if you wanted, I wouldn’t recommend that one, or anything else you like.  It will also make the required adjustments to all the other pages that are required to reflect the new name for your blog to continue to work correctly.

In addition the No Brute Force program modifies the original wp-login.php page to redirect the spammer/hacker attack back on themselves.

You can do this manually yourself if you wish but it’s much easier to use the program and faster.

There is a downside to this change.  If you forget your new login page you’ll have to click on the login link on the front page, if it exists.  Otherwise you might have to have a look on your hosts file list.  Typing in will also redirect to your new login page.

Unfortunately every time your Wordpress site is upgraded the wp-login.php is also upgraded and this removes your protection.  It’s a simple matter to run the program again and restore your protection but you will need to do this for each upgrade, even the automatic ones.

This is the functionality that I am writing into the Wp Maintenance Robot, this will need to have a monitoring script added to make sure that your protections are maintained.

There is one other thing you must install on your blog, the Wordfence plugin is the best additional security you can add to your blog.  Have a look at this video to find out how to set it up.


Pretty easy isn't it?  Do it, this is your blog's protection we are talking about here which is all your hard work.  Don't let some scumbag steal your traffic or content.

Here is some background information for you.

Enhanced by Zemanta

Blog archive