As FrogenYozurt.Com is enjoying increased popularity, I never thought about protecting it from malicious attacks other than spam. See also my post WordPress Tip – Additional Spam Protection.
However, spam is not the only threat. A hacker attack aimed, for instance, at adding unwanted content to your blog can be disastrous. Not only may you lose the work you accumulated over years; the impact on your credibility can also be profound.
There are a few, initial and easy-to-accomplish steps you can take to protect your blog:
1. If you use admin as the username to log in, replace it immediately!
We are all creatures of habit, and we all accept the default username admin. Using admin makes it easier for hackers to gain access to your system: they can concentrate entirely on guessing your password. Create a new user account and give it administrator rights. Use a strong user name and password. Log out, log in as the new user, and delete the existing admin account.
2. Remove the WordPress version information
Hackers may look for known security issues in specific WordPress versions. In the WordPress dashboard click on Appearance->Editor. Look for the line <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> and remove it entirely. It is apparently used for statistical purposes, but it does nothing to protect your blog from hackers. To finish the change click on Update File.
Alternatively, if you prefer some convenience, you can use the Replace WP-Version plug-in. See http://wordpress.org/extend/plugins/replace-wp-version/. This plugin comes in handy when you replace your WordPress theme.
3. Upgrade to the most recent WordPress version
It may sound obvious, but it is nevertheless very important. WordPress does not release separate bugfix patches; all fixes are incorporated in the next full version release (which is why new releases are frequent, to stay current with the latest security issues).
4. Backup your entire blog
You should back up your entire blog, including databases and web site files, at least once a week. This will allow you to revert to an older version if the blog is hacked. You will, though, lose the new posts and any site changes that you made since the last backup. Check whether your ISP offers a backup feature. There is also a WordPress backup plugin available at http://wordpress.designpraxis.at/plugins/backupwordpress/.
5. Copy .htaccess to /wp-admin directory
Use an FTP program or your hosting server's file manager to copy the .htaccess file from your root directory to the /wp-admin directory. This applies the same access restrictions to your blog's admin panel as to your server login, making sure that only the server owner/user can access this directory.
6. Drop empty index.html file in /plugins directory
Create an empty "index.html" file in your text editor (make sure to set the file type to "All files"), and upload it to the wp-content/plugins directory. This hides the contents of this directory, and hence the plugins used by your blog, from any snooping outsider. Hackers may find information on vulnerabilities in certain plugins and use it against you.
7. Avoid sponsored themes
An easy way to get spam links into your blog is by installing an unknown third-party theme instead of getting it from a reliable source (such as the WordPress theme repository). Advertisers often pay theme developers to add outbound links promoting their sites, which can have all sorts of bad effects on your blog. See also http://weblogtoolscollection.com/archives/2007/04/12/on-sponsored-themes/.
8. Check all links in your blog
One way to know if your blog has been hacked is to check all outbound links for any spam redirection. You can do this by searching for "http://" in the source of every page of your blog, making sure there is no funny link lurking anywhere. Firefox makes this job easy with Tools->Page Info->Links.
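The same check can be scripted over a saved copy of a page's HTML. The following is an added example, not code from the original post: it lists every link whose host is not the blog's own (the own-host set and the sample page are assumptions constructed for the example) and flags links sitting inside a display:none container, where injected spam links typically hide.

```python
"""Added example: list outbound links in a page's HTML for spam review (step 8)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: these hosts belong to the blog itself and are not "outbound".
OWN_HOSTS = {"frogenyozurt.com", "www.frogenyozurt.com"}


class LinkCollector(HTMLParser):
    """Collect href/src targets and note whether they sit inside a hidden element."""

    def __init__(self):
        super().__init__()
        self.links = []        # (tag, url, hidden)
        self.hidden_depth = 0  # > 0 while inside an element styled display:none
        self.stack = []        # (tag, was_hidden) for currently open elements

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style
        self.stack.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1
        for name in ("href", "src"):
            if a.get(name):
                self.links.append((tag, a[name], self.hidden_depth > 0))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed void tags like <link>.
        while self.stack:
            t, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break


def outbound_links(html, own_hosts=OWN_HOSTS):
    """Return (tag, url, hidden) for every link whose host is not one of own_hosts."""
    p = LinkCollector()
    p.feed(html)
    return [(t, u, h) for t, u, h in p.links
            if (urlparse(u).hostname or "").lower() not in own_hosts
            and urlparse(u).hostname]


# Constructed sample page: one legitimate external link plus one hidden injected link.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.frogenyozurt.com/wp-content/themes/x/style.css">
</head><body>
<a href="http://codex.wordpress.org/Hardening_WordPress">Hardening WordPress</a>
<a href="/2008/01/some-post/">a relative link</a>
<div style="display: none"><a href="http://cheap-pills.example/buy">cheap pills</a></div>
</body></html>"""

if __name__ == "__main__":
    for tag, url, hidden in outbound_links(SAMPLE):
        print("HIDDEN " if hidden else "       ", tag, url)
```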
More Information
For more detailed information on WordPress security topics see also the post on WordPress.Org: http://codex.wordpress.org/Hardening_WordPress