Hardening your Wordpress blog
October 19th, 2007 | by tk2

I came across a site that teaches bloggers how to harden their blog. Some of the steps might be complicated for newbies, but others are easy enough to apply.
Configure your WP tables
Avoid using the root user to access the WP database. If an attacker gains root database privileges through your blog, they can extend the attack to every other database on the same server (forums, directory listings, etc.). Never grant global SQL privileges to the WP database user; give it privileges on the WordPress database only.
Change your table prefix
Use a unique table prefix such as “7hq2G_” instead of the default “wp_”. This does not remove an SQL injection flaw, but it makes it harder to exploit: many of the exploits scattered around the net hard-code the default prefix, so if the attacker is not 1337 enough to modify the exploit, you’re safe.
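As an added example (not part of the original post, and not WordPress’s own code), here is a small Python audit that parses a wp-config.php, flags the two settings discussed above (a root database user and the default wp_ prefix), and builds the MySQL statements for a database user whose privileges stop at the WordPress database instead of being global. The sample file contents, the database name blogdb and the user name wpuser are made-up values for the demonstration.

```python
import re

# Constructed sample of a wp-config.php showing both weak settings
# (hypothetical values, not taken from any real site).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'blogdb');
define('DB_USER', 'root');
define('DB_PASSWORD', 'hunter2');
define('DB_HOST', 'localhost');
$table_prefix  = 'wp_';
"""

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")
IDENT_RE = re.compile(r'[A-Za-z0-9_]+')        # safe unquoted MySQL identifier
HOST_RE = re.compile(r'[A-Za-z0-9_.%-]+')      # e.g. localhost, 10.0.0.5, %


def parse_wp_config(text):
    """Return (dict of define() constants, $table_prefix or None)."""
    defines = dict(DEFINE_RE.findall(text))
    match = PREFIX_RE.search(text)
    return defines, (match.group(1) if match else None)


def audit_wp_config(text):
    """Return a list of findings for the settings the post warns about."""
    defines, prefix = parse_wp_config(text)
    findings = []
    if defines.get('DB_USER') == 'root':
        findings.append('DB_USER is root: use a dedicated user with privileges '
                        'on the WP database only')
    if prefix is None:
        findings.append('no $table_prefix found')
    elif prefix == 'wp_':
        findings.append("table prefix is the default 'wp_': choose a unique one")
    elif not IDENT_RE.fullmatch(prefix):
        findings.append('table prefix contains characters MySQL will not accept '
                        'in an unquoted identifier')
    return findings


def least_privilege_grant(db_name, user, host='localhost'):
    """Build MySQL statements for a user limited to one database.

    The privilege list covers what WordPress needs to create and maintain its
    own tables; nothing is granted ON *.* (the global scope the post warns
    against). Inputs are validated so they cannot break out of the quoting.
    """
    for value in (db_name, user):
        if not IDENT_RE.fullmatch(value):
            raise ValueError(f'unsafe identifier: {value!r}')
    if not HOST_RE.fullmatch(host):
        raise ValueError(f'unsafe host: {host!r}')
    privs = 'SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX'
    return [
        f"CREATE USER '{user}'@'{host}' IDENTIFIED BY '<choose-a-strong-password>';",
        f"GRANT {privs} ON `{db_name}`.* TO '{user}'@'{host}';",
        'FLUSH PRIVILEGES;',
    ]


if __name__ == '__main__':
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print('FINDING:', finding)
    db = parse_wp_config(SAMPLE_WP_CONFIG)[0].get('DB_NAME', 'blogdb')
    print('\n'.join(least_privilege_grant(db, 'wpuser')))
```

Run it against your own wp-config.php by reading the file into audit_wp_config; an empty list means neither weak setting is present. The GRANT it prints is scoped to one database only, which is the concrete form of “never set global SQL privileges”.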
Change the Admin username
The objective is the same as above. Keeping the default username exposes your blog to user enumeration and brute-force attacks.
Add a .htaccess to wp-content and wp-includes
Create a .htaccess file containing the following (Apache 2.2 syntax):

# Deny direct requests to everything in this directory...
Order Allow,Deny
Deny from all
# ...except static assets: stylesheets, images and JavaScript
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>

This denies direct access to every file except CSS, images and JavaScript. Use straight quotes and escape the dot in the pattern so it matches a literal “.”; on Apache 2.4 the equivalent directives are Require all denied and Require all granted. A plugin that serves PHP files from wp-content directly may need its own Allow exception.
There are many more tips, including a plugin that makes changing the table prefix easier. For details, you can read it here. Don’t forget to scan your blog for vulnerabilities using the WP scanner.
There’s a new exploit found [1st one] in WordPress 2.3 Dexter which lets an attacker flood your blogroll with spam links. Scary, huh? Better patch it soon.
P/S: I can’t find any point in adding an index.html to your plugin folder; I don’t see how it increases your blog’s security.
:-/
Tags: wordpress 2.3 secure
