WordPress is the most popular blog platform in the world. This is convenient because you have a big community when you need a helping hand, but the other side of the coin, WordPress is also a target of choice for hackers of all kinds. As a result, safety is a point to which special attention must be paid. I do not think you learn much since the net is full of articles explaining how to secure your blog. Why do I write a nth in this case? It’s not that I find them null or incomplete, but when talking about security, very often, you are brought with great principles, accompanied by doing that, and then that, install this plugin … It’s good you are armored. So you have not quite understood why you have to do this or that, and it’s a shame, because on the one hand you will certainly forget certain points, on the other hand, you lose an opportunity to learn stuff, and that’s a shame, is not it? So let’s put ourselves in the shoes of an ugly pirate and try to attack your blog to better understand the parades. Are you ready? Let’s go!

Choosing good passwords

You would be surprised to see the number of blogs having login and password admin / admin or admin / 1234. If I wanted to get into your home, the first thing I would do is try these simple passwords. If my attempt is not immediately successful, I would add a layer using a dictionary attack for the login admin as well as the one corresponding to the author of the articles of the blog.

Three lessons to be learned here:

  • Do not use admin as login, this is the first thing a pirate would think
  • Make sure that the nickname that appears when you post articles is not the same as your wordpress login. You can assign a nickname to your account: user -> your profile -> pseudonym
  • Find a good password!! We will never repeat it enough, but in one case a logical password (your date of birth etc …) will be found quickly if the attacker takes the trouble to think about it, in the other case, the passwords will not resist a dictionary attack

It may also be useful to limit the number of attempts to connect from the same IP address – just like the pin code on your phone. This will enable to thwart the dictionary attacks. There is the LockDown Login plugin . Please note that if you are a disabled person and you are not sure of remembering your password, you will have to call your customer service to have the PUK code sent to you. You will have to wait a few moments before you can try again.

Access to the WordPress administration interface does not give access to the server itself, it may just make things easier. One of the first things an attacker will do if he can access the admin interface is to inject code into your theme to gain access to the server.

This is made possible by the “Editor” functionality found in the “Appearance” menu. This convenient feature allows you to edit WordPress files directly from WordPress itself. This is great for small CSS changes for example. But as every piece with two faces, this practicality has its setbacks in terms of safety. I advise you to disable this functionality via this small line in the wp-config.php:

define ('DISALLOW_FILE_EDIT', true);
( 'DISALLOW_FILE_EDIT' , true );

Keep WordPress up to Date

The flaws of older versions of WordPress are known, so it is important to make updates to the CMS as soon as they appear. And for good reason, having an old version of WordPress with proven flaws is a bit like spinning the intrusion instructions to your enemies, there’s more than sneaking into the security flaw, you admit that it is a little con …

Some advocate hiding the version of WordPress, I do not really find it useful if you respect the advice above and you are always up to date. It can even be a deterrent to proclaiming that you’re up to date, it’s a bit like the bad sign /! \ Dog hanging on your neighbors’ gate! And as our politicians would say so well, when we have nothing to hide …

Regular updates are also valid for themes as plugins, as they are also potentially flawed.

WordPress in its recent versions allows to automate the updates. For this, everything happens inwp-config.php

// allow all auto majors (major and minor)
define ('WP_AUTO_UPDATE_CORE', true);( 'WP_AUTO_UPDATE_CORE' , true ); 

// automate only minor majors// automate only minor majors
define ('WP_AUTO_UPDATE_CORE', 'minor');( 'WP_AUTO_UPDATE_CORE' , 'minor' ); 

// and to forbid everything// and to forbid everything
define ('WP_AUTO_UPDATE_CORE', false);( 'WP_AUTO_UPDATE_CORE' , false ); 

And to activate the automatic updates for themes and plugins, you must place a filter in function.phpyour theme:

// activate plugins update
add_filter ('auto_update_plugin', '__return_true');( 'auto_update_plugin' , '__return_true' ); 

// activate the update of themes// activate the update of themes
add_filter ('auto_update_theme', '__return_true');( 'auto_update_theme' , '__return_true' ); 

However, if it remains globally safe to automate the updating of the heart of WordPress, it is a little more risky to automate that of the plugins, especially if you have many and / or exotics…

The ideal is of course to make the updates manually and to check that everything works to resolve as soon as possible a possible bug. However, if you are an idle type with the maj, it may be better to take the risk of having a bug because of it than to have a gaping hole publicly known.

Pamper sensitive files

Some files contain particularly sensitive information. In this case, wp-config.phpit contains the admin and the password of your database, the prefixes of your tables etc … So much to say that it is not to be made available to everyone. Otherwise, just display the info directly in your header. Prevent anyone from accessing these files by making a good setting of your .htaccess:

Update: after a few remarks in the comments, thanks to JM and Scout123, normally, wp-config.phpeven if it is accessible, will display nothing in the browser since the php is interpreted and that the code is not supposed to display whatever. On the other hand, as the Scout123 note, if the php module crashes while apache remains in function (it could be the result of an attack …) then the php page would be displayed as is by apache. So even if all this is unlikely, a little extra security costs nothing!

<Files wp-config.php>   wp-config . php >  
order allow, deny  
deny from all  
</ Files></ Files>

Normally, if your server is configured correctly, it is not possible to access the .htaccess. If this is not the case, proceed as above, replacing wp-config.phpwith .htaccess.

Also, remember to prevent the listing of your records if it is not already done. Without that, we could walk in your tree looking for clues likely to give us a boost to come and give you a cuckoo, go directly to see the plugins that are installed in your home would be a good start. To prevent this, return to .htaccess:

Options All -Indexes
 All - Indexes

Restrict Access to the Administration Interface

This is not an imperative, but it is a plus for security. You can put one .htaccessthat restricts access to your entire admin folder. In this way, if someone wants to try to guess your password, or wants to try a dictionary attack, he will first have to cross this first security lock. If you want to put this in place, it’s very simple, we’ll still call in .htaccess, but this time we’ll create a new one, which we’ll put in the admin folder:

AuthUserFile path-absolute / .htpasswdpath - absolute /. htpasswd
AuthName "Guess what!"AuthName "Guess what!" 
AuthType BasicAuthType Basic 
Require Valid-UserRequire Valid - User 

You must then create a file .htpasswd(you can name it as you want, everything is consistent with AuthUserFile), in which you will put your login and your password like this:

Username password
: password

Note: it is possible to encode the password in MD5 (unless you are hosted at Free), you simply need to use an MD5 encoder and paste the hash MD5 instead of the password.

Finally, you can place this file where you want. Do not forget to fill in the absolute path to the file. Be careful, this is a server path and not an internet path. To find it, you can create a php file that will tell you the path. Name your file path.php, place it where you want to put it .htpasswdand access it via your browser. You just have to copy / paste this path in your .htaccessby replacing chemin.phpwith. htpasswd!

<? Phpphp
realpath ( "chemin.php")( "path.php" )

Shield does not exist

We can do whatever we want, the 100% secure does not exist in computer science, you have to know it and live with it, that’s all. What? it does not put a little spice into your life all of a sudden ?! Anyway, what is certain is that it is very wise (I impose it, but it is true that if you like the danger … free to you) to make regular backups of its database in order to be able to restore it in case of piracy. Similarly, remember to back up your uploads folder, which contains all the multimedia files of your articles!

I think we’ve pretty much gone around. If I forgot something, tell me. And good blogging!


With a natural and eclectic curiosity, internet surfer, I am interested in everything related to digital: from programming to entrepreneurship, via webmarketing and social networks.

Pin It