7 Easy Ways to Secure WordPress

WordPress is an excellent application used the world over. Unfortunately, this also makes it a target for hackers. There are some very simple, completely non-technical steps you can take to help secure your WordPress blog.

1. First things first. Eliminate all known vulnerabilities. Now.

Update your WordPress installation to the latest version. This is the absolute most important and most effective first step. Do it now.

2. Don’t make your WordPress blog so easy to target

Install WordPress in a folder rather than in the document root. This makes it slightly more difficult for large-scale hackers to find your system files. There are so many root installations of WordPress to keep hackers busy that the effort of finding subfolders is usually not worth the return.

3. Do not delete the admin account. Yes, you read it correctly.

To secure admin, create a new administrative user, then downgrade the admin account to subscriber. This will make it impossible for a hacker to administer your site using admin. Because the admin account is not deleted, the hacker is kept busy trying to guess its password and the focus stays away from the ‘real’ administrator account.

4. Control failed login attempts.

Lock the account after a number of failed attempts. This will render dictionary attacks on your account pointless for the hackers. Use a plugin such as Login LockDown to control failed login attempts.

5. Implement easy everyday plugin security

Use some WordPress security plugins such as Stealth login, AskApache password protect and WP security scan.

6. If they get in – don’t let them take you out

Take regular backups. Should a hacker gain access, at least you won’t permanently lose your site. You will be able to restore, tighten up and continue. Don’t let them take you out!

7. Honestly, this is the step that is most often ignored

Have an absolutely ridiculously difficult to guess password. Have some numbers, uppercase and lowercase letters and maybe a punctuation mark or two. They’ll never guess it – maybe not even with a quantum computer.

Security is an ongoing job; it is never complete. There are other ways to further secure your blog, such as file permissions and .htaccess with IP restrictions, but these are a little more technical. So, be on the lookout for part 2.

We hope you enjoyed this article and found the information useful. Happy blogging!

WordPress Error: Unable to create directory /wp-content/uploads/

To resolve errors uploading to WordPress, e.g. new themes, please try the following steps:

  • In WordPress Settings/Media (or Settings/Miscellaneous depending on your version) change upload folder from “/wp-content/uploads” to “wp-content/uploads” – i.e. remove the leading forward slash.
  • Set wp-content to 775
  • Set wp-content/uploads to 777

That should solve the problem.

WordPress upgrade fails, “Could not copy file: /var/www/wordpress/wp-activate.php”

Have you logged into WordPress, seen the message “WordPress update available, click here to upgrade”, clicked “here”, waited, and then had the upgrade fail?

This is a common problem so we would like to post the solution for our clients:

1) Ensure that your FTP user is the owner of your WordPress install directory. This is most likely not the problem unless you have your own dedicated server and installed WordPress as the root user.

2) Ensure that your WordPress directory has the correct permissions: it should be 755. This is the most probable problem. Change the permissions to 755 and then try the WordPress upgrade again.

If your FTP user is not the owner of your WordPress directory OR your WordPress directory has permissions other than 755, your WordPress install/upgrade will fail with the message “Could not copy file: /var/www/wordpress/wp-activate.php”.
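
A read-only check for the two conditions listed above (directory owner and mode 755), plus a listing of world-writable directories such as an uploads folder set to 777. This is an added example, not part of the original post; the function names are hypothetical, and the directory and user are whatever the caller passes.

```shell
#!/bin/sh
# Added example: audits ownership and permissions only; nothing on disk is changed.
# Function names are hypothetical; pass your own install directory and FTP user.

# Prints one finding per line.
# Returns 0 if both upgrade preconditions hold, 1 if not, 2 if the path is missing.
check_wp_upgrade_perms() {
    wp_dir=$1
    owner=$2
    rc=0

    if [ ! -d "$wp_dir" ]; then
        echo "MISSING: $wp_dir is not a directory"
        return 2
    fi

    # Condition 1: the FTP user must own the install directory.
    # -prune limits find to the directory itself (no descent).
    if [ -z "$(find "$wp_dir" -prune -user "$owner" -print 2>/dev/null)" ]; then
        echo "OWNER: $wp_dir is not owned by $owner"
        rc=1
    fi

    # Condition 2: the install directory must be exactly 755.
    if [ -z "$(find "$wp_dir" -prune -perm 755 -print)" ]; then
        echo "MODE: $wp_dir is not 755"
        rc=1
    fi

    return $rc
}

# Lists every directory under $1 that any local user can write to
# (for example an uploads folder set to 777), so each can be reviewed.
list_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Usage: sh check.sh <wordpress-dir> <ftp-user>
if [ $# -eq 2 ]; then
    check_wp_upgrade_perms "$1" "$2"
    list_world_writable_dirs "$1"
fi
```

On shared hosting, every directory the second function prints is writable by other accounts on the same server.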