How Far Do You Take Blog Security?
When it comes to blogging, more and more of us are doing it. Not only is it a great way to communicate with your readers, but search engines love them! And if everyone else can do it, then why shouldn’t you be able to join them too? – Keeping it updated regularly with new content is one thing though!
The other?… Security!
Because WordPress is Open Source, it means that the script is available to everyone to download for free, and this includes hackers! The developers work hard to provide a script with many benefits for people like ourselves. During the time I’ve used WP, there have been numerous security fixes, and also updates.
Just how many people think about how secure their blog is? Chances are that it has slipped our minds, or we just don’t know what to do to make it secure!
So here are a few things that you can easily do, which will hopefully stop any potential hacker from wanting to hack your blog. Don’t give them an easy way in!
1 – Remove The WordPress Generator Tag
If you’ve never taken a look at the source code of your blog, then why not go and do that now? Depending on what theme you are using, this could vary, but around line 10 you should see something like this?…

Talk about making it easy for a hacker to see if you’re running on the latest version or not. However it’s easier than you thought to solve! – Just delete it!
In the header.php file in your Theme Editor just find the code, remove it, and hit save. Deleting it has no effect on how the blog works; as the comment beside it says, it’s only there for some kind of stats!
You’d think that was it, but you would be wrong. Go have another look at your source code and see if you can spot it? Now this IS going to vary, but for me at the time of writing, on line 34 I could see the same thing. The only difference this time was the fact it didn’t display the bit about stats!
Over in your theme’s functions.php file, we just need to add one line of code. At the end of the file, hit return (enter) twice, paste the code in, and remember to save the changes.
<?php
// Empties the string that wp_head() prints for the generator tag.
// An anonymous function is used instead of create_function(), which is removed in PHP 8.
add_filter('the_generator', function () { return ''; });
?>
Go back to your blog homepage and view the source again. If you’ve done everything correctly, you should see that the generator tag has been completely removed. You can also confirm that by searching the source for it!
I know there are plugins out there, many in fact, that do the same job, but what’s the point of having more active plugins and extra files uploaded to your server? A hacker might find an exploit in the plugin, and it’s one more thing you have to remember to update if it ever needs it.
Yes, if you decide you want to change your theme, you will need to make sure the new theme’s files have this code inserted. But what’s that if it takes you an extra 30 seconds?
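Rather than eyeballing the source, the check can be scripted. This is an added example, not code from the post or from WordPress: it scans a saved copy of a page’s source for the <meta name="generator"> tag that the theme and wp_head() print, and for the <generator> element that feeds carry. The HTML and feed samples inside it are constructed, and the version number in them is made up for the demonstration.

```python
# Added example (not from the original post): scan saved page source for
# WordPress version disclosure, i.e. <meta name="generator" ...> in HTML
# and <generator>...</generator> in RSS/Atom feeds.
from html.parser import HTMLParser
import re


class GeneratorTagFinder(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if attrs.get("name", "").lower() == "generator":
            self.found.append(attrs.get("content", ""))


def find_generator_disclosures(source):
    """Return every generator string disclosed in HTML or feed source.

    The <meta> form is picked up by the HTML parser; the feed form
    <generator>...</generator> is XML, so it is matched with a regex.
    """
    finder = GeneratorTagFinder()
    finder.feed(source)
    feed_tags = re.findall(r"<generator[^>]*>([^<]*)</generator>", source, re.I)
    return [s.strip() for s in finder.found + feed_tags if s.strip()]


# Constructed sample: what a theme of the era printed before the fix.
BEFORE = """<html><head>
<meta name="generator" content="WordPress 2.5" /> <!-- leave this for stats -->
<title>Example blog</title>
</head><body></body></html>"""

# Constructed sample: the same page after header.php and functions.php were edited.
AFTER = """<html><head>
<title>Example blog</title>
</head><body></body></html>"""

# Constructed sample: an RSS feed discloses the version through <generator> too.
FEED = "<rss><channel><generator>http://wordpress.org/?v=2.5</generator></channel></rss>"

if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER), ("feed", FEED)):
        print(label, find_generator_disclosures(src))
```

Run it against the homepage source and the feed source saved from your own blog; an empty list for both means the filter is doing its job, and a non-empty list for the feed is a reminder that the tag appears in more than one place.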
2 – Change The Default Admin User
Unless you’ve used Fantastico to install WordPress, there’s a good chance you’ll need to modify the database. At least that’s what most would think. There are in fact a couple of other ways you can achieve the same result, or a similar one.
The easiest option by far is to create another user from within the admin area, and make sure you assign it administrator privileges too. With that done, log out, and then log back in again with the new details.
What we are going to do is delete the other account, the one with the username ‘admin’ that WordPress always seems to create by default! I don’t know why they can’t just have a field in the setup for the user to pick their own username. There must be a logical reason that I’m not aware of.
Moving on!… When you delete the old user, you’ll be asked what you want to do with the post(s) currently assigned to the user you are planning to delete. There is an option where you can say that you’d like them moved over to the other admin. Select that, and confirm that you wish the user to be removed!
If you’d rather not create a new user then you can always use a plugin. As with any other plugin, you upload it to your /wp-content/plugins/ directory and activate it within your admin area. When you go in to edit the user, there will be another field that allows you to change the username to whatever you like! Once the changes have been made, you can deactivate the plugin and delete it from the plugins folder again.
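For anyone who wants to see what the dashboard is doing to the database in those three steps (new administrator, posts reassigned, ‘admin’ deleted), here is an added example that is not part of the post or of WordPress. It runs the same SQL against a constructed, cut-down copy of the wp_users, wp_usermeta and wp_posts tables in an in-memory sqlite3 database, so it works without a WordPress install; the real tables have many more columns, and your table prefix may not be wp_. The login name site_owner is a placeholder.

```python
# Added example (not from the original post): the "replace the default admin"
# procedure as SQL against a constructed, simplified WordPress schema.
import sqlite3


def make_demo_db():
    """Build a tiny WordPress-like database that still has the default 'admin' user."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT UNIQUE);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER, post_title TEXT);
        INSERT INTO wp_users VALUES (1, 'admin');
        INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_posts VALUES (1, 1, 'Hello world'), (2, 1, 'Second post');
    """)
    return db


def replace_default_admin(db, new_login):
    """Create new_login as an administrator, move admin's posts to it, delete 'admin'.

    Returns the new user's ID. Raises ValueError when there is no 'admin' account,
    so the steps are never silently repeated on a database that was already fixed.
    """
    old = db.execute("SELECT ID FROM wp_users WHERE user_login = 'admin'").fetchone()
    if old is None:
        raise ValueError("no default 'admin' account found")
    old_id = old[0]
    with db:  # one transaction: either all steps happen or none do
        cur = db.execute("INSERT INTO wp_users (user_login) VALUES (?)", (new_login,))
        new_id = cur.lastrowid
        # wp_capabilities holds a serialized PHP array; copying the old account's
        # row gives the new user the same administrator role.
        db.execute(
            "INSERT INTO wp_usermeta SELECT ?, meta_key, meta_value FROM wp_usermeta WHERE user_id = ?",
            (new_id, old_id),
        )
        # "Attribute all posts to" the new administrator, as the delete screen offers.
        db.execute("UPDATE wp_posts SET post_author = ? WHERE post_author = ?", (new_id, old_id))
        db.execute("DELETE FROM wp_usermeta WHERE user_id = ?", (old_id,))
        db.execute("DELETE FROM wp_users WHERE ID = ?", (old_id,))
    return new_id


def audit(db):
    """Map each login name to the number of posts it owns, for checking the result."""
    rows = db.execute("""
        SELECT u.user_login, COUNT(p.ID)
        FROM wp_users u LEFT JOIN wp_posts p ON p.post_author = u.ID
        GROUP BY u.ID ORDER BY u.ID
    """).fetchall()
    return {login: count for login, count in rows}


if __name__ == "__main__":
    demo = make_demo_db()
    print("before:", audit(demo))
    replace_default_admin(demo, "site_owner")
    print("after:", audit(demo))
```

The point of the transaction and the reassignment step is the same one the post makes: if you delete ‘admin’ without moving its posts first, the posts lose their author, and if anything fails halfway you want the database left as it was.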
3 – Overloading Your Blog With Too Many Plugins
I’m not going to dispute that having plugins on your blog can be great. Most of the time they are there to provide a feature that the script currently doesn’t have. I use plugins here on Mark-McWilliams.com which can sort SPAM out (Akismet) and also one for managing my Top Commentators you can see in the sidebar.
Some plugin owners decide they aren’t going to update it anymore, which is just asking for trouble. Hackers look for all kinds of ways to ‘get in’ and having an old plugin is just what they are looking for. There might be an exploit, and absolutely anything could happen to your site.
The point I’m trying to make is, if there are any plugins you aren’t using at the moment, then WHY are they still on your server? While I know you might want to keep them for later use, what’s wrong with taking a note of its name, so that when you need it you can download the latest copy? – Just a thought!
4 – Upgrade WordPress When A New Version Becomes Available
Whenever I see the notice in my dashboard informing me of a new release, I always make sure about upgrading as soon as I can. But before I do, I’ll read the post that is normally published on the WordPress Development blog which tells us what’s new and what’s not.
If I think there could be a problem with the new version working with my theme, then I’ll get the updates for it first, before I think about updating the blogging software. Sometimes I’ve waited a couple of days, but at least it’s done, and as early as I could manage.
Hackers are going to find ways in through things in older versions, and they’ll go searching for blogs that still run on that particular version, then do whatever they do, and move on to the next one.
5 – Install The WordPress Database Backup Plugin
As with other things in life, if a hacker is going to come and hack your blog then they will. (They will try their hardest to get what they are after!) This plugin is brilliant, as it can be set up to email you a copy of the database every day at a specific time.
Say for example something did happen to Mark-McWilliams.com and it couldn’t be sorted by re-uploading the WordPress core files, or just deleting the index.html file which they have uploaded, then at least I can fall back to the last backup of the blog.
This saves me all the hassle, and I don’t have to remember about doing it all myself. Just imagine how long it could take you to do it yourself, and how long it takes the plugin. I prefer the plugin, and find it very handy!
With this post, I hope it’s given you a little insight into thinking about your blog security, and how changing/editing some of the smaller things could be just what you need to deter a potential hacker from targeting your blog!… If you’ve got anything else to add, then please do in the comments section below!
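A daily emailed copy only helps if the copy is usable when you need it. The following is an added example, not part of the post or of the backup plugin, showing the checks worth running on a dump before trusting it: it decompresses the file if gzipped, confirms that the tables you care about were actually dumped, checks the dump was not cut off mid-statement, and records a SHA-256 so you can tell copies apart. The SQL dump inside it is constructed and does not reproduce the plugin’s own format.

```python
# Added example (not from the original post): sanity checks for a SQL
# database backup before it is relied on for a restore.
import gzip
import hashlib
import re

REQUIRED_TABLES = ("wp_users", "wp_posts", "wp_options")


def verify_backup(blob, required_tables=REQUIRED_TABLES):
    """Check a (possibly gzipped) SQL dump and return a report dict.

    - a truncated gzip stream makes gzip.decompress raise, which is the right outcome;
    - every table in required_tables must have a CREATE TABLE statement;
    - the last line must be a complete statement or a comment (not cut off);
    - the SHA-256 of the plain SQL identifies the backup regardless of compression.
    """
    raw = gzip.decompress(blob) if blob[:2] == b"\x1f\x8b" else blob
    text = raw.decode("utf-8", errors="replace")
    created = set(m.group(1) for m in re.finditer(r"CREATE TABLE\s+`?(\w+)`?", text, re.I))
    missing = [t for t in required_tables if t not in created]
    last_line = text.rstrip("\n").splitlines()[-1] if text.strip() else ""
    complete = last_line.rstrip().endswith(";") or last_line.startswith("--")
    return {
        "bytes": len(raw),
        "tables": sorted(created),
        "missing": missing,
        "complete": complete,
        "sha256": hashlib.sha256(raw).hexdigest(),
        "ok": not missing and complete,
    }


# Constructed sample dump (not the plugin's real output).
GOOD_DUMP = b"""-- constructed sample dump
CREATE TABLE `wp_users` (ID bigint(20), user_login varchar(60));
INSERT INTO `wp_users` VALUES (1, 'site_owner');
CREATE TABLE `wp_posts` (ID bigint(20), post_title text);
INSERT INTO `wp_posts` VALUES (1, 'Hello world');
CREATE TABLE `wp_options` (option_name varchar(64), option_value longtext);
INSERT INTO `wp_options` VALUES ('siteurl', 'http://example.com');
"""
# Same dump gzipped, as a mailed backup usually is.
GOOD_DUMP_GZ = gzip.compress(GOOD_DUMP)
# Simulate a dump that was cut off mid-statement (e.g. a timed-out run).
TRUNCATED_DUMP = GOOD_DUMP[:-40]

if __name__ == "__main__":
    for label, blob in (("good", GOOD_DUMP), ("gzipped", GOOD_DUMP_GZ), ("truncated", TRUNCATED_DUMP)):
        report = verify_backup(blob)
        print(label, "ok" if report["ok"] else "PROBLEM", report["missing"], report["complete"])
```

Running this against each emailed attachment as it arrives turns “I have backups” into “I have backups that contain my tables and were not cut short”, which is the difference that matters on the day you need one.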
Hi Mark,
Thanks for that post. Some interesting and very practical things we can all do.
I will certainly be reviewing my site security and applying the recommendations you suggest above.
Garry Parkes
I’m glad you enjoyed the post Garry, and found it useful! When you first get started blogging, security doesn’t really enter your head, until the unfortunate actually happens!
Thanks for the tips. Blog security is not talked anywhere near as much as making money on a blog.
You’re absolutely right, security isn’t talked about as much as it should be! Thanks for stopping by and leaving me a comment, much appreciated!
Hi Mark,
I really enjoyed the post.
Never knew there was a thing called Blog Security – but now I know. Will definitely bookmark this link for future references.
Senze
Thanks Senze, and glad it could help! You’ll not be the only one that doesn’t think about how secure their blog is, I know I didn’t when I first set one up!
Some awesome tips on security, I never thought much about the wordpress # being shown in the code as a security measure, but I can see how that makes total sense now. Because the hacker can identify the version and probably know what kind of hacks he can attempt to do.
Just thought I would add an extra comment about this… since I’ve been doing some more research, I found this pretty neat wp plugin, I am not sure how effective it is yet… but I am going to give it a shot, just thought I’d pass it along.
It’s called “WP Security Scan” http://semperfiwebdesign.com/plugins/wp-security-scan/