This is my follow-up post to today’s guest post of mine on Daily Blog Tips about WordPress security mistakes. Below are some additional WordPress security mistakes you should avoid. Read on and check whether you make any of these, in addition to the ones mentioned in that Daily Blog Tips guest post.
1. Doing Nothing to Secure Your Blog After Installation (Don’t act like the Pigeon in Front of a Cat)
Doing nothing will get you nowhere. It’s like closing your eyes and thinking hackers won’t hack your blog, the way a pigeon in front of a cat closes its eyes and thinks the cat is not there anymore. The cat pounces on it and eats it up. If you do nothing to secure your blog, you’re like that pigeon, aren’t you?
The first thing I do whenever I install WordPress is to delete the sample page, the sample post and the Meta widget. Then I install the Better WP Security plugin, which is a great plugin for securing WordPress. It’s very highly rated and on the first page of plugins. Once installed, its dashboard walks you through a lot of things you can do, with help available at each step. It can close all of the security holes listed below, plus the ones I mentioned in my guest post on Daily Blog Tips today.
2. Not Removing the readme.html File From WordPress (Come Dear Hackers, Know my WordPress Version Easily)
This is also one of the most common WordPress security mistakes. People leave the readme.html file that ships with the WordPress installation intact. Anyone can learn your WordPress version just by adding /readme.html to your blog/site’s address. If you run WordPress, check this by adding /readme.html to see how it looks. If you get a ‘404 Page Not Found’ error, congratulations: you don’t have this file and don’t have to worry about it, so you can skip the rest of this point. But if you do have it, you should delete it.
Removing it is simple: log in to your web host’s cPanel (or whatever control panel they provide), open the file manager, go to the directory where WordPress is installed (usually under public_html) and delete the file named readme.html. If you have and use an FTP program (like FileZilla), connect to your web host, go into the WordPress directory and delete the file named readme.html.
After deleting this file, try adding /readme.html to your blog/site again. This time you’ll get a ‘404 Not Found’ error, which is what we want.
Even though these days hackers don’t seem to look for the WordPress version number unless your WordPress is very old, it’s still worth deleting this readme file. Note that a WordPress core update puts readme.html back, so re-check for it after every update.
3. Using Premium Themes Downloaded From Warez Sites (Download all These Mouth-Watering $100+ each, Premium WordPress Themes and Plugins for Free)
Talk about software piracy: WordPress themes and plugins are no exception. People want to save money and get everything for free, so why not download and use premium themes and plugins when you can get them at no cost?
There are many warez sites which give away loads of premium themes/plugins for free download. What you may not realize is that these may contain malware, which can be dangerous to your blog/site. So, better stay away from these mouth-watering free premium themes/plugins. How do you know whether they contain malware? You can check a theme using the Theme Check plugin from WordPress.org. I’ve tested a few myself and they contain bad code which WordPress does not allow within a theme.
If you really want a premium theme/plugin, it’s better to buy it from the developer. You usually get what you pay for: free premium themes get you free malware to remove and pay for, and may even cost you your financial info. Paid themes get you free support and sometimes other discounts, offers and coupon codes.
If you’re using a premium theme/plugin downloaded from a warez site and don’t want to pay for it, install a free theme instead. There are some great free themes available in the WordPress repository. Themes like Customizr, Custom Community, Graphene and Suffusion are highly customizable and will let you do almost anything with a few clicks. Some even provide free support via forums.
If you don’t want to change your theme/plugins but still want to use the premium one you downloaded from a warez site, consider purchasing it from the developer: they deserve the money, and you’ll be saved from the badware/malware your copy contains.
4. These are the Only Salts Which can Cure Your High BP
If you have high BP, you don’t take much salt, do you? But here are some salts which will lower your high BP: WordPress’s salts and keys, which you add to your wp-config.php file to secure it further. How do these salts lower your BP? You have one less thing to worry about on your WordPress blog once these salts and keys are in place.
WordPress salts are used to improve cookie encryption. Using them makes it harder for hackers to get your password. Think of them as a secret language which only your WordPress understands and hackers don’t. How do you use these salts and where do you add them? You can get them from HERE and need to paste them into your wp-config.php file. Each time you visit that link, you’ll get different, random keys and salts. Edit your wp-config.php file using the online file manager in your cPanel, or using an FTP program like FileZilla. Note that WordPress will log you out after you add these, and you’ll need to log in again.
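As an added example (not code from the post or from WordPress), here is a small post-install audit covering two of the mistakes above: a leftover readme.html (point 2) and wp-config.php keys/salts that were never changed (point 4). The eight constant names and the stock value ‘put your unique phrase here’ are the real ones from WordPress’s wp-config-sample.php; the function names, the 32-character minimum and the sample install directory are my own choices, and the directory is built in a temporary folder so the script runs offline.

```python
"""Post-install hardening audit for a WordPress directory (added example).

Two checks: readme.html still present (discloses the WordPress version) and
wp-config.php keys/salts still set to the stock placeholder or too short.
Fresh salts are generated locally with the secrets module, so the output
can be pasted into wp-config.php without fetching anything.
"""
import os
import re
import secrets
import string
import tempfile

# The eight constants WordPress expects to find in wp-config.php.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Value shipped in wp-config-sample.php; seeing it means the salts were never set.
PLACEHOLDER = "put your unique phrase here"
# Minimum length we accept (assumption for this audit; WordPress's own generator uses 64).
MIN_LENGTH = 32

# Characters used for a salt; quotes and backslash are left out so the value
# drops into a single-quoted PHP string without escaping.
_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\"\\"
)

def generate_salt(length=64):
    """Return one cryptographically random salt of the given length."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))

def salt_defines():
    """Return the eight define() lines ready to paste into wp-config.php."""
    return "\n".join(f"define('{k}', '{generate_salt()}');" for k in SALT_KEYS)

# Matches define('NAME', 'value'); single-quoted values only, as WordPress ships them.
_DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")

def weak_salts(config_text):
    """Return names of salt constants that are missing, placeholder, or too short."""
    found = {m.group(1): m.group(2) for m in _DEFINE_RE.finditer(config_text)}
    return [
        key for key in SALT_KEYS
        if found.get(key) is None
        or found[key] == PLACEHOLDER
        or len(found[key]) < MIN_LENGTH
    ]

def audit(install_dir):
    """Return a list of human-readable findings for one WordPress install directory."""
    findings = []
    if os.path.exists(os.path.join(install_dir, "readme.html")):
        findings.append("readme.html present: discloses the WordPress version, delete it")
    config_path = os.path.join(install_dir, "wp-config.php")
    if os.path.exists(config_path):
        with open(config_path, encoding="utf-8") as f:
            weak = weak_salts(f.read())
        if weak:
            findings.append("weak or placeholder salts: " + ", ".join(weak))
    return findings

def demo():
    """Build a constructed install in a temp dir (readme left in, salts untouched) and audit it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "readme.html"), "w", encoding="utf-8") as f:
            f.write("<h1>WordPress</h1>\n")  # constructed stand-in for the real file
        with open(os.path.join(d, "wp-config.php"), "w", encoding="utf-8") as f:
            f.write("<?php\n")
            f.write("\n".join(f"define('{k}', '{PLACEHOLDER}');" for k in SALT_KEYS))
            f.write("\n")
        return audit(d)

if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
    print("\nReplacement lines for wp-config.php:\n" + salt_defines())
```

Point `audit()` at your real install directory (the public_html folder mentioned above) to get the same findings for your own site; the replacement defines go in place of the existing eight lines, after which WordPress logs everyone out exactly as the paragraph above describes.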
5. Not Installing a Plugin to Limit Login Attempts (A Hacker Trying to get into Your WordPress? Kick him Off in Just 3 Attempts or Less)
Every few days I get a notification that a particular IP address was blocked for repeatedly trying to log into my WordPress blog. These notifications come from Better WP Security, which I’ve configured to block any IP that fails to log in 3 times in a row. It also e-mails me when this happens. If I get more than one e-mail about the same IP address, I go and ban that IP myself (by adding it to the ban list within Better WP Security).
If you don’t want to install the Better WP Security plugin (which I highly recommend), you can install the Limit Login Attempts plugin instead. You even get an option to do this on the WordPress installation screen if you use Softaculous to install WordPress: just ticking a box installs this plugin and saves you from many hacking attempts.
Do you know of or have you experienced any WordPress security mistake not mentioned in this post or in my Daily Blog Tips guest post? Let me know about it in the comments. Also, if you have any questions about WordPress security, or need help securing your WordPress blog, I’m available for help and hire. Just contact me for a free consultation using the contact form below. You can also e-mail me at raspal[AT]raspalwrites.com or contact me on Twitter if you prefer not to use a contact form.