
How to secure your WordPress installation

Yesterday, news sources and blogs announced that WordPress blogs hosted by Network Solutions were being hacked. The website owners’ credentials were stolen, and the sites were then used to redirect thousands of visitors to websites that distributed malware. Apparently, WordPress’ configuration file, called wp-config.php, stores the user’s database password in plain text. Even so, attackers would not have had access to the file if the right permissions had been set. The hacked sites had configuration files that were readable by the outside world, including site visitors.

Because the attack exploits user error rather than an actual bug in the WordPress code, it is important to make sure that your own or your customers’ WordPress-based sites are secure. The first thing you can do is chmod wp-config.php to 640, which means any outside site visitors will be completely denied.

chmod 640 wp-config.php

The second is to deny access using your .htaccess file, since no one who accesses the webserver will actually need access to the file under any circumstances.

# to protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

That is essentially all it takes, and it is probably more than is strictly necessary to keep everything secure.
Warning: Some web hosting providers provide automated scripts to install WordPress for you. Do not assume that those installations are automatically secure.
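
To check an existing installation, including one created by a host's installer script, the following shell functions verify both protections described above. This is an added example, not part of the original article; the function names and the directory argument are assumptions, and beyond the article's `deny from all` it also accepts the Apache 2.4 form `Require all denied`.

```shell
#!/bin/sh
# Added example: audit both protections from the article for one install.

# Succeeds when wp-config.php has no permission bits for "other" (640, 600...).
mode_excludes_others() {
    # POSIX find: "-perm -N" matches when every bit in N is set.
    [ -z "$(find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Succeeds when .htaccess has a <Files wp-config.php> block with a deny rule.
# A bare "deny from all" outside such a block does not count.
htaccess_denies_config() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*<files[ \t]+"?wp-config\.php"?[ \t]*>/ { inside = 1; next }
        line ~ /^[ \t]*<\/files>/ { inside = 0 }
        inside && line ~ /^[ \t]*(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Prints one line per check; returns the number of failed checks
# (3 if wp-config.php is missing from the given directory).
audit_wp_config() {
    root=$1
    failures=0
    if [ ! -f "$root/wp-config.php" ]; then
        echo "FAIL: $root/wp-config.php not found"
        return 3
    fi
    if mode_excludes_others "$root/wp-config.php"; then
        echo "OK:   wp-config.php grants no access to other users"
    else
        echo "FAIL: wp-config.php is accessible to other users (chmod 640)"
        failures=$((failures + 1))
    fi
    if [ -f "$root/.htaccess" ] && htaccess_denies_config "$root/.htaccess"; then
        echo "OK:   .htaccess denies requests for wp-config.php"
    else
        echo "FAIL: .htaccess has no deny rule inside <Files wp-config.php>"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then audit_wp_config "$1"; fi
```

Saved as a script, it takes the WordPress directory as its only argument and exits non-zero when either check fails.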

Photo Source: Wikimedia Commons
