Securing a WordPress-powered blog is one of the most pressing concerns of newbie and pro bloggers alike (several horror stories are doing rounds here). I have done my own research on this topic, and here put together a list of some of the popular suggestions and tips to secure your WordPress blog.

First thing you must do, before getting to the list, is carefully read Hardening WordPress. Needless to say, many of the suggestions below are already included there.

Now to the list:

1. Upgrade. This is the most important word in WordPress security. Because WordPress does not release bugfix patches, all fixes are incorporated in the next full version release (which causes frequent new releases, to stay current with the latest security issues). So, it is usually a good idea to download and install the most recent version as soon as it is released. You can even automate the process with automatic upgrade plugin.

Unfortunately, many WordPress users (including me) find it hard to keep up with such frequent upgrades, mainly because plugin authors do not always release compatible plugins fast enough, and such mismatch can break your otherwise smoothly running blog. (Matt Mullenweg has something to say about this though.)

Another thing is that after each major version release of the type 2.x.x—>2.y (like 2.3.3—>2.5), there is a spike in reporting new bugs, and the next “minor” release 2.y.x usually fixes them (like the latest 2.5.1). It is a good idea to wait for this bugfix version, instead of grabbing the version 2.y itself.

Do keep in mind, though, that while upgrading helps prevent future hacking of your blog, it can do little to cure an already hacked blog. So, you must take additional precautions.

2. Back up. This is the second-most important step in securing your blog. You must back up your entire blog, including databases and web site files, at least once a week. This will allow you to revert back to an older version if the blog is hacked. You will, though, lose the new posts and any site changes that you made since the last backup.

There are several options available for backing up your blog. Most blog hosting companies provide various backup services, and you should also take regular backups yourself and keep them on your local computer. For database backup, you can either use phpMyAdmin or database backup plugin. You can also use this plugin to back up both your database and web site files.

Besides upgrading and backing up, there are a number of little things you should do to further protect your blog:

3. Remove version string from “header.php”. From the admin panel, go to Presentation–>Theme Editor–>Header, and delete the generator line containing “<?php bloginfo(‘version’); ?>”. This will remove the WordPress version number from the page source file, and can delay a hacker from exploiting any known security loophole in this version.

If you want to be more cautious, you may also remove the generator line from “wp-includes/feed-*.php” files, so that the version number does more cautious not show on your WordPress feed either.

Even easier, use this plugin instead to do the job for you.

4. Change default “admin” username. This is an important point, and yes, you can do this without touching your database, as I have discussed in this post.

5. Copy .htaccess to /wp-admin directory. Use the FTP program of your hosting server’s file manager to copy the .htaccess file in your root directory to the /wp-admin directory. This sets the same access permission to your blog admin panel as your server login access, making sure that only the server owner/user can access this directory.

You can also use this plugin, which adds an extra layer of security by requiring a username and password (different from your blog username) to access the wp-admin directory.

6. Drop empty index.html file in /plugins directory. Create an empty “index.html” file in your text editor (make sure to set the file type to “All files”), and upload it to the wp-content/plugins directory. This will hide the content of this directory, and hence the plugins used by your blog, to any snooping outsider.

7. Check all links in your blog. One way to know if your blog has been hacked is to check all outbound links for any spam redirection. You can do this by searching for “http://” in the source file of every page in your blog, making sure there is no funny link lurking anywhere. Firefox makes this job easy with Tools–>Page Info–>Links.

8. Avoid sponsored themes. An easy way to get spam links in your blog is by installing an unknown 3rd party theme, instead of getting it from reliable sources (such as the WordPress theme repository). Advertisers often pay theme developers to add outbound links promoting their sites, which can have all sorts of bad effects on your blog. Matt wrote about it here.

I’ll add to this list if I come across any more security tip.

A common question of many WordPress users is how to change the default “admin” username that WordPress assigns during installation, so that a hacker cannot easily break into the account. The standard “admin panel->users->edit user” does not let you do this, because your username is tied to your MySQL database access, and you need to make changes in the database itself. The steps are nicely explained here.

But some of you, like me, are probably squeamish about fiddling with databases, no matter how easy it seems. So I did some digging around to see if there is an even easier way, like doing it from inside the admin panel itself without worrying about databases. Everyone, including WordPress, seems to say this is not possible. But I found out that someone already posted a smart solution here, and wanted to share this with you.

This is all you need to do:

1. Create a new user (panel->users->add user) with the username you would like, and give it “Administrator” privilege. You should also assign it same email address, website etc, if you are replacing the admin user with it.
2. Log out of the admin panel, and log back in with the new user.
3. Delete the “admin” user (panel->users->delete user). At the last step you will be reminded to switch all posts and links to the new user (you do not want to delete them too!). That’s it!

If you want, you can confirm the new user in the database (phpMyAdmin->Databases->your database->wp_users->Browse).

They will serve partly as a bookkeeping for me so I do not have to go searching for these tips on the Net again, and partly for those of you who would like to try them out on your own blog (the usual disclaimer “You are responsible so do not blame me” blah blah… holds).

These tips are mostly the stuff I pick up on Internet from other (and smarter) WordPress bloggers, and my own occasional hacks, about issues of security, design, optimization, and so on.

Here they are:

1. How to change your WordPress “admin” username.
2. How to secure your WordPress blog.
3. …

This list will grow as more posts are added.

As you notice, there is a significant lull in my posting activity (I wrote the last one on October 29, 2007). This is only a temporary break, let me assure you, while I am sorting out other more immediate priorities in my life. I promise to get back here as soon as possible, so please keep checking back.