Video transcription
Today’s question comes from ConroyDave in Boston, Massachusetts. He asks:
“I just visited your blog. I noticed it was built with WordPress. How do you keep it safe from hackers? Ever since I got PR 5 last month, I’ve got dozens of hack attempts a minute.”
That’s a very good question. And the fact is that since WordPress is so popular, and so widespread, it is subject to a lot more attempts by hackers, especially people that have figured out that there are old versions of WordPress that are a little easier to exploit.
So the very first thing that I do is I try to make sure that I always have my server patched up to date; you want to be running the latest version. I think as of this video it’s 2.9.2, but already they’re out testing version 3.0. I’m sure that will have a lot more security as well.
The other big thing that I do is you can change your .htaccess file, which is in wp-admin, and you can basically say, you know what? Only a small number of IP addresses, the ones that I basically, through what is called whitelisting, list out explicitly, are allowed to access my wp-admin directory.
So what that does is it says, if you’re just coming from the general internet, you can’t log in; you’ll get a 403, you’ll get a forbidden error. But if you’re coming from, say, my home IP address, or Google’s corporate IP address, or maybe a small number of IP addresses that I’ve very deliberately chosen, then you are allowed to log in. You’ll still need a password, and I try to pick a relatively long password.
So that is the number one way that I protect myself. Besides being patched, try to make sure that you set something so that the hackers can’t get to your admin directory unless they are coming from a specific small set of IP addresses.
That might not be perfect; for example, if your web host happens to get hacked and people can read the database passwords of other customers, or stuff like that, that’s not going to protect you very much.
But I would at least do those two things, and that will help keep your WordPress, or any other piece of software, from potentially being hacked.
Quick Answer: Keep up to date and restrict /wp-admin/ folder to good IP addresses
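The IP allow-list described in the answer, written out as an added example that is not from the video or from WordPress itself. It assumes Apache 2.4 (the equivalent 2.2 directives are noted in comments) and uses placeholder documentation addresses; it also goes one step beyond the video by covering wp-login.php, which lives in the site root rather than in /wp-admin/, so a rule on /wp-admin/ alone does not keep password guessing away from the login form.

```apache
# File 1: /wp-admin/.htaccess
# Apache 2.4 syntax. On Apache 2.2 the equivalent is:
#   Order deny,allow
#   Deny from all
#   Allow from 203.0.113.10
#   Allow from 198.51.100.0/24
# The addresses below are RFC 5737 documentation placeholders; replace them with
# the fixed home/office addresses you actually use to administer the site.

# Exception: admin-ajax.php in /wp-admin/ is called by the public front end of
# many themes and plugins, so logged-out visitors would otherwise get a 403 on it.
<Files admin-ajax.php>
    Require all granted
</Files>

# Everything else under /wp-admin/ is reachable only from the allow-list;
# any other source address receives 403 Forbidden.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>

# File 2: /.htaccess (site root)
# wp-login.php is not inside /wp-admin/, so it needs its own rule with the same
# allow-list; without it, the login form itself stays open to the whole internet.
<Files wp-login.php>
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
</Files>
```

After deploying, confirm from an address that is not on the list that both /wp-admin/ and /wp-login.php return 403, and from an allowed address that admin-ajax.php still answers for a logged-out browser.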