Jan 19
What is the problem?
WordPress prides itself on its 5-minute install, which lets you upload the core files, create a database and then run a script to join the two together. Easy. But secure it isn’t…
A hacker with even limited knowledge of WordPress knows that the login screen is generally found at http://blog.domain/wp-login.php, and that WordPress by default sets up an admin account during the installation stage. You would hope the first thing the user then does is log in with the auto-generated details and change the password to something memorable yet hard to guess, right? You would have thought so.
The problem is that most people then rush on to creating posts, adding plugins, changing themes and so on, because good content equals a good blog that makes people want to come back. Yet at the same time, anybody searching Google for <meta name="generator" content="WordPress 2.9.1" /> finds (at the time of writing this article) 5,780 results, many of which could be sites with an unprotected admin account, or one with a very simple, easy-to-guess password that could be obtained by brute force.
So how do I go about fixing it then?
There is no magic-wand process for securing WordPress; it all depends on the type of blog you have and how secure you want it. There are many guides already available, such as Hardening WordPress from the WordPress Codex and many blogs scattered around the internet, but the easiest thing you can do is deactivate the admin account and set up a harder-to-guess user account with the same permissions as an admin. Sounds so simple! Even if you do nothing else to your WordPress installation, may I suggest that you at least do this, because it will save you security trouble later on.
Add a new user account with admin role
Log in with your admin account and create a new user account by going to Users > Add New and filling in your personal details. You cannot use the same email address twice, so you may have to edit your admin account first and change its email address to a dummy one such as dumb-admin@blog.domain to free up your real address.

Log in with new user account and dumb down the admin account
Once you have added the account, log out of the admin account and log in with your new user account. Go to Users > Authors & Users and click on the admin account to edit it. Locate the Role dropdown in the Name section, change it to Subscriber and save the changes.

Secure the admin account to make hacking attempts harder
To make the password even harder to guess, I suggest you go to http://www.passwords.org.uk/different-length.php, copy the 14-character generated password from that page and set it as the admin account's password, which of course you will be able to do with your new-found admin privileges!

That’s all there is to do!
You will now have a much more secure WordPress installation without getting bogged down in security and permissions. This should certainly be enough to get you started. Have fun blogging!
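Demoting the admin account removes the obvious target, but it does not stop anyone from hammering wp-login.php; the attempts simply fail. The script below is an added example (not code from the original post) that reads combined-format web server access log lines and flags source addresses that repeatedly POST to wp-login.php within a short window. It assumes WordPress's default behaviour of answering a failed login with a 200 (the form is re-rendered) and a successful login with a 302 redirect; the log lines are constructed for the example, and the threshold and window are arbitrary starting points you would tune for your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real log data). 203.0.113.7 fails six times
# in six seconds and then gets a redirect; 198.51.100.4 mistypes once and then
# logs in normally; a garbage line shows the parser skipping malformed input.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jan/2010:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2810 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jan/2010:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jan/2010:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jan/2010:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jan/2010:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
this line is not a log entry
203.0.113.7 - - [19/Jan/2010:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jan/2010:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jan/2010:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jan/2010:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jan/2010:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jan/2010:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def _trim(window, now, window_seconds):
    """Discard failure timestamps older than the sliding window."""
    while window and (now - window[0]).total_seconds() > window_seconds:
        window.popleft()


def detect_login_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag IPs with >= threshold failed wp-login.php POSTs inside window_seconds.

    Assumption: a failed login is a POST answered with 200, a successful one
    with 302. A 302 that follows a burst of failures from the same IP is
    reported separately, because it may mean a guess eventually worked.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failed POSTs
    flagged = {}                    # ip -> details of first time it crossed threshold
    success_after_failures = []     # (ip, timestamp) of 302s following a burst
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].endswith("/wp-login.php"):
            continue
        ip, ts = rec["ip"], rec["ts"]
        window = failures[ip]
        _trim(window, ts, window_seconds)
        if rec["status"] == 200:
            window.append(ts)
            if len(window) >= threshold and ip not in flagged:
                flagged[ip] = {
                    "first_flagged_at": ts.isoformat(),
                    "failures_in_window": len(window),
                }
        elif rec["status"] == 302 and len(window) >= threshold:
            success_after_failures.append((ip, ts.isoformat()))
    return {"bruteforce": flagged, "success_after_failures": success_after_failures}


if __name__ == "__main__":
    report = detect_login_bruteforce(SAMPLE_LOG.splitlines())
    for ip, info in report["bruteforce"].items():
        print(f"brute force from {ip}: {info}")
    for ip, when in report["success_after_failures"]:
        print(f"investigate: {ip} got a login redirect at {when} after repeated failures")
```

On the sample data the script reports 203.0.113.7 as a brute-force source at the fifth failure and then notes the redirect at 10:00:07 for follow-up, while 198.51.100.4's single typo never reaches the threshold. Successful logins are inferred only from the status code, so if a plugin or theme changes the response to a failed login, the 200/302 assumption needs adjusting before the output is trusted.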
Dec 22
A couple of days ago I wrote a post on my blog about implementing a backup strategy for archiving the website files and database related to this blog. Although I was happy with the result and they do work well, I was still a bit concerned, because the files were still on the server, which meant I had to manually retrieve them off the server to be sure of having a suitable backup should something happen to the server.
I decided to try out Amazon S3, which allows you to store files in “buckets” located in America and Ireland. Authentication is used to secure your data, and it uses standards-based REST and SOAP interfaces to allow developers to hook on to the service. They operate a “Pay For What You Use” pricing model of $0.15 a month per GB hosted, which is about £0.09 a month. Currently all data transfer is free until 30th June 2010, but even after then it is only $0.10 a month per GB, which is about £0.06 a month. The prices change after 50TB of data is being hosted, but that is unlikely at present. If this trial is successful then I intend to roll it out across my other websites.
Dec 19
I have used Mozilla Firefox for many years now, both when I have been developing websites and for personal use too. It may not be the fastest browser around, but I am willing to sacrifice speed for usability in this case, as the add-ons available for Firefox are some of the best around. I am going to go through some of them and why I use them, and hopefully help someone else to discover a useful add-on they might not have heard of before.
Dec 18
PRINCE2 is a process-driven project management framework that has 40 different activities organised into seven processes.
These processes are:
- Starting up a project
- Initiating a project
- Directing a project
- Controlling a stage
- Managing stage boundaries
- Closing a project
- Managing product delivery
Dec 15
I have been very complacent about implementing a backup strategy for my blog files, but after reading about codinghorror.com and haacked.com, amongst others, recently falling foul of a hardware failure on the server that hosted their blogs, and the struggles they had trying to retrieve their content again, I realised that something needed to be done. In fact Phil Haack sums it up quite nicely in this tweet.
Dec 08
The first thing I did was download the latest PRINCE2 2009 Process Model diagram, which is available as a PDF on the PRINCE2 website.
Next I loaded up Microsoft Project 2010 and entered the high-level task I am going to use, which in this case is the ‘Starting up a project’ stage.
Dec 05
If you are a project manager dealing with any size of project then you will more than likely have come across Microsoft Project, and quite possibly use it on a regular basis.
Recently Microsoft announced on their Project Team blog that the public beta of Project 2010 was available for download. They have also produced a website where they call this version of Project the most significant release in a decade.
Nov 22
Hello and welcome to my new blog. If you have got to this page but were expecting something else on my site, then apologies: it is unlikely the page exists anymore.
A short while ago I went to log in to my old blog to find that I couldn’t. After more investigation I found the database was corrupted, so a fresh install was required.
I am not too upset by this because I let my old blog slip a bit, but this time round things will be different. No, really, they will.
I hope you stick with me because I have a few interesting posts lined up. Save my RSS feed in your favourite news reader and it will be updated soon.
Cheers, Ian.