The WordPress Guide

1.2 Securing the site & dealing with spam

Prevention is better than cure

1.2.1 Keep WordPress (and plugins) up to date

This should be obvious! Keep your WordPress installation and all plugins as up to date as possible. WordPress will notify you when updates are available. If you customise any files, it is best to do this with a child theme so your changes aren't lost when you update. Wherever possible make any other changes via functions-user.php, which will also not be overwritten.

1.2.2 Enable Akismet

Akismet is an excellent tool for blocking spam, and it's included with WordPress as standard. All you need is a free API key to use it. Go to the plugins page in your WordPress admin, click on the link "Sign up for an Akismet API key" and sign up for a key. Then go back to your WordPress plugins page, activate the plugin, follow the link to the Akismet configuration page and enter the key.

1.2.3 Prevent directory viewing

Edit the file .htaccess in the web root (create it if it doesn't exist) and add a single line:

Options -Indexes

1.2.4 Change the default username

You will need to edit this in the database — the easiest way is with phpMyAdmin, which should either be already available or installable via your control panel, or if necessary manually. Once installed, log in to phpMyAdmin, click on the "Databases" button, and then click on the database for your WordPress site. In there click on the "wp_users" table. Click the "edit" button at the left-hand side of the top row (which should have the username admin by default). Change the value for the user_login field, which should be the second row. Click "Go" and then log out of or close phpMyAdmin.

1.2.5 Block brute-force attacks

Brute-force attempts are always possible, and preventing them is easy. Install the login-lockdown plugin, which blocks login attempts after a number of failed attempts.

1.2.6 Intercept spam

Whilst Akismet will block spam, it requires manual intervention. You can require registration, which will prevent all spam. If you choose this route then you can also get plugins to enable logging in with Google, Facebook and other accounts.

If you don't wish to require registration then you can increase the automation of spam filtering with various plugins, including conditional captcha, which presents a captcha when it detects a comment is probably spam, and comment e-mail verification, which sends a verification e-mail to a user, enabling them to verify their details and thereby approve the comment automatically. Users who have previously verified their e-mail address will have their comments approved automatically.

1.2.7 Back up

Use one of the many plugins available to back up both your database and your site.

1.2.8 Privacy

Include a privacy statement on your site somewhere, probably on the about page. Create a P3P.xml file to specify your privacy policy to browsers and search engines. The guide on SixRevisions will help you do this.
