0Wordpress LogoThe WordPress Guide

1.2 Securing the site & dealing with spam

Pre­ven­tion is bet­ter than cure

1.2.1 Keep wordpress (and plugins) up-to-date

This should be obvi­ous! Keep your word­press install­a­tion and all plu­gins as up to date as pos­sible. Word­Press will noti­fy you when updates are avail­able. If you cus­tom­ise any files, it is best to do this with a child theme so your changes aren’t lost when you update. Where-ever pos­sible make any oth­er changes via functions-user.php which will also not be over-written.

1.2.2 Enable akismet

Akismet is an excel­lent tool for block­ing spam, and it’s included with Word­Press as stand­ard. All you need is a free API key to use it. Go to the plu­gins page in your word­press admin. Click on the link Sign up for an Akismet API key, sign up for a key, go back to your word­press plu­gins page, activ­ate the plu­gin, fol­low the link to the Akismet con­fig­ur­a­tion page and enter the key.

1.2.3 Prevent directory viewing

Edit (cre­ate it if it does­n’t exist) the file .htac­cess in the web root and add a single line…

Options All ‑Indexes
[google_adsense]

1.2.4 Change the default username

You will need to edit this in the data­base — the easi­est way is with phpmy­ad­min which should either be already avail­able, or install­able, via your con­trol pan­el, or if neces­sary, manu­ally. Once installed, login to phpmy­ad­min, click on the “data­bases” but­ton, and then click on the data­base for your word­press site. In there click on the “wp_users” table. Click the “edit” but­ton at the left hand side of the top row (which should have the user­name admin by default). Change the value for the user_login field which should be the second row. Click go and then logout or close phpmyadmin.

1.2.5 Block bruce force attacks

Bruce-force attempts are always pos­sible, and pre­vent­ing them is easy. Install the login-lock­down plu­gin which blocks login attempts after a num­ber of failed attempts.

1.2.6 Intercept spamTin full of spam

Whilst akismet will block spam, it requires manu­al inter­ven­tion. You can require regis­tra­tion which will pre­vent all spam. If you choose this route then you can also get plu­gins to enable log­ging in with google, face­book and oth­er accounts.

If you don’t wish to require regis­tra­tion then you can increase the auto­ma­tion of spam fil­ter­ing with vari­ous plu­gins includ­ing con­di­tion­al captcha, which presents a captcha when it detects a com­ment is prob­ably spam, with the plu­gin com­ment e‑mail veri­fic­a­tion, which sends a veri­fic­a­tion e‑mail to a user, enabling them to veri­fy their details and thereby approv­ing the com­ment auto­mat­ic­ally. Users who have pre­vi­ously veri­fied their e‑mail address will have their com­ments approved automatically

1.2.7 Back-Up

Use one of the many plu­gins avail­able to back-up both your data­base and your site.

1.2.8 Privacy

Include a pri­vacy state­ment on your site some­where, prob­ably on the about page. Cre­ate a P3P.xml file to spe­cify your pri­vacy policy to browsers and search engines. The guide on SixRe­vi­sions will help you do this.

You might also like...

Leave a Reply