The WordPress Guide

1.2 Securing the site & dealing with spam

Prevention is better than cure

1.2.1 Keep WordPress (and plugins) up-to-date

This should be obvious! Keep your WordPress installation and all plugins as up to date as possible. WordPress will notify you when updates are available. If you customise any files, it is best to do this with a child theme so your changes aren't lost when you update. Wherever possible, make any other changes via functions-user.php, which will also not be overwritten.

1.2.2 Enable Akismet

Akismet is an excellent tool for blocking spam, and it's included with WordPress as standard. All you need is a free API key to use it. Go to the plugins page in your WordPress admin. Click on the link Sign up for an Akismet API key, sign up for a key, go back to your WordPress plugins page, activate the plugin, follow the link to the Akismet configuration page and enter the key.

1.2.3 Prevent directory viewing

Edit (create it if it doesn't exist) the file .htaccess in the web root and add a single line…

Options -Indexes

1.2.4 Change the default username

You will need to edit this in the database; the easiest way is with phpMyAdmin, which should either be already available or installable via your control panel, or, if necessary, installed manually. Once installed, log in to phpMyAdmin, click on the “Databases” button, and then click on the database for your WordPress site. In there click on the “wp_users” table. Click the “Edit” button at the left hand side of the top row (which should have the username admin by default). Change the value for the user_login field, which should be the second row. Click Go and then log out or close phpMyAdmin.
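The rename above touches only user_login, but WordPress also stores the name in user_nicename (the slug used in author archive URLs) and display_name (printed on posts), so the old name stays discoverable unless those change too. The following is an added example, not code from the guide: it uses an in-memory sqlite3 stand-in for the wp_users table (the real site uses MySQL, but the SQL is the same), renames the account in all three columns and then checks whether the old name is still exposed anywhere. The table rows, the new name "siteowner" and the simple lower-casing of the slug are constructed assumptions.

```python
import sqlite3

# Constructed stand-in for the WordPress wp_users table (only the columns
# relevant to the rename); sqlite3 is used so the example runs offline.
SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY,
    user_login TEXT NOT NULL,
    user_nicename TEXT NOT NULL,
    display_name TEXT NOT NULL
);
"""

SAMPLE_ROWS = [
    (1, "admin", "admin", "admin"),          # the default account the guide renames
    (2, "editor", "editor", "Site Editor"),
]


def open_sample_db():
    """Create the constructed wp_users table in memory and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def rename_user(conn, old_login, new_login, new_display=None):
    """Rename an account everywhere the login name is exposed.

    user_login is what the login form checks; user_nicename appears in
    /author/<nicename>/ URLs and display_name on posts, so all three change.
    The slug is lower-cased here as a simple stand-in for WordPress's own
    slug sanitising (assumption). Returns the number of rows changed.
    """
    if new_display is None:
        new_display = new_login
    cur = conn.execute(
        "UPDATE wp_users SET user_login = ?, user_nicename = ?, display_name = ? "
        "WHERE user_login = ?",
        (new_login, new_login.lower(), new_display, old_login),
    )
    conn.commit()
    return cur.rowcount


def login_name_exposed(conn, name):
    """True if `name` still appears in any column that would reveal the login."""
    row = conn.execute(
        "SELECT COUNT(*) FROM wp_users "
        "WHERE user_login = ? OR user_nicename = ? OR display_name = ?",
        (name, name, name),
    ).fetchone()
    return row[0] > 0


def rename_demo():
    """Run the rename on the sample table; returns (exposed before, exposed after, rows changed)."""
    db = open_sample_db()
    before = login_name_exposed(db, "admin")
    changed = rename_user(db, "admin", "siteowner", "Site Owner")
    after = login_name_exposed(db, "admin")
    return before, after, changed


if __name__ == "__main__":
    print(rename_demo())  # (True, False, 1)
```

After the rename, also check that no post or page still links to the old author URL, since the slug in published content is not rewritten by a database update.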

1.2.5 Block brute force attacks

Brute-force attempts are always possible, and preventing them is easy. Install the login-lockdown plugin, which blocks login attempts after a number of failed attempts.
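To show what such a plugin does behind the scenes, here is an added example (not the plugin's code and not from the guide) of the lockout logic: a sliding window of failed logins per source address, a lockout once the threshold is reached, and a replay of constructed log lines through it. The thresholds, the log line format and the addresses are all assumptions made for the example; the plugin's own defaults may differ.

```python
import re
from collections import defaultdict, deque

# Assumed policy (the guide names no numbers): lock an address out for
# LOCKOUT_SECONDS once it makes MAX_FAILURES failed logins within WINDOW_SECONDS.
MAX_FAILURES = 5
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 3600


class LoginLockout:
    """Tracks failed logins per source address and decides when to block.

    Only failures are remembered, in a sliding window per IP; a successful
    login clears that address's history.
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]        # lockout has expired
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed login; returns True if this attempt triggered a lockout."""
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.window:
            window.popleft()                 # drop failures older than the window
        if len(window) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            window.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)


# Constructed log lines: "<unix time> <ip> <login|fail> <username>"
SAMPLE_LOG = """\
1000 203.0.113.5 fail admin
1010 203.0.113.5 fail admin
1020 198.51.100.7 login alice
1030 203.0.113.5 fail admin
1040 203.0.113.5 fail administrator
1050 203.0.113.5 fail admin
1060 203.0.113.5 fail admin
4700 203.0.113.5 fail admin
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (login|fail) (\S+)$")


def replay(log_text, tracker=None):
    """Feed log lines through the tracker; returns (lockouts triggered, attempts rejected)."""
    tracker = tracker or LoginLockout()
    lockouts, rejected = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                         # ignore lines that do not parse
        ts, ip, outcome = int(m[1]), m[2], m[3]
        if tracker.is_locked(ip, ts):
            rejected += 1                    # a locked address is refused outright
            continue
        if outcome == "fail":
            if tracker.record_failure(ip, ts):
                lockouts.append((ip, ts))
        else:
            tracker.record_success(ip)
    return lockouts, rejected


if __name__ == "__main__":
    print(replay(SAMPLE_LOG))  # ([('203.0.113.5', 1050)], 1)
```

In the sample log the fifth failure at time 1050 locks the address, the attempt at 1060 is rejected, and by 4700 the lockout has expired so the counter starts again from one. Whatever plugin you use, keep an eye on the number of lockouts it reports, as a steady stream of them against the admin account is the clearest sign that the default username is still being guessed.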

1.2.6 Intercept spam

Whilst Akismet will block spam, it requires manual intervention. You can require registration, which will prevent all spam. If you choose this route then you can also get plugins to enable logging in with Google, Facebook and other accounts.

If you don't wish to require registration then you can increase the automation of spam filtering with various plugins, including conditional captcha, which presents a captcha when it detects a comment is probably spam, and comment e-mail verification, which sends a verification e-mail to the commenter, enabling them to verify their details and thereby approve the comment automatically. Users who have previously verified their e-mail address will have their comments approved automatically.
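The e-mail verification flow just described relies on the link in the e-mail being unforgeable and on the site remembering which addresses have already verified. The following is an added illustration of that flow, not the plugin's code and not from the guide: the link token is an HMAC over the comment id and address, a click with a matching token approves the comment and records the address, and later comments from a recorded address are approved straight away. The secret key and the addresses are constructed for the example; a real plugin keeps its key in the site's configuration.

```python
import hashlib
import hmac

# Assumed server-side secret; constructed for this example only.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"


def make_token(comment_id, email, key=SECRET_KEY):
    """Token embedded in the verification link e-mailed to the commenter.

    An HMAC over the comment id and address means the link cannot be forged
    for another comment or address without knowing the key.
    """
    msg = f"{comment_id}:{email.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CommentVerifier:
    """Models the approve-on-verification flow described above."""

    def __init__(self):
        self.pending = {}           # comment_id -> address awaiting verification
        self.approved = set()       # comment ids that have been approved
        self.verified_emails = set()

    def submit(self, comment_id, email):
        """Returns 'approved' for an already-verified address, else 'pending'
        (at which point the plugin would send the e-mail with make_token())."""
        email = email.strip().lower()
        if email in self.verified_emails:
            self.approved.add(comment_id)
            return "approved"
        self.pending[comment_id] = email
        return "pending"

    def verify(self, comment_id, token):
        """Called when the link is clicked; approves only if the token matches."""
        email = self.pending.get(comment_id)
        if email is None:
            return False                      # unknown or already handled comment
        expected = make_token(comment_id, email)
        if not hmac.compare_digest(expected, token):
            return False                      # forged or stale link
        del self.pending[comment_id]
        self.approved.add(comment_id)
        self.verified_emails.add(email)
        return True


if __name__ == "__main__":
    v = CommentVerifier()
    print(v.submit(1, "Alice@example.com"))                    # pending
    print(v.verify(1, make_token(1, "alice@example.com")))     # True
    print(v.submit(2, "alice@example.com"))                    # approved
```

Note that a verified address only proves the commenter can read that mailbox; it does not make the comment content trustworthy, so keeping Akismet enabled alongside verification is still worthwhile.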

1.2.7 Back-Up

Use one of the many plugins available to back up both your database and your site.

1.2.8 Privacy

Include a privacy statement on your site somewhere, probably on the about page. Create a P3P.xml file to specify your privacy policy to browsers and search engines. The guide on SixRevisions will help you do this.
