Adding More Security To Your Wordpress Sites
By Andy Beard
Expert Author
Article Date: 2009-12-09
It is no huge secret that I have had this WordPress blog hacked twice this year but some consolation is that I am not alone.
Helpful resources
Alex recently launched a DVD course on WordPress security that is available for FREE + shipping. Stop - I know what you are thinking: FREE + shipping these days normally comes with lots of strings attached, such as forced continuity that is often hidden. Whilst Alex does cross-sell a few related products, the main offer is genuinely free.
Michael VanDeMar has a useful plugin to lock down your login process
SEO Egg Head offers a WordPress firewall
Donna has a useful script for monitoring your files
Of course you should also keep backups which you have total control over - this includes both the database and the files, and you shouldn't rely on claims that your webhost has a backup. With a VPS I find being able to "roll back" to a previous version useful, but backups on shared hosting plans that are supposedly made by admins aren't a solution when you need to fix things in minutes.
Keep WordPress and all of your plugins up to date.
Part of security is controlling what bots can crawl and index on your site, so some pamphlets would be useful as well:
Getting URLs outta Google - the good, the popular, and the definitive way
Handling Google's neat X-Robots-Tag - Sending REP header tags with PHP
Nasty Bots & Users
A lot of security relies on identifying nasty bots, detecting rogue activity such as failed logins or preventing access to all but approved users using an additional layer of password protection, or only allowing access to a server from a specific IP or range of IP addresses.
Also it is important to realise that different WordPress implementations require different levels of access control. With WordPress frequently being used for membership sites, you need to allow access to members. This reduces the number of security options available.
SEO Benefits
Lots of the pages you want to block from being crawled for security purposes also need to somehow be blocked or removed from indexation for SEO purposes, so tightening up security using the right methods will have natural SEO benefits.
Robots.txt isn't the best option because you end up with lots of blocked pages appearing in search results, potentially indexed instead of the pages you actually want in the index. As Sebastian explained, you have to let the bots in to crawl a URL before you can redirect them. Not all bots can be identified, and not all bots obey robots.txt, though you can trap the naughty ones. If you are serious about your bot control you might also consider Fantomaster's Searchbot Database.
User Agent Access Control For Total Lockdown
Lots of security and SEO methods rely on identifying various bots and kicking them somewhere else with 301 redirects, or denying them access to areas they are not wanted.
Far better would be to only allow access to one specific user agent, and globally kick out anything that doesn't match - this is the user agent equivalent to restricting access to only a single IP address.
But how could this be achieved?
Many SEOs would already be familiar with User Agent Switcher for Firefox. This allows you to wander around the web pretending to be someone else, or something else such as Googlebot.
Unfortunately User Agent Switcher has a nasty problem - you often forget you have it switched to something different and then suddenly realise when a website starts misbehaving, refusing you entry, redirecting you to funny places etc.
If you created a custom user agent for security purposes, it wouldn't be very secure if there was a chance you could broadcast it to lots of other webmasters by mistake. It is bad enough that the user agent is broadcast "in the clear" unless you use SSL connections.
Then I came across an article discussing how to fake your user agent specifically for iTunes but not for other sites.
The Header Control Firefox plugin allows you to set your User Agent specific to a domain.
This would allow you to set a specific unique or relatively obscure user agent, and for it to only be used when accessing your own websites.
Even more usefully, this can be set up in multiple locations, works with variable IPs, etc.
Experimental
This is something I am still experimenting with - I haven't decided whether it is best to use .htaccess, PHP or a combination of both, and I am convinced the best option is to 301 redirect everything rather than deny access. The best option might be to use a combination, htaccess > PHP, so you can do some enhanced logging.
The user agent doesn't have to be unique; it could just be an obscure, out-of-date version of Firefox or Chrome.
Example .htaccess to deny access:

RewriteEngine on
# Any request whose User-Agent does not start with RareUserAgent gets a 403 Forbidden
RewriteCond %{HTTP_USER_AGENT} !^RareUserAgent
RewriteRule .* - [F,L]

Example .htaccess to 301 redirect:

RewriteEngine on
# Any request whose User-Agent does not start with RareUserAgent is sent elsewhere
# (replace example.com with your redirect destination)
RewriteCond %{HTTP_USER_AGENT} !^RareUserAgent
RewriteRule ^ http://example.com/ [R=301,L]
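To show the "htaccess > PHP" idea from the Experimental section together with the enhanced logging it mentions, here is an added example (my code, not Andy's) of the PHP side as a WordPress must-use plugin: it applies the same starts-with test as the .htaccess rules, logs every rejected request, and then either 301 redirects or sends a 403. The constant and function names, the log path, the wp-cron exemption and the "RareUserAgent" value are my assumptions.

```php
<?php
/*
 * Plugin Name: UA Gate (added example, not part of the original article)
 * Save as wp-content/mu-plugins/ua-gate.php so it runs before themes and plugins.
 * All names and paths below are placeholders chosen for this example.
 */

// The user agent you configured in Header Control for your own domains.
define( 'UA_GATE_ALLOWED_PREFIX', 'RareUserAgent' );
// Log file one level ABOVE the web root so a browser can never fetch it.
define( 'UA_GATE_LOG', dirname( ABSPATH ) . '/ua-gate.log' );
// 301 destination for everyone else; leave empty to send a plain 403 instead.
define( 'UA_GATE_REDIRECT', '' );

// WordPress calls its own wp-cron.php with a "WordPress/x.y" user agent, so gating
// it would silently break scheduled posts; membership sites would add public paths here.
function ua_gate_is_exempt( $uri ) {
    return preg_match( '#^/wp-cron\.php#', $uri ) === 1;
}

// Same semantics as the .htaccess condition "!^RareUserAgent": a prefix match.
function ua_gate_is_allowed( $user_agent ) {
    $prefix = UA_GATE_ALLOWED_PREFIX;
    return strncmp( $user_agent, $prefix, strlen( $prefix ) ) === 0;
}

function ua_gate_log( $ip, $user_agent, $uri ) {
    // Strip control characters so a crafted header cannot forge extra log lines.
    $user_agent = preg_replace( '/[\x00-\x1f\x7f]/', '?', $user_agent );
    $uri        = preg_replace( '/[\x00-\x1f\x7f]/', '?', $uri );
    $line = sprintf( "%s ip=%s uri=%s ua=%s\n", gmdate( 'c' ), $ip, $uri, $user_agent );
    // LOCK_EX keeps lines intact when several rejected requests arrive at once.
    file_put_contents( UA_GATE_LOG, $line, FILE_APPEND | LOCK_EX );
}

function ua_gate_enforce() {
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
    $ua  = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';

    if ( ua_gate_is_exempt( $uri ) || ua_gate_is_allowed( $ua ) ) {
        return; // approved browser or exempt path: let WordPress continue
    }
    ua_gate_log( $ip, $ua, $uri );
    if ( UA_GATE_REDIRECT !== '' ) {
        header( 'Location: ' . UA_GATE_REDIRECT, true, 301 );
    } else {
        header( 'HTTP/1.1 403 Forbidden' );
    }
    exit;
}
ua_gate_enforce();
```

Unlike the .htaccess rules, this only covers requests that reach WordPress, so static files such as images and uploads are still served to anyone; keep the .htaccess rule in front if those must be locked down too.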