Natural Web Design
SEO Tips & Tricks: They Don't Want You to Know About

Securing Your Blog 101

One of the easiest ways to tighten your WordPress blog's security is to work on your usernames, login, passwords, and registration approval process. Hackers can obtain access to your blog simply by logging in under one of your valid usernames.

WordPress has some known username enumeration vulnerabilities that should be addressed.

Some people advise that you should not allow user registrations at all, while others suggest that users must be registered before they are allowed to comment. So, I see no strong need to block user registrations entirely, provided you are using the appropriate security-related plugins.

Username Enumeration Vulnerabilities

All blogs should delete the username admin that WordPress originally issued to all new bloggers.  Every hacker is familiar with that username.  In addition, admin is User ID #1 in WordPress.  Simply delete that username entirely after you have already successfully added one or more other usernames as administrators.

Next, you should not be using any other obvious usernames to log in with. If you are, they should at least not be set up as administrators. All your administrator usernames should be hard to guess, and really should be just as cryptic as a password. Furthermore, you should never display your actual username publicly on your blog. All those posts made by admin only advertise to hackers that the blog is easy to hack.

For those running their own blog, your login password should always be very long and secure. On this blog, I am using passwords that are at least 30 digits long. Some hackers are still using brute-force methods to obtain access to blogs. So, both your usernames and passwords should always be difficult to guess.
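
The username checks from this section, as an added example that is not part of the original post: a Python script that audits a user export for the problems described above. It assumes the CSV comes from WP-CLI's `wp user list --fields=ID,user_login,display_name,roles --format=csv`; the sample rows and the list of obvious names are constructed for illustration.

```python
import csv
import io

# Constructed sample, shaped like the CSV from
# `wp user list --fields=ID,user_login,display_name,roles --format=csv`.
SAMPLE_EXPORT = """ID,user_login,display_name,roles
1,admin,admin,administrator
2,k7Qz-vault-mgr,Site Editor,administrator
3,webmaster,Webmaster,administrator
4,jane,Jane D.,subscriber
5,x9Lm-author-22,x9Lm-author-22,author
"""

# Assumed list of guessable names; extend it with your own domain and brand names.
OBVIOUS_LOGINS = {"admin", "administrator", "root", "webmaster", "test", "user", "wordpress"}


def audit_users(export_csv, obvious=OBVIOUS_LOGINS):
    """Return (user_login, finding) pairs for accounts that break the rules above."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["user_login"].strip()
        display = row["display_name"].strip()
        roles = {r.strip() for r in row["roles"].split(",") if r.strip()}
        is_admin = "administrator" in roles

        if login.lower() == "admin":
            findings.append((login, "default 'admin' username still exists"))
        elif is_admin and login.lower() in obvious:
            findings.append((login, "administrator with an obvious username"))
        if row["ID"].strip() == "1":
            findings.append((login, "account still holds user ID 1"))
        # Bylines show display_name, so it must not reveal the login name.
        if display.lower() == login.lower():
            findings.append((login, "display name exposes the login name"))
    return findings


if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_EXPORT):
        print(f"{login}: {finding}")
```
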

Security Blog Plugins

Your blog can really only be secured in these areas by the use of good security-related plugins.

Bloggers should look into using plugins that cover the registration process, the login process, and determining what new users to your blog can and cannot access, as well as what they can and cannot do.

Last but not least, you are supposed to keep secret exactly which version of WordPress you are running, as well as the identity of all your plugins. Googling these topics with a search string like WordPress Plugin login OR registration OR “user management” will turn up exactly what you need to be using.




 
