Although there are several popular CMS other than WordPress, such as Joomla, Drupal, Movable Type, etc.. WordPress seems to be the most widely used platform in the blogosphere.

That derives a new problem. People tend to get jeolous or start to cultivate mischievious ideas when you are getting popular. WordPress, naturally became the target for hackers. It doesn’t mean that other blogging platforms is far from hackers. WordPress, in this case, has a higher percentage of being targetted by hackers.

Now, a question for you as the title suggested:

How secure in your WordPress blog? (if you are running your blog under Wordrpess)

Quoting what Matt Mullenweg, founder of WordPress, once said:

The best thing you could do to make sure your blog is secure is to stay up to date with the latest stable version of WordPress.

With the released of WordPress 2.5 last month, I have read some comments from my blogger friends that they don’t wish to upgrade to 2.5, not until it is really stable. On the other hand, few days after the release, I started the upgrade for one of my blogs first (this is the blog which I upgraded first). Before upgrading, to make sure everything work fine, I installed 2.5 in my local machine to test out some of the newly implemented features.

It is really improtatnt to keep your WordPress blogs updated with the latest security fix. Keeping a blog is not as easy as it seems, especially when you start your own domain and host your own blog. Although WordPress is free, it has some hidden cost that you won’t notice until some security issue threaten you.

What sort of hidden cost?

1. You have to update your WordPress everytime there’s an update.
2. You have to update your plugins. This is where security leaks most often. [Check plugin compatiblity for 2.5]
3. You may need to update your theme for compatibility. [Check theme compatibility for 2.5]

In conclusion, you have to pay extra attention on the maintenance costs.

These are what you can do to secure your WordPress blogs:

1. Secure your /wp-admin/ directory – Lock down your wp-admin folder so that only certain IP addresses can access that directory
2. Make an empty wp-content/plugins/index.html file – This is to prevent others to access to your plugins folder. Creating a blank index.html is very easy. Just open up a new file in Notepad and save as “index.html” including the double quotes (“”), and upload this blank index.html file to your plugins folder.
3. Keep an eye on WordPress Development blog – I know some of you have some plugins installed to keep away those “useless” widget/announcement appear in the dashboard. But it’s always good to keep an eye on the WordPress development blog or any updates or simply, subscribe to it.
4. Hide your WordPress version - Most WordPress themes display the current version of WordPress that you used. This tracking code can be found in the header.php. You want to hide your WordPress version, imagine if your blog is not running the latest version and you are showing the version information, it will then be open to hackers. Just open your theme’s header.php file and look for the following line <meta name=”generator” content=”WordPress <?php bloginfo(’version’); ?>” /> and remove the <?php bloginfo(’version’); ?>

Other than those, you can also install a variety of security plugins. Check out the top 10 security and protection plugins for WordPress. I’m going to check out those plugins myself later.

If you want more extra readings on WordPress security, this is a very good one.
[via Metaphorics Lab, JohnTP]