Posts Tagged ‘Security’

Securing WordPress is not mission impossible

October 19th, 2009

I hate to be the one to burst your bubble, but the ‘how to make WordPress hack proof’ ebook that you just bought was a complete waste of money. Why, you ask? Because you can’t make WordPress (or any other web application, for that matter) literally ‘hack-proof’.

First, let’s define the terms ‘hack’ and ‘hacker’ before we get started:

  • ‘Hacker’ — while the more appropriate term in this context would be ‘cracker’, we’ll use ‘hacker’ instead because its inferred meaning is more socially understood (albeit a misunderstanding). Regarding WordPress, a hacker would, in simplest form, be someone who causes your blog to do something that it isn’t supposed to. Hackers may find a way to ‘spam’ your blog or cause your blog to make unintended posts/comments; they may find a way to overwrite important system files in your blog software so that the blog is rendered unusable; and there are many other nasty activities which can all be examples of hacks (actually the better term here would be cracks).
    • Outside of a personal vendetta, one common reason for a hacker to attack your blog would be to spam it with the hacker’s own message (i.e. affiliate links, etc.). By the time you realize the hack occurred, the hacker has already enjoyed some free click-through traffic courtesy of you.

The World Wide Web is driven by web servers; every blog that we use physically resides somewhere in the world on a real server that is accessible to the Internet. If you have a blog, that blog sits on a server somewhere in the world and is probably shared by many other people, blogs and various Internet applications. The sad but true fact about web servers that you must embrace is, “the only 100% secure web server is the web server whose power is turned off”. Unfortunately that isn’t very practical, given that without power your blog couldn’t be found on the Internet.

So if we can’t secure the web server 100%, that means we cannot secure the contents of the web server 100%. The only option left is to accept that the web server and its contents will be a target of attack on the Internet, and that the best and most practical approach to security is to mitigate threats and make the areas of the server exposed to the Internet as low-value a target as possible. In most cases there will be little that you can do for server-level security, because in most cases you are not going to be the administrator of the server (third-party hosting situations). In third-party hosting situations, the best you can usually do is exercise caution when selecting a server provider for your blog. At any rate, you can always contact your server provider and ask them about their security procedures and what security measures are in place on the web server.

You can, however, take substantial security measures at the blog software level that can dramatically improve the security of your blog. In particular I am talking about self-hosted blogs; ‘free blog services’ like blogger.com or wordpress.com won’t leave many security options to the individual blogger, and you will have to rely on the organization’s administration for security.

If you host your own blog, you can employ plugins that may help secure your blog. Below, I have listed the plugin sites for various blog software where you can find my favorite plugins:

b2Evolution | Plugin Site: http://plugins.b2evolution.net/

TextPattern | Plugin Site: http://textpattern.org/plugins

Movable Type | Plugin Site: http://plugins.movabletype.org/

WordPress | Plugin Site: http://wordpress.org/extend/plugins/

No matter what software you choose as your blogging platform, no amount of plugins can match the effectiveness of common sense and practicality. This is a list of ‘good rules of thumb’ that extend beyond the use of plugins and, when used in conjunction with plugins, can prove to be very effective.

  1. Less code = more security. The less code lying about on your blog, the less potential there is for code to be exploited. If you’re not using a plugin/theme/widget on your blog, deactivate it and then remove it. Do not leave it lying about waiting to be exploited. As plugin versions change and updates are published, you may forget to update the ones you’re not using.
  2. Keep the core blog software updated. I am not a fan of the ‘bleeding edge’, so I wouldn’t necessarily recommend being on the latest version as soon as it is released. New releases can always have unforeseen flaws. I recommend staying 1 full version behind the latest stable version. Upgrade only when security patches are released, or when a new stable version is released and it would leave your blog 2 full versions behind the latest stable version.
  3. Take advantage of the built-in moderation controls of the software. Don’t allow public commenting without some type of control (i.e. all comments are held for approval, only commenters that have been approved can comment, etc.).
  4. Log into your blog at least once per day just to give everything a glance: quickly scan new comments, look at the file size of the blog on your server and note any changes, look at your post count and note any changes, etc.
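As an added example (not code from the original post), here is a small Python script that makes the daily check in item 4 more precise than eyeballing the total file size: it records a baseline manifest of every file under the blog directory (size and SHA-256 hash) and, on a later run, reports which files were added, removed or modified. The directory layout, file names and paths used in demo() are constructed for the demonstration and only imitate a WordPress tree; point build_manifest at the real blog directory on your server to use it.

```python
"""Baseline-and-compare check for a blog's files on the server.

Added example, not from the original post. It records a manifest of every
file under a directory (size + SHA-256) and compares a later run against it,
reporting added, removed and modified files. All paths and sample files in
demo() are constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Walk `root` and return {relative_path: (size, sha256_hex)} for every file."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            rel = path.relative_to(root).as_posix()
            manifest[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest


def compare_manifests(old, new):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_manifest(manifest, path):
    """Persist the baseline as JSON (keep this file outside the web root)."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    """Load a saved baseline; JSON turns tuples into lists, so convert back."""
    raw = json.loads(Path(path).read_text())
    return {k: tuple(v) for k, v in raw.items()}


def demo():
    """Constructed scenario: a tiny fake blog tree, a baseline, then changes."""
    with tempfile.TemporaryDirectory() as tmp:
        blog = Path(tmp) / "blog"
        plugin_dir = blog / "wp-content" / "plugins" / "example"
        plugin_dir.mkdir(parents=True)
        (blog / "index.php").write_text("<?php // front controller\n")
        (plugin_dir / "example.php").write_text("<?php // plugin\n")

        baseline_file = Path(tmp) / "baseline.json"  # outside the blog tree
        save_manifest(build_manifest(blog), baseline_file)

        # Simulated changes between two daily checks (constructed):
        (blog / "index.php").write_text("<?php // front controller\n// appended\n")
        (blog / "wp-content" / "uploads.php").write_text("<?php // new file\n")
        (plugin_dir / "example.php").unlink()

        return compare_manifests(load_manifest(baseline_file), build_manifest(blog))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline file outside the web root and regenerate it after every legitimate upgrade or plugin change, so that the next comparison only flags changes you did not make yourself.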

Happy Blogging!

Ryan Huff, C.E.O & Founder

RTH Consultants

2 Ga. officers suspended for investigating Obama

July 31st, 2009

DEKALB COUNTY, Ga. — County officials have suspended two police officers after the Secret Service notified them that the officers ran a background check on President Barack Obama.

According to county spokeswoman Sheila Edwards, Officer Ryan White and Officer C.M. Route were placed on paid administrative leave pending the outcome of an Internal Affairs investigation. Each has been with the department for about two years.

That investigation was prompted after the Secret Service contacted the county, telling them that someone had accessed two police databases on July 20 around 4:40 a.m. to perform a background check on the president.
Edwards said that the Secret Service is leaving the investigation up to the county.
