
Firewalling and Hack Proofing Your WordPress Blog « Lorelle on W

BlogSecurity is one of the top security blogs out there, keeping an eye on all things blog security and WordPress.

They’ve just released two great articles WordPress fans need to check out. First is news of a video and blog post by Guvnr called “10 Tips to Make WordPress Hack Proof.” The effort drew on tips from BlogSecurity’s popular WordPress Security Whitepaper, inspiring them to update and improve it soon. The second is “How to Firewall Your WordPress Blog” by Jaimie Sirovich of SEO Egghead, guest blogging on BlogSecurity. He covers options to help you make your WordPress blog more secure with a variety of WordPress Plugins. Don’t forget that the best line of defense for your WordPress blog begins with a strong password, followed by regularly upgrading your WordPress blog, especially after mandatory security alerts.

There is a lot of misinformation on the web about blog and WordPress security. Here are some reliable articles on blog and WordPress security:

Three tips to protect your WordPress installation

Here are three easy but important ways to protect yourself if you run a WordPress blog:

Secure your /wp-admin/ directory.

What I’ve done is lock down /wp-admin/ so that only certain IP addresses can access that directory. I use an .htaccess file, which you can place directly at /wp-admin/.htaccess. This is what mine looks like:

```apache
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
allow from 199.239.136.200
# IP while in Kentucky; delete when back
allow from 128.163.2.27
```

I’ve changed the IP addresses, but otherwise that’s what I use. This file says that the IP address 64.233.169.99 (and the other IP addresses that I’ve whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access.
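An added audit script, not from the post, that mirrors the allow-list semantics of that .htaccess (Apache 2.2 "order deny,allow" directives) in Python and runs them over a few constructed access-log lines, flagging /wp-admin/ requests from addresses that are not on the list and separating the ones Apache blocked with a 403 from the ones that got through. The log lines and the outsiders' addresses are constructed for the example; the allow-list reuses the post's already-altered addresses.

```python
import ipaddress
import re

# Allow-list mirroring the .htaccess above (the post's own altered addresses, reused as sample data).
ALLOWED = ["64.233.169.99", "69.147.114.210", "199.239.136.200", "128.163.2.27"]

# Common/combined log format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines; the outsiders use RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '64.233.169.99 - - [10/Oct/2008:13:55:36 -0700] "GET /wp-admin/ HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2008:13:56:01 -0700] "GET /wp-admin/ HTTP/1.1" 403 312',
    '203.0.113.5 - - [10/Oct/2008:13:56:07 -0700] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44',
    '198.51.100.7 - - [10/Oct/2008:13:57:00 -0700] "GET /index.php HTTP/1.1" 200 8000',
]

def is_allowed(client_ip, allowed=ALLOWED):
    """Decide as Apache does for 'order deny,allow' + 'deny from all' + 'allow from':
    only a client matching an allow entry (single host or CIDR network) gets through."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in allowed)

def parse_line(line):
    """Return (ip, method, path, status) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path, int(status)

def audit_wp_admin(log_lines, allowed=ALLOWED):
    """List every /wp-admin/ request from an IP not on the allow-list as
    (ip, path, status, enforced); enforced is True when Apache answered 403
    as the rule intends and False when the request got through anyway."""
    hits = []
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _method, path, status = parsed
        if path.startswith("/wp-admin/") and not is_allowed(ip, allowed):
            hits.append((ip, path, status, status == 403))
    return hits

def enforcement_gaps(log_lines, allowed=ALLOWED):
    """Unblocked hits only: anything here means the .htaccess is not in effect,
    e.g. AllowOverride is off for that directory or the file sits elsewhere."""
    return [hit for hit in audit_wp_admin(log_lines, allowed) if not hit[3]]
```

A non-empty enforcement_gaps result is the check worth re-running after any server or hosting change, because an .htaccess is silently ignored where AllowOverride is off. Keep in mind that /wp-admin/admin-ajax.php is also fetched by some themes and plugins on behalf of ordinary visitors, so an allow-list on the whole directory can break those features.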

I’d just go ahead and delete that line or at least the bloginfo('version'). Hat tip to Reuben Yau and Shoe.

Perspectives in Process

In a recent post, enterprise architect James McGovern wondered whether BPM products, like Lombardi's, support XACML.

So I replied with a comment discussing BPM and security mechanisms: With respect to security, there are two fundamental issues: who are you, and what do you have access to? In general, the OASIS SAML specification deals with the former, and the OASIS XACML specification deals with the latter. Lombardi Teamworks explicitly supports SAML as a means of identifying who you are and passing that around.