This article is the English version of WordPressを安全に使うためにする事 (what to do to use WordPress safely).
This site uses WordPress. With this tool, you can create a site easily. I like this tool. However, this software often has security problems; see, for example, WordPress の脆弱性対策について (on countermeasures for WordPress vulnerabilities) from IPA 独立行政法人 情報処理推進機構 (the Information-technology Promotion Agency, Japan), etc.
Indeed, building a website from static files is safer than using WordPress. My friends use this method.
But I… I want to use WordPress. There is no reason.
So I wrote this article. It contains tips to improve the safety of a site created with WordPress.
II. What to do
1. Change the login user ID
As you know, a popular attack method against WordPress is a dictionary attack on the administration page.
From this site's experience of being attacked, attackers use 'admin', 'administrator' and 'sysrigar' (this site's name) as the login ID.
Therefore, it is a good idea to change the user ID to an unusual name such as "CPP_and_Perl".
Please refer to the following pioneers' articles for changing or adding a WordPress user ID.
- 管理画面/ユーザー/新規追加 (Administration screen / Users / Add New) – WordPress Codex 日本語版 (Japanese edition)
- WordPressのユーザー名（admin）を変更・削除する方法 (How to change or delete the WordPress user name "admin") | WordPress資料一覧 | はっちゃんの初心者向けWordPressセミナー
2. Install plug-ins
(1) CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart)
With a CAPTCHA, WordPress can easily defend against login attacks by bots.
Many plugins provide this function.
This site uses the SiteGuard WP Plugin to add this function.
Installing this plugin adds a CAPTCHA to the administration login page.
(2) Google Authenticator
If I were to install this plugin, my site would be safe. But it is a bother, so I didn't use it on this site.
Please refer to the following pioneers' article for installing Google Authenticator for WordPress.
3. Craft the theme file of WordPress
Even if you apply the above security methods, crackers still try to attack the WordPress administration page, and many login-failure records accumulate.
To avoid this, I changed the WordPress theme file, referring to pioneers' articles.
By doing this, it becomes difficult to access the administration page except from a specific address.
Please refer to the following pioneers' article.
This method may be a little difficult for beginners, but I like it.
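As an added illustration of this approach (my own code, not the article's or the linked pioneers'), here is a fragment for a child theme's functions.php that allows wp-login.php and the wp-admin area only from an allow-list of client addresses. The function names, the two sample addresses (TEST-NET ranges, constructed for this example) and the choice of hooks are my assumptions.

```php
<?php
// Added example for a child theme's functions.php; not the original article's code.
// Assumption: the allow-list holds constructed sample addresses from the TEST-NET
// ranges (203.0.113.10 and 198.51.100.0/24). Replace them with your own.
function sysrigar_admin_allowed_ips() {
    return array( '203.0.113.10', '198.51.100.0/24' );
}

// Returns true when $ip is inside $cidr ('a.b.c.d' or 'a.b.c.d/n'). IPv4 only.
function sysrigar_ip_in_cidr( $ip, $cidr ) {
    if ( false === strpos( $cidr, '/' ) ) {
        return $ip === $cidr;
    }
    list( $subnet, $bits ) = explode( '/', $cidr, 2 );
    $ip_long     = ip2long( $ip );
    $subnet_long = ip2long( $subnet );
    if ( false === $ip_long || false === $subnet_long ) {
        return false;
    }
    $mask = ( 0xFFFFFFFF << ( 32 - (int) $bits ) ) & 0xFFFFFFFF;
    return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

function sysrigar_client_allowed() {
    // REMOTE_ADDR is set by the web server from the TCP connection, so it is not
    // controlled by the client; do not use X-Forwarded-For here unless a trusted
    // reverse proxy in front of WordPress sets it.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( sysrigar_admin_allowed_ips() as $cidr ) {
        if ( sysrigar_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}

function sysrigar_block_admin_from_unknown_ips() {
    // admin-ajax.php also fires admin_init; skip it so front-end features
    // that rely on AJAX keep working for ordinary visitors.
    if ( function_exists( 'wp_doing_ajax' ) && wp_doing_ajax() ) {
        return;
    }
    if ( ! sysrigar_client_allowed() ) {
        // Respond with 403 instead of the login form, so the login-failure
        // log stops filling up with attempts from unknown addresses.
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'login_init', 'sysrigar_block_admin_from_unknown_ips' );
add_action( 'admin_init', 'sysrigar_block_admin_from_unknown_ips' );
```

Test it from an allowed address first, because a mistake in the allow-list locks you out of your own administration page until you edit the file over FTP or SSH.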
The methods in this article can only defend against brute-force attacks on the administration page.
And they cannot defend against bugs in WordPress itself.
But I think it is important to prevent script-kiddie attacks.
I hope this article will be useful to you.