I’ve had a few emails from people asking me how they can secure and protect their WordPress install from all of the comment spam and what steps they can take to reduce the change of getting hacked. WordPress is one of the largest blogging platforms in the world and it is open source. Because of this it has become a prime target for comment spam and hackers. Luckily there are some relatively simple things you can do to help reduce spam and secure your WordPress install.

How To Reduce WordPress Spam

WordPress comment spamming has become a huge issue among blog owners and authors. The reason that blogs get so much spam these days is that SEO (Search Engine Optimization) people are trying to get your website to link to theirs – increasing their page rankings in Google. Because WordPress is open source and so common, virtually every WordPress site uses the same commenting system that the spammers are now exploiting. Here are some ways you can change the way your comment system works – foiling the spammers evil plans of dropping a penis enlargement link on your website.

Akismet

Akismet is a plugin that comes with WordPress, but you need to pay a monthly fee to subscribe to their services.

Aksimet works by checking the commenters IP Address against it’s own database of known spammers. If the commenter’s IP is listed by Aksimet, then the comment gets rejected. There are only two problems with this service. 1) It’s not free 2) Although it significantly reduces spam, it’s not 100% effective in stopping comment spam and can sometimes block a genuine comment by mistake. 

Download

NoSpamNX

Another great WordPress plugin is NoSpamNX. This plugin is completely free and is very successful at stopping automated spam bots from commenting on your site.

NoSpamNX works by inserting an empty text box on your comment form that is invisible to a human but a spam bot will be able to see. Most spam bots will see this extra box and decide to fill it out with random junk. So basically if it is a human adding a comment, we will leave the extra text box empty (as we cant see it and don’t know it’s there) but a spam bot will fill it out. If the comment is submitted with that extra box filled out then the comment gets rejected!

Download

Functions.php

Be very careful if you decide to implement this. I would recommend against doing this if you are not particularly tech savvy or do not know basic coding. Before you do anything, please, please, please, make a backup of your functions.php – just in case. Place the following code inside your functions.php.

function verify_comment_referer() {
    if (!wp_get_referer()) {
        wp_die( __('You cannot post comment at this time, may be you need to enable referrers in your browser.') );
    }
}
add_action('check_comment_flood', 'verify_comment_referer');

Basically this works by checking the referral of the commenter before deciding to accept the comment or not. Most spam bots will have a ‘poor referrer’ and will be denied. This options is far from being 100% successful, but I find it helps prevent the odd comment that the first two options miss.

How To Secure and Protect Your WordPress Website

Now I’ll talk about all of the ways you can protect your install from unwanted access and hacks. Some of them are easy, others are more complicated with lots of options and should be implemented with care. I’ll start off by listing the easier and safer methods of protecting and securing your WordPress website. And of course, always keep your install updated when possible.

Removing Unimportant Files From Your Server

There are many ways you can do this: FTP or maybe just through your hosts file manager. Either way all you have to do is delete these files:

/readme.html
/license.txt

The reason for this is that those two files are not important in any way to run your site, but contain the WordPress version that you have. This information could be used by hackers to help gain access to your site!

Secure WordPress

This plugin comes with multiple ‘minor’ security features, but there are two that you should be most interested in. The first is the ability to create an index.html in each sub folder. This stops a random person from browsing and being able to access files in the directories of your site. The second is the ability to remove default WordPress headers such as the WordPress version. It is important to hide what version of WordPress you are running from hackers so that they don’t know how to exploit your site if you are using an outdated version. The plugin also does multiple other things to keep your install protected such as blocking any bad and malicious queries that could be harmful to your WordPress website and removing plugin-update information for non-admins. 

Download

Semisecure Login Reimagined

This simple but nifty plugin secures your login information by encrypting it from the client side using JavaScript. It is most useful for situations where SSL is not available, but the administrator wishes to have some additional security measures in place without sacrificing convenience.

Download

Limit Login Attempts

You don’t have to be a computer wiz to know what this plugin does. This is most useful in stopping some random hacker from just trying to guess what your username and password is. Many customization features such as email notification are available as well.

Download

WebsiteDefender WordPress Security

This WordPress plugin/service constantly scans your server to make sure nothing malicious finds it’s way onto your install. It also has a very important feature that allows you to change the prefex of your WordPress tables away from the default _wp. Furthermore this plugin also gives suggestions on how to further tighten up security on your site and will email you if anything important happens.

Download

Which analytics app do you use and why? Read on to see if there’s anything more fitting for your needs or if you have something you’d recommend.

Mint
	Every time I’ve looked into analytics apps several people always tell me they much prefer Mint over Google Analytics. Mint is self-hosted, so you have more control in that respect, but also offers real-time tracking and is extensible. Mint’s interface is clean and easy to read and navigate, so it’s a breeze to use. Price: $30 per site WordPress Plugin: Yes Mobile App: Third-party iPhone app (iTunes) Real-time data: Yes Requirements: Self-Hosted (PHP, MySQL) Developer: Shaun Inman
Reinvigorate
	Reinvigorate is one of my favorites and actually my personal analytics app of choice. The app offers real-time tracking, visitor “NameTags” (great for seeing who’s on your site), a desktop app and even heatmaps. The app design is fantastic and it’s a breeze to use; although it can be addicting watching your real-time data flow in. Price: $10 per month, 14-day free trial WordPress Plugin: Yes Mobile App: No Real-time data: Yes Requirements: None Developer: Sean McNamara
Clicky
	Clicky probably offers the most features of any app listed here, including real-time tracking, various plugins, mobile apps, website widgets and a whole lot more. Along with piles of great features, Clicky also offers more price plans than other apps to best fit your needs and your budget. Clicky’s interface design wasn’t too appealing for me, but it does a great job at accomplishing its goal. Price: Free, $6.99-$19.99 per month WordPress Plugin: Yes Mobile App: Yes Real-time data: Yes Requirements: None Developer: Clicky
chartbeat
	Chartbeat, like several of the other apps here, also offers real-time tracking but features an interface that’s more enjoyable to look at than just a pile of numbers or the typical line graph. It’s a clean looking and easy to use app that will be much more appealing to the average user rather than hardcore analytics users. Price: $9.95 per month, 30-day free trial WordPress Plugin: Yes Mobile App: iPhone app (iTunes) Real-time data: Yes Requirements: None Developer: Chartbeat Inc.
Woopra
	Woopra takes a different approach to analytics and requires that you download a desktop client to handle your site’s incoming data. The app offers real-time tracking and a dark color scheme for its interface, making heavy use of icons and vibrant colors. With the features offered, Woopra is a great choice, especially since it’s free. Price: Free WordPress Plugin: Yes Mobile App: iPhone app (iTunes) Real-time data: Yes Requirements: Desktop compatible with desktop client Developer: iFusion Labs, LLC.
Piwik
	Piwik is an open source analytics app that you’ll have to host yourself but offers everything from real-time tracking to mobile apps for iPhone and Android and is even offered in over 30 languages. It’s directly intended to be an alternative to Google Analytics and does a pretty dang good job of it. Price: Free (open source) WordPress Plugin: Yes Mobile App: iPhone (iTunes) or Android app Real-time data: Yes Requirements: Self-hosted (PHP, MySQL) Developer: Piwik

Source – Article Provided by appstorm.net

1. DEFINITIONS.

1. 1. “CONTENT” means all text, pictures, sound, graphics, video and other data supplied by Customer to Provider.
   2. “USER CONTENT” means all text, pictures, sound, graphics, video and other data provided by Website users.
   3. “WEBSITE” means the user interface, functionality and Content made available on pages under the Domain Name.
   4. “SPECIFICATIONS” means the Customer’s requirements for design and functionality.
   5. “WORK PRODUCT” means all HTML files, Java files, graphics files, data files, scripts, all documentation and any other deliverable prepared for Customer by Provider in accordance with the terms of this Agreement.

2. WEBSITE DEVELOPMENT.

2.1 DELIVERY OF INITIAL CONTENT. Customer shall source all Content in accordance with the intended purpose of the sourced material before giving to Provider.

2.2 DEVELOPMENT. Provider shall provide design, programming and other consulting services for the fee agreed upon.

2.3 SHADOW SITE; ACCEPTANCE. Provider shall make complete versions available for Customer’s review and acceptance. Customer shall have 7 days to review and evaluate (the “Acceptance Period”) to assess whether it meets the Specifications. If Customer rejects the Shadow Site during the Acceptance Period, Customer may elect to: (a) extend the time for Provider to provide revised Work Product for acceptance; (b) revise the Specifications and negotiate an appropriate reduction in the Design Fee to reflect the revised Specifications; (c) complete the Work Product and deduct the costs of completion from the Design Fee; or (d) terminate this Agreement, in which case Section 6.2 applies.

2.4 BACK UP OF WORK PRODUCT. Prior to initial acceptance of the Work Product, Provider shall back up its work at least once every three days and to store such back-up materials in a secure site at a separate location.

3. MODIFICATIONS.

If Customer desires to modify the Website (including the Requirements) at any time during the term of this Agreement, Customer shall describe the additional services or deliverables to Provider (the “Change Notice”). Within seven days of such Change Notice, Provider shall submit a change order proposal (the “Change Order”) which includes a statement of any additional charges. On Customer’s written approval of the Change Order, the Change Order will become a part of this Agreement. Any additional deliverables or changes to the Website described in the Change Order shall be subject to acceptance testing at the Shadow Site as described in Section 2.3.

4. WEB HOSTING.

SERVICES. Following Customer’s initial acceptance of the Work Product pursuant to Section 2.3, Provider shall provide the following web hosting services:

(A) DOMAIN NAME. Unless otherwise specified it is hereby acknowledged that Customer shall own all right, title and interest in and to the Domain Name and all Intellectual Property Rights related thereto.

(B) CONTENT CONTROL. Customer shall have control over the Content. Provider shall not supplement, modify or alter any Work Product which has been accepted or approved by Customer or any Content (other than modifications strictly necessary to upload the Content to the Website) except with Customer’s prior written consent.

5. PAYMENTS.

5.1 FEES. Except as otherwise specified, Provider shall invoice all fees monthly, and payment is due 30 days from delivery of the invoice.

1. 1. EXPENSES. Customer shall reimburse Provider for all reasonable out-of-pocket expenses which have been approved in advance by Customer, including but not limited to travel and lodging expenses, long distance calls, and material and supply costs, within 30 days after Customer’s receipt of expense statements including appropriate receipts or other evidence of the expense.

6. TERM AND TERMINATION.

6.1 TERMINATION FOR CAUSE. Except as otherwise provided for herein, either party may terminate this Agreement upon the material breach of the other party, if such breach remains uncured for 30 days following written notice to the breaching party.

6.2 TERMINATION DURING INITIAL WEBSITE DEVELOPMENT. In the event that Customer terminates the Agreement prior to initial acceptance of the Work Product pursuant to Section 2.3, Customer shall return all Work Product to Provider and Provider shall return any Initial Content and refund to Customer any portion of the Design Fee previously paid to Provider (minus deposit) hereunder.

6.3 TERMINATION DURING WEBSITE HOSTING. In the event of expiration or termination of this Agreement while Provider is providing Web hosting services pursuant to Section 4, Provider shall download all materials on the Website to a medium of Customer’s choosing and deliver such materials to Customer within 5 business days. In addition, at no cost to Customer, Provider shall: (a) keep the Website publicly accessible for a period of 7 days following the date of termination of this Agreement; (b) if the transfer requires a change in the Domain Name, immediately upon the date that the Website is no longer publicly accessible, and for a period of 3 months thereafter, maintain the Website’s URL and at such URL, provide 1 page (including a hypertext link) that Customer may use to direct its users to its new Website or some other URL of Customer’s choosing.

6.4 EFFECT OF TERMINATION. Sections 1, 6.4, 8, 9, 10 and 11 shall survive termination of this Agreement. Subject to Provider’s obligations pursuant to Section 6.3, Provider shall remove all copies of the Content from servers within its control and use reasonable efforts to remove any references to Customer or the Content from any site which caches, indexes or links to the Website.

7. CUSTOMER COVENANTS.

During the period that Provider provides Web hosting services pursuant to Section 4, Customer shall not distribute on the Website any Content that: (a) infringes on the Intellectual Property Rights of any third party or any rights of publicity or privacy; (b) violates any law, statute, ordinance or regulation (including without limitation the laws and regulations governing export control, unfair competition, antidiscrimination or false advertising); (c) is defamatory, trade libelous, unlawfully threatening or unlawfully harassing; (d) is obscene, child pornographic or indecent; or (e) contains any viruses, trojan horses, worms, time bombs, cancelbots or other computer programming routines that are intended to damage, detrimentally interfere with, surreptitiously intercept or expropriate any system, data or personal information.

8. OWNERSHIP OF CONTENT AND WEBSITE.

As between Provider and Customer, any Content given to Provider by Customer under this Agreement or otherwise, and all User Content, shall at all times remain the property of Customer or its licensor. Provider shall have no rights in such Content or User Content other than the limited right to use such content for the purposes expressly set forth in this Agreement.

9. CONFIDENTIAL INFORMATION.

Customer’s “Confidential Information” are any passwords used in connection with the Website (or the Shadow Site), all Server Logs, all Work Product and documents related to the Work Product, any Content which Customer designates as confidential, and any other materials of Customer which Customer designates as confidential or which Provider should reasonably believe to be confidential. Customer’s “Confidential Information” also includes the Website itself until such time as Customer decides to make the Website publicly available to users. Provider’s “Confidential Information” is defined as the source code of any Work Product.

10. LIMITATIONS ON LIABILITY.

Except for breaches of sections 4 and 11.1, in no event shall either party be liable for any lost profits or special, incidental or consequential damages (however arising, including negligence) arising out of or in connection with this agreement.

11. GENERAL PROVISIONS.

11.1 COMPLIANCE WITH LAWS. Provider shall ensure that its Website design and its web hosting services will comply with all applicable international, national and local laws and regulations.

11.2 SEVERABILITY; WAIVER. If any provision of this Agreement is held to be invalid or unenforceable for any reason, the remaining provisions will continue in full force without being impaired or invalidated in any way. The parties agree to replace any invalid provision with a valid provision which most closely approximates the intent and economic effect of the invalid provision.

11.3 HEADINGS. Headings used in this Agreement are for reference purposes only and in no way define, limit, construe or describe the scope or extent of such section or in any way affect this Agreement.

Except as otherwise specified, Provider shall invoice all fees monthly, and payment is due 30 days from delivery of the invoice.

TERMINATION FOR CAUSE.

Except as otherwise provided for herein, either party may terminate this Agreement upon the material breach of the other party, if such breach remains uncured for 30 days following written notice to the breaching party.

In the event of expiration or termination of this Agreement while Provider is providing Web hosting services pursuant to Section 4, Provider shall download all materials on the Website to a medium of Customer’s choosing and deliver such materials to Customer within 5 business days. In addition, at no cost to Customer, Provider shall: (a) keep the Website publicly accessible for a period of 7 days following the date of termination of this Agreement; (b) if the transfer requires a change in the Domain Name, immediately upon the date that the Website is no longer publicly accessible, and for a period of 3 months thereafter, maintain the Website’s URL and at such URL, provide 1 page (including a hypertext link) that Customer may use to direct its users to its new Website or some other URL of Customer’s choosing.

EFFECT OF TERMINATION.

Subject to Provider’s obligations pursuant to Section 6.3, Provider shall remove all copies of the Content from servers within its control and use reasonable efforts to remove any references to Customer or the Content from any site which caches, indexes or links to the Website.

CUSTOMER COVENANTS.

During the period that Provider provides Web hosting services pursuant to Section 4, Customer shall not distribute on the Website any Content that: (a) infringes on the Intellectual Property Rights of any third party or any rights of publicity or privacy; (b) violates any law, statute, ordinance or regulation (including without limitation the laws and regulations governing export control, unfair competition, antidiscrimination or false advertising); (c) is defamatory, trade libelous, unlawfully threatening or unlawfully harassing; (d) is obscene, child pornographic or indecent; or (e) contains any viruses, trojan horses, worms, time bombs, cancelbots or other computer programming routines that are intended to damage, detrimentally interfere with, surreptitiously intercept or expropriate any system, data or personal information.

OWNERSHIP OF CONTENT AND WEBSITE.

As between Provider and Customer, any Content given to Provider by Customer under this Agreement or otherwise, and all User Content, shall at all times remain the property of Customer or its licensor. Provider shall have no rights in such Content or User Content other than the limited right to use such content for the purposes expressly set forth in this Agreement.

CONFIDENTIAL INFORMATION.

Customer’s “Confidential Information” are any passwords used in connection with the Website (or the Shadow Site), all Server Logs, all Work Product and documents related to the Work Product, any Content which Customer designates as confidential, and any other materials of Customer which Customer designates as confidential or which Provider should reasonably believe to be confidential. Customer’s “Confidential Information” also includes the Website itself until such time as Customer decides to make the Website publicly available to users. Provider’s “Confidential Information” is defined as the source code of any Work Product.

LIMITATIONS ON LIABILITY.

Except for breaches of sections 4 and 11.1, in no event shall either party be liable for any lost profits or special, incidental or consequential damages (however arising, including negligence) arising out of or in connection with this agreement.

To view the entire policy in it’s fully click here.