I recently fell victim to a hacker on a WordPress blog I was setting up. Luckily I’d backed everything up, but what if I hadn’t? I’d most likely have lost everything.
The hack was partly my own fault for not putting the right measures in place. It got me wondering how many other webmasters fail to implement basic security measures that could save them a lot of trouble later on.
So, without further ado, let’s look at my top WordPress security tips. I’ll also point you towards a few WordPress security plugins I’ve discovered that do a good job of adding a second line of defence.
Don’t Use Admin as a Username
Let’s start simple: the default username in WordPress is “admin”. Don’t use it! It’s the first username every attacker will try, and knowing the username lets them launch a brute force attack, which simply means a bot making attempt after attempt at guessing your password.
This is still one of the most common types of attack out there, and it still works. As a second line of defence I’d install a handy plugin called Login Lockdown. It records the IP address of every failed login attempt, and if a lot of failures crop up from one range in a short time frame it bans all IP addresses from that range. It also goes without saying: use a strong password.
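To see what that kind of lockout logic looks like on the server side, here is an added example (not code from this post or from the Login Lockdown plugin) that scans Apache combined-format access log lines for bursts of failed wp-login.php attempts per IP address or, like the range ban described above, per /24 network. It assumes a failed login is a POST to wp-login.php answered with HTTP 200 (a successful one is answered with a 302 redirect); the threshold, window and sample log lines are constructed assumptions.

```python
# Flag wp-login.php brute-force attempts in an Apache combined access log (added
# example, not code from the post or the Login Lockdown plugin). A failed WordPress
# login is a POST to wp-login.php answered 200 (success is a 302 redirect).
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("method"), m.group("path"), int(m.group("status")))

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5), by_range=False):
    """Map each client IP (or its /24 when by_range=True, the range ban the post
    describes) to when it first hit `threshold` failed logins inside `window`."""
    recent, flagged = defaultdict(deque), {}  # key -> recent failure timestamps
    for line in lines:
        if not (rec := parse_line(line)):
            continue
        ip, ts, method, path, status = rec
        # Only POSTs to wp-login.php that came back 200 count as failed logins.
        if method != "POST" or status != 200 or not path.split("?")[0].endswith("wp-login.php"):
            continue
        key = str(ipaddress.ip_network(f"{ip}/24", strict=False)) if by_range else ip
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # discard failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = ts
    return flagged

# Constructed sample log (documentation address ranges, not real traffic): six
# failures from .7 and one from .8 in one /24, then a user who fails twice and logs in.
SAMPLE_LOG = [
    f'203.0.113.{h} - - [10/Mar/2024:09:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "bot"'
    for h, s in ((7, 1), (7, 5), (7, 9), (8, 12), (7, 14), (7, 20), (7, 25))
] + [
    '198.51.100.9 - - [10/Mar/2024:09:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:09:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:09:01:50 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Run `find_bruteforce(SAMPLE_LOG)` to flag the single attacking address at 09:00:20, or `find_bruteforce(SAMPLE_LOG, by_range=True)` to flag the whole 203.0.113.0/24 range earlier, at 09:00:14, because the .8 attempt counts too.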
Change the WordPress Table Prefix
This means changing another WordPress default, which makes it harder for an attacker to target your blog via SQL injection (it only raises the bar for automated attacks that assume the default prefix, so treat it as one layer, not a fix). The table prefix defaults to wp_ and is easy to change in your wp-config.php file prior to installation.
However, if you have a site that’s already installed and you’re trying to secure it, I recommend using the WP Security Scan plugin to change the prefix. Remember to take a backup before you change anything; it’s good practice! WP Security Scan has a number of useful features (such as removing the WordPress version number from the page source), so it’s definitely worth installing.
Don’t forget to use secret keys
I have a friend who works for a hosting company, and he revealed that it’s amazing how many people forget to use secret keys. If you’ve installed WordPress via Fantastico or some other quick-install tool that your hosting company provides, these should be included automatically.
These secret keys and salts are mixed into the hashes WordPress uses for login cookies, making those cookies far harder to forge. To make sure you’re using them, visit https://api.wordpress.org/secret-key/1.1 to generate your keys and then put them in your wp-config.php file; you’ll spot the placeholders easily.
Secure your wp-admin folder
I missed this when installing my blog, and it’s another security tip that many webmasters fail to implement. The wp-admin folder is very important, and if an attacker gets into it they’re going to cause some serious damage.
This involves using a .htaccess file to restrict access. You have two options here: you can allow access only from certain IP addresses (which isn’t ideal if you have a dynamic IP or work from multiple locations or on the move), or you can use a .htpasswd file.
To use the IP address method, simply create a .htaccess file, paste in the code below (replacing the xxx with your IP address) and upload it to your wp-admin folder. The code uses Apache 2.2 access-control syntax; Apache 2.4 replaced order/deny/allow with the Require directive:
# No password file is used here; the Auth* lines are inert without a Require valid-user
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# Apache 2.2 syntax: deny everyone, then allow only the listed addresses
order deny,allow
deny from all
#IP address to Whitelist
allow from xxx.xxx.xxx.xxx
You can add multiple allow lines, one per IP address, if you want. If your site has multiple writers posting (like Technology Bloggers) or accepts guest posts, then this method is unlikely to be viable. Bear in mind too that some themes and plugins call wp-admin/admin-ajax.php from the public side of the site, so a blanket restriction on the folder can break those features for ordinary visitors.
If that’s the case, use the .htpasswd method; there’s a useful tutorial here: htaccess Files and WordPress Security.
Keep WordPress up to date
This seems obvious, but a lot of people forget to upgrade their WordPress install, maybe through fear of breaking something or perhaps just laziness.
The majority of WordPress upgrades are released to improve security and patch known vulnerabilities. So back up your install and upgrade to the latest version as soon as it’s available.
Keep regular backups
Sometimes, no matter how many security measures you have in place, an attacker is still able to get through, perhaps via a plugin that contains a vulnerability.
In that case, regular backups are your last line of defence. Take them through a plugin or via your host; you can schedule them to run daily and have them emailed to you.
Having to restore a backup is probably a worst-case scenario, but believe me, it’s far easier than having to set up your entire blog again and recreate blog posts from Google’s cached pages.
What are your favourite WordPress security methods? Are there any great plugins I’ve missed? Please let me know in the comments section below.