Are you sure your website is secure enough to withstand a hacker attack? The better your website becomes, the more interest it generates for a hacker. So you should secure WordPress before the bad things happen. Check out our tips and tricks on how to secure WordPress and make life harder for hackers. A word of caution: don’t become one of those hackers while reading the post. And if you do, at least buy me a beer. 🙂
You should also consider using the server security checklist, because it helps you keep the server itself safe, and the server is the basis of your whole online business.
Keep in mind that any website can be hacked. Our goal is to cut off the self-taught hacker kids. If a professional hacker picks your site as a victim, then it’s 99% a success 🙂 but that’s not the end of the world, and we’ll learn why.
Update WordPress
This is probably the most basic and easiest piece of advice. Updates for the WordPress engine are published regularly. You don’t even need to visit www.wordpress.org daily, as the dashboard will notify you about released updates. The same applies to plugin updates.
Backup, backup and backup
It’s too late and your site has already been hacked? No problem. Of course, that assumes you made backups of your website 🙂 ALWAYS back up the database and the files on the server. And don’t forget to change all your passwords: hosting cPanel, FTP, WordPress admin panel.
It’s also a good idea to contact your hosting provider to report the hack, and maybe ask them to scan your FTP space for malicious scripts. There are a lot of excellent backup plugins for WordPress, so just install one and enjoy your life.
Move your wp-config.php file
Did you know that you can move the wp-config.php file outside the web-root folder? Say, if your WordPress is installed under the /home/username/public_html folder, you can move the wp-config.php file one level up, right into /home/username/. WordPress looks for the file exactly one directory above its own root, so put it there and not any higher. That way no one will be able to read the content of that file through the web server.
Why do you want to secure that one small file? Well, you want to secure WordPress, and that file stores the credentials to your database. With access to the database, it’s only a matter of time before an attacker gets into the WordPress admin panel and then your server.
Username and password
The first thing to do after installing WordPress is to delete the default user. Keeping the admin user drastically reduces your chances against a brute-force attack, because the attacker already knows half of the login.
Create a new user with some freaky name, and delete the default admin user.
Strong admin password: it’s incredible how many people don’t follow this piece of advice. Passwords like 123456, password, abc123, admin123, qwerty and so on. You are just begging to be hacked 🙂 And the attacker does not need to be a pro hacker. A simple brute-force or dictionary attack and he will gain access to your WordPress admin panel, and after that full access to the server.
So, keep your password strong. Try this password strength meter tool http://www.passwordmeter.com and, if you’re curious about how fast your password can be cracked, check this website http://www.lockdown.co.uk/?pg=combi&s=articles
Use Secret Keys in your WP-Config File
Open the wp-config.php file and find these lines of code:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
WordPress has a generator for this, which you can find at https://api.wordpress.org/secret-key/1.1/salt/ Simply copy the result from that page and replace the default block of code with it.
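If you would rather not fetch the salts from the WordPress API, this added Python script (my example, not something from the original post) generates the same eight define() lines from the operating system’s CSPRNG and, as a check, lists any constant in an existing wp-config.php that is still set to the default placeholder; the character set is my assumption.

```python
import re
import secrets
import string

# The eight constants WordPress expects in wp-config.php (names taken from the page).
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"
# Assumed alphabet: letters, digits and punctuation that is safe inside a PHP
# single-quoted string (no quote characters and no backslash).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>,.;:/?|~"
_DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")


def random_phrase(length=64):
    """Return a phrase of `length` characters drawn with the secrets module (CSPRNG)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_salt_block():
    """Return the eight define() lines, one per key, ready to paste into wp-config.php."""
    return "\n".join(f"define('{key}', '{random_phrase()}');" for key in WP_SALT_KEYS)


def placeholder_keys(config_text):
    """Return the salt constants in config_text that are still set to the default placeholder."""
    return [key for key, value in _DEFINE_RE.findall(config_text)
            if key in WP_SALT_KEYS and value == PLACEHOLDER]


if __name__ == "__main__":
    # Constructed sample: a wp-config.php fragment in which two keys were never changed.
    sample = (
        "define('AUTH_KEY', 'put your unique phrase here');\n"
        "define('SECURE_AUTH_KEY', 'h8Gq2vN]pL#xW4');\n"
        "define('NONCE_SALT', 'put your unique phrase here');\n"
    )
    print("keys still at the default placeholder:", placeholder_keys(sample))
    print(generate_salt_block())
```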
Change the WordPress table prefix
You can specify the prefix during the WordPress installation. If you already have the site up and running, you’ll need to get your hands dirty with some database work. So, let’s see what we need to do:
First, open wp-config.php and find this line of code:
$table_prefix = 'wp_';
Change it to something less obvious, for example mwsp5_. NOTE: Use only lowercase characters, digits, and underscores.
Now open your hosting control panel and launch the phpMyAdmin tool. We should make a backup of the current database, just in case anything goes wrong. Click the Export tab and then the Go button.
Once you have the file downloaded, make a copy of it. Now open the file with a text editor. Do a “Search and Replace”; usually it’s the CTRL+F hotkey.
We should search for the “wp_” phrase, which is our default prefix, and replace it with our new one, “mwsp5_”. Keep in mind that a blanket replace also rewrites any “wp_” that appears inside post content or other stored data, so review the changes before saving. When it’s done, save the updated file and go back to phpMyAdmin.
Now drop all the tables of your WordPress database. Click the Import tab and browse to the updated .sql file. Hit the Go button and wait for the import to finish. If you did everything correctly, your site should be up and running.
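The search-and-replace step is the delicate one: the dump also contains “wp_” inside post content, and meta keys such as wp_capabilities that must follow the new prefix or your admin user loses its role. This added Python script (my example, not part of the original post) performs the same rename on a downloaded .sql export but only touches backtick-quoted table names and the known prefixed keys; the sample dump and the new prefix mwsp5_ are constructed.

```python
import re

# The page's rule for a prefix: lowercase letters, digits and underscores only.
_PREFIX_RE = re.compile(r"^[a-z0-9_]+$")
# Row values in which WordPress bakes the table prefix into the key itself
# (usermeta meta_key and options option_name). If these keep the old prefix,
# every user loses their role after the import. At least these three exist.
PREFIXED_KEYS = ("capabilities", "user_level", "user_roles")


def valid_prefix(prefix):
    """True if `prefix` only uses the characters the page allows."""
    return bool(_PREFIX_RE.match(prefix))


def rename_prefix(sql_text, old="wp_", new="mwsp5_"):
    """Rewrite a phpMyAdmin/mysqldump export from prefix `old` to `new`.

    Only backtick-quoted identifiers (table names in CREATE, INSERT, DROP ...)
    and the known prefixed meta/option keys are rewritten, so an occurrence of
    "wp_" inside post content or other stored data is left alone.
    Returns (new_sql_text, number_of_replacements).
    """
    if not valid_prefix(new):
        raise ValueError(f"table prefix {new!r} may only contain a-z, 0-9 and _")
    ident_re = re.compile("`" + re.escape(old) + r"([A-Za-z0-9_]+)`")
    key_re = re.compile("'" + re.escape(old) + "(" + "|".join(PREFIXED_KEYS) + ")'")
    text, n_ident = ident_re.subn(lambda m: f"`{new}{m.group(1)}`", sql_text)
    text, n_keys = key_re.subn(lambda m: f"'{new}{m.group(1)}'", text)
    return text, n_ident + n_keys


# Constructed sample dump: four table references, two prefixed keys and one
# "wp_" inside a post body that must survive the rename.
SAMPLE_DUMP = """CREATE TABLE `wp_posts` (`ID` bigint(20) NOT NULL, `post_content` longtext);
INSERT INTO `wp_options` VALUES (94,'wp_user_roles','a:1:{s:13:"administrator";a:0:{}}','yes');
INSERT INTO `wp_usermeta` VALUES (10,1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_posts` VALUES (1,'Call wp_footer() right before </body> in your theme.');
"""

if __name__ == "__main__":
    new_sql, count = rename_prefix(SAMPLE_DUMP)
    print(f"{count} replacements")
    print(new_sql)
```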
So, the bottom line is SECURE WORDPRESS 🙂
Have you ever had an issue with your blog security? I’d love to hear your story in the comments.