How to Strengthen the Security of Your WordPress Install
Good as WordPress is, it is no more immune to security breaches than any other software.
There are, however, measures you can take to prevent an attack, or at least make your blog much harder to break into. Some are applied before WordPress is installed, others afterwards.
Note: The first and most important measure is to keep your WordPress install, and its themes and plugins, updated to the newest version; attackers routinely scan for installs running versions with known, already-patched flaws.
In this tutorial, we will go over the steps to help prevent security breaches.
Measures Which Can Be Taken Pre-Installation
Change the database table prefix. To do this, locate the “wp-config-sample.php” file in your WordPress package and find the following line:
$table_prefix = 'wp_';
This is the default prefix for every WordPress database table (wp_users, wp_options and so on). Attackers know it, and automated SQL injection tools hard-code those names. Changing the prefix to a random value does not fix an injection flaw, but it does make generic attacks that assume the default table names fail, so it is a cheap hurdle worth adding.
Replace the line above with something like this:
$table_prefix = '5ttpx_';
but use a different prefix that only you know. The installer accepts only letters, digits and underscores in the prefix, so do not use any other characters.
Once that line is changed, rename “wp-config-sample.php” to “wp-config.php”.
You can then go ahead with your WordPress installation.
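As an added example (this is not code from the original tutorial), the following POSIX shell script automates the steps above: it picks a random prefix, checks it against the installer's rule (letters, digits and underscores only), and writes wp-config.php from wp-config-sample.php with the new prefix. The three-line sample file used in the demonstration at the bottom is constructed for the example, not the real wp-config-sample.php.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: pick a random table
# prefix that WordPress will accept and write wp-config.php from
# wp-config-sample.php with that prefix. Assumes POSIX sh, sed, od and
# /dev/urandom; file names are the standard WordPress ones.

# WordPress's installer accepts only letters, digits and underscores in the
# prefix, and it must not be empty. Returns 0 when PREFIX is acceptable.
valid_prefix() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Build a prefix such as "a3f9c1d2_": 4 bytes from /dev/urandom as 8 hex
# characters, plus the trailing underscore WordPress uses by convention.
random_prefix() {
    printf '%s_' "$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')"
}

# set_prefix SAMPLE OUT PREFIX: copy SAMPLE to OUT, replacing the default
# "$table_prefix = 'wp_';" line. Refuses an invalid prefix, refuses to
# overwrite an existing OUT, and fails if SAMPLE has no such line.
set_prefix() {
    sample=$1
    out=$2
    prefix=$3
    if ! valid_prefix "$prefix"; then
        echo "invalid table prefix: '$prefix'" >&2
        return 1
    fi
    if [ -e "$out" ]; then
        echo "$out already exists; not overwriting" >&2
        return 1
    fi
    if ! grep -q "^\\\$table_prefix *= *'wp_';" "$sample"; then
        echo "no default \$table_prefix line found in $sample" >&2
        return 1
    fi
    sed "s/^\\\$table_prefix *= *'wp_';/\$table_prefix = '$prefix';/" "$sample" > "$out"
}

# Demonstration on a constructed three-line stand-in for wp-config-sample.php
# (not the real file), in a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' '<?php' "\$table_prefix = 'wp_';" "define( 'WP_DEBUG', false );" \
    > "$demo_dir/wp-config-sample.php"
new_prefix=$(random_prefix)
set_prefix "$demo_dir/wp-config-sample.php" "$demo_dir/wp-config.php" "$new_prefix"
grep 'table_prefix' "$demo_dir/wp-config.php"   # shows the new prefix line
```

Run it from the directory that holds your unpacked WordPress package after replacing the demonstration paths; the script refuses to overwrite an existing wp-config.php so it cannot clobber a configured site.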
Measures Which Can Be Taken Post-Installation
To make an existing WordPress install more secure, do the following:
Older WordPress installers created the administrator account with the username “admin”, and many blogs still use it. An attacker who already knows the username only has to guess the password, so if your administrator account is still called “admin”, replace it. WordPress does not let you rename a user, so the fix is to create a new administrator and delete the old one.
To do this:
Log in to your blog’s dashboard, then hover your cursor over “Users” and click “Add New”, as shown by the red arrows in the screenshot below:
On the following page, fill in the required information. Pick a unique username and a strong password, select “Administrator” from the “Role” drop-down menu, and click “Add New User”.
This will create a new user with a unique username.
Next, log out of your dashboard, log back in as the new user, and delete the old user (the one whose username is “admin”).
To delete the old user, do this:
Once you’ve logged back in under the new user, click “Users”, hover your cursor over the “admin” user, and click “Delete”. WordPress then asks what to do with that user’s content: choose “Attribute all content to” and select your new user, otherwise the old account’s posts are deleted along with it.
Protecting your “wp-admin” folder with a password at the web server adds a second login in front of WordPress’s own, which blunts brute-force attempts against the dashboard. To do this:
Log in to your web host cPanel and click “Password Protect Directories” under “security”.
Then, open your blog’s folder and click its “wp-admin” folder.
In the next screen, create a user and a password, click “Add/modify authorized user”, and then click “Save”. One caveat: “wp-admin/admin-ajax.php” is called by the public side of many themes and plugins, so if front-end features stop working after you enable the password, that file needs to be excluded from the protection.
A stricter way to keep other parties out of the admin section of your WordPress blog is to restrict it by IP address, so that only your address is allowed in. This is done by adding an “.htaccess” file, with a short snippet of Apache directives, to your “wp-admin” folder. It only works on Apache (or another server that honours .htaccess), and it assumes your address does not change; if your ISP hands you a new address, you will lock yourself out until you update the file.
To do this:
Open up Notepad, and type the following:
Deny from all
Allow from 220.127.116.11
The 220.127.116.11 part is only a placeholder; replace it with your own public IP address. You can list several addresses separated by spaces if you work from more than one place.
Save the file (give it any name; you will rename it in the next step).
Next, rename the file to “.htaccess” and upload it to your “wp-admin” folder. Note that “Deny” and “Allow” are the Apache 2.2 directives; Apache 2.4 uses “Require ip” instead, so check which version your host runs. The same admin-ajax.php caveat as for the password protection applies here, since the IP restriction blocks front-end requests to that file too.
You can deny direct access to files in the “wp-includes” and “wp-content” folders by creating and placing an “.htaccess” file in each of the two folders. The file needs to contain the following piece of code, which refuses every request except for the static asset types listed:
Deny from all
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>
Anything not in the list, including PHP files but also uploads such as PDFs, fonts or video in “wp-content/uploads”, will return a 403 error, so add the extensions your site actually serves and check the front end afterwards. Do not omit the closing </Files> line: an unclosed section makes Apache reject the file and the whole site stops serving.
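The following added example (not code from the original tutorial) generates all three .htaccess files described above: the IP allow-list for “wp-admin” and the asset-only rules for “wp-includes” and “wp-content”. Unlike the snippets on the page it emits both the Apache 2.4 “Require” syntax and the older 2.2 “Order/Deny/Allow” syntax, selected with IfModule so the right one applies whichever version the host runs; it keeps admin-ajax.php reachable, matches extensions case-insensitively, and extends the extension list beyond the page’s five types. It assumes a POSIX shell, an Apache server that honours .htaccess, and uses the documentation address 203.0.113.10 as a placeholder for your own.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: generate the .htaccess
# files for wp-admin (IP allow-list), wp-includes and wp-content (static
# assets only), carrying both the Apache 2.4 "Require" syntax and the older
# Apache 2.2 Order/Deny/Allow syntax so the right one applies whichever
# version the host runs. Assumes POSIX sh and an Apache server that honours
# .htaccess (AllowOverride) for these directives.

# Accept only a dotted-quad IPv4 address with each octet 0-255, so a typo
# (stray space, missing octet, IPv6) is caught before the file locks you out.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print wp-admin rules: ALLOWED is a space-separated list of addresses. Every
# other client is refused, except for admin-ajax.php, which themes and
# plugins call from the public front end and must stay reachable.
admin_rules() {
    allowed=$1
    cat <<EOF
# wp-admin/.htaccess: only the listed addresses may reach the dashboard
<IfModule mod_authz_core.c>
    Require ip $allowed
    <Files admin-ajax.php>
        Require all granted
    </Files>
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from $allowed
    <Files admin-ajax.php>
        Allow from all
    </Files>
</IfModule>
EOF
}

# Print wp-includes/wp-content rules: refuse direct requests for anything
# that is not a static asset. EXT_ALT is a regex alternation of extensions,
# matched case-insensitively so "Photo.JPG" in uploads is still served.
asset_rules() {
    ext_alt=$1
    cat <<EOF
# Block direct requests to PHP and other non-asset files in this tree
<IfModule mod_authz_core.c>
    Require all denied
    <FilesMatch "(?i)\\.($ext_alt)\$">
        Require all granted
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    <FilesMatch "(?i)\\.($ext_alt)\$">
        Allow from all
    </FilesMatch>
</IfModule>
EOF
}

# write_htaccess_files ROOT ALLOWED: validate ALLOWED, then write the three
# files under the WordPress root ROOT. The extension list goes beyond the
# tutorial's five types so common uploads (PDF, fonts, media) keep working.
write_htaccess_files() {
    root=$1
    allowed=$2
    if [ -z "$allowed" ]; then
        echo "no allowed address given; refusing to write a lock-out file" >&2
        return 1
    fi
    for ip in $allowed; do
        if ! valid_ipv4 "$ip"; then
            echo "not a valid IPv4 address: '$ip'" >&2
            return 1
        fi
    done
    exts='css|js|jpe?g|png|gif|webp|svg|ico|pdf|woff2?|ttf|eot|mp4|mp3'
    admin_rules "$allowed" > "$root/wp-admin/.htaccess"
    asset_rules "$exts" > "$root/wp-includes/.htaccess"
    asset_rules "$exts" > "$root/wp-content/.htaccess"
}

# Demonstration against a constructed directory tree, not a live site.
# 203.0.113.10 is a documentation-range placeholder; substitute your own.
demo=$(mktemp -d)
mkdir -p "$demo/wp-admin" "$demo/wp-includes" "$demo/wp-content"
write_htaccess_files "$demo" '203.0.113.10'
cat "$demo/wp-admin/.htaccess"
```

Before uploading the generated files, browse the public side of the site and confirm that images, scripts and any AJAX-driven features still load; anything that breaks points to an extension missing from the list or a plugin that serves files through PHP and needs its own exception.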
Taken together, these measures remove the easiest targets (the default table prefix, the default username and an unguarded admin area) and make your blog much harder to compromise. None of them replaces keeping WordPress, its themes and its plugins up to date.