9 Important Steps On Securing Your WordPress Blog
Whether you’re starting an online business or setting up a personal blog, there are several security priorities you should look at if you want to reduce the risk of your website being broken into. Below you’ll find the 9 steps I consider the most important security actions to take if you run WordPress.
If you’re new to WordPress, this guide takes you through them in the right order, step by step, and at the end you’ll have a much better WordPress setup than the one you started with. So settle in and we’ll get started.
Before we start: if you already have WP installed, back up your WordPress database (and your files) before making any of the changes below.
Step 1: Start with your database
- The first step is to install WordPress in its OWN database. If you run several sites or applications on the same server and someone gains access to one of them, a separate database keeps the others’ data out of reach: the compromised site’s database user cannot read or change tables that belong to another application.
- Create one user for your WordPress database and grant it only the privileges it needs. For day-to-day use (posting, commenting, uploading, managing users) that is SELECT, INSERT, UPDATE and DELETE. Installing WordPress, and core or plugin upgrades that create or change tables, additionally need CREATE, ALTER, INDEX and occasionally DROP; grant those for the install or upgrade and revoke them again afterwards. That keeps WP running while making it much harder for anyone who steals the credentials (from wp-config.php, for example) to take over the whole database server.
Depending on your host, this is normally a simple task in cPanel’s MySQL Databases screen; on your own server you can do it with the mysql client.
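As an added example (not from the original article), the following shell functions print the SQL that sets up a dedicated database and a least-privilege user for one site, so the statements can be reviewed before they are piped into the mysql client. The database name, user name and password are placeholders; the GRANT/REVOKE syntax is standard MySQL/MariaDB.

```shell
#!/bin/sh
# Added example, not code from the original article. Emits the SQL for a
# dedicated WordPress database and a user that only has what WordPress
# needs day to day; the install/upgrade privileges are granted separately
# so they can be revoked again afterwards.

# Privileges WordPress needs to serve pages, post, comment and upload.
WP_RUNTIME_PRIVS="SELECT, INSERT, UPDATE, DELETE"
# Privileges only needed while installing or upgrading core, plugins or
# themes (creating, altering, indexing and occasionally dropping tables).
WP_UPGRADE_PRIVS="CREATE, ALTER, INDEX, DROP"

# wp_db_sql DBNAME USER PASSWORD
# Prints the statements that create the database and the runtime-only user.
# The password is embedded in a SQL string literal, so avoid quotes and
# backslashes in it (or escape them) before running this.
wp_db_sql() {
  db="$1"; user="$2"; pass="$3"
  cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT $WP_RUNTIME_PRIVS ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# wp_db_upgrade_sql DBNAME USER grant|revoke
# Prints the statement that adds or removes the install/upgrade privileges.
wp_db_upgrade_sql() {
  db="$1"; user="$2"; mode="$3"
  case "$mode" in
    grant)  echo "GRANT $WP_UPGRADE_PRIVS ON \`$db\`.* TO '$user'@'localhost';" ;;
    revoke) echo "REVOKE $WP_UPGRADE_PRIVS ON \`$db\`.* FROM '$user'@'localhost';" ;;
    *)      echo "usage: wp_db_upgrade_sql DB USER grant|revoke" >&2; return 1 ;;
  esac
  echo "FLUSH PRIVILEGES;"
}

# Usage (placeholder names; run as the MySQL administrative user):
#   wp_db_sql myblog_wp myblog_user 'a-long-random-password' | mysql -u root -p
#   wp_db_upgrade_sql myblog_wp myblog_user grant  | mysql -u root -p  # before install/upgrade
#   wp_db_upgrade_sql myblog_wp myblog_user revoke | mysql -u root -p  # after it
```

Printing the SQL rather than executing it directly means the exact GRANT lines end up in your notes, and the grant/revoke pair makes the temporary upgrade privileges an explicit, reversible step instead of something that quietly stays enabled.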
Step 2: Modify wp-config.php
WordPress ships with wp-config-sample.php; copy or rename it to wp-config.php and fill in your database details.
Before we upload the config file, it’s recommended that we add a little more security. Open wp-config.php in your text editor (Notepad works fine) and follow the 2 important steps below:
- Generate unique keys using https://api.wordpress.org/secret-key/1.1/ Simply copy the 4 define lines it returns and paste them over the matching lines in your wp-config.php. (Newer WordPress versions use eight lines, four keys and four salts; https://api.wordpress.org/secret-key/1.1/salt/ generates all eight.) You can change these keys at any time without any problem: the only effect is that users who are logged in when you change them will have to log in again, because their login cookies were signed with the old keys.
- To avoid attackers guessing your WordPress table prefix, we should choose our own instead of the WordPress default wp_. Use something random like 7i64u_ (letters, digits and underscores only). This doesn’t stop an attacker who can already run SQL against your database, but it does defeat canned SQL injection payloads that blindly target wp_users and wp_options. Simply locate $table_prefix = 'wp_'; inside wp-config.php and replace wp_ with your own random name.
Example – Instead of:
$table_prefix = 'wp_';
Choose your own random name:
$table_prefix = '7i64u_';
Do this before installing. On a site that is already installed, changing the prefix in wp-config.php alone will break the site: every table has to be renamed, and the prefixed rows in the options table (such as wp_user_roles) and the usermeta table (such as wp_capabilities) have to be renamed with them.
WordPress will also look for wp-config.php one directory above the web root if it isn’t found next to wp-settings.php. Keeping it there means a server misconfiguration that serves PHP files as plain text cannot expose your database credentials and keys.
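As an added example (not code from the original article), here is a small POSIX shell script that does both of the steps above without calling api.wordpress.org: it generates the keys from /dev/urandom, picks a random table prefix, and writes a hardened copy of wp-config-sample.php. The sample config embedded in it is a constructed excerpt used only so the script can be run offline; wp-config-sample.php and wp-config.php in the usage line are the real file names.

```shell
#!/bin/sh
# Added example, not code from the original article: generate the secret
# keys and a random table prefix locally and write them into a copy of
# wp-config-sample.php.

q="'"   # a single quote, kept in a variable so it can be used in patterns

# wp_random_string N : N random characters from [A-Za-z0-9] taken from
# /dev/urandom. Alphanumerics only, so the value never needs escaping inside
# the PHP string; 64 of them is roughly 380 bits of entropy, plenty for a key.
wp_random_string() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# wp_gen_prefix : a random prefix such as k3x9q_ (letters, digits and the
# underscore are the only characters WordPress accepts in a table prefix).
wp_gen_prefix() {
  first=$(LC_ALL=C tr -dc 'a-z' < /dev/urandom | head -c 1)
  rest=$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 4)
  printf '%s%s_\n' "$first" "$rest"
}

# wp_sample_config : a constructed excerpt of wp-config-sample.php, used as
# sample input so the example runs offline (the real file has more lines).
wp_sample_config() {
  cat <<'EOF'
<?php
define('DB_NAME', 'putyourdbnamehere');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
$table_prefix  = 'wp_';
EOF
}

# wp_harden_config SAMPLE PREFIX : copy SAMPLE to stdout, replacing every
# "put your unique phrase here" placeholder with a fresh random key and the
# $table_prefix line with PREFIX. All other lines are passed through untouched.
wp_harden_config() {
  sample="$1"; prefix="$2"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *"put your unique phrase here"*)
        name=${line#*$q}        # drop everything up to the first quote
        name=${name%%$q*}       # keep the constant name, e.g. AUTH_KEY
        printf "define('%s', '%s');\n" "$name" "$(wp_random_string 64)"
        ;;
      '$table_prefix'*)
        printf "\$table_prefix = '%s';\n" "$prefix"
        ;;
      *)
        printf '%s\n' "$line"
        ;;
    esac
  done < "$sample"
}

# Usage against a real install (run in the WordPress directory):
#   wp_harden_config wp-config-sample.php "$(wp_gen_prefix)" > wp-config.php
```

Matching on the placeholder phrase rather than on the constant names means the same loop handles the four-key and the eight-line (keys plus salts) versions of the sample file, and any line that has already been filled in is left alone.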
Step 3: Change default “admin” username
By default WordPress creates “admin” as the administrator username, and attackers know it. While Fantastico users can pick a different username when installing (as can anyone installing WordPress 3.0 or later), a manual installation of an older version has to change it afterwards.
There are several ways to get this done, so pick the one that suits you best.
- While logged into your WordPress Dashboard, click “Users” and “Add New”, then create a new user with the Administrator role. Log out as “admin”, log in with your new username, go to “Users” again and delete the original “admin” user. When WordPress asks what to do with admin’s posts, attribute them to your new user rather than deleting them.
- If you know your way around phpMyAdmin, you can make the change directly by editing the user_login value of the admin row in the users table (wp_users, or whatever your prefix is). Note that user_nicename and display_name are public (author archive URLs and post bylines), so keep both different from the new login, otherwise the new login is just as easy to discover as the old one.
- You may also use a WordPress plugin to change your username. There are several plugins out there that will help you do this. The one I recommend: http://w-shadow.com/blog/2008/07/24/change-admin-username-in-wordpress/
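As an added example (not from the original article), this shell function generates the SQL for the phpMyAdmin method, refusing a name that is still “admin” or that contains characters which would break out of the SQL string literal, and appends a SELECT so you can confirm the result. The prefix 7i64u_ and the login editor42 in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article: build the SQL that
# renames the "admin" account, with the new login validated first.

# wp_rename_admin_sql PREFIX NEWLOGIN
# Prints the UPDATE for the users table plus a SELECT to verify it. Returns 1
# (printing nothing) if NEWLOGIN is empty, still "admin", or contains
# characters outside letters, digits, _ . @ -
wp_rename_admin_sql() {
  prefix="$1"; new="$2"
  if [ -z "$new" ] || [ "$new" = admin ]; then
    echo "choose a login other than 'admin'" >&2
    return 1
  fi
  case "$new" in
    *[!A-Za-z0-9_.@-]*)
      echo "login may contain only letters, digits and _ . @ -" >&2
      return 1 ;;
  esac
  cat <<EOF
-- Rename the account. user_nicename (used in /author/ URLs) and display_name
-- are deliberately left alone so the new login is not shown publicly.
UPDATE \`${prefix}users\` SET user_login = '$new' WHERE user_login = 'admin';
-- Verify: expect one row with the new login and no row named admin.
SELECT ID, user_login, user_nicename, display_name FROM \`${prefix}users\` WHERE user_login IN ('admin', '$new');
EOF
}

# Usage (placeholder prefix, login and database name):
#   wp_rename_admin_sql 7i64u_ editor42 | mysql -u root -p myblog_wp
```

The character check matters because the new login is spliced into a SQL statement as text: a value such as x' OR 1=1 -- would otherwise rewrite the WHERE clause and rename every account in the table.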
Step 4: Hide your WordPress Version
By default, WordPress themes print the WordPress version in a <meta name="generator"> tag in the page head. This makes it extra easy for attackers or anyone else to discover which version of WordPress you’re running.
Publishing your version number lets someone pick the exploit that matches it, so hide it. Bear in mind that this is only obscurity: the version is also visible in readme.html and in the ?ver= query strings on scripts and styles, and the real protection is keeping WordPress updated (Step 9).
There are several ways to hide your WordPress version, but the best is to add the code below to your theme’s functions.php. If your theme folder has no functions.php, create a new file with that name.
I’ve seen many who just add the code you see below, including myself, but without proper checking they don’t realize that the feed is leaking the WordPress version! So to clarify, the line of code below ONLY removes the version from the meta tag – NOT from the feed generator!
<?php
// Removes the WordPress version from the <meta name="generator"> tag in the page head
remove_action('wp_head', 'wp_generator');
To completely remove the WordPress version, including from the RSS and Atom feeds, add the following code to your functions.php instead:
<?php
// Stops WordPress from printing the version anywhere the generator string is output,
// including the feeds. The original used create_function(), which was removed in
// PHP 8; an anonymous function does the same job and works on PHP 5.3 and later.
add_filter('the_generator', function () { return ''; });
Step 5: Block public directories browsing
There are two simple ways to prevent the public from browsing your directories:
- Put an empty index.html file inside each folder that has no index file of its own. Don’t add one next to an existing index.php (the WordPress root, wp-content, plugins and themes already have one): on hosts whose DirectoryIndex lists index.html before index.php, the empty page would be served instead of your site.
or
- Add the following line to the .htaccess file in your web root (your host must permit AllowOverride Options for it to take effect):
Options -Indexes
The form Options All -Indexes seen in many tutorials mixes signed and unsigned options, which the Apache documentation lists as invalid syntax (Apache 2.4 refuses to start on it); -Indexes on its own turns off directory listings and leaves the other options as they were.
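As an added example (not from the original article), the shell function below applies the index.html method to a whole WordPress tree while honouring the DirectoryIndex caveat: it only creates a file in directories that have no index.php, index.html or index.htm. The path in the usage line, /var/www/blog, is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original article: create an empty
# index.html in every directory under a WordPress install that has no index
# file of its own. Directories that already contain index.php (site root,
# wp-content, plugins, themes) are skipped on purpose, because an index.html
# beside index.php would be served instead of the PHP file on hosts whose
# DirectoryIndex lists index.html first.

# wp_add_index_files ROOT : creates the files and prints how many were created.
# Running it again on the same tree creates nothing and prints 0.
wp_add_index_files() {
  root="$1"
  find "$root" -type d -print | while IFS= read -r dir; do
    if [ ! -e "$dir/index.php" ] && [ ! -e "$dir/index.html" ] && [ ! -e "$dir/index.htm" ]; then
      : > "$dir/index.html"          # zero-byte file: nothing to list, nothing to serve
      echo "$dir/index.html"
    fi
  done | wc -l | tr -d ' '
}

# Usage (placeholder path):
#   wp_add_index_files /var/www/blog
```

Checking for all three index names, not just index.html, is what keeps the script from shadowing a directory’s real front page; the count it prints makes it easy to see at a glance whether anything changed on a second run.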
Step 6: Restricting your wp-content and wp-includes directory
Add an .htaccess file that restricts these directories to the files a browser actually needs: images, CSS and JavaScript. Thanks to http://blogsecurity.net for the original rules.
The following lines deny access to everything in the directory and then let the static file types back through. Add them to a new .htaccess file and upload it to your wp-content directory:
Order Allow,Deny
Deny from all
<Files ~ "\.(css|jpe?g|png|gif|js)$">
    Allow from all
</Files>
Extend the regex with any other file types you serve from wp-content (pdf, svg, ico, woff or mp4 uploads, for example), or those files will return 403. On Apache 2.4 the same rules are written with Require all denied in place of Order Allow,Deny / Deny from all, and Require all granted in place of Allow from all.
If a particular PHP file has to stay reachable directly (some plugins need this), allow it by name by adding a block like the following to your /wp-content/.htaccess. The file name here is a placeholder:
<Files "example-plugin.php">
    Allow from all
</Files>
Note that if you’re using several plugins you might need to spend a little time tweaking before everything works correctly; the Apache error log shows which files are being denied.
PS. I had some problems getting this to work under the wp-includes folder without disabling some of the WP toolbar features. If you’re having the same problem, skip adding the .htaccess file inside wp-includes, but make sure you include it in your wp-content folder.
Step 7: Security scanning your site
WordPress scanner (the WPScan service from BlogSecurity.net) lets you measure the security of your site. It’s a free plugin ready to be uploaded to your server.
There are 2 ways to run the scan. Choose the one that suits you.
Verification with the plugin:
- Download the plugin, extract it and upload it to your /wp-content/plugins/ directory.
- Log in to your WordPress admin and activate the plugin.
- Go to BlogSecurity.net and type in your website URL as well as the security code.
- Click “Start Scan”.
The scanner will then connect to your site to check that it has permission to scan it, and will prompt you with recommendations if any security issues are found.
The scanner also supports a text file for scan verification:
- Download the text file and upload it to your blog directory, so that it is reachable at /wordpress/wpscan.txt.
- Go to BlogSecurity.net and type in your website URL as well as the security code.
- Click “Start Scan”.
As with the plugin version, the scanner will then connect to your site to check that it has permission to scan it, and will prompt you with recommendations if any security issues are found.
Remember to disable the plugin (and delete wpscan.txt) when you have finished scanning. Otherwise other people would be able to scan your site as well.
Step 8: Habit of picking strong passwords
With passwords needed all over the place, we have all been tempted to choose one we can easily remember. Sound familiar…? Then please take your right hand and give yourself a big security slap!
Do yourself a favour from now on and choose a strong password: long above all (length does more for strength than anything else), containing uppercase, lowercase and numbers, and, if you want to go the extra mile, a few special characters like brackets and question marks. Use a different password for every site, and never reuse your WordPress admin password for the database user or your FTP account.
Try Microsoft’s password checker to test the strength of your passwords.
To generate strong passwords, try the Strong Password Generator web generator for free.
If you want software to manage, auto-fill and generate passwords for you, I recommend checking out RoboForm’s password manager for free.
Step 9: Update update update
Keep your WordPress up to date with security releases, core updates and plugin updates, either with the automatic update in your WordPress admin or by manually downloading the current release (2.8.x at the time of writing). Plugins and themes need updating just as much as core and are the most common way in, so update them too, and delete any you no longer use: an inactive plugin’s files can still be requested and exploited.
Final Word
If you have followed every step, you’ve now taken a huge step towards making your WP more secure. Congratulations! Remember to keep it updated.
