6 Things You Can Do To Secure Your WordPress From Hackers

Ads by Google

muo 6wpsecure intro   6 Things You Can Do To Secure Your Wordpress From Hackers Running a WordPress-based website is often a pleasure, enabling you to focus on content and building relationships with readers and other websites.

However, not everyone on the web is as friendly as you. Somewhere out there is a list with your blog’s name on it, where it sits, waiting to be targeted by hackers. When they get around to your blog, they’ll try various tactics to gain access to it, perhaps with the aim of selling legal drugs or infecting your visitor’s computers with malware.

Fortunately, there are various ways in which you can protect your WordPress blog from hackers.

Regularly Update WordPress

One of the most powerful but oft-overlooked solutions for keeping WordPress safe from hackers is to make sure it is regularly updated.

Obviously there is a down-side to this – some of your best WordPress plugins might stop working if WordPress is updated – but at the same time it should be looked upon as an opportunity to refresh your plugins, find replacements that themselves are secure and reliable and basically tighten up your website or blog. Sticking to plugins that are found in the WordPress directory is also a good way to keep things under control.

Updating WordPress is possible from within the Dashboard, but always take a backup of your database before doing so.

Ads by Google

Keep Regular Backups

An important procedure for all WordPress blog owners is to ensure that backups are made regularly and that they can easily be restored should the worse happen.

Solutions are plentiful, but Cloudsafe365 is one of the most powerful, combining cloud backup (Dropbox can be used) with various secure protection tools against techniques such as cross site scripting, SQL injection, and even monitors content theft.

Cloudsafe365, available from the WordPress plugins site , comes in three flavors. A free option covers the things listed above, while the paid options offer further features such as protection against code injection and brute force attacks.

Install an Encrypted Login Plugin

Protecting the actual act of logging on to your WordPress-based website is best effected by using an encrypted login plugin, as the website software doesn’t have this facility by default. Probably the best solution for this – perfect for protecting your blog login details from packet sniffers on wireless networks – is Chap Secure Login, which uses the SHA-256 algorithm to protect your username and password.

muo 6wpsecure4   6 Things You Can Do To Secure Your Wordpress From Hackers

Meanwhile the Login Lockdown plugin is a useful way of blocking IPs that record repeated failed attempts to access your site.

Other login protection steps you can take includes installing a strong CAPTCHA  plugin. RetinaPost is a particularly impressive plugin, requiring users to enter highlighted characters from a phrase rather than try and decipher screwed up text images or do maths challenges. Any attempts to disrupt your blog using the comments system can be markedly reduced using this plugin.

Hide “Powered by WordPress”

Hackers have a different tactic for each of the various types of website software that is in use, but you can make things tougher for them by not advertising the fact that your website is “Powered by WordPress”.

muo 6wpsecure3   6 Things You Can Do To Secure Your Wordpress From Hackers

By default this information can be found in the footer.php file, reached by entering your blog’s Dashboard, selecting Appearance > Editor to edit within the browser window. Different themes will require different methods for removing this text, so you should check online to find the best approach (if plain text is used to display the legend, then delete this; if PHP code is used, tread carefully unless you know what you’re doing).

Change Admin Username

One way in which hackers can find a way into your site is by using brute force software that will attempt multiple logins using common words and phrases as passwords, coupled with a selection of obvious usernames.

The administrator username in WordPress can be selected when the software is setup, but in the rush to get things done many users leave it at the default choice of “admin”. As obvious usernames go, this comes at the top of the list, which is why changing it is important.

Two ways exist for changing the admin username. First, you can create a second administrator account with a username which isn’t obvious, and then delete the original user. Note, however, that this might have an effect on any articles written under the administrator account (they’ll perhaps be unpublished until a new name is set, or display an error on the post page).

Probably the most effective way to do this is to access your site’s phpMyAdmin, select the WordPress database, find the wp_users table (“wp_”is a default prefix which may have been changed at installation) and use the Browse icon to find the “admin” username.

muo 6wpsecure1   6 Things You Can Do To Secure Your Wordpress From Hackers

Once discovered, find the user_login column, click the edit button on the appropriate row and then change “admin” to your preferred administrator account login name, clicking Go when you’re done.

Move the wp-config File

A glaring issue with WordPress is that the key security details are stored in a single, unencrypted file that can be hacked and used to take control of your blog. The wp-config.php file contains the admin login details as well as the username and password for the MySQL database.

Therefore, securing this file is paramount if you wish to protect the site from hackers.
muo 6wpsecure5   6 Things You Can Do To Secure Your Wordpress From Hackers
One thing you shouldn’t do, however, is delete wp-config – this would leave your site unusable (and rather blank). So how do you protect your site from this bizarre vulnerability?

Since the release of WordPress 2.8, blog owners have had the ability to move the file to the root web directory on the server. What this means, for instance, is that if you have your site installed in www.mysite.com/wordpress, the wp-config.php file can be moved up a level, to the mysite directory.

Conclusion

Regardless of how technical or non-technical you are, if you run a WordPress blog there is no excuse not to implement any or all of these tools to protect your website from hackers.

After all, what is the point in putting in all of that hard work only to find that someone has taken over the site and is now costing you your regular visitors by advertising Viagra?

These steps can be implemented in just a couple of hours – perhaps a single weekend morning if you’re pressed for time – so don’t ignore, act now.

Ads by Google

11 Comments - Write a Comment

Reply

Ankur

I have a doubt. What if my site is xyz.com and I want to protect wp-config.php. I cannot move it up another level

Ewebpedia

yah, this trick seems to only be applied in site where wordpress is installed in sub-domain or sub-page but not in main domain.

Christian Cawley

There are various ways of doing this, from taking the bulk of the contents and using an include to point to a new file in a new location, but if you’re on the most reason of WP it *should* (and I’m not a WP developer so don’t shoot me if it doesn’t work!) allow you to you move it.

You should also clear this with your hosting provider, however, as:

*They should be considering offering this automatically as part of the installation (assuming you have fantastico or similar automation)
*Their a/v solution may not like having wp-config in the root directory

Ankur

Thanks for your reply. However, I am a bit confused at what you have said. You mean there is a way of moving wp-config one directory up when you have xyz.com as WordPress site

Reply

Joshua Lockhart

Thanks for writing this, Christian. A site I help run was recently attacked. This would have been nice to know.

Reply

Dave Jackson

”Hiding” or deleting the “Powered by WordPress” does nothing. It is a quick peek at the source code which will tell you WP is being used … the theme, the CSS location, etc.

Christian Cawley

Hiding or deleting the phrase does an awful lot for protecting your site against any targeting bot that searches the web for the phrase “powered by WordPress”.

Reply

Jamie VanRaalte

I think the hiding powered by wordpress and not having the admin username as ADMIN are probably the two most important!

Reply

Access control Cape Town

great tips provided and really helped me to market my product. thank you for the product

Reply

Liza

Just a hint/tip, hiding “Powered by WordPress” actually doesn’t help, as there are many other ways to know right off the bat whether a website is WordPress-powered.

Reply

Aung Thu Htet

I use wordpress for now and your post is very useful for me.

Your comment