WordPress security should be a top priority for all developers. Many clients have come to me with a WordPress blog that was set up by a friend or cheap freelance developer, and 100% of the time it was set up using all the default settings for WordPress without even the slightest consideration for security. If you don’t secure your WordPress blog/site with some basic security plugins and modifications, there is a good chance your blog/site will be hacked or targeted by people who have nothing better to do with their time than make your life more difficult.
In this article, I will address some basic, easy-to-do security settings for WordPress, so you can be assured your blog is not floating around the internet with giant loopholes in its security settings. While no method or plugin is 100% guaranteed to stop all attacks, implementing these basic rules will significantly reduce your chances of getting hacked.
WordPress Security Tip #1: Change your database table prefixes from wp_
If you’re not familiar with databases, this one may be a little confusing. I promise I’m trying to avoid ‘technical jargon’ as much as possible, so here’s a quick explanation of what this means. When you’re setting up WordPress for the first time, you go through 2-3 steps to get the basic site installed and running. One of these steps involves connecting WordPress to a MySQL database on your hosting package, which is the ‘brain’ of your blog. A MySQL database consists of tables which contain all your data. These tables have prefixes (usually 2 characters) which distinguish different installations of the same script running on the same MySQL database. The default prefix for WordPress is ‘wp_’.
So now you must be wondering why it is important to change this, and the answer is very simple. Any ‘baddie’ or hacker searching for sites to hack will try to identify the database table prefix to get a sense of what platform you’re using. As soon as they see ‘wp_’ they yell ‘aha! this clown is using WordPress, so now I know how to get in and mess around with it’ (they may not literally yell this; I’m sure they have their own catch phrases while twisting their curled-up mustache ends).
How do you get around this? When you’re installing WordPress, change the table prefix from ‘wp_’ to something else. This at least stands a better chance of throwing off hackers, as they won’t see the default ‘wp_’ table prefix.
WordPress Security Tip #2: Rename default WordPress directories.
WordPress, unfortunately, has some dead giveaways that you’re using the platform, which are easily seen in the source code. Go ahead and try it on your WordPress blog: right click in the page body and select ‘view source’. Close to the top of the code, you will see paths like ‘wp-content’ and ‘wp-includes’. That’s the problem (I know, again with the wp!). Renaming these directories is a little more complicated than you may think. If you simply change the name of the directories, chances are you will break the path to many important plugins, themes, and functions. However, it is still easily done by a developer who knows their stuff. It involves changing the paths in the actual plugin files from ‘wp-includes’ to whatever you decide to name the directory. It shouldn’t take too long to complete, but this depends on how many plugins you’re using and how complex the code is. I know from experience that plugins using Flash will be a lot harder to update to the new directory names.
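As an added example covering both Tip #1 and Tip #2 (this is not code from the article; the prefix ‘x7q_’ and the directory name ‘assets’ are made up), here is the wp-config.php fragment that sets a non-default table prefix and relocates wp-content. WordPress itself supports moving wp-content through the constants shown, which spares the plugin-file edits described above for any plugin that builds its paths from WP_CONTENT_DIR or plugin_dir_path() instead of hard-coding ‘wp-content’; wp-includes and wp-admin have no such switch and still need the manual approach.

```php
<?php
// Added example, not from the article: fragment of wp-config.php.
// 'x7q_' and 'assets' are made-up values; pick your own.
// Everything here must appear BEFORE the line
//   require_once ABSPATH . 'wp-settings.php';
// at the bottom of wp-config.php, or it has no effect.

// Tip #1: non-default table prefix. Set this at install time, before the
// tables are created. Changing it on a live site also means renaming the
// existing tables (and the prefix-bound option/meta keys), not just this line.
$table_prefix = 'x7q_';

// Tip #2: relocate wp-content without touching plugin code.
// WP_CONTENT_DIR must be an absolute filesystem path with no trailing slash;
// wp-config.php normally sits in the WordPress root, so __DIR__ is that root.
define('WP_CONTENT_DIR', __DIR__ . '/assets');
define('WP_CONTENT_URL', 'https://example.com/assets');

// Plugins default to WP_CONTENT_DIR . '/plugins'; these lines are only needed
// if you want them somewhere else, but setting them explicitly documents
// the layout for the next developer.
define('WP_PLUGIN_DIR', WP_CONTENT_DIR . '/plugins');
define('WP_PLUGIN_URL', WP_CONTENT_URL . '/plugins');

// Caveat (see the article's paragraph above): a plugin that hard-codes
// '/wp-content/' in its own paths will still break after this change and has
// to be patched by hand, so test every plugin after moving the directory.
```

After renaming the directory on disk and saving this file, view the page source again and confirm that no ‘/wp-content/’ paths remain; any that do point at plugins or themes that still need editing.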
WordPress Security Tip #3: Install WordPress security plugins.
WordPress, being an open source application, has a billion plugins (not literally a billion, but lots!) available for free (and paid) to help secure your blog. Some essential ones (in my opinion) are:
- WP Security Scan: helps identify security holes in your blog.
- WordPress Firewall: monitors your site for suspicious activity and blocks many attacks, including ‘brute force’ attacks.
- Stealth Login: this one renames your admin folder, so you can set your own admin URL and not use the standard ‘wp-admin’.
There are probably more out there, but I find these ones do an excellent job of securing your blog.
In short, make sure you or your developer consider these security points when setting up WordPress. I have seen far too many developers who ignore these basic security points, and the client ends up suffering for it. Your blog is one of the biggest online marketing assets you have, so make sure to take the time to secure it properly to keep it running!