WordPress Security – How to Protect Your WordPress Installation From Hackers

There are some simple steps that you can take to protect every WordPress installation you set up. But why worry about security?

This is why:

I have had two WordPress blogs hacked into in the past. That was at a time when I was doing very little internet marketing, and until I found time to address the situation (months later), these sites were penalised in the search engines. They were not removed, but the rankings were reduced.

I fixed it in the end, but I did not deal with it for several months. For a good amount of time, I was unaware even of the problem.

The result? I estimate that I lost out on a couple of hundred pounds of advertising revenue.

Much of WordPress security is simply common sense. Are you using a strong password? Are you using a different password for every website?

For years, I did not do that. I had three or four passwords I commonly used. But there are two ways which you can always generate a good, strong password for every site you register with. (Of course, this includes your WordPress blogs.)

The weaker approach (but still pretty good) is to start with a common password; add some numbers to it that you are likely to remember, such as the house number of your first address; then add the first few, say, five letters of the domain name. For example, if the password you were starting with was reindeer230, if you were using a site called example.com, that would become reindeer230examp. That is a pretty strong password. This technique protects against dictionary attacks where an attacker may repeatedly try to log into your account using English words, words of other languages, names, and so on.

The stronger approach, and the one I personally recommend, is to use one of the password generation and storage plugins available for your browser. Many people like RoboForm, but I think after a free trial period, you have to pay for it. I use the free version of Lastpass, and I recommend it for those of you who use Internet Explorer or Firefox. That will generate secure passwords for you; you then use one master password to log in.

Now we are getting into things specific to WordPress. Whenever you install WordPress, you have to edit the file config-sample.php and rename it to config.php. You need to install the database details there.

There are a few other changes you should do as well.

There is a section of config-sample.php that is headed “Authentication Unique Keys.” There are four definitions that appear within the block. There is a hyperlink within that section of code. You need to enter that link into your browser, copy the contents that you get back, and replace the keys you have with the unique, pseudo-random keys provided by the site. This makes it harder for attackers to automatically generate a “logged-in” cookie for your site.

The next step is to change the table prefix from the default “wp_”. This is in the WordPress Database Table Prefix section. It does not really matter what you change it to; you can use alphanumeric characters, hyphens and underscores. This should thwart so-called SQL injection attacks, where an attempt is made by an attacker to cause WordPress to run some SQL code that has an undesirable effect on your site. That code could add a new user with superuser privileges to your WordPress site.

Note that you should only do this last step for new installations. If you want to do it for existing installations, you will also have to change all the table names in the database.

Finally, installing the WordPress Security Scan plugin will check most of this for you, and alert you to anything that you might have missed. It will also tell you that a user named “admin” exists. Of course, that is your administrative user name. You can follow a link and find instructions for changing that name, if you wish. I personally believe that a strong password is good enough protection, and since I followed these steps, there have been no successful attacks on the numerous blogs that I run.

Finally, WordPress Security will also tell you that there is no htaccess in the wp-admin/ directory. You can put a.htaccess file into this directory if you wish, and you can use it to control access to the wp-admin directory by IP address or address range. Details of how to do that are readily available on the net.

However, I recommend that you install the Login LockDown plugin in place of any.htaccess controls. That will stop login requests from being allowed from a specific IP address for an hour after three failed login attempts. If you do that, you can still access your admin panel while away from your office, and yet you still have good protection against hackers.