Make Your WordPress Site Hack-Proof

14th December 2009


Securing a WordPress site is something that many website owners don’t pay enough attention to: they believe the chances of their blog ever being hacked are very low and that it is the sort of thing that only happens to other people.

However, sooner or later you will have problems if you don’t take precautions. In this post I cover why securing your site matters, along with eight tips you can implement straight away to make your site more resilient and secure.

Why Does Your WordPress Site Need Securing?

This may seem like an obvious question, but it’s worth considering the risks posed to your site. The main risks come from comment spammers and from attackers spreading malware. The spammers want to post thousands of comments on your site that all link to adult material, online gambling and other shady sites. The malware attackers are often after your traffic: they inject “redirects” into your site so that anyone visiting is immediately sent on to a site they control. Others simply want to wipe your WordPress database, which effectively deletes your blog.

You might think that this could never happen to you, but it happens every day to lots of site owners. Even some big, well-known sites within the WordPress community have recently been hacked: for example, read this post at ThemeShaper. If it could happen there, it could happen to you too, especially if you have taken no steps to secure your site.

Think for a second – what might happen if your site got hacked today? Would you have a backup you could use to get your site up and running again? If not, you’ve potentially just lost your whole site – if so, how recent is your backup? How much content would you lose? Also, if your site makes you money, how much cash might you lose if your site is down for a few days whilst you’re trying to recover? Consider also that if your site does go down it may have a negative impact on your search rankings which may have taken months and years to achieve!

WordPress Security Tips

Now that you know some of the risks associated with your site getting hacked, what steps can you take to make it more secure? Here are some simple tips that will help reduce the risk of your site being compromised:

Backup Regularly

This is perhaps the most important tip here: backing up your site regularly, and storing that backup somewhere secure and away from the server itself (a backup kept on a compromised server is compromised with it), means that even in the worst-case scenario you can get up and running again. Without any backups you could lose everything. It is also worth checking occasionally that you can actually restore from a backup. You can learn how to quickly perform a WordPress backup in this post: Easily Complete A WordPress Backup In Less Than 5 Minutes
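As an added example (not from the original post or the backup guide it links to), here is a minimal shell backup script. It reads the database credentials straight out of wp-config.php so that nothing has to be copied into a second file, passes the password to mysqldump through an option file rather than the command line, and keeps a fixed number of dated archives. It assumes a Unix host with mysqldump and tar on the PATH; the WordPress root, the backup directory and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal WordPress backup script.
# Assumptions: a Unix host with mysqldump and tar on PATH; the WordPress root and
# the backup directory are passed as arguments; function names are this example's own.

# Read a define('KEY', 'value') constant from wp-config.php (single or double
# quotes, any spacing) so the script never needs its own copy of the credentials.
wp_config_value() {
    config="$1"; key="$2"
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$config" | head -n 1
}

# Keep only the newest $2 archives in $1; the date stamp in the name sorts correctly.
prune_backups() {
    dir="$1"; keep="$2"
    ls -1 "$dir"/wp-backup-*.tar.gz 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
    while read -r f; do rm -f "$f"; done
}

# Dump the database and archive the files into $2/wp-backup-<stamp>.tar.gz,
# keeping the last $3 (default 7) archives. Usage: wp_backup /var/www/html /backups 7
wp_backup() {
    wp_root="$1"; backup_dir="$2"; keep="${3:-7}"
    config="$wp_root/wp-config.php"
    # wp-config.php may have been moved one level up (see "Hide Your Configuration File").
    [ -f "$config" ] || config="$(dirname "$wp_root")/wp-config.php"
    [ -f "$config" ] || { echo "wp-config.php not found for $wp_root" >&2; return 1; }

    db_name=$(wp_config_value "$config" DB_NAME)
    db_user=$(wp_config_value "$config" DB_USER)
    db_pass=$(wp_config_value "$config" DB_PASSWORD)
    db_host=$(wp_config_value "$config" DB_HOST)

    umask 077                      # archive holds credentials and content: owner-only
    work=$(mktemp -d) || return 1
    mkdir -p "$backup_dir" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)

    # Hand the password to mysqldump via an option file, not the command line,
    # where every local user could read it from the process list. The value is
    # quoted because '#' would otherwise start a comment in a MySQL option file.
    printf '[client]\nuser="%s"\npassword="%s"\nhost="%s"\n' "$db_user" "$db_pass" "$db_host" > "$work/my.cnf"
    if ! mysqldump --defaults-extra-file="$work/my.cnf" --single-transaction "$db_name" > "$work/db.sql"; then
        rm -rf "$work"; return 1
    fi
    rm -f "$work/my.cnf"
    cp "$config" "$work/wp-config.php"   # copied explicitly in case it lives outside the tree

    tar -czf "$backup_dir/wp-backup-$stamp.tar.gz" \
        -C "$work" db.sql wp-config.php \
        -C "$(dirname "$wp_root")" "$(basename "$wp_root")"
    rc=$?
    rm -rf "$work"
    [ "$rc" -eq 0 ] && prune_backups "$backup_dir" "$keep"
    return "$rc"
}
```

Run it from cron (for example nightly) and copy the resulting archive off the server; the archive contains your database password, so treat it with the same care as wp-config.php itself.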

Update Your WordPress Version

It is easy to put off upgrading your WordPress installation when a new version becomes available. However, it is important to update soon after a release, because security fixes ship in those updates and the details of what was fixed become public at the same time, which makes an unpatched site an easy target.

Ensure That You Use A Secure Password

This is an obvious but fundamental tip that we all hear again and again, yet many people still do not use strong enough passwords. Use a long password (length matters more than anything else) with a mixture of uppercase and lowercase letters, numbers and punctuation, and make sure the password for your WordPress admin panel is not one you use anywhere else, so that a breach of some other site does not hand an attacker your blog.

Delete The Admin User

All WordPress installations come with a user called “admin” by default, and it is one of the first things attackers try when targeting your site, since it gives them half of the login for free. To make your site more secure, remove this user: first create a new user with a unique username and the Administrator role, log in with that new account, then delete the admin user. When deleting it, make sure you attribute all of its posts to the new user you created, otherwise you lose them. Bear in mind that this only removes the attacker’s free guess at your username; a strong password is still what actually keeps them out.

Install Security Plugins

There are lots of WordPress security plugins that can help keep your site secure. Some, such as WP Security Scan and WordPress Exploit Scanner, check your site for vulnerabilities. Others aim to protect your site with a firewall (e.g. WordPress Firewall) or anti-virus scanning (e.g. WP AntiVirus). Finally, you may also want to limit the number of attempts to log in to your admin panel; the Limit Login Attempts plugin does this, locking an address out after repeated failures, which blocks bots that try to guess your password by “brute force”. Remember that every plugin is extra code running on your site, so install only ones that are maintained and keep them updated.

Restrict Access Using .htaccess

Another effective method is to restrict access to the important areas of your site at the web server level. For example, you can use an .htaccess file to limit access to the wp-admin directory to your own IP address, or put a second password prompt in front of it, so that even an attacker who guesses a WordPress password cannot reach the dashboard. Note that some themes and plugins call wp-admin/admin-ajax.php on behalf of ordinary visitors, so you may need to exempt that file. You can learn more about doing this at: Hardening WordPress with htaccess.
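To show the “brute-force” problem from the plugins section and the .htaccess restriction together, here is an added example (not from the original post or the linked hardening guide). The first function counts POST requests to wp-login.php per client address in an Apache combined-format access log, which is what a password-guessing bot looks like from the server side; the other two turn a list of addresses into .htaccess fragments, one denying the offenders access to wp-login.php and one allowing only your own addresses into wp-admin. It assumes the Apache 2.2 access-control syntax (Order/Deny/Allow) that was current when this post was written; the sample log lines in the test are constructed, and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original post: spot brute-force login attempts in an
# Apache access log and turn the offending addresses into .htaccess rules.
# Assumptions: combined log format; Apache 2.2-style access control. On Apache 2.4
# the same effect needs "Require ip ..." / "Require all denied" (or mod_access_compat).

# Print "count ip" for every client that POSTed to wp-login.php at least $2 times
# (default 10), busiest first. In the combined format field 6 is the quoted
# method and field 7 the request path.
wp_login_attempts() {
    log="$1"; threshold="${2:-10}"
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }
    ' "$log" | sort -rn
}

# Read IP addresses on stdin and emit an .htaccess fragment for the WordPress root
# that blocks them from wp-login.php. With "Order allow,deny" the Deny lines are
# evaluated last, so they win over "Allow from all".
# Usage: wp_login_attempts access.log 10 | awk '{print $2}' | wp_login_denylist
wp_login_denylist() {
    echo '<Files wp-login.php>'
    echo '    Order allow,deny'
    echo '    Allow from all'
    while read -r ip; do
        if [ -n "$ip" ]; then echo "    Deny from $ip"; fi
    done
    echo '</Files>'
}

# Emit an .htaccess fragment for the wp-admin/ directory that admits only the
# addresses given as arguments; everyone else gets 403. With "Order deny,allow"
# the Allow lines are evaluated last and override "Deny from all". If a theme or
# plugin needs wp-admin/admin-ajax.php for anonymous visitors, add a
# <Files admin-ajax.php> block that allows it.
wp_admin_allowlist() {
    echo 'Order deny,allow'
    echo 'Deny from all'
    for ip in "$@"; do
        echo "Allow from $ip"
    done
}
```

The threshold is deliberately crude: a legitimate user mistyping a password a few times is nowhere near ten POSTs in a log window, while a guessing bot produces hundreds. Review the list before writing it into .htaccess, since a shared proxy or NAT address can put real readers behind the same IP as an attacker.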

Update Your Plugins With Latest Versions

As with your WordPress installation, you should always update your plugins when a new version becomes available, since vulnerabilities in plugins are fixed the same way. One other tip: back up your site before updating plugins, as an update can occasionally break parts of your site if it was not tested thoroughly before release.

Hide Your Configuration File

Another way to make your site more secure is to move your WordPress configuration file (wp-config.php) one directory above the rest of your WordPress installation; WordPress looks for it there automatically when it is not in the root. Since the file contains your database credentials and secret keys, this keeps it out of the web root, where a server misconfiguration that serves PHP files as plain text would expose it. It only helps if the directory above is itself outside the web-accessible area, and the file should also be readable only by your user and the web server (for example permissions 0640). You can get more information about how and why to do this at: Hardening WordPress.
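As an added example (not from the original post or the Hardening WordPress guide), here is a shell function that performs the move with the checks a practitioner would want. WordPress only looks one level above its root for wp-config.php, and it ignores that location if another WordPress install lives there (that is, if the parent directory contains wp-settings.php), so the function refuses in that case rather than leaving the site unable to find its configuration. It assumes a single-site install whose parent directory is outside the web root, that the web server runs as the group owning the file (hence 0640), and the function name is this example’s own.

```shell
#!/bin/sh
# Added example, not from the original post: move wp-config.php one directory
# above the WordPress root (the location WordPress itself checks when the file is
# missing from the root) and tighten its permissions.
# Assumptions: single-site install; the parent directory is outside the web root;
# the web server runs as the file's group owner, so 0640 still lets it read.

# Usage: wp_config_move /var/www/html   -> prints the new path on success
wp_config_move() {
    wp_root="$1"
    parent=$(dirname "$wp_root")
    src="$wp_root/wp-config.php"
    dst="$parent/wp-config.php"

    if [ ! -f "$src" ]; then
        echo "no wp-config.php in $wp_root" >&2
        return 1
    fi
    # WordPress ignores ../wp-config.php when ../wp-settings.php also exists
    # (it assumes the parent is a separate install), so the move would break the site.
    if [ -e "$parent/wp-settings.php" ]; then
        echo "$parent contains a WordPress install; WordPress would not read $dst" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        echo "$dst already exists; refusing to overwrite it" >&2
        return 1
    fi

    mv "$src" "$dst" || return 1
    # Owner read/write, group (web server) read, nobody else: never world-readable.
    chmod 0640 "$dst" || return 1
    echo "$dst"
}
```

After moving the file, load a page of the site to confirm WordPress still finds its configuration, and check that requesting the parent directory over HTTP does not serve it; if WordPress is installed in a subdirectory of your public web root, the parent is still web-accessible and this tip does not apply.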

Conclusion

Implementing the tips above will go a long way toward securing your site. It requires only a small investment of time and is well worth the effort, so don’t put it off! At the very least, always make sure that you have regular backups, so that if the worst ever happens you can get things up and running again relatively quickly.


15 Comments

  1. December 15th, 2009 at 3:25 pm

    Chris,

    Great post! I think these tips are good – I especially like the .htaccess idea. I’ve used that for standard security on several of my websites – but never thought about restricting the wp-admin files specifically.

    • December 15th, 2009 at 3:53 pm

      Thanks David – glad you found the tips useful :-)

  2. December 15th, 2009 at 10:39 pm

    Hi, thank you for these tips. Can you just change the admin name in phpmyadmin? Would that work?
    Thanks again!

    • December 16th, 2009 at 3:51 am

      Hi Crystal – I assume you’re referring to the tip about deleting the admin user? You could change the admin name in your WordPress database via phpMyAdmin, but I’m always cautious when it comes to making direct changes to the database. This is fine if you’re very careful, but it only takes a simple mistake in your SQL code (if that’s what you’re using to make the changes) and you can cause yourself a lot of problems. Given that WordPress makes it relatively easy to delete and create new users, I tend to manage all of this through the Admin Panel.

  3. December 16th, 2009 at 5:22 am

    Thanks for the excellent post :) and so I have made it a digg!

    • December 16th, 2009 at 6:23 am

      Thanks viettel :-)

  4. December 16th, 2009 at 11:36 am

    Thank you Chris! That’s what I was referring to, just changing it instead of creating a new and deleting the existing one. I think I’ll use your method to be on the safe side. I certainly don’t want to mess everything up. Thanks again!

    • December 16th, 2009 at 12:50 pm

      No problem :-)

  5. Sam

    December 16th, 2009 at 12:43 pm

    I agree deleting the admin user is a good idea but I am unsure on how to go about transferring the posts to a new custom admin user.

    • December 16th, 2009 at 1:02 pm

      Hi Sam – WordPress makes it really simple to do this – log in using your new user name and go to the “Users” section in your Admin Panel. Then select the “Delete” link under the admin user – a new page will load that provides you with the option to attribute all posts and links for the admin user to a different user. Select the user you want to attribute the posts to and then hit the “Confirm Deletion” button – all posts will then be transferred.

      Hope this helps …

      • Sam

        December 16th, 2009 at 1:40 pm

        For my admin user I do not see a Delete link, just an Edit link when I hover. I checked the checkbox on the left and from the drop-down menu I chose ‘Delete’; it alerted me with ‘are you sure you want to delete?…’. A bit nervous to click ‘ok’.

      • December 16th, 2009 at 2:38 pm

        Are you logged in as admin? If so, it won’t display the “Delete” link – you need to log in using the new account you created – you should then see the delete link under the “User” section. I should also say that the new user you created needs to be an “Administrator” in order to delete the Admin account – you can configure this when creating a new user.

  6. December 16th, 2009 at 3:42 pm

    wow this is such a useful tutorial, thanks for sharing on your blog! I know good tutorials aren’t easy to come by these days, but following this was so easy and it’ll be useful on my website

  7. December 18th, 2009 at 7:37 pm

    Good tips. Prevention is always better.

  8. December 20th, 2009 at 11:31 am

    nice post :) thanks
