Secure WordPress How-To

Wordpress Security


Getting your WordPress website hacked is one of the worst things that can happen to any website publisher. WordPress is a secure and robust platform but as with any tool there are things you can do to help keep your WordPress installation secure over time.

Upgrade on a regular basis

The scary truth is that, although it’s extremely easy to upgrade to new versions, most users don’t, and running outdated software is by far the most common reason websites get compromised. The same applies to plugins: always try to run the latest versions, don’t install plugins if you aren’t sure what they do, and check their ratings and support forums first. As WordPress is now an extremely popular platform, there are people out there actively looking for security holes so they can attack your website and bring it down.

Additional security

WordPress comes with lots of settings that should be turned on during installation for additional security, so let’s start with a simple to-do list anyone can follow. Many potential vulnerabilities can be avoided with good security habits.

Username and Password

Change the default “admin” password to something else. Use a strong password in order to avoid potential attacks. There are many online password generators you can use; a quick Google search will find them.

wp-config location

Move wp-config.php to the directory above your WordPress install. This is especially useful when WordPress is installed in your public_html or www directory, because moving the file out of the web root makes it inaccessible to visitors.

wp-config file

On lines 49-56 add unique keys and salts with the help of the WordPress.org secret-key service. It will generate them for you automatically, so just paste the lines into your wp-config.php file.

The WordPress database table prefix should be changed to something other than wp_. The automatic password generators mentioned above can produce a random prefix for you as well.
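The following script is an added example and not part of the original post. It generates the eight keys/salts and a random table prefix locally from /dev/urandom, as an offline alternative to the WordPress.org secret-key service described above, and prints them as PHP lines ready to paste into wp-config.php. The output file name in the usage comment is just a suggestion.

```shell
#!/bin/sh
# Added example, not from the original post: generate the eight WordPress
# keys/salts and a random table prefix locally. The output is plain PHP
# that can be pasted into wp-config.php in place of the placeholder lines.

# Print N random bytes as lowercase hex, read from the kernel's CSPRNG.
# dd with bs=1 guarantees exactly N bytes are read.
hex_random() {
    dd if=/dev/urandom bs=1 count="$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Emit one define() line per key/salt name WordPress expects in wp-config.php.
# 32 random bytes (256 bits) per value is far beyond any brute-force reach,
# and hex never needs escaping inside a single-quoted PHP string.
wp_salts() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$name" "$(hex_random 32)"
    done
}

# Emit a $table_prefix line with a short random suffix, e.g. wp_3fa9c1_.
# Hex keeps the prefix a valid MySQL identifier.
wp_table_prefix() {
    printf "\$table_prefix = 'wp_%s_';\n" "$(hex_random 3)"
}

# Usage: sh wp-secrets.sh > secrets.php, then paste into wp-config.php.
wp_salts
wp_table_prefix
```

Every run produces fresh values, so generate them once per site and keep the file out of version control; changing the salts later simply logs every user out, while changing the table prefix after installation also requires renaming the existing tables.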

File Permissions

On computer file systems, each file and directory has permissions that specify who can read, write, modify and access it. This matters because WordPress may need write access to files in your wp-content directory to enable certain functions.

The advice from WordPress.org is that all files should be owned by your user account and be writable by you. Any file that needs write access from WordPress should be group-owned by the user account the web server runs as.
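The script below is an added example, not from the original post or WordPress.org, that applies that advice to an install tree: directories 755 and files 644 so nothing is world-writable, wp-config.php 640 (found in the web root or, as suggested earlier, one directory above it) so only the owner and the web server's group can read the database credentials and salts, and only wp-content handed to the web server's group and made group-writable. The web server group name (www-data on Debian-style systems) is an assumption about your server; run the script as the file owner, with the group argument only when you can chgrp.

```shell
#!/bin/sh
# Added example, not from the original post: apply the WordPress.org
# ownership/permission advice to a WordPress tree.
#   wp_fix_perms ROOT [WEB_GROUP]     apply the baseline (WEB_GROUP optional)
#   wp_perm_violations ROOT           count paths outside wp-content that
#                                     break the baseline (0 means clean)

wp_fix_perms() {
    root=$1
    web_group=${2:-}   # e.g. www-data; assumed, depends on your server

    # Baseline: directories 755, files 644. Owner can write, world cannot.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +

    # Lock down wp-config.php whether it sits in the web root or, as the
    # post suggests, one directory above it. 640: owner rw, web group r.
    for cfg in "$root/wp-config.php" "$root/../wp-config.php"; do
        if [ -f "$cfg" ]; then
            chmod 640 "$cfg"
            if [ -n "$web_group" ]; then chgrp "$web_group" "$cfg"; fi
        fi
    done

    # Only wp-content needs write access from the web server (uploads,
    # plugin/theme updates): group-own it by the server and make it
    # group-writable, leaving the rest of the tree read-only to the server.
    if [ -n "$web_group" ] && [ -d "$root/wp-content" ]; then
        chgrp -R "$web_group" "$root/wp-content"
        find "$root/wp-content" -type d -exec chmod 775 {} +
        find "$root/wp-content" -type f -exec chmod 664 {} +
    fi
}

# Print how many paths outside wp-content deviate from the baseline
# (directories not 755, files not 644 or 640). Useful as a periodic check,
# since plugin installers and FTP clients tend to loosen permissions.
wp_perm_violations() {
    root=$1
    {
        find "$root" -type d ! -perm 755 ! -path "$root/wp-content/*"
        find "$root" -type f ! -perm 644 ! -perm 640 ! -path "$root/wp-content/*"
    } | wc -l | tr -d ' '
}
```

A quick way to use it is `wp_perm_violations /var/www/example` from cron and alert when the count is non-zero; a sudden jump usually means a plugin, an upgrade or a careless FTP session has loosened something.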

There are many additional things that can be done such as using SSL or adding server-side password protection for accessing wp-admin, limiting access to certain files, etc. but they require a little bit more work and knowledge so I’m not going to go into them in this post.

These are just some of the things you can do in order to secure WordPress. You can always do more but doing the above things will make your WordPress install more secure than most WordPress websites out there.