WordPress Security Tips

"Security is not a product, but a process." - Bruce Schneier

WordPress is one of the most popular website platforms around, but unfortunately that makes it a target for many hackers. Here are some of the easiest ways to make your WP site more secure:

Don't use "admin" as your username.

Hackers know that "admin" is the default username - and that's half of your login, so setting up your own username will make them work twice as hard to get into your site.

There are two ways to set your username. The first, and easiest, is when you first install WordPress. The initial settings screen will allow you to set your own username right there. If you've already got WordPress installed, you will need to go into phpMyAdmin instead - but I promise, it's not hard.

Log in to phpMyAdmin from your host's control panel, and if you have more than one database, click on the one for the site you're working on. Now, click on the "SQL" tab and copy & paste in this query (replace your_new_login with your new desired username):

UPDATE wp_users SET user_login = 'your_new_login' WHERE user_login = 'admin';
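The query above assumes the default wp_ table prefix, and it leaves the account's user_nicename (the part of the /author/.../ URL) set to "admin". The shell function below is an added example, not part of the original post: it reads the real prefix from your wp-config.php, refuses a username containing anything but letters, digits, underscore or hyphen (so nothing can break out of the quoted string), and prints the UPDATE together with a SELECT you can paste into phpMyAdmin to confirm the result. The wp-config.php path and the new username are assumed inputs; the function only prints SQL and never connects to the database itself.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): build the SQL that renames the
# default "admin" account, using the table prefix actually set in wp-config.php.

# Print the $table_prefix value from a wp-config.php, defaulting to wp_ when the
# line cannot be found (for example a missing or empty file).
wp_table_prefix() {
    local cfg="$1" prefix
    prefix=$(grep -E '^[[:space:]]*\$table_prefix[[:space:]]*=' "$cfg" 2>/dev/null |
        head -n 1 |
        sed -E "s/.*=[[:space:]]*['\"]([A-Za-z0-9_]*)['\"].*/\1/")
    printf '%s\n' "${prefix:-wp_}"
}

# rename_admin_sql <path-to-wp-config.php> <new-login>
# Emits one UPDATE for user_login and user_nicename (the nicename is what appears
# in /author/<name>/ URLs, so renaming only user_login still reveals "admin"),
# then a SELECT that should return exactly one row: the renamed account.
rename_admin_sql() {
    local cfg="$1" new="$2" prefix nicename
    # Only allow the characters WordPress itself keeps in a user slug; anything
    # else (quotes, semicolons, spaces) is refused rather than escaped.
    case "$new" in
        '' | *[!A-Za-z0-9_-]*)
            echo "refusing username '$new': use letters, digits, _ or - only" >&2
            return 1 ;;
        admin)
            echo "the new username must differ from 'admin'" >&2
            return 1 ;;
    esac
    prefix=$(wp_table_prefix "$cfg")
    # WordPress stores the nicename lower-cased, so mirror that here.
    nicename=$(printf '%s' "$new" | tr '[:upper:]' '[:lower:]')
    printf "UPDATE %susers SET user_login = '%s', user_nicename = '%s' WHERE user_login = 'admin';\n" \
        "$prefix" "$new" "$nicename"
    printf "SELECT ID, user_login, user_nicename FROM %susers WHERE user_login IN ('admin', '%s');\n" \
        "$prefix" "$new"
}

# Usage: rename_admin_sql /home/user/public_html/mysite/wp-config.php jane_doe
```

Run the printed SELECT after the UPDATE: a row for the new name and none for "admin" means the rename took, and any remaining "admin" row means a different table prefix or a second account that still needs attention.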

Move your "wp-config.php" file.

This is the file you edit to install WordPress, and it includes all the information someone would need to connect to your database. That means they could affect posts, pages, even pictures on your site. Luckily, it's easy to protect this file.

Using FTP software or your web host's File Manager, move the file up one directory. (For example, if your site is in /public_html/mysite, move the file up into /public_html.) WordPress will automatically look in this directory if it doesn't find the file where it is installed, and your file will only be accessible via WordPress, FTP, or a file manager.
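Two things are worth checking when you do this move from a shell instead of FTP. First, WordPress only falls back to the parent directory's wp-config.php when that parent does not also contain a wp-settings.php (otherwise it treats the parent as a separate, nested install and will not load the file). Second, the file should end up readable by the web server account but nobody else. The script below is an added example, not part of the original post or of WordPress; it assumes the first argument is the WordPress root directory and that the web server runs as the owner (or group) of that tree, which is typical on shared hosts but worth confirming with your provider.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): move wp-config.php one level above
# the WordPress root, with the checks WordPress's own loader behaviour calls for.

# relocate_wp_config <wordpress-root>
# Prints the new location on success; refuses to move when the parent directory
# is itself a WordPress install or already has a wp-config.php.
relocate_wp_config() {
    local root="${1%/}" parent src dst
    parent=$(dirname "$root")
    src="$root/wp-config.php"
    dst="$parent/wp-config.php"

    if [ ! -f "$src" ]; then
        echo "no wp-config.php found in $root" >&2
        return 1
    fi
    # wp-load.php only reads ../wp-config.php if ../wp-settings.php is absent.
    if [ -f "$parent/wp-settings.php" ]; then
        echo "$parent looks like another WordPress install; not moving" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        echo "$dst already exists; not overwriting" >&2
        return 1
    fi

    mv "$src" "$dst" || return 1
    # Owner read/write, group read, nothing for others. Assumes the web server
    # runs as the owner or group of the file; adjust to your host's setup.
    chmod 0640 "$dst"
    printf '%s\n' "$dst"
}

# inside_docroot <path> <document-root>
# Returns 0 when <path> is still beneath the web server's document root. A
# wp-config.php that stays under the docroot is still served (as executed PHP),
# so the move only pays off when the parent is outside that tree.
inside_docroot() {
    local path="$1" docroot="${2%/}"
    case "$path" in
        "$docroot"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: relocate_wp_config /home/user/public_html/mysite
#        inside_docroot /home/user/public_html/wp-config.php /home/user/public_html && echo "still in docroot"
```

If `inside_docroot` reports that the new location is still under the document root (as in the /public_html example above, when /public_html is the web root), the file is no longer in the WordPress directory but is still served by the web server; moving it one level higher still, above the web root, is what keeps it out of reach of a misconfigured or failing PHP handler.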

Keep WordPress and its plugins up to date.

WordPress is open source, which means hackers can see exactly how every part of it works. Every time a new WordPress update is released, it includes security enhancements as well as feature enhancements.

To keep your site up to date, just log in as an administrator. WordPress will alert you if there are newer versions of WP, your plugins, or your themes. I highly recommend backing up your full website first - you can do this manually with FTP and phpMyAdmin, or use a plugin I recommend called BackWPup which will automatically do all that for you. That way, if one of your updates breaks your site, you'll be able to go back to what you had before and figure out which update caused the problem.

Remove anything you're not using.

Themes and plugins often have security holes, but did you know that even if you're not using them, hackers can still use them against you? Anything that is installed, but inactive, is still a risk.

It's best to only keep 2 themes installed on your site at any time: the one you are using, and a backup theme such as Twenty Eleven just in case your other theme ever fails. By keeping both your themes and plugins limited, you'll be reducing the number of ways a hacker can find a way into your site.

If you allow users to register on your site, it's also a good idea to remove inactive users so that fewer people have logins. The more logins you have, the more likely it is that a hacker will find one that works.
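The dashboard shows inactive plugins and themes one screen at a time, but on a server the quickest audit is to compare what sits in wp-content against the list of what is actually in use. The script below is an added example, not part of the original post or of WordPress: it assumes you supply the active plugin names and the theme allowlist yourself (copied from the Plugins and Appearance screens, or from WP-CLI's `wp plugin list --status=active` and `wp theme list` if you have it), and it prints every plugin or theme directory that is not on those lists as a candidate for removal. Keep the parent of any child theme on the allowlist, since deleting the parent breaks the child; single-file plugins such as hello.php are not directories and are not reported.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): list installed plugin and theme
# directories that are not on an "in use" list, so they can be reviewed and
# deleted. The active lists are supplied by the administrator.

# unused_dirs <directory> <keep-list>
# Prints each subdirectory of <directory> whose name is not in the
# whitespace-separated <keep-list>, one per line, sorted.
unused_dirs() {
    local dir="${1%/}" keep=" $2 " name d
    for d in "$dir"/*/; do
        [ -d "$d" ] || continue          # no subdirectories (or no such directory)
        name=$(basename "$d")
        case "$keep" in
            *" $name "*) ;;              # in use: keep it
            *) printf '%s\n' "$name" ;;  # not in the keep-list: report it
        esac
    done | sort
}

# audit_wp_content <wp-content> <active-plugins> <theme-allowlist>
# The theme allowlist should hold the active theme, its parent if it is a child
# theme, and one fallback such as twentyeleven.
audit_wp_content() {
    local wc="${1%/}"
    echo "plugins not active:"
    unused_dirs "$wc/plugins" "$2" | sed 's/^/  /'
    echo "themes not in allowlist:"
    unused_dirs "$wc/themes" "$3" | sed 's/^/  /'
}

# Usage:
#   audit_wp_content /home/user/public_html/mysite/wp-content \
#       "akismet backwpup" "mytheme twentyeleven"
```

Nothing is deleted by the script; review the output, then remove the listed directories through the dashboard (so WordPress also runs the plugin's uninstall hook) rather than with rm, and re-run the audit to confirm the list is empty.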

Never use these plugins.

Any plugin that lets you access your database from your WordPress admin area. You should only use phpMyAdmin to access your database. The reason is that if a hacker ever does get into your WordPress admin area and you are only using phpMyAdmin, at least they cannot modify your database directly. But if you've added a plugin like WP-DBManager, they have the power to delete your database or run their own queries. Don't make it easy for them!

Also avoid any plugins that allow you to execute PHP directly in posts. If you ever need to run PHP on a post or page, you should edit your theme or create a plugin of your own. That way, you won't need to put PHP directly in posts or pages.

Minimize uploads.

The more plugins, themes, etc. you have on your blog, the more likely it is that one of them will open up a security hole. To protect yourself, always download plugins and themes directly from WordPress.org - don't download them from other sites. (There are a few exceptions, such as premium themes like the Genesis Framework which you have to download elsewhere, but make sure you check out the site you're buying from first.)

Plugins and themes that are not hosted on WordPress.org are more likely to cause problems on your site because they may not meet WP's requirements. To get listed on WordPress.org, plugin and theme creators have to ensure their contributions meet certain standards for security and compliance.

There are many other ways to increase your security, but these tips are the simplest and easiest ones to use for your WordPress sites.

One Comment

  1. Cricket says:

    Wonderful advice. So many don't realize how easily they can get their blog more secure!
