This is a beginners guide for securing a WordPress blog or website. This guide will be followed up by an intermediate level post for those of you that wish to go further for your WordPress security measures. An advanced guide will also follow for anyone running an ecommerce WordPress site or any other situation that requires the most security you can integrate into WordPress. How far you go with security depends a lot on what type of WordPress site or blog you are running. For example ecommerce and member sites require the most security probably, but also any WordPress site that receives a decent amount of traffic should also be concerned with more advanced security measures. Regardless of your needs, this guide is for the basic security needs of any WordPress site and should be followed by all.
Keep WordPress Up to Date
One of the most important and easy things to do to help keep your WordPress installation secure is to keep everything up to date. This means always updating the most current version of WordPress whenever a new stable version comes out. If you visit your WordPress admin regularly, it will always tell you when a new version is available from the dashboard when you first log in.
It is also important to update plugins, themes and your server software as often as possible to keep everything up to date and secure. The main reason this makes such a big difference is that every new release of WordPress, themes, plugins and server software have tons of new security updates with the latest protection possible against hackers and known viruses. If you keep everything up to date, you will have minimal problems with hackers and viruses effecting your WordPress website or blog.
Choose a Secure Password
This may seem elementary, but there are so many of us guilty of being lazy with our passwords that I need to stress this point here. If you take your WordPress security seriously, you should not use a password that has been used on any other account, site or other password protected objects you may own or be a member of. This is because if they get compromised, then your WordPress site is instantly vulnerable as well. Also choosing a password of the proper format, length and characters is very important as well. The minimum length should be eight characters. It needs to have at least one uppercase letter, one lowercase letter and one number. You can also use a symbol if you want to be even more secure. The reason for this is because there are password crackers freely available to the public over the internet that can crack simple passwords like myadmin, mypass, yourname, your birthdate or something similarly easy to guess for a a password cracking algorithm. Brute force password crackers will simply try every combination of letters at every length until it guesses your password correctly. Having at least eight characters alone makes brute force attacks take a lot longer to do. If you add in the upper and lower case characters and numbers, it takes brute force attacks days to complete sometimes which causes many hackers to lose interest in even trying. Sometimes they will let the software run for an hour or two to see if you have a simple password and then give up.
Security with Plugins
The first rule of thumb when it comes to security with plugins pertains to all plugins in general, not just security enhancing plugins. Perhaps the most important rule when it comes to plugins and security is to get your plugins from a reliable source. Probably nine out of ten WordPress sites I have worked on that had security issues and issues with running slow were doing so because of a bad plugins. There are a few reliable sources for plugins. The most reliable is probably WordPress.org. They don’t generally promote any plugin that is without a good reputation or that is not well coded. If you have custom plugins made, make sure you hire someone that knows what they are doing. If you hire a coder that is new or doesn’t know how to properly develop custom plugins, you will have issues with those plugins, especially when it comes time to upgrade. Hire professional developers with good reputations on freelance sites. Look at the developer’s portfolio and make sure they have some WordPress development experience before hiring them.
Backing up WordPress Regularly
Another way to stay secure is to make regular backups of your entire WordPress installation including the database. Since we were just talking about plugins, a good one to use for this is the Backup Buddy plugin. You can see a review I wrote on Backup Buddy. How often you backup your WordPress installation depends on the individual site. If you update your site daily, you may want to consider backing it up daily as well. On the other hand if you rarely update your blog or website, you should probably still back it up once a week to be safe at least. That way if you site’s security is ever compromised, you can revert to the backup which is very simple with a plugin such as Backup Buddy. Then you can see what went wrong and take the necessary precautions to not have your security compromised again in the future.
Preventing SQL Injection Attacks
One common form of security breaches in WordPress sites is the SQL Injection attach where a hacker uses the fact that almost all WordPress sites have the common table prefix of “WP_” By changing your table prefix, you can at least prevent hackers from easily compromising your site. It won’t stop the very determined hacker, but it will stop many of them and at least make it hard for them to do. Here are the simple steps to changing your table prefixes:
- First, backup your site or at minimum, the database as we will be making changes to the database. Use Backup Buddy to back up the entire site if you have it to be safe.
- Edit wp-config.php which is found in your WordPress root directory. Find the line that reads:
$table_prefix = ‘wp_’;
Change it to:
$table_prefix = ‘newPrefix_’;
Where “newPrefix_” is whatever you want it to be with the underscore in place.
- Change the table names using either command line or if you are not familiar with command line SQL, use PHPMyAdmin which makes it easy. All you have to do to change the table names in PHPMyAdmin is go to each table, click on “Options” in the main navigation bar at the top of the page. Sometimes you might have to click the “More” link to get to options depending on your PHPMyAdmin’s setup. After you get to the options page, find the “Table options” dialing box and use the field named “Rename table to” to enter your new prefix and existing table name. For example, if you are renaming wp_posts, using the prefix in our above example, you would simply enter “newPrefix_posts” as the new table name.
- While still in your PHPMyAdmin interface or from the SQL command line, you need to edit the former wp_options table which should now be renamed to something like newPrefix_options. Find the “option_name” column and look for any values of “wp_user_roles” and change them to something like, “newPrefix_user_roles”, making sure to make “newPrefix” whatever prefix you renamed your table prefixes to. You may not find any in the first page of the table results of you have an extensive WordPress site. Make sure you make this change however or you will not be able to log in afterwards.
- Edit the old wp_usermeta table which should now be renamed with your custom prefix. Change the values in the meta_key column. Find any instance of “wp_” and change it to the new prefix you have selected for all the tables above.
There, now your WordPress site should be at least a little more secure against SQL Injection attaches which you have probably heard some buzz about on the internet by now.
This tutorial was one of a series I will be writing on WordPress security. These are some of the first steps you should be taking to secure your WordPress site against security issues. Once you have completed these steps, look for other tutorials on this site about security and each subsequent one will have slightly more advanced technique. Good luck locking down your WordPress site against hackers and other common security threats. The more careful you are with your security measures, the more stable your blog or website will be for the effort. Security measures are a must for sites with higher traffic and any type of ecommerce website.