Over the past few weeks we've seen a large number of WordPress and WordPress plug-in vulnerabilities come up. While most have been corrected with updates, there are still ways for attackers to get into your website. Because of this, we at x10Hosting thought it would be a good time to go over some simple things you can do to increase your WordPress website's security. WordPress security is a big deal even if you don't think your website will ever be targeted: automated scanners probe every reachable site, not just well-known ones. Many WordPress vulnerabilities give an attacker complete control of the site. Once they have that, they can read sensitive information such as users' names, addresses and credit card details, and they can easily take the website down.
WordPress security when setting up an install
Some ways to increase security start at the very beginning: when you’re setting up the initial installation of WordPress. If you’re looking to create a new WordPress website, keep these tips in mind when setting up everything to start off with a more secure website. However, if you already have your website set up and created, you can still make these easy changes to your WordPress settings.
The first is very easy: when creating the admin account, choose a username other than the default "admin". Attackers' login and brute-force scripts try that name first, so a different username removes half of what they need to guess. If your website is already set up, create a new administrator account, log in as that user and delete the old "admin" account; WordPress will ask what to do with the content the old account owned, so attribute it to the new user rather than deleting it. Also make sure that the password for any administrator account is strong and unique to this site. A generator such as Strong Password Generator can produce one, and a password manager is the right place to keep it.
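The same two steps done from the command line, as an added example that is not part of the original post: it uses WP-CLI (assumed to be installed as `wp` and run from the WordPress directory) to create the replacement administrator and delete the default account, reassigning its content, and generates the password from /dev/urandom. The login name and e-mail address in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Replaces the default "admin"
# account with a new administrator using WP-CLI (assumed installed as `wp` and
# run from the WordPress directory); the account names used are placeholders.

# Generate a random password of LEN characters from /dev/urandom.
# Loops because tr discards most of the random bytes it is given.
gen_password() {
  len=${1:-24}
  pw=''
  while [ "${#pw}" -lt "$len" ]; do
    pw="$pw$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9_-')"
  done
  printf '%s\n' "$pw" | cut -c1-"$len"
}

# Create a new administrator, then delete the default "admin" account, handing
# its posts and pages to the new user so no content is lost.
#   usage: rotate_admin newadmin admin@example.com
rotate_admin() {
  new_login=$1; new_email=$2
  new_pass=$(gen_password 24)
  # --porcelain makes `wp user create` print only the new user's numeric ID
  new_id=$(wp user create "$new_login" "$new_email" \
              --role=administrator --user_pass="$new_pass" --porcelain)
  # --reassign moves the old account's content to the new user; --yes skips the prompt
  wp user delete admin --reassign="$new_id" --yes
  printf 'Created administrator %s (id %s); store this password in a manager: %s\n' \
         "$new_login" "$new_id" "$new_pass"
}
```

`rotate_admin` prints the generated password once; record it and then clear your terminal scrollback, since the point of the exercise is that nobody else can guess it.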
The second thing you can do while setting up your WordPress website is give the database a name that does not include "WP". This is an obscurity measure rather than a hard control: the name is only visible to someone who can already read wp-config.php or query the database server, so it mainly stops lazy guesses and mass-scripted attacks that assume the defaults. Making this change on a website that is already set up requires a bit more work, but can still be done relatively easily.
To make the change on an existing WordPress install, you will need access to your database through phpMyAdmin and to your wp-config.php file. Export a backup of the database before you start. Renaming the database takes the website down briefly: every request that arrives between the rename and the wp-config.php update fails with a database connection error, so do this during an off-peak time. When you are ready, open the database in phpMyAdmin, go to the Operations tab and find the "Rename database to:" section. Type in the new database name and click Go. phpMyAdmin creates the new database, moves the tables into it and drops the old one.
After the operation completes, a few more changes are needed. First, update wp-config.php to point at the new name. The file sits in the top-level directory of the WordPress install. Open it and look for the following:
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'user_databasename');
Once you have found these lines, change 'user_databasename' to the new database name. On cPanel hosting the database name is prefixed with your account username (the "user_" part), and that prefix must stay. If you also want to change the database username and password, the DB_USER and DB_PASSWORD settings are directly below DB_NAME; a new username must also be created and granted on the database in cPanel, as described next.
Now that wp-config.php is updated, make sure the renamed database has the right "Privileged User". MySQL grants are tied to the database name, so the privileges the WordPress user had on the old name do not carry over to the new one. In cPanel go to Databases > MySQL Databases, find the new database in the list and check its "Privileged Users" column. If the right user is missing, or there is no user at all, add it under "Add a User to a Database" below the list and give it all privileges on that database. Then load the website and confirm it connects.
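The whole rename procedure above, expressed as an added example that is not part of the original post: the SQL that phpMyAdmin's rename runs for you (MySQL has no RENAME DATABASE, so each table is renamed into a freshly created schema), the grant that re-attaches the WordPress user, and the wp-config.php edit. The database names user_databasename and user_blogdata, the MySQL user user_wpuser and the 'localhost' host are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Shows what the phpMyAdmin
# "Rename database" operation does, as SQL, plus the grant and wp-config.php
# steps. All database and user names here are placeholders.

# Emit the SQL that moves every table from OLD_DB into NEW_DB and grants the
# WordPress user on the new schema. Table names are read one per line on stdin.
# The DROP of the old database is emitted as a comment: run it by hand only
# after the site is confirmed working against the new name.
rename_sql() {
  old_db=$1; new_db=$2; db_user=$3
  printf 'CREATE DATABASE `%s`;\n' "$new_db"
  while IFS= read -r tbl; do
    [ -n "$tbl" ] || continue
    printf 'RENAME TABLE `%s`.`%s` TO `%s`.`%s`;\n' "$old_db" "$tbl" "$new_db" "$tbl"
  done
  # grants are keyed by schema name, so the old grant does not follow the tables
  printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'localhost';\n" "$new_db" "$db_user"
  printf -- '-- after verifying the site: DROP DATABASE `%s`;\n' "$old_db"
}

# Rewrite the DB_NAME line in a wp-config.php; a .bak copy is kept beside it.
set_db_name() {
  cfg=$1; new_db=$2
  sed -i.bak "s/define( *'DB_NAME', *'[^']*' *)/define('DB_NAME', '$new_db')/" "$cfg"
}

# Print the database name a wp-config.php currently points at (used to verify).
db_name_of() {
  sed -n "s/.*define( *'DB_NAME', *'\([^']*\)'.*/\1/p" "$1"
}

# Usage against a live server, with the credentials from wp-config.php in ~/.my.cnf:
#   mysql -N -e 'SHOW TABLES' user_databasename \
#     | rename_sql user_databasename user_blogdata user_wpuser | mysql
#   set_db_name /path/to/wp-config.php user_blogdata
```

Running the generated SQL in one transaction is not possible (CREATE DATABASE and RENAME TABLE commit implicitly), which is exactly why the text recommends an off-peak window: the site is broken from the first RENAME until wp-config.php is updated.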
There are a few changes to your files and directories that help protect the website. Keeping file permissions at the defaults WordPress expects, and tightening the permission on wp-config.php, limits what a compromised plug-in or a neighbouring account on a shared server can read or overwrite. To change permissions you need access to your files via SSH, FTP or cPanel's File Manager. Check that all of your files and directories are set as follows:
- Directories should have their permissions set to 750 or 755
- All files should have their permissions set to 640 or 644
- Your wp-config.php file should have its permission set to 400 or 440
One caveat: 400 on wp-config.php only works when PHP runs as the owner of the file (suPHP, CGI/FastCGI or a PHP-FPM pool, which is how most shared hosts including cPanel are set up). If PHP runs as a shared web-server user, as with mod_php, use 440 and make the web server's group the group owner, otherwise PHP cannot read the file and the site goes down. The same applies to the 750 and 640 variants: the web server must be able to read the files it serves, either as owner or through the group.
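The permission scheme above, applied and then audited by a script, as an added example that is not part of the original post. It assumes the WordPress root is passed as the first argument and that PHP runs as the file owner, which is why wp-config.php gets 400; the audit reports any path whose mode falls outside the allowed set so it can be run again after a plug-in install or a restore from backup.

```shell
#!/bin/sh
# Added example, not part of the original post. Applies the recommended
# WordPress permission scheme to the directory given as $1 and audits it.
# Assumes PHP runs as the file owner (suPHP / PHP-FPM pool); with mod_php
# use 440 for wp-config.php and a group-readable layout instead.

# Set 755 on directories, 644 on files, then 400 on wp-config.php (last, so the
# file pass above does not widen it again).
harden_wp_perms() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chmod 400 "$root/wp-config.php"
}

# List every path whose mode is not one of the allowed values. Returns 1 if
# anything is wrong, so it can gate a deploy or run from cron.
audit_wp_perms() {
  root=$1
  bad=$( {
    find "$root" -type d ! -perm 750 ! -perm 755
    find "$root" -type f ! -name wp-config.php ! -perm 640 ! -perm 644
    find "$root" -maxdepth 1 -name wp-config.php ! -perm 400 ! -perm 440
  } )
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad" | sed 's/^/bad mode: /' >&2
  return 1
}

# Usage:
#   harden_wp_perms /home/user/public_html
#   audit_wp_perms  /home/user/public_html || echo 'permissions drifted'
```

Uploads in wp-content/uploads are created by PHP at run time and come out as 644 under the default umask, so the audit normally stays clean; a file it flags is usually something a plug-in installer or a hand-edit left behind.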
Another useful tool at your disposal is your .htaccess file, which Apache (the web server on most shared hosting, x10Hosting included) reads from each directory it serves. With it you can block IP addresses that have been blacklisted or have caused trouble for your website before. To do this, add the following lines to the .htaccess file in WordPress's installation directory:
Order Deny,Allow
Deny from 203.0.113.5
Here 203.0.113.5 stands for the address you want to block. Anyone connecting from that address gets a 403 Forbidden for every page on the site. Two things to keep in mind: this is the Apache 2.2 syntax, which Apache 2.4 only understands when the mod_access_compat module is loaded (its native form uses Require directives), and IP blocking is a stopgap rather than a defence, since an attacker can simply come back from another address.
You can also lock everyone except yourself out of the /wp-admin directory with a deny from all rule. To do this, create an .htaccess file inside /wp-admin and add the following to it:
Order Deny,Allow
Deny from all
Allow from $yourIPaddress
With this rule, only requests for /wp-admin that come from your IP address will succeed; everyone else is denied. If you have multiple admins for your website, add another Allow from $IPaddress line for each of their addresses. Three caveats: the login page itself is wp-login.php in the WordPress root, not in /wp-admin, so it needs its own rule; /wp-admin/admin-ajax.php is called by many themes and plug-ins from the public side of the site, so denying all of /wp-admin breaks those features unless that one file is exempted; and this only works for admins with fixed IP addresses, since a home connection that changes address will lock them out.
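Both .htaccess rules above, written out in full as an added example that is not part of the original post. It uses the Apache 2.4 Require syntax, with the 2.2 Order/Deny/Allow equivalent in comments for servers that still use it, and covers the three caveats: the blocked address in the root file, wp-login.php protected alongside /wp-admin, and admin-ajax.php left reachable. The addresses 203.0.113.5, 203.0.113.77 and 198.51.100.0/24 are placeholders for the blocked address and the admins' addresses.

```apache
# Added example, not part of the original post. Placeholder addresses:
# 203.0.113.5 is the address being blocked, 203.0.113.77 and 198.51.100.0/24
# are the admins' addresses. Apache 2.4 syntax; 2.2 equivalents in comments.

# ---- /.htaccess (WordPress root) ------------------------------------------
# Block one address from the whole site. On 2.4 a blocklist is written as
# "everyone, except": RequireAll grants to all and then subtracts the address.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.5
</RequireAll>
#   2.2 form:   Order Deny,Allow
#               Deny from 203.0.113.5

# The login page lives here, not under /wp-admin, so it needs its own rule.
<Files wp-login.php>
    <RequireAny>
        Require ip 203.0.113.77
        Require ip 198.51.100.0/24
    </RequireAny>
</Files>
#   2.2 form:   <Files wp-login.php>
#                   Order Deny,Allow
#                   Deny from all
#                   Allow from 203.0.113.77
#                   Allow from 198.51.100.0/24
#               </Files>

# ---- /wp-admin/.htaccess ----------------------------------------------------
# Only the listed admin addresses may reach anything in this directory.
<RequireAny>
    Require ip 203.0.113.77
    Require ip 198.51.100.0/24
</RequireAny>

# Exception: themes and plug-ins call admin-ajax.php from the public site, so
# it stays open. A Files section's authorization replaces the directory-level
# one for that file (the default AuthMerging Off behaviour).
<Files admin-ajax.php>
    Require all granted
</Files>
#   2.2 form:   Order Deny,Allow
#               Deny from all
#               Allow from 203.0.113.77
#               Allow from 198.51.100.0/24
#               <Files admin-ajax.php>
#                   Order Allow,Deny
#                   Allow from all
#               </Files>
```

After saving each file, request wp-login.php and /wp-admin/ from an address that is not on the list and confirm you get a 403, then load a page that uses a plug-in's AJAX feature from that same address to confirm admin-ajax.php still answers. A typo in an .htaccess file produces a 500 error for the whole directory, so keep the previous copy until the test passes.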
If you have old plug-ins you no longer use, deactivate them and then delete them from the website. A deactivated plug-in's files still sit on disk and can still be requested directly by URL, so a vulnerability in them remains exploitable even though the plug-in is "off". If you do not need a plug-in, don't have it installed. And finally, keeping WordPress core, your theme and every plug-in up to date helps tremendously with your WordPress security, since most of the vulnerabilities mentioned at the start were fixed by an update that many sites simply had not applied.