Search Engine People Blog

How To Secure WordPress Against Disasters & Being Hacked

With so many publishers large and small running on the WordPress platform it is a natural target for hackers. The overall security of your site depends on a lot of factors, including the security protocol your hosting company implements at the server level. Some hosts are more secure than others. You should investigate your host for yourself.

Don't take their, "we take the security of your site very seriously" corporate nonsense at face value. If lots of people complain about their sites being hacked and the common denominator is their host, well - that pretty much speaks for itself.

That said, there's a lot you can do to help to protect your site from hacking attempts by malicious douchebags. Here are a handful of things I believe anyone running WordPress should do to help better secure a site and reduce the chances of it being hacked (or, at the very least, make it more difficult to hack).

Installing WordPress

If at all possible DO NOT use a tool like Fantastico or Softaculous (both of which are often provided by your hosting service to streamline the installation process).

While those tools make installation SUPER easy, their cookie-cutter installation settings can also make WordPress installations more vulnerable.

The software is easy to install manually by following the simple installation instructions in the WordPress Codex.

If you can't follow those simple instructions you probably should not be doing any of this on your own to begin with.

Always Create a New Database

If your host provides cPanel access, creating a new database is very easy. Use a little common sense when naming your database (e.g. don't name it "wordpress", "wrdp", etc.). Choose a name you will remember is associated with that particular website, but one a hacker or automated attack program wouldn't easily tie to a specific domain. For example, the database name for www.domain.com should not be "domain". You can use both letters and numbers in the database name. And I suggest you do.

Once your new database has been created you will need to assign a database user to it. You should always create a new user for each database. Using the same user for every database is asking for trouble. In the event that someone gains access to your hosting space they could potentially gain access to every database that exists there using the same user information. That would be bad. As with naming the database, use some common sense. The username shouldn't match your domain or your database name. Again, you can use both letters and numbers. And again, I suggest you do.

You will also have to assign a password to your new database user. I use the password generator from Strong Password Generator. The tool offers two recommended password lengths, 7 and 14. Never use recommended password lengths. Why? Because most people do. And when it comes to securing your WordPress installation, the last thing you want to do is what most people do. Choose another password length. The longer, the better. The database user password can contain letters, numbers and symbols. For the best security, make sure it contains all three.

Editing Your wp-config.php file

Now that you've created your new database and database user (I sure hope you kept copies of the names and password, because you'll need them now), it's time to make some changes to your wp-config.php file. NOTE: when you upload WordPress the name of that file will be wp-config-sample.php. Follow the instructions for making the necessary changes to the file in the "WordPress Famous 5-minute Install" and don't forget to delete the "-sample" part of the file name once you're done.

There are also more detailed instructions for editing the wp-config.php file, but you will likely never need them. If too much information makes your head hurt, I suggest you not even look at the more detailed instructions. I've done LOTS of WordPress installations and never needed to do anything more than what is explained in the 5-minute install.

Before saving your shiny new wp-config.php file, you'll want to do one more thing: change the $table_prefix value. By default the value is "wp_". For some extra protection against hacking attempts, change it to something less generic. You can change the values that come before and/or after the underscore (e.g. "wp_e8x1am4p5le", "e9x_a31pl7e", etc.). Once you've properly configured your wp-config.php file, you're ready to actually install WordPress by heading to http://www.domain.com/wp-admin/install.php - obviously you need to replace "domain" with YOUR domain information, but if you didn't know that already you should stop reading now and never attempt to install or secure a WordPress site yourself. Seriously.
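One way to apply the advice from the database section and the wp-config.php section above mechanically, as an added Python example that is not code from this post or from WordPress: it generates a database name, a database user and a password in the form the post describes, emits the MySQL statements for a user whose grant covers only that one database (the three steps the cPanel wizard walks you through), and audits a wp-config.php for the mistakes the post warns about. The sample config, the domain www.domain.com, the `SYMBOLS` set and the 12-character floor are my assumptions; the 7 and 14 lengths to avoid come from the post.

```python
import re
import secrets
import string

# Constructed sample wp-config.php fragment (not from any real site): it makes
# every mistake the post warns about, so the audit below has something to find.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'domain');
define('DB_USER', 'domain');
define('DB_PASSWORD', 'Summer2024');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
"""

AVOID_LENGTHS = {7, 14}   # the generator's "recommended" lengths the post says to skip
MIN_LENGTH = 12           # assumption: my floor; the post only says "the longer, the better"
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"   # no quotes or backslashes, so PHP/SQL quoting stays trivial
IDENT_RE = re.compile(r"[a-z][a-z0-9]*")

def has_all_classes(pw):
    """Letters, digits and symbols all present, as the post requires."""
    return (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw))

def generate_password(length=23):
    """CSPRNG password of a non-'recommended' length that contains all three classes."""
    if length in AVOID_LENGTHS or length < MIN_LENGTH:
        raise ValueError("choose a longer, non-recommended length")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw

def generate_identifier(length=12):
    """Random letters+digits name (database, user or prefix) that encodes nothing about the domain."""
    rest = string.ascii_lowercase + string.digits
    first = secrets.choice(string.ascii_lowercase)
    return first + "".join(secrets.choice(rest) for _ in range(length - 1))

def provisioning_sql(db, user, password, host="localhost"):
    """MySQL for a fresh database plus a user whose privileges stop at that one database."""
    if not (IDENT_RE.fullmatch(db) and IDENT_RE.fullmatch(user)):
        raise ValueError("identifiers must be lowercase letters/digits")
    pw = password.replace("\\", "\\\\").replace("'", "\\'")
    return [f"CREATE DATABASE `{db}`;",
            f"CREATE USER '{user}'@'{host}' IDENTIFIED BY '{pw}';",
            f"GRANT ALL PRIVILEGES ON `{db}`.* TO '{user}'@'{host}';",   # scoped, not ON *.*
            "FLUSH PRIVILEGES;"]

def render_config(db, user, password, prefix):
    """The wp-config.php lines the post has you edit, with the chosen values filled in."""
    return (f"define('DB_NAME', '{db}');\ndefine('DB_USER', '{user}');\n"
            f"define('DB_PASSWORD', '{password}');\ndefine('DB_HOST', 'localhost');\n"
            f"$table_prefix = '{prefix}';\n")

def parse_wp_config(text):
    """Pull the DB_* defines and $table_prefix out of wp-config.php text."""
    cfg = dict(re.findall(r"define\(\s*'(DB_\w+)'\s*,\s*'([^']*)'\s*\)", text))
    m = re.search(r"\$table_prefix\s*=\s*'([^']*)'", text)
    cfg["table_prefix"] = m.group(1) if m else ""
    return cfg

def audit(cfg, domain):
    """List the weaknesses the post warns about; an empty list means the config passes."""
    host = domain.lower()
    label = (host[4:] if host.startswith("www.") else host).split(".")[0]
    name, user, pw = cfg.get("DB_NAME", ""), cfg.get("DB_USER", ""), cfg.get("DB_PASSWORD", "")
    findings = []
    if label and label in name.lower():
        findings.append("DB_NAME is derived from the domain")
    if name.lower() in {"wordpress", "wrdp", "wp"}:
        findings.append("DB_NAME is a generic WordPress name")
    if label and label in user.lower():
        findings.append("DB_USER is derived from the domain")
    if user and user.lower() == name.lower():
        findings.append("DB_USER matches DB_NAME")
    if not has_all_classes(pw):
        findings.append("DB_PASSWORD lacks letters, digits or symbols")
    if len(pw) in AVOID_LENGTHS or len(pw) < MIN_LENGTH:
        findings.append("DB_PASSWORD uses a short or 'recommended' length")
    if cfg.get("table_prefix") == "wp_":
        findings.append("table_prefix is still the default wp_")
    return findings

if __name__ == "__main__":
    db, user, pw = generate_identifier(), generate_identifier(), generate_password(23)
    print("\n".join(provisioning_sql(db, user, pw)))
    print(render_config(db, user, pw, generate_identifier(5) + "_"))
    print("sample config findings:", audit(parse_wp_config(SAMPLE_WP_CONFIG), "www.domain.com"))
```

To check an existing site, feed its real file in: `audit(parse_wp_config(open("wp-config.php").read()), "www.yourdomain.com")`. The GRANT is deliberately on `db`.* rather than *.*: that is what makes "one user per database" worth anything if someone lands in your hosting space with one set of credentials.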

Upon visiting the www.domain.com/wp-admin/install.php URL, you'll be greeted by a WordPress setup page. In WordPress releases prior to 3.0 the "admin" account was created by default during the installation process. Thankfully that's no longer the case. You will be prompted to enter the name of your site, a brief description and - most importantly - the username and password for the initial administrator user account.

You don't have to input your own password. If you don't, WordPress will generate one for you. I don't recommend allowing it to do that. Head back over to Strong Password Generator and create your own password. Remember not to use recommended lengths. Do I really need to remind you of that? I didn't think so. WRITE DOWN OR COPY/PASTE YOUR PASSWORD INTO A FILE! The "New WordPress Site" e-mail will not include your password if you do not allow WordPress to generate one for you.

WordPress Security Plugins

There are several plugins I install on every new WordPress site I build. No single plugin covers all the bases, but combined they offer about as much security for a WordPress installation as is possible.

Keep Your WordPress Software Up-To-Date

ALWAYS keep your WordPress core software updated to the latest version. While WordPress often makes significant changes to the functionality and usability of the software with major releases, incremental upgrades are often released to plug identified security vulnerabilities and resolve reported issues. You're tempting fate by keeping older versions up & running. You have been warned.

An Added Layer of Security

Donna Fontenot (a.k.a. "DazzlinDonna") has developed a great tool called "MonitorHackdFiles". It's a cron script that will help to alert you to files that are changed or new files that are added. It won't stop such an attack, but it will alert you via e-mail if it happens so you can immediately take action. Learn more about how to install and use Donna's indispensable tool.
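The idea behind that kind of cron script, as an added Python example that is not Donna's tool or any code from this post: record a SHA-256 baseline of every file under the site root, then on each run report files that were added, changed or removed since the baseline. The temp-directory layout in `demo()` and the file names in it are constructed for illustration; the `.baseline.json` location and the choice to keep it outside the web root are my assumptions.

```python
import hashlib
import json
import os
import shutil
import tempfile

def sha256_file(path):
    """Streamed SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, skip_dirs=()):
    """Map every file under root (path relative to root, '/' separated) to its SHA-256."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in skip_dirs)
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result

def compare(baseline, current):
    """Added, removed and changed paths between two snapshots."""
    old, new = set(baseline), set(current)
    return {"added": sorted(new - old),
            "removed": sorted(old - new),
            "changed": sorted(p for p in old & new if baseline[p] != current[p])}

def run_check(root, baseline_path):
    """One cron run: the first call records the baseline and returns None; later calls return the drift."""
    current = snapshot(root)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as f:
            json.dump(current, f, indent=1, sort_keys=True)
        return None
    with open(baseline_path) as f:
        baseline = json.load(f)
    return compare(baseline, current)

def format_alert(report):
    """Plain-text body; whatever a cron job prints is mailed to MAILTO, which gives you the e-mail alert."""
    lines = []
    for kind in ("added", "changed", "removed"):
        lines += [f"{kind.upper()}: {p}" for p in report[kind]]
    return "\n".join(lines)

def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)

def demo():
    """Constructed miniature site tree: baseline it, then simulate the three kinds of drift."""
    root = tempfile.mkdtemp(prefix="wp-fim-")
    baseline_path = root + ".baseline.json"   # kept outside the web root on purpose
    try:
        _write(root, "index.php", "<?php // constructed sample\n")
        _write(root, os.path.join("wp-content", "plugins", "x", "x.php"), "<?php // v1\n")
        first = run_check(root, baseline_path)          # None: baseline just recorded
        _write(root, os.path.join("wp-content", "plugins", "x", "x.php"), "<?php // v2\n")
        _write(root, os.path.join("wp-content", "uploads", "unexpected.php"), "<?php // new\n")
        os.remove(os.path.join(root, "index.php"))
        report = run_check(root, baseline_path)         # the drift a cron run would mail you
    finally:
        shutil.rmtree(root, ignore_errors=True)
        if os.path.exists(baseline_path):
            os.remove(baseline_path)
    return first, report

if __name__ == "__main__":
    first, report = demo()
    print(format_alert(report))
```

Two design points worth copying from this into any home-grown version: the baseline lives outside the directory being watched, so someone who can write into the site cannot quietly rewrite the baseline too, and the baseline is never refreshed automatically after an alert. You re-record it yourself, after a legitimate update, once you have looked at what changed.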

BACKUP, BACKUP, BACKUP!

There's no way to secure your site 100%. If you fall victim to a hacker, you damn well better have a backup of your site. Having access to regular backups of your site can not only prevent catastrophe, but make reverting back to a "clean" version of your database quick and virtually incident-free. There are several WordPress plugins available to help you backup your data and protect yourself against data loss in the event of an attack. Here are three you should take a closer look at:

Better Safe Than Sorry

Seem like a lot of effort? Trust me when I tell you that protecting your site is much less time consuming and infuriating than trying to figure out what the hell to do after your site has been attacked. Not to mention the fact that you usually don't even know your site has been hacked until it is kicked out of Google. That is NOT a lesson you want to learn the hard way. BELIEVE ME!

Do everything you can to prevent an attack to begin with and you'll never have to experience first-hand what it's like to cross into that whole new realm of monumentally screwed. 🙂