Over 25 Million websites run on WordPress, and no matter if you are running a blog, membership service, eCommerce website or any other type of WordPress site, the most critical part of your business is to simply keep your website running. (By the way, if you are just starting out and need help getting your own WordPress website set up, check out my step-by-step WordPress basics tutorial.)
1. Create a unique Administrator user and remove the default “admin” user
Leaving the default WordPress Administrator user name set to “admin” is the #1 security exploit hackers use to gain access to a WordPress site. If you don’t change it, a hacker is already 50% of the way into your website, and that puts you at a huge disadvantage.
The good thing is that it’s easy to change right away when you are installing WordPress with either the standard WordPress Installation Wizard (screenshot below) or a 1-step installation script from a hosting provider like Bluehost. Just look for the field labeled username or admin username and choose something unique.
**Extra security tip**: The username field is also case sensitive so you can even use Capitals and Punctuation symbols to make the name more secure!
Now if your Administrator username is already set to “admin” you can change this easily by following these steps:
- Login as the “admin” user.
- Go to the “Users” menu and click on “Add New”.
- Pick a unique username and email (the email must be unique and different than the existing admin user email), set your role to “Administrator” and click the Add New User button.
- Log Out of the backend (Go to the top right corner of your backend and hover the “Howdy, admin” text and choose “Log Out”).
- Log back in as the new Administrator user you just created.
- Go to the “Users” menu and click on “All Users“
- Select the checkbox next to the old “admin” user, look for the drop down labeled “Bulk Actions”, select “Delete” in the list and click on “Apply”.
- You will have the option to delete all posts by the old user or move existing posts to another user from a dropdown list. If you already have content you should choose to move your posts to the new Administrator user you just created.
2. Install Wordfence Security
Wordfence is a free security plugin that actively scans and protects your website from malware, viruses, and hackers. It is the best free WordPress security tool available and has the following key features that make it indispensable:
- Actively Scans your WordPress theme, plugin, and core files for malware and viruses.
- Login Lockdown: it can automatically lock out hackers after X login failures within Y minutes.
- Alerts you by email whenever anyone logs into your website.
- Hides the WP Version Number in your header.
- Removes login messages so hackers can’t see if they guess any part of your user account.
- Scans comments for malware and phishing URLs.
- Lets you know if updates are available for any of your plugins or WordPress core.
Search for “Wordfence Security” in the plugin area of your WordPress backend and after you download and activate the plugin you’ll have a new section added in the bottom left called “Wordfence“.
That’s it, you’re done! You can stick with the standard options or click on the “Options” link to customize the protection to the level of scrutiny you want.
**Bonus Tip**: Like any anti-virus software the added scanning can take extra server resources so I recommend you push up your WordPress memory limit to at least 128MB. This can be done easily by adding the following line to your wp-config.php file.
3. Automate the backup of your Database
- Click on the section called “Database” in your WordPress Dashboard (look for it near the bottom of the left side of your dashboard).
- Inside the “Database” section click on the text link labeled “DB Options“
- The first two fields labeled “Path to mysqldump” and “Path to mysql” should already be filled out with something like /usr/bin/mysqldump or /usr/bin/mysql; if not, click on the “auto-detect” button next to the empty field.
- At the bottom of this same page (DB Options) you can choose how often you want automatic backups and repairs made in days, weeks, months, even minutes. The standard options are good for most, but adjust them to how often you feel is appropriate for your business.
- Enter your email address to have the backups automatically sent to you.
- When you are done click on the “Save Changes” button.
- Click the “Backup” button on the bottom of the page, and check your email for your backup file.
4. Protect access to directories and sensitive files
There are certain vital and sensitive files that ensure your WordPress site functions properly. One such file is the wp-config.php file which is the main WordPress configuration file and handles the database connection and security credentials. If this file is deleted, renamed, or removed your website will display the “white screen of death” (blank page) or a hacker could even rerun the setup wizard, create another administrator user, and lock you out of your own website!
Files that contain configuration information should not be directly accessible from a web browser and should be blocked or redirected through your .htaccess file. For example, by adding the following lines to your .htaccess file you can easily redirect any hacker trying to access your configuration file to the FBI website, a nice surprise :).

```apache
# Redirect any direct web request for the WordPress configuration file.
# Redirect is a mod_alias directive, so the guard is on mod_alias
# (the original wrapped it in mod_rewrite, which this directive does not use).
<IfModule mod_alias.c>
Redirect 301 /wp-config.php http://www.fbi.gov
</IfModule>
```
At the BARE minimum, you should always block directory browsing access to your web server files. This is an easy one-liner and you just put it at the top of your .htaccess file. Please take the 30 seconds to do this, as most 1-step installation scripts from hosting companies leave it out.
There are many more .htaccess tricks and ways you can protect access to sensitive files (check out the .htaccess tricks guide at Perishable Press), but be warned: the .htaccess file is a sensitive file itself. If you don’t know what you are doing and mistype any of the directives or commands, you can cause your site to go down. If you are not comfortable adding .htaccess commands directly, you should talk to your hosting provider to get some help.
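Here is an added .htaccess example (not from the original post) that combines the two protections this section describes: the standard `Options -Indexes` directive that turns off directory browsing, plus a deny rule for wp-config.php that works whether or not PHP is handling the request. It goes slightly beyond the text by also covering editor and backup copies of the config file and the .htaccess file itself, and it assumes your host allows `AllowOverride Options` and `AllowOverride Limit` for .htaccess files.

```apache
# Added example: hardening directives for the site's top-level .htaccess.
# Assumes AllowOverride permits Options and access-control directives here.

# Disable directory listings: a directory with no index file now returns
# 403 Forbidden instead of showing its contents.
Options -Indexes

# Deny direct web access to wp-config.php and any editor/backup copies of it
# (wp-config.php~, wp-config.php.bak, ...). A misconfigured PHP handler would
# otherwise serve such copies as plain text, including the database password.
# Apache 2.4 syntax first, with an Apache 2.2 fallback.
<FilesMatch "^wp-config\.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# Keep .htaccess and .htpasswd themselves from being downloaded.
<FilesMatch "^\.ht">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

After saving, request a directory without an index file and the wp-config.php URL in your browser; both should return 403 rather than a listing or file contents.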
Remember to Stay up to Date
Online security is a constant game played between hackers and users. Remember to stay up to date with your version of WordPress and key plugins (such as Wordfence) so your website can continue to be secure.
Now feel free to ask any questions you have about any of the tasks I mentioned in the comments section below, or share any of your own experiences, tips, and tricks you use to protect your WordPress website with others.
All the best!