4 Essential Security Tasks for any WordPress Website

Over 25 Million websites run on WordPress, and no matter if you are running a blog, membership service, eCommerce website or any other type of WordPress site, the most critical part of your business is simply keeping your website running. (btw, if you are just starting out and need help getting your own WordPress website set up, check out my step-by-step WordPress basics tutorial.)

Staying on top of security can seem like a huge challenge and overwhelms many website owners; however, this is an easy list of 4 essential tasks you should do (and I do) immediately on any WordPress website to protect it from the majority of attacks and vulnerabilities. There are many more security best practices and advanced measures I could list, but these 4 essential and simple steps will shield your website from numerous hacks, keep your site running, and should help you sleep better at night. :)

1. Create a unique Administrator user and remove the default “admin” user

Leaving the default WordPress Administrator username set to “admin” is the #1 security exploit hackers use to gain access to a WordPress site. If you don’t change it, a hacker is already 50% of the way into your website, and that puts you at a huge disadvantage.

The good thing is that it’s easy to change right away when you are installing WordPress with either the standard WordPress Installation Wizard (screenshot below) or a 1-step installation script from a hosting provider like Bluehost. Just look for the field labeled “username” or “admin username” and choose something unique.

**Extra security tip**: The username field is also case sensitive, so you can even use capitals and punctuation symbols to make the name more secure!

(Screenshot: WordPress DIY Wizard Installer, showing a custom administrator username entered in the wizard.)

Now, if your Administrator username is already set to “admin”, you can change this easily by following these steps:

  1. Login as the “admin” user.
  2. Go to the “Users” menu and click on “Add New”.
  3. Pick a unique username and email (the email must be unique and different from the existing admin user’s email), set the role to “Administrator” and click the “Add New User” button.
  4. Log Out of the backend (Go to the top right corner of your backend and hover the “Howdy, admin” text and choose “Log Out”).
  5. Log back in as the new Administrator user you just created.
  6. Go to the “Users” menu and click on “All Users”.
  7. Select the checkbox next to the old “admin” user, look for the drop-down labeled “Bulk Actions”, select “Delete” in the list, and click on “Apply”.
  8. You will have the option to delete all posts by the old user or move existing posts to another user from a dropdown list. If you already have content you should choose to move your posts to the new Administrator user you just created.

2. Install Wordfence Security

Wordfence is a free security plugin that actively scans and protects your website from malware, viruses, and hackers. It is the best free WordPress security tool available and has the following key features that make it indispensable:

  • Actively Scans your WordPress theme, plugin, and core files for malware and viruses.
  • Login Lockdown: It can automatically lock out hackers after a chosen number of login failures within a chosen number of minutes.
  • Alerts you by email whenever anyone logs into your website.
  • Hides the WP Version Number in your header.
  • Removes login messages so hackers can’t see if they guess any part of your user account.
  • Scans comments for malware and phishing URLs.
  • Lets you know if updates are available for any of your plugins or for WordPress core.

Search for “Wordfence Security” in the plugin area of your WordPress backend, and after you download and activate the plugin you’ll have a new section added in the bottom left called “Wordfence”.

That’s it, you’re done! You can stick with the standard options or click on the “Options” link to customize the protection to your own scrutiny level.

**Bonus Tip**: Like any anti-virus software, the added scanning can take extra server resources, so I recommend you push up your WordPress memory limit to at least 128MB. This can be done easily by adding the following line to your wp-config.php file.

define('WP_MEMORY_LIMIT', '128M');

3. Automate the backup of your Database

Part of any good online security plan is not only preventing an attack, but also having a backup of your data should any issue come up. WP DB Manager is a free plugin that you can install that will automatically back up your database on any time interval you choose, and will even automatically email you an offsite copy of the backup file just in case you can’t access your web server.

Search for “WP DB Manager” in the plugin area of your WordPress backend, and after downloading and activating the plugin take the following steps to set up the email automation.
  1. Click on the section called “Database” in your WordPress Dashboard (look for it near the bottom of the left-hand menu of your dashboard).
  2. Inside the “Database” section click on the text link labeled “DB Options”.
    • The first two fields, labeled “Path to mysqldump” and “Path to mysql”, should already be filled in with something like /usr/bin/mysqldump or /usr/bin/mysql; if not, click the “auto-detect” button next to the empty field.
    • At the bottom of this same page (DB Options) you can choose how often you want automatic backups and repairs made in days, weeks, months, even minutes. The standard options are good for most, but adjust them to how often you feel is appropriate for your business.
    • Enter your email address to have the backups automatically sent to you.
    • When you are done click on the “Save Changes” button.
  3. Final step, create your first backup. In the same “Database” section click on the text link labeled “Backup DB”.
    • Click the “Backup” button on the bottom of the page, and check your email for your backup file.
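For readers who would rather script the same job (or verify that the plugin’s backups are being made safely), here is an added example that is not part of the original post and not code from the WP DB Manager plugin. It reads the DB_* constants out of wp-config.php, runs mysqldump with the password in an owner-only option file rather than on the command line (where it would be visible in the process list), locks down the dump file’s permissions and keeps only the newest copies. The sample wp-config.php content and the paths under `__main__` are constructed for illustration.

```python
"""Added example, not part of the original post or of the WP DB Manager plugin:
a stand-alone database backup for a WordPress site. It reads the DB_* constants
from wp-config.php, runs mysqldump with the password in a 0600 option file
(so it never shows up in `ps` or shell history), restricts the dump file's
permissions and keeps only the newest N copies. The config below and the
paths in __main__ are constructed for illustration."""
import re
import stat
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of the lines that matter in wp-config.php (not a real site).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define('DB_USER', 'wp_user');
define( 'DB_PASSWORD', 's3cr3t-pw!' );
define( 'DB_HOST', 'localhost:3306' );
define( 'WP_MEMORY_LIMIT', '128M' );
"""

# Matches define('NAME', 'value') / define("NAME", "value") on one line.
# Escape sequences inside PHP double-quoted strings are not interpreted.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)""")
REQUIRED = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")


def parse_wp_config(text):
    """Return every single-line string constant defined in wp-config.php,
    raising if any of the database settings is absent."""
    found = {m.group(1): m.group(3) for m in DEFINE_RE.finditer(text)}
    missing = [k for k in REQUIRED if k not in found]
    if missing:
        raise ValueError("wp-config.php lacks " + ", ".join(missing))
    return found


def write_defaults_file(cfg, directory):
    """Write a MySQL option file holding the credentials, readable only by its owner.
    DB_HOST may be 'host' or 'host:port'; socket paths are not handled here."""
    host, _, port = cfg["DB_HOST"].partition(":")
    lines = ["[client]",
             f"user={cfg['DB_USER']}",
             # quote the value per MySQL option-file rules if it contains '#' or quotes
             f"password={cfg['DB_PASSWORD']}",
             f"host={host or 'localhost'}"]
    if port:
        lines.append(f"port={port}")
    path = Path(directory) / ".wp-backup.cnf"
    path.write_text("\n".join(lines) + "\n")
    path.chmod(stat.S_IRUSR | stat.S_IWUSR)  # 0600
    return path


def build_dump_command(cfg, defaults_file, out_path):
    """argv for mysqldump; --defaults-extra-file must be the first option."""
    return ["mysqldump", f"--defaults-extra-file={defaults_file}",
            "--single-transaction", "--quick",
            f"--result-file={out_path}", cfg["DB_NAME"]]


def backup_name(now=None):
    """File name carrying a UTC timestamp so lexical order equals age order."""
    now = now or datetime.now(timezone.utc)
    return f"wp-backup-{now:%Y%m%dT%H%M%SZ}.sql"


def rotate_backups(directory, keep):
    """Delete all but the newest `keep` dumps; returns the names removed."""
    dumps = sorted(Path(directory).glob("wp-backup-*.sql"))
    doomed = dumps[:-keep] if keep > 0 else dumps
    for old in doomed:
        old.unlink()
    return [p.name for p in doomed]


def run_backup(wp_config_path, backup_dir, keep=7):
    """Parse, dump, lock down, rotate. Needs mysqldump on PATH and a reachable database."""
    cfg = parse_wp_config(Path(wp_config_path).read_text())
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    out = backup_dir / backup_name()
    defaults = write_defaults_file(cfg, backup_dir)
    try:
        subprocess.run(build_dump_command(cfg, defaults, out), check=True)
        out.chmod(stat.S_IRUSR | stat.S_IWUSR)  # the dump holds all site data: owner-only
    finally:
        defaults.unlink()  # never leave the credentials file behind
    rotate_backups(backup_dir, keep)
    return out


if __name__ == "__main__":
    # Hypothetical paths; run from cron (for example daily) to match the plugin's schedule.
    print(run_backup("/var/www/html/wp-config.php", "/var/backups/wordpress"))
```

Run it from cron with the backup directory outside the web root, and copy the newest dump off the server the same way the plugin emails its copy; a backup that lives only on the compromised host is not a backup.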

4. Protect access to directories and sensitive files such as wp-config.php

There are certain vital and sensitive files that ensure your WordPress site functions properly. One such file is the wp-config.php file, which is the main WordPress configuration file and handles the database connection and security credentials. If this file is deleted, renamed, or removed, your website will display the “white screen of death” (blank page), or a hacker could even rerun the setup wizard, create another administrator user, and lock you out of your own website!

Files that contain configuration information should not be directly accessible from a web browser and should be blocked or redirected through your .htaccess file. For example, by adding the following lines to your .htaccess file you can easily redirect any hacker trying to access your configuration file to the FBI website... a nice surprise :).

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Redirect any request for the WordPress configuration file.
# RewriteRule is a mod_rewrite directive; the plain "Redirect" directive belongs
# to mod_alias and would not be covered by this IfModule check.
RewriteRule ^wp-config\.php$ http://www.fbi.gov [R=301,L]
</IfModule>

At the BARE minimum, you should always block directory browsing access to your web server files. This is an easy one-liner, and you just put it at the top of your .htaccess file. Please take the 30 seconds to do this, as most 1-step installation scripts from hosting companies leave this out.

Options -indexes

There are many more .htaccess tricks and ways you can protect access to sensitive files (check out the .htaccess tricks guide at Perishable Press), but be warned: the .htaccess file is a sensitive file itself. If you don’t know what you are doing and mistype any of the directives or commands, you can cause your site to go down. If you are not comfortable with directly adding .htaccess commands, you should talk to your hosting provider to get some help.
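Because a typo in .htaccess can take the site down, it helps to have a quick, mechanical way to confirm the two protections above actually landed in the file. The following is an added example, not from the original post: a small Python audit that reads an .htaccess file and reports whether directory listing is switched off and whether wp-config.php is either denied outright or redirected away. The two sample files embedded in it are constructed; the hardened one denies the file with a `<Files>` block (an equally valid alternative to the redirect shown earlier), and the checker also recognizes the RewriteRule form.

```python
"""Added example, not from the original post: a small audit of an .htaccess file
for the two protections this section asks for, directory listing switched off and
wp-config.php unreachable from a browser. Use it after editing .htaccess and before
relying on the change. The two sample files below are constructed."""
import sys

# Constructed: what a one-step installer typically leaves behind, the WordPress
# permalink rules only.
WEAK_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed: the same file with listing disabled and wp-config.php denied outright
# ("Require all denied" is the Apache 2.4 form; 2.2 used "Deny from all").
HARDENED_HTACCESS = ("Options -Indexes\n\n"
                     "<Files wp-config.php>\n"
                     "    Require all denied\n"
                     "</Files>\n\n" + WEAK_HTACCESS)


def _directives(text):
    """Yield (name, argument) per non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def indexes_disabled(text):
    """True if the last Options line that touches Indexes turns it off.
    'Options -Indexes' (case-insensitive) or an absolute list without Indexes
    both count; a file with no Options line at all does not."""
    state = None
    for name, arg in _directives(text):
        if name.lower() != "options":
            continue
        tokens = arg.split()
        if tokens and not all(t[0] in "+-" for t in tokens):
            # absolute form: replaces the whole option set
            state = not any(t.lower() in ("indexes", "all") for t in tokens)
        else:
            for t in tokens:
                if t[1:].lower() in ("indexes", "all"):
                    state = t[0] == "-"
    return bool(state)


def wp_config_protected(text):
    """True if wp-config.php is denied inside a <Files>/<FilesMatch> block or
    redirected away by Redirect/RedirectMatch/RewriteRule."""
    in_block = False
    for name, arg in _directives(text):
        low, arg_low = name.lower(), arg.lower()
        if low in ("<files", "<filesmatch"):
            in_block = "wp-config" in arg_low
        elif low in ("</files>", "</filesmatch>"):
            in_block = False
        elif in_block and (low, arg_low) in (("require", "all denied"), ("deny", "from all")):
            return True
        elif low in ("redirect", "redirectmatch", "rewriterule") and "wp-config" in arg_low:
            return True
    return False


def audit(text):
    """Both checks at once, as a dict a caller (or a cron job) can act on."""
    return {"indexes_disabled": indexes_disabled(text),
            "wp_config_protected": wp_config_protected(text)}


if __name__ == "__main__":
    # Usage: python htaccess_audit.py /path/to/.htaccess  (hypothetical script name)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else HARDENED_HTACCESS
    for check, ok in audit(text).items():
        print(f"{check}: {'OK' if ok else 'MISSING'}")
```

The checker only reads the file, so it cannot break anything; the real confirmation is still an `apachectl configtest` (or a browser request for wp-config.php returning 403 or the redirect) after the edit, because it does not evaluate other .htaccess files higher in the tree or the server’s main configuration.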

Remember to Stay up to Date

Online security is a constant game played by hackers and users; remember to stay up to date with your version of WordPress and key plugins (such as Wordfence) so your website can continue to be secure.

Now feel free to ask any questions you have about any of the tasks I mentioned in the comments section below, or share any of your own experiences, tips, and tricks you use to protect your WordPress website with others.

All the best!

-Belsien
