I am often asked what I do to secure my WordPress websites, for myself and my clients…
There are many layers of security that you can enact to secure your website. Below are just a few of the basics that I religiously adhere to on every WordPress install that I have input on:
- UPLOAD: Start securing your website right from the initial file upload! Never use /wordpress/ as the directory for your install; if your WordPress is not being installed in the root directory of your website, create a directory with a user-friendly name for your site visitors.
- DATABASE: When creating your database, don’t use wp for the database name; use creative database names and database usernames, and ensure your password is secure (use upper- and lower-case letters, numbers and special characters).
- WP-CONFIG.php: This is probably the #1 place where most security is compromised. When filling in your wp-config.php file, pay close attention to the options!
  - Take the time to acquire the Authentication Unique Keys and Salts: https://api.wordpress.org/secret-key/1.1/salt/
  - Be sure to change the WordPress Database Table prefix from wp_ to something different.
  - After uploading, be sure to delete your wp-config-sample.php file.
- Creating Login: When you create the initial Admin login for your WordPress install, please do NOT use the default of ‘Admin’ for your username; it’s a bit obvious and does half the job for any potential hackers.
- Users: Once the user is created, edit it so that your username is NOT used as the “posted by” name.
- Passwords: I think most of us are catching on these days, but I have to put it here: please make sure that you and any other admins use secure passwords (letters, numbers, different cAse, special char$) AND change them!!!
- Plugins: Do some research; there are quite a few excellent security plugins out there! You want something that helps fight comment spam, a blocklist plugin which will deny known hackers, and a firewall to catch and block attacks. As with all plugins, take time to look at the history of the plugin (does it get updated regularly?), the number of downloads, and the reviews.
Those are the bare-bones basic security measures everyone should take on a WordPress install.
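The wp-config.php and database items above can be checked mechanically. The following Python script is an added example, not the author's own code; the function names, the 32-character minimum and the two sample configurations are assumptions made for illustration.

```python
import re
from pathlib import Path

KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_LEN = 32  # assumption: shorter values did not come from the salt generator

def parse_config(php):
    """Return (defines, table_prefix), skipping comments that start a line."""
    php = re.sub(r"^\s*/\*.*?\*/", "", php, flags=re.S | re.M)
    php = "\n".join(l for l in php.splitlines() if not re.match(r"\s*(//|#)", l))
    pat = r"define\(\s*(['\"])(\w+)\1\s*,\s*(['\"])(.*?)\3\s*\)"
    defs = {m.group(2): m.group(4) for m in re.finditer(pat, php)}
    m = re.search(r"\$table_prefix\s*=\s*(['\"])(.*?)\1", php)
    return defs, (m.group(2) if m else None)

def audit_wp_config(php, sample_present=False):
    """Return findings for the wp-config.php and database items in the checklist."""
    defs, prefix = parse_config(php)
    findings = []
    for key in KEYS:
        value = defs.get(key)
        if value is None:
            findings.append(f"{key}: not defined")
        elif value == PLACEHOLDER or len(value) < MIN_LEN:
            findings.append(f"{key}: placeholder or too short")
    if prefix is None or prefix == "wp_":
        findings.append("table_prefix: missing or still wp_")
    if defs.get("DB_NAME", "").lower() == "wp":
        findings.append("DB_NAME: database is named wp")
    if sample_present:
        findings.append("wp-config-sample.php: still on the server")
    return findings

def audit_install(directory):
    """Audit a WordPress directory on disk, including the leftover sample file."""
    php = Path(directory, "wp-config.php").read_text(encoding="utf-8", errors="replace")
    return audit_wp_config(php, Path(directory, "wp-config-sample.php").exists())

def sample_config(db, prefix, values):
    """Build constructed wp-config.php text; not a real site's configuration."""
    head = ["<?php", f"define( 'DB_NAME', '{db}' );", f"$table_prefix = '{prefix}';"]
    return "\n".join(head + [f"define( '{k}', '{v}' );" for k, v in zip(KEYS, values)])

WEAK = sample_config("wp", "wp_", [PLACEHOLDER] * 8)
GOOD = sample_config("shop_7f3", "k9x_", [(k + "-constructed-").ljust(64, "x") for k in KEYS])

if __name__ == "__main__":
    print(audit_wp_config(WEAK, sample_present=True), audit_wp_config(GOOD), sep="\n")
```

Point `audit_install()` at the directory that holds wp-config.php to run the same checks against a real install; an empty list means none of these items were flagged.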
If anyone has any additions or suggestions to add, please comment below!