In my review of WordPress 3 for Business Bloggers I told you that I missed one piece of content, namely how to secure your WordPress website, and that I would give you some tips on doing so.
WordPress is a very popular content management system and, as such, is under constant attack.
Most attacks do not target security holes in WordPress core but weaknesses in plugins and themes, so keeping those updated matters as much as the steps below.
Basics on how to Secure Your WordPress Website
WordPress security starts with the installation of your website, and these steps help:
- choose a good web host
- create a hard-to-guess database name and database username for your MySQL database
- create a strong password
- don't use the default wp_ prefix for your tables
- don't use the default admin username, but create a less obvious username with a matching strong password
After installation, use the Permalinks settings to create a .htaccess file in the root of your website.
Once the installation is done you can remove the following file:
- readme.html (reveals which version of WordPress you are running; note that core updates put it back, so remove it again after each update)
Secure your files by changing the permissions on:
- .htaccess to 404 (or 604)
- wp-config.php to 400 (or 600 if your hosting company won't allow 400)
If possible, move wp-config.php one folder above the web root; WordPress looks for it there automatically. Mode 400 only works when PHP runs as the file's owner (suPHP or a per-user FastCGI pool); if the web server runs as a different user it can't read the file and the site breaks, so check which setup your host uses first.
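The installation and file-permission steps above, as an added shell script that is not code from the original post or from WordPress. It assumes a web root path you pass in, that wp-config.php already contains the database credentials, and that PHP runs as the file owner; the helper names gen_prefix, set_table_prefix, harden_wp and check_wp are this example's own. It goes slightly beyond the list by validating the generated prefix before writing it and by auditing the result afterwards.

```shell
#!/bin/sh
# Added example: the post-install checklist as a POSIX shell script.
# Not code from the original post or from WordPress. Assumptions: WordPress is
# unpacked in the web root passed as $1, wp-config.php already holds the
# database credentials, and PHP runs as the file owner (otherwise mode 400 on
# wp-config.php leaves the web server unable to read it).
set -eu

# Random table prefix: a letter, seven alphanumerics, then an underscore.
# WordPress accepts only letters, digits and underscores in $table_prefix.
gen_prefix() {
    first=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c 1)
    rest=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 7)
    printf '%s%s_' "$first" "$rest"
}

# Octal mode of a file: GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Rewrite the $table_prefix line in wp-config.php. The prefix is validated
# before it reaches sed so that a crafted value cannot inject PHP into the file.
set_table_prefix() {
    config=$1; prefix=$2
    case $prefix in
        ''|*[!A-Za-z0-9_]*) echo "invalid table prefix: $prefix" >&2; return 1 ;;
    esac
    sed -i.bak "s/^\\\$table_prefix *= *'[^']*';/\\\$table_prefix = '$prefix';/" "$config"
    rm -f "$config.bak"
}

# Apply the file-level steps to the web root in $1.
harden_wp() {
    root=$1
    # readme.html advertises the exact WordPress version; remove it.
    rm -f "$root/readme.html"
    # .htaccess: readable, not writable (404 as in the post; 604 if the web server is another user).
    if [ -f "$root/.htaccess" ]; then chmod 404 "$root/.htaccess"; fi
    # wp-config.php: one level above the web root (WordPress looks there itself), owner-read only.
    if [ -f "$root/wp-config.php" ]; then mv "$root/wp-config.php" "$root/../wp-config.php"; fi
    if [ -f "$root/../wp-config.php" ]; then chmod 400 "$root/../wp-config.php"; fi
}

# Audit a web root against the checklist; prints one FAIL line per problem and
# returns the number of failures (0 means everything passed).
check_wp() {
    root=$1; fails=0
    if [ -e "$root/readme.html" ]; then
        echo "FAIL readme.html still present"; fails=$((fails + 1))
    fi
    case $(mode_of "$root/.htaccess" 2>/dev/null || echo missing) in
        404|604) ;;
        *) echo "FAIL .htaccess mode is not 404/604"; fails=$((fails + 1)) ;;
    esac
    if [ -e "$root/wp-config.php" ]; then
        echo "FAIL wp-config.php is still inside the web root"; fails=$((fails + 1))
        cfg=$root/wp-config.php
    else
        cfg=$root/../wp-config.php
    fi
    case $(mode_of "$cfg" 2>/dev/null || echo missing) in
        400|600) ;;
        *) echo "FAIL wp-config.php mode is not 400/600"; fails=$((fails + 1)) ;;
    esac
    if grep -q "^\\\$table_prefix *= *'wp_';" "$cfg" 2>/dev/null; then
        echo "FAIL default wp_ table prefix in use"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Demo on a constructed layout (not a real install) so the script runs stand-alone.
demo=$(mktemp -d)
mkdir "$demo/public"
printf '<p>Version 3.0</p>\n' > "$demo/public/readme.html"
printf '# BEGIN WordPress\n' > "$demo/public/.htaccess"
printf "<?php\n\$table_prefix = 'wp_';\n" > "$demo/public/wp-config.php"
set_table_prefix "$demo/public/wp-config.php" "$(gen_prefix)"
harden_wp "$demo/public"
if check_wp "$demo/public"; then echo "all hardening checks passed"; fi
rm -rf "$demo"
```

The demo at the bottom builds a throwaway layout in a temp directory. Point harden_wp and check_wp at a real web root only after taking a backup, and re-run check_wp after every core update, since the update restores readme.html.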
Secure Your WordPress Website Plugin Options
There are four plugins I always install on my WordPress websites:
WordPress Firewall 2 monitors web requests to your website and blocks obvious attacks.
File Monitor Plus emails you when a file on your website has changed and tells you which file(s) were changed.
WP Security Scan tells you whether you are already under attack and gives you extra tips and tools to block some standard attacks.
Login Lockdown tracks failed login attempts from an IP address and disables login for that address for a set period, stopping brute force attempts from that source. Note that a lockout keyed on source IP does not stop an attacker spreading attempts across many addresses, and it will lock out everyone behind a shared NAT or proxy once one of them mistypes a password.
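The lockout rule Login Lockdown applies, as an added example that is not the plugin's own code: it replays constructed login-attempt records (the record format, the 3-failures-in-300-seconds threshold and the 3600-second lock are assumptions for the example, not the plugin's settings) through a small awk state machine and reports locks, refused attempts and allowed logins.

```shell
#!/bin/sh
# Added example, not the Login Lockdown plugin's own code: a per-IP lockout
# policy run over constructed login-attempt records so it runs offline.
# Record format is assumed for the example: "<epoch seconds> <client ip> <fail|ok>".
# Policy (assumed defaults): MAX_FAILS failures from one IP within WINDOW seconds
# lock that IP for LOCKOUT seconds; while locked, even a correct password is refused.
set -eu
MAX_FAILS=${MAX_FAILS:-3}
WINDOW=${WINDOW:-300}
LOCKOUT=${LOCKOUT:-3600}

# Reads records on stdin, prints one LOCK/DENY/ALLOW event per relevant record.
lockout_report() {
    awk -v max="$MAX_FAILS" -v window="$WINDOW" -v lock="$LOCKOUT" '
    {
        t = $1 + 0; ip = $2; result = $3
        # Anything from a locked address is refused until the lock expires.
        if ((locked[ip] + 0) > t) { print "DENY " ip " at " t " (locked)"; next }
        if (result == "fail") {
            # Start a fresh window if this is the first failure or the old one is stale.
            if (first[ip] == "" || t - (first[ip] + 0) > window) { first[ip] = t; fails[ip] = 0 }
            fails[ip]++
            if (fails[ip] >= max) {
                locked[ip] = t + lock
                print "LOCK " ip " until " locked[ip]
                first[ip] = ""; fails[ip] = 0
            }
            next
        }
        # A successful login clears the failure counter for that address.
        first[ip] = ""; fails[ip] = 0
        print "ALLOW " ip " at " t
    }'
}

# Constructed sample records (not a real log): three failures from 10.0.0.1 within
# a minute trigger a lock, its next attempt is refused even with a good password,
# and it is allowed again after the lock expires; 10.0.0.2 fails once, then logs in.
SAMPLE_LOG='1000 10.0.0.1 fail
1010 10.0.0.1 fail
1020 10.0.0.1 fail
1030 10.0.0.1 ok
1040 10.0.0.2 fail
1050 10.0.0.2 ok
5000 10.0.0.1 ok'

printf '%s\n' "$SAMPLE_LOG" | lockout_report
```

Because the key is the source IP, the same logic locks out every user behind a shared NAT or proxy once one of them fumbles a password, and does nothing against an attacker who spreads attempts over many addresses; treat it as one layer alongside strong passwords and a non-default admin username, not as the whole defence.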
All of the above measures have helped me to secure my WordPress websites from attacks on several occasions.
WordPress 3 Cookbook
I also got a chance to read WordPress 3 Cookbook, a fun concept that gives you “recipes” that you can use on your own WordPress website.
Here is a short overview of the chapters in this fine book:
Chapter 1: The WordPress Cook's Tools
Chapter 2: Installing and Customizing Themes
Chapter 3: Working with Plugins and Widgets
Chapter 4: Customizing Content Display
Chapter 5: Building Interactivity and Community
Chapter 6: Implementing Online Sales and Advertising
Chapter 7: Making an SEO Friendly Site
Chapter 8: Enhancing Usability and Accessibility
Chapter 9: Managing Maintenance and Improving Security
And yes, this one has a chapter on security :-) but the rest of the book is also a very good read and gives you over 100 short practical articles that you can use.
I really enjoyed reading and implementing several of the recipes on my own WordPress websites and I really suggest you take a look at the WordPress 3 Cookbook, as it has some nice pearls in it. That said, you need to be aware that you should have a code editor and an FTP program. I recommend PSpad and FileZilla. Where your host supports it, connect over SFTP rather than plain FTP, which sends your login in clear text; FileZilla handles both.