WordPress is a fast-growing platform that now powers over 20% of websites on the Internet (think about that!). A footprint that large attracts attackers simply because of the sheer number of websites they can target: a single weakness in a popular theme or plugin can be exploited across all of them with the same automated tool.

To improve the odds, below are 10 steps to harden the security of your WordPress website, from the installation of WordPress through to running it day to day.

When self-hosting WordPress

When manually installing / self-hosting WordPress on your own server (that is, downloading it from www.wordpress.org rather than using the hosted service at www.wordpress.com), there are a few key steps you can take to make sure the core of your WordPress install is secure.

WordPress pre-installation security tip 1: use strong usernames and passwords for FTP and database accounts

When your server is first set up, the hosting company will generally hand you a default FTP username and password (use SFTP where the host offers it; plain FTP sends that password across the network in clear text). Always reset the default password and, if possible, change the default username: you never know who else has seen those details, and if your email account is ever compromised the attacker gets your login details along with it. Then do the same for the database: when creating the database and its user, choose a username and password that are specific to this site, and grant that user privileges only on this site's database, so a compromise of one site cannot reach the data of another on the same server. For passwords I always suggest at least 20 characters mixing upper and lower case, digits and symbols, generated and kept in a password manager rather than memorised.

WordPress pre-installation security tip 2: when installing WordPress, always change the database table prefix

When you run through the famous five-minute install of WordPress you reach a step that asks for the database table prefix. The prefix is the first few characters of every table name; the default is "wp_", so the options table WordPress requires is created as "wp_options". If you keep the default, an attacker who finds a SQL injection flaw already knows every table name and can target them without guessing. Changing the prefix removes that known quantity, but treat it as obscurity rather than protection: a SQL injection that can read information_schema, or a verbose error message, will reveal the prefix, so it is no substitute for keeping plugins and themes patched.

WordPress pre-installation security tip 3: NEVER install WordPress with the username "admin", and always use a strong password

Older versions of WordPress gave the first user the username "admin", which once again hands attackers one less variable to guess, and brute-force tools still try that name first. Current versions let you choose the initial username during installation, and I highly recommend you pick something unique for that website. Bear in mind that a username can still be discovered (author archive URLs, for example, reveal it), so an unusual username is a speed bump, not a replacement for a strong password and login limits. When setting up multiple websites, always use a unique username and password for each website.

WordPress pre-installation security tip 4: change the authentication keys and salts in the wp-config.php file

The keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching _SALT values) do not encrypt your WordPress installation. WordPress uses them as secrets when it hashes the authentication cookies and nonces, so anyone who knows them can forge a logged-in cookie without ever learning a password. Never leave the placeholder values in place or reuse one set across sites: generate a fresh set for each website. The wp-config.php file itself points you to the URL that will generate new values as needed: https://api.wordpress.org/secret-key/1.1/salt/. Changing the values later invalidates every existing login cookie, which is exactly what you want after a suspected compromise.
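As an added example (not code from the original post, and not WordPress's own code), the following Python script generates a fresh set of the eight keys and salts plus a random table prefix and patches both into the text of a wp-config.php, so it serves tip 2 (the table prefix) as well as this tip. It works offline on a constructed excerpt of the stock wp-config.php rather than fetching from api.wordpress.org; the 64-character length and the alphabet are choices made here, and the regular expressions assume the define('NAME', 'value'); layout of the stock wp-config-sample.php.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php to sign auth cookies and nonces.
WP_KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII without whitespace and without the two characters that are
# special inside a PHP single-quoted string (' and \), so the values paste
# straight into define('NAME', '...'). The alphabet is an assumption made here.
SALT_ALPHABET = "".join(
    c for c in string.printable if c.isprintable() and c not in " '\\"
)


def generate_salts(length: int = 64) -> dict:
    """Fresh cryptographically random value for each key/salt constant."""
    return {
        name: "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))
        for name in WP_KEY_NAMES
    }


def random_table_prefix(tag_length: int = 5) -> str:
    """Prefix such as 'wp_k3x9q_'; WordPress allows only letters, digits and underscores."""
    alphabet = string.ascii_lowercase + string.digits
    tag = "".join(secrets.choice(alphabet) for _ in range(tag_length))
    return f"wp_{tag}_"


# Matches the define('NAME', 'value'); lines as laid out in wp-config-sample.php.
DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")
PREFIX_RE = re.compile(r"^\$table_prefix\s*=\s*'[^']*';", re.MULTILINE)


def harden_config(config_text: str, salts: dict, prefix: str) -> str:
    """Return config_text with the key/salt defines and $table_prefix replaced.
    Any other define() (DB_NAME, DB_USER, ...) is left exactly as it was."""
    def replace_define(m):
        name = m.group("name")
        if name in salts:
            return f"define('{name}', '{salts[name]}');"
        return m.group(0)

    out = DEFINE_RE.sub(replace_define, config_text)
    return PREFIX_RE.sub(lambda _m: f"$table_prefix = '{prefix}';", out)


# Constructed excerpt of a stock wp-config.php with the placeholders still in place.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'example_wp');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""


def run_demo() -> str:
    """Generate a new prefix and salt set and apply them to the sample config."""
    return harden_config(SAMPLE_CONFIG, generate_salts(), random_table_prefix())


if __name__ == "__main__":
    print(run_demo())
```

Run it before the five-minute install on a fresh copy of wp-config-sample.php and you get a config with unique secrets and a non-default prefix in one step; rerunning only the salt part on a live site logs every user out, so do that deliberately, not by accident.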

WordPress pre-installation security tip 5: use a security plugin

I always recommend adding a security plugin that monitors and hardens your website. Many of the steps in this post can be done with the iThemes Security plugin, and there are other options such as website protection services like Siteguard. Keep in mind that a plugin runs inside WordPress itself, so it cannot protect the server underneath it or recover a site that is already compromised; it complements the steps above rather than replacing them.


5 things to do after installation


WordPress security tip 1: avoid bad or free themes, as they can contain insecure code

No matter how secure your website and server are, a bad theme can undo all your hard work. Avoid free themes unless they come from reputable sources such as oBox or WooThemes, who constantly update and patch their themes, and steer well clear of "nulled" (pirated) copies of premium themes, which are a common carrier for hidden backdoors and spam links. If you are ever unsure, services like themecheck.org will scan a theme and report on the security and quality of its code.

WordPress security tip 2: limit the use of plugins

Plugins have the same problem. When installing a plugin, always check its star rating, reviews, how many people have installed it and when it was last updated. You want a plugin that is well maintained: we have found over the past few months that when a vulnerability is disclosed, popular plugins are patched within a few hours and the update pushed out. A poorly maintained plugin may not be patched as quickly, or ever, which leaves your website vulnerable for as long as it stays installed.

Also consider how many plugins you install. The more plugins you install, the greater the odds of installing one with a vulnerability. Remove plugins you no longer use rather than just deactivating them: a deactivated plugin's files are still on the server and can still be requested directly by an attacker.

WordPress security tip 3: make sure your wp-config.php and .htaccess files are not writable

This step can be a bit tricky, but always limit access to your .htaccess and wp-config.php files. The main focus is wp-config.php, since it holds the username and password for your database (and the keys and salts). A good rule is to set its permissions to 440 or 400, so the file owner (and optionally its group) can read it and nothing can write to it; the often-quoted 660 still leaves the file writable by the owner and the group, which is not what "not writable" means. Some plugins need to write to wp-config.php or .htaccess (caching plugins, for example), so be cautious when changing permissions and confirm the site still works afterwards. Remember also that if the web server runs as the same user that owns the file, any flaw that lets an attacker run PHP can still read it regardless of the mode; permissions limit what other accounts on the server can do, not what a compromised WordPress can do.
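To check what this tip asks for, here is an added Python example (not from the original post) that inspects the mode bits of wp-config.php and .htaccess and reports group-writable and world-writable files, and for wp-config.php world-readable ones too. The demo builds a throwaway document root in a temporary directory with constructed placeholder files, so it runs anywhere; on a real site you would call audit_site() with the site's document root (path of your choosing).

```python
import os
import stat
import tempfile

# Files singled out in the post: the web server reads both on every request,
# and neither needs to be writable during normal operation.
SENSITIVE_FILES = ("wp-config.php", ".htaccess")


def check_permissions(path: str) -> list:
    """Findings for one file; an empty list means the mode bits are acceptable."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    # wp-config.php holds the database credentials and the salts, so other
    # accounts on a shared host must not be able to read it either.
    if os.path.basename(path) == "wp-config.php" and mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def audit_site(docroot: str) -> dict:
    """Run the check over every sensitive file present in a WordPress document root."""
    results = {}
    for name in SENSITIVE_FILES:
        path = os.path.join(docroot, name)
        if os.path.isfile(path):
            results[name] = check_permissions(path)
    return results


def demo() -> dict:
    """Constructed document root: wp-config.php at 0666 (bad) and .htaccess at
    0644 (fine), then wp-config.php corrected to 0440 and audited again."""
    root = tempfile.mkdtemp(prefix="wp-perm-demo-")
    cfg = os.path.join(root, "wp-config.php")
    htaccess = os.path.join(root, ".htaccess")
    for path in (cfg, htaccess):
        with open(path, "w") as fh:
            fh.write("# constructed placeholder, not a real config\n")
    os.chmod(cfg, 0o666)
    os.chmod(htaccess, 0o644)
    before = audit_site(root)
    os.chmod(cfg, 0o440)   # the fix: read-only for owner and group, nothing for others
    after = audit_site(root)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, results in demo().items():
        for name, findings in results.items():
            print(f"{phase}: {name}: {', '.join(findings) or 'ok'}")
```

The mode bits are only half the story: the check cannot tell you which user the web server runs as, so after fixing the bits also confirm that wp-config.php is not owned by, or group-accessible to, a different tenant's account on a shared host.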

WordPress security tip 4: limit login attempts

Limiting the number of times a username or IP address can attempt to log in to your WordPress website is crucial. With no limit, an attacker can try endless combinations of usernames and passwords until one works. My personal rule is to allow 3 attempts within 30 minutes before locking the username or IP address out of the website for at least a week, or indefinitely. Depending on how much traffic you receive you may need to tweak these settings, and it helps to whitelist your own and your clients' IP addresses. Two caveats: locking a username means an attacker can lock out your real administrator on purpose by failing repeatedly, so make sure you keep a way back in (the whitelist, or access to the server itself); and if the site sits behind a CDN or reverse proxy, make sure the plugin sees the real client address rather than the proxy's, or one attacker will get every visitor locked out at once.
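The lockout rule above, as an added Python example that is not part of the original post: it replays a constructed list of login events (RFC 5737 test addresses and invented usernames) and applies the author's policy of 3 failures in 30 minutes followed by a one-week lockout to both the source IP and the username, with an allowlist that is never counted. Only the username counter resets on a successful login; the IP counter deliberately does not, otherwise an attacker holding one valid low-privilege account could reset their own IP's failure count. The allowlist network and the event timestamps are assumptions made here.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Policy from the post: 3 failures within 30 minutes locks the key for at least a week.
MAX_ATTEMPTS = 3
WINDOW = timedelta(minutes=30)
LOCKOUT = timedelta(days=7)

# Constructed allowlist (RFC 5737 TEST-NET-3): your own and your clients' addresses.
ALLOWLIST = [ip_network("203.0.113.0/24")]


def is_allowlisted(ip: str) -> bool:
    """True if the source address is inside any allowlisted network."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def evaluate(events):
    """Replay (timestamp, ip, username, success) events in time order.

    Returns {("ip", addr) or ("user", name): lockout_expiry} for every key that
    reached MAX_ATTEMPTS failures inside one WINDOW.
    """
    recent = defaultdict(list)   # key -> timestamps of failures still inside the window
    lockouts = {}
    for ts, ip, user, ok in sorted(events, key=lambda e: e[0]):
        if is_allowlisted(ip):
            continue                      # never counted, never locked
        if ok:
            # A real login clears the username's counter only; the IP counter
            # stays, so one valid low-privilege account cannot reset an IP.
            recent[("user", user)].clear()
            continue
        for key in (("ip", ip), ("user", user)):
            inside = [t for t in recent[key] if ts - t < WINDOW] + [ts]
            recent[key] = inside
            if len(inside) >= MAX_ATTEMPTS and key not in lockouts:
                lockouts[key] = ts + LOCKOUT
    return lockouts


def is_locked(lockouts: dict, key: tuple, now: datetime) -> bool:
    """Whether a key is still locked at time `now`."""
    return key in lockouts and now < lockouts[key]


# Constructed sample: T0 is an arbitrary start time, at(m) is m minutes later.
T0 = datetime(2014, 6, 1, 10, 0, 0)


def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


SAMPLE_EVENTS = [
    # 198.51.100.7 tries "admin" four times in 20 minutes: IP and username lock at the third.
    (at(0), "198.51.100.7", "admin", False),
    (at(5), "198.51.100.7", "admin", False),
    (at(15), "198.51.100.7", "admin", False),
    (at(20), "198.51.100.7", "admin", False),
    # 192.0.2.9 fails three times but spread over 100 minutes: never three in one window.
    (at(0), "192.0.2.9", "editor", False),
    (at(50), "192.0.2.9", "editor", False),
    (at(100), "192.0.2.9", "editor", False),
    # 203.0.113.5 is allowlisted: five failures against "admin", no lockout.
    (at(1), "203.0.113.5", "admin", False),
    (at(2), "203.0.113.5", "admin", False),
    (at(3), "203.0.113.5", "admin", False),
    (at(4), "203.0.113.5", "admin", False),
    (at(5), "203.0.113.5", "admin", False),
    # alice mistypes twice, then logs in: her username counter resets.
    (at(2), "192.0.2.44", "alice", False),
    (at(3), "192.0.2.44", "alice", False),
    (at(4), "192.0.2.44", "alice", True),
]


if __name__ == "__main__":
    for key, expiry in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"{key[0]} {key[1]} locked until {expiry}")
```

Wiring this into a real site means feeding it the address the web server actually sees for the client; behind a CDN or reverse proxy that is the forwarded address supplied by the proxy, which you should trust only when the request really came from your proxy's own addresses.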

WordPress security tip 5: have automated backups and store the backups on a different server or offline

Backup, backup, backup! Nothing is ever 100% guaranteed, so always keep a backup of your website as a failsafe. I recommend using BackupBuddy to schedule backups of both the database and all the website files. Depending on how active your website is you may do this daily, weekly or monthly; I generally back up the database daily for e-commerce websites and set a minimum of a full database and files backup monthly. There is no point keeping your backups on the same server as your website, because if the server is hacked you probably won't have access to them (and the attacker will). BackupBuddy can send each backup to a remote server automatically, and I recommend Amazon S3 as the remote option because of its price point. Two things to check: give the site credentials that can only add new objects to the backup bucket, never delete or overwrite existing ones, so a compromised web server cannot destroy its own backups; and restore a backup onto a test server now and then, because a backup you have never restored is not yet a backup.

Hopefully these few steps will help keep your WordPress website secure. If you are using a security plugin (as recommended), always turn on email notifications or summaries so you can keep an eye on the activity and make adjustments as needed. If you'd like to talk about how we can improve your own WordPress website, contact our team of savvy WordPress developers today.