Keeping Your WordPress Site Secure
Hide the Username from the Author Archive URL
Better still, don't publish posts or comments from your admin account at all. If your admin username appears as the author of posts or comments on your site, attackers can read it there too, which puts you in the same position as having your admin username be "admin".
Another way an attacker can discover your username is through the author archive pages on your site.
By default WordPress creates an author archive under the URL http://yoursite.com/author/myblogs, where myblogs is your username. This is essentially the same security hole as described in last week's post about keeping "admin" as the admin username: half of the login is handed out on a public page.
For the same reasons given above, hide it by changing the user_nicename entry for the account in your database, as described here. WordPress builds author URLs from the nicename (the author "slug") rather than the login name, and requests of the form ?author=1 redirect to that same slug, so once it is changed the archive stops leaking the login. Pick a slug that differs from the login and is not already used by another account, since nicenames must be unique.
Disable file editing via the dashboard
In a default WordPress installation you can go to Appearance > Editor and edit any of your theme files from the dashboard (Plugins > Editor does the same for plugin files). If an attacker has cracked your WordPress login, that editor lets them write PHP into those files and so run whatever code they like on your server.
To disable file editing through the dashboard, add the following line to your wp-config.php file, above the line that reads "That's all, stop editing!":
define( 'DISALLOW_FILE_EDIT', true );
Setting DISALLOW_FILE_MODS to true instead goes further and also blocks installing and updating plugins and themes from the dashboard; only use that where you update the site by other means.
Use a Security Plugin
As well as the measures above, there are many plugins you can use to strengthen your site's security and reduce the chance of being hacked. Pick one or two rather than stacking several: each plugin is extra code that must itself be kept up to date.
Here are a handful of popular options:
- http://wordpress.org/plugins/better-wp-security/ – offers a wide range of security features.
- http://wordpress.org/plugins/bulletproof-security/ – protects your site via .htaccess.
- http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ – adds a firewall to your site.
- http://wordpress.org/plugins/sucuri-scanner/ – scans your site for malware etc.
- http://wordpress.org/plugins/wordfence/ – full-featured security plugin.
- http://wordpress.org/plugins/websitedefender-wordpress-security/ – comprehensive security tool.
- http://wordpress.org/plugins/exploit-scanner/ – searches your database for any suspicious code.
Change the wp_ Table Prefix
By default, every table in the WordPress database begins with wp_. Like the other defaults already mentioned, leaving it as is makes life easier for attackers, since the table names are the same across most WordPress installs and automated SQL injection tools assume them.
Changing the prefix to something unique to you stops those canned payloads from working as-is. It is a speed bump rather than a fix: an injection flaw still lets an attacker list the table names, so the flaw itself must still be patched.
The prefix can be changed after installation, either with a plugin or by hand, and this support thread walks through the manual steps:
https://wordpress.org/support/topic/secure-wordpress-change-table-prefix-after-installation
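Both database changes above, the nicename change and the prefix change, are one-off SQL edits, and the risky part of the second is forgetting the rows that carry the prefix inside their keys. The script below, added here as an example and not taken from the original post or from WordPress, generates the statements for both from the command line. The table list and the prefixes are its own assumptions, it only prints SQL, and after running the output you still have to set $table_prefix in wp-config.php to the new value.

```shell
#!/bin/sh
# Generates the SQL for the two database changes described above: giving a
# user a new author slug (user_nicename) and moving every table off the
# default wp_ prefix. The script only prints statements; take a backup, read
# them, then pipe them into the mysql client. Example code, not from the
# original post or the WordPress project.

# Double single quotes so a value is safe inside a '...' SQL literal.
sql_escape() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# WordPress allows only letters, digits and underscores in a prefix, which
# also keeps it safe to splice into the identifiers below.
valid_prefix() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) echo "invalid table prefix: $1" >&2; return 1 ;;
    esac
}

# Statement that changes the author archive slug for one login.
# $1 = table prefix, $2 = user_login, $3 = new slug (must be unique).
nicename_sql() {
    prefix=$1
    login=$2
    slug=$3
    valid_prefix "$prefix" || return 1
    # Slugs are lowercase with hyphens; anything else is rejected here rather
    # than ending up in the statement.
    case $slug in
        ''|*[!a-z0-9-]*) echo "slug must be lowercase letters, digits and hyphens" >&2; return 1 ;;
    esac
    printf "UPDATE \`%susers\` SET user_nicename = '%s' WHERE user_login = '%s';\n" \
        "$prefix" "$slug" "$(sql_escape "$login")"
}

# Tables of a single-site install (constructed list; a real site also has
# plugin tables, so get the full list with: SHOW TABLES LIKE 'wp\_%').
CORE_TABLES="commentmeta comments links options postmeta posts termmeta terms term_relationships term_taxonomy usermeta users"

# Statements that rename every table from prefix $1 to prefix $2, then rewrite
# the rows that carry the prefix in their keys. Remaining arguments are the
# table names without prefix.
prefix_change_sql() {
    old=$1
    new=$2
    shift 2
    valid_prefix "$old" || return 1
    valid_prefix "$new" || return 1
    old_like=$(printf '%s' "$old" | sed 's/_/\\_/g')   # _ is a wildcard in LIKE
    for t in "$@"; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # Without these two updates every user loses their role after the rename:
    # role definitions live in the option <prefix>user_roles and each user's
    # capabilities in the usermeta keys <prefix>capabilities and
    # <prefix>user_level. Only the leading prefix is replaced.
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
        "$new" "$new" $((${#old} + 1)) "$old_like"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" $((${#old} + 1)) "$old_like"
}

# Usage: sh wp-db-hardening.sh OLD_PREFIX NEW_PREFIX LOGIN NEW_SLUG | mysql ...
if [ "$#" -eq 4 ]; then
    nicename_sql "$1" "$3" "$4"
    prefix_change_sql "$1" "$2" $CORE_TABLES   # unquoted on purpose: one argument per table
fi
```

The LIKE pattern escapes the underscore because `_` is a single-character wildcard in SQL; without the escape, a prefix such as wp_ would also match keys beginning with "wpx". After the statements have run, check the result the same way an attacker would: request ?author=1 on the site and confirm the Location header now carries the new slug.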
Check Your File Permissions
If you're hosting your site on a Linux or Unix server (all of our servers are Linux), every file and directory has separate permissions for its owner, its group, and everyone else, and each can be granted read, write and execute access. If the permissions on important files and directories are too open, other accounts on the same server, or any compromised process on it, can read or modify them; wp-config.php in particular holds your database password.
The WordPress Codex has a great guide that explains file permissions in depth; as a rule of thumb it recommends 755 for directories, 644 for files, and 440 or 400 for wp-config.php.
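The permission targets above, together with the DISALLOW_FILE_EDIT setting and the table prefix from earlier sections, are easy to check from a shell. The script below is an added example (not from the original post or from the WordPress project) that audits a site root and can apply the Codex modes. The sample site it builds is constructed data, the file names are the standard WordPress ones, and the 400 mode for wp-config.php is the Codex figure, with 440 available through the WPCONFIG_MODE variable.

```shell
#!/bin/sh
# Audits a WordPress root for loose permissions and for the two wp-config.php
# settings from this post (DISALLOW_FILE_EDIT and the wp_ prefix), and can
# apply the permission targets the Codex recommends: 755 for directories,
# 644 for files, owner-only for wp-config.php. Example code, not from the
# original post or the WordPress project.

# 400 is the Codex figure; export WPCONFIG_MODE=440 when PHP runs under a
# group (rather than the owner) that has to read the file.
WPCONFIG_MODE=${WPCONFIG_MODE:-400}

# Everything under $1 that any account on the server may write to.
find_world_writable() {
    find "$1" -perm -002 ! -type l
}

# Apply the target modes under $1. Run it as the owner of the files.
fix_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod "$WPCONFIG_MODE" "$root/wp-config.php"
    fi
}

# True when wp-config.php ($1) has a live (not commented-out) line
# define( 'DISALLOW_FILE_EDIT', true );
file_edit_disabled() {
    grep -Eq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Insert the define just above the "stop editing" marker in $1 if it is missing.
disable_file_edit() {
    cfg=$1
    if file_edit_disabled "$cfg"; then return 0; fi
    awk -v line="define( 'DISALLOW_FILE_EDIT', true );" \
        '/stop editing/ && !done { print line; done = 1 } { print }' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
    if ! file_edit_disabled "$cfg"; then
        echo "no 'stop editing' marker in $cfg; add the define by hand" >&2
        return 1
    fi
}

# The configured $table_prefix from wp-config.php ($1).
table_prefix() {
    awk -F"['\"]" '/^[[:space:]]*\$table_prefix[[:space:]]*=/ { print $2; exit }' "$1"
}

# Print findings for site root $1; returns 1 when something needs attention.
audit_site() {
    root=$1
    cfg=$root/wp-config.php
    status=0
    ww=$(find_world_writable "$root")
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"
        status=1
    fi
    if ! file_edit_disabled "$cfg"; then
        echo "DISALLOW_FILE_EDIT is not set in $cfg"
        status=1
    fi
    if [ "$(table_prefix "$cfg")" = "wp_" ]; then
        echo "table prefix is still the default wp_"
        status=1
    fi
    return $status
}

# Throwaway site tree with deliberately weak settings (constructed sample
# data for trying the functions above); prints its path.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads" "$dir/wp-admin"
    echo '<?php echo "hello";' > "$dir/index.php"
    cat > "$dir/wp-config.php" <<'EOF'
<?php
$table_prefix = 'wp_';
// define( 'DISALLOW_FILE_EDIT', true );   commented out, so not in effect
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
    chmod 755 "$dir" "$dir/wp-content" "$dir/wp-admin"
    chmod 644 "$dir/index.php"
    chmod 777 "$dir/wp-content/uploads"   # anyone can drop a script here
    chmod 666 "$dir/wp-config.php"        # anyone can read the DB password
    echo "$dir"
}

# Usage: sh wp-audit.sh /path/to/wordpress   (report only; run
# disable_file_edit and fix_permissions yourself after reading it)
if [ "$#" -eq 1 ]; then
    audit_site "$1"
fi
```

The audit deliberately ignores a commented-out define, which is the usual way the setting ends up "present" in a config yet not in effect. fix_permissions rewrites the whole tree, so on a site where a plugin legitimately needs a writable directory (an uploads cache, for example) check the report first and make that directory writable for the web server's user or group rather than for everyone.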
Limit Access to Important Pages
Your admin dashboard and login page are among the most important pages on the site, since they grant access to everything else. Limiting who can reach them by IP address means that only you and your users, connecting from addresses you have approved, can even attempt to log in, which keeps everyone a little safer. Choose the addresses carefully: if yours changes (a home connection, a mobile network, or a site behind a CDN or proxy that hides the real client address), you lock yourself out along with the attackers, so keep another way in, such as SFTP, to undo the rule.
Click here to learn how you can limit access to a specific IP address.
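As an added example (not from the original post), the script below writes the Apache 2.4 rules for that restriction and refuses any address that is not a valid IPv4 address or CIDR range, since a mistyped line takes the whole site down with a 500. The file names and the admin-ajax.php exception follow the standard WordPress layout; the addresses in the usage line are documentation ranges, not real ones; and the rules assume your host allows .htaccess overrides (AllowOverride AuthConfig or All).

```shell
#!/bin/sh
# Emits Apache 2.4 rules that restrict wp-login.php and the wp-admin/ directory
# to a list of IPv4 addresses or CIDR ranges, after validating each one.
# Example code, not from the original post; the rule syntax is Apache's own
# (mod_authz_core), and .htaccess needs AllowOverride AuthConfig (or All).

# Accept only a dotted quad with an optional /0-32 prefix and octets of at most
# 255. A malformed line makes Apache answer 500 for the whole site, and a
# half-typed rule can admit everyone, so reject anything else.
valid_ipv4_net() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    ip=${1%%/*}
    for octet in $(printf '%s' "$ip" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Fail on the first bad argument so no rule is written with a typo in it.
check_nets() {
    for n in "$@"; do
        valid_ipv4_net "$n" || { echo "rejected address: $n" >&2; return 1; }
    done
}

# Fragment for the site root's .htaccess: only the listed networks may reach
# wp-login.php; the rest of the site is untouched.
login_rules() {
    check_nets "$@" || return 1
    printf '<Files wp-login.php>\n    Require ip %s\n</Files>\n' "$*"
}

# Fragment for wp-admin/.htaccess: same restriction on the dashboard, except
# admin-ajax.php, which themes and plugins call from the public front end; a
# <Files> section is merged after the directory-level Require, so it wins.
admin_rules() {
    check_nets "$@" || return 1
    printf 'Require ip %s\n<Files admin-ajax.php>\n    Require all granted\n</Files>\n' "$*"
}

# Usage: sh wp-ip-rules.sh 203.0.113.10 198.51.100.0/24
if [ "$#" -ge 1 ]; then
    echo '# ---- append to .htaccess in the site root ----'
    login_rules "$@"
    echo '# ---- put in wp-admin/.htaccess ----'
    admin_rules "$@"
fi
```

Apache treats several addresses on one Require ip line, or several Require lines at the same level, as alternatives, so each listed network is allowed. If the site sits behind a proxy or CDN, Apache sees the proxy's address unless mod_remoteip is configured, and these rules would then block everyone or no one; test from an address that is not on the list before relying on them.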
Tags: account security, advanced hosting