This guest post is by David Wang of The ClickStarter.
Hacktivist groups Lulzsec and Anonymous are on the prowl again. Their actions have generated lots of attention for hacking, and you can be sure that many bored kids and shady characters are interested to start hacking too.
What if your blog was the target of a rookie hacker, honing his skills to make it to the big leagues? All of your hard work building a better blog, growing traffic and readership, and making money with your blog would be jeopardized—or, worse, lost forever.
Thankfully, WordPress is pretty secure out of the box and they provide frequent security updates. Even better are the following super-simple actions that you can take to make WordPress ten times more secure. (Not scientifically verified! Your mileage may vary.)
Move wp-config.php up one level
The wp-config.php file contains all of your WordPress configuration information and settings (including your database credentials). It’s game over if hackers gain access to this file—they would be able to inject malware into your blog pages, or *gulp* delete all of your blog content.
A little-known feature of WordPress is that you can move the wp-config.php file one level above the WordPress root. On most Linux servers, wp-config.php would be located in:
Simply FTP into your server, and then move wp-config.php above the public_html directory so that it is located in:
Now wp-config.php is outside of the public-facing web root, and no longer accessible to scripts and bots that hackers may employ over the Web.
There are no other settings to configure—WordPress will automatically know to look for wp-config.php one level above. Easy, right?
Caveat: This tip will not work if you install your blog in a subdirectory (e.g. public_html/blog) or as an add-on domain in cPanel (e.g.
Time required: 1 minute
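As an added example (not code from the original post), the POSIX shell check below mirrors the lookup rule WordPress applies when loading wp-config.php (the install directory first, then its parent, but only if the parent holds no wp-settings.php) and reports whether the file it finds sits outside the web root. The directory layouts are constructed under a temporary directory and the path names are assumptions; the second case is the subdirectory caveat above.

```shell
#!/bin/sh
# Added example (not code from the original post): report where WordPress will
# load wp-config.php from and whether that location is outside the web root.
# Lookup order mirrors WordPress's wp-load.php: wp-config.php in the install
# directory first; otherwise in the parent directory, but only if the parent
# holds no wp-settings.php (i.e. the parent is not itself a WordPress install).
#
# Usage: wp_config_check <web_root_dir> <wordpress_install_dir>
# Prints: outside-webroot | inside-webroot | not-found
wp_config_check() {
  webroot=$(cd "$1" && pwd -P) || return 1
  wpdir=$(cd "$2" && pwd -P) || return 1
  parent=$(dirname "$wpdir")

  if [ -f "$wpdir/wp-config.php" ]; then
    found_dir=$wpdir
  elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
    found_dir=$parent
  else
    echo "not-found"
    return 0
  fi

  # Only a location outside the web root (and not a subdirectory of it) is
  # unreachable by web requests.
  case "$found_dir/" in
    "$webroot"/*) echo "inside-webroot" ;;
    *)            echo "outside-webroot" ;;
  esac
}

# Constructed demo layouts under a temporary directory (assumed paths, not the
# reader's real server). Case 1: WordPress in public_html, config moved one
# level above it.
demo=$(mktemp -d)
mkdir -p "$demo/site1/public_html"
touch "$demo/site1/public_html/wp-settings.php" "$demo/site1/wp-config.php"
wp_config_check "$demo/site1/public_html" "$demo/site1/public_html"   # outside-webroot

# Case 2 (the subdirectory caveat): WordPress in public_html/blog, so "one
# level above" is public_html, which is still inside the web root.
mkdir -p "$demo/site2/public_html/blog"
touch "$demo/site2/public_html/blog/wp-settings.php" "$demo/site2/public_html/wp-config.php"
wp_config_check "$demo/site2/public_html" "$demo/site2/public_html/blog"   # inside-webroot
rm -rf "$demo"
```

Run it against your own web root and WordPress directory after moving the file; anything other than outside-webroot means the move did not take the file out of reach of web requests.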
Delete the ‘admin’ account
The default Administrator account on WordPress has a username of ‘admin’. Every n00b hacker would know that, so using ‘admin’ as the username is like having a back door to your house that every thief knows about. Do not ever use this as the main account. Choose a different username when installing WordPress.
If you have been using the ‘admin’ username, go into the Dashboard » Users » Add New User screen. Create a new user with the role of Administrator. Now log out, and log back in as the new user.
Go to the Users screen again and delete ‘admin’. You can transfer all of the content created by ‘admin’ to your new user account before confirming deletion.
Time required: 1 minute
Update WordPress, plugins, and themes
WordPress makes it so easy to update itself, plus plugins, and themes, to the latest version. It’s so easy that you (almost) deserve to get hacked if you don’t stay updated. Spending one minute installing updates will save you hours or days of frustration and headaches if you ever do get hacked.
Plugins and themes should also be updated regularly. All plugins and themes from the WordPress directory integrate with the automatic update feature. Many premium plugins and themes also have automatic updates, which is another great reason to invest in a high-quality theme framework for your blog.
Time required: 1 minute
Install WP Security Scan and Secure WordPress
Finally, plugins that deal with security are another great way of reducing the likelihood of your blog getting hacked. Two really good plugins that do this are WP Security Scan and Secure WordPress by WebsiteDefender.
WP Security Scan comes with several tools to help make your blog more secure:
- The Scanner checks the permissions of the WordPress files and highlights any with the wrong permissions. FTP into your server and change the permissions accordingly.
- The Password Tool tells you the strength of your password, and also generates random and super-strong passwords that you can use.
- The Database tool allows you to back up the WordPress database and change the database prefix. Use it to change your database prefix to something like ‘7yhj2_’. This makes it difficult for hackers to guess your database table names when trying to perform SQL injections.
Secure WordPress takes a different approach and helps improve security by removing clues that can help hackers detect vulnerabilities in your system. The plugin’s settings screen is a simple list of checkboxes that do everything from removing login error messages, removing WordPress version numbers and even blocking malicious URL requests. I recommend activating all the checkboxes, unless you have a specific need for one of the features that it blocks.
Time required: 2 minutes
The steps above will drastically improve your blog’s security and prevent it from becoming a target of opportunity for rookie hackers. However, security is an ongoing process, and also involves practicing security as a habit.
Stay vigilant and make it a point to keep up with the latest security news for WordPress, especially if you use it to run your business. You should also learn as much about security as you can. The ProBlogger archives are full of great posts that contain much more information on keeping your blog hacker-, spammer- and spyware-free, and even planning for a blog disaster!
Now, please take five minutes and perform all of the steps above. I wish you good luck and hope your blog stays hacker-free!
David Wang blogs about his journey to generate the majority of his revenue online at The ClickStarter. He is also a WordPress evangelist and recently launched a free online course called Getting Started with WordPress. Follow David on Twitter – @blogjunkie