WordPress Security - How to Protect Your WordPress Installation From Hackers

There are some simple steps you can take to protect any WordPress installation you set up. But why worry about security?

Here is why:

I have had two WordPress online journals hacked before. This was at a time when I was doing very little internet marketing, and by the time I found time to take care of the situation (months later), these sites had been penalized in search engines. They were not removed; however, their rankings were diminished.

I ended up fixing the problem, but I did not take care of it for several months. For quite a while, I was not even aware of the problem.

And the result? I guess I lost a few hundred pounds in advertising revenue.

A lot of WordPress security is just common sense. Do you use a strong password? Do you use a different password for each website?

For years, I did not. I had three or four passwords that I used frequently. But there are two ways you can always create a good, strong password for every website you log into. (That goes for your WordPress blogs, too, of course).

The weaker approach (but still pretty good) is to start with a common password; add some numbers you are likely to remember, such as the house number of your first address; then add the first few letters, say five, of the site's domain name. For example, starting from the password reindeer230 on a site whose domain name begins with "examp", you get reindeer230examp. This is a pretty strong password. This technique protects against dictionary attacks, where an attacker repeatedly tries to log in to your account using English words, words of other languages, names, etc.

The stronger method, which I personally recommend, is to use one of the password generation and storage plug-ins available for your browser. Many people like RoboForm, but I believe after a free trial period you have to pay for it. I use the free version of LastPass, and I recommend it to anyone using Internet Explorer or Firefox. It generates strong passwords for you; you then use a master password to log in.

Now we come to the specifics of WordPress. When you install WordPress, you need to edit the config-sample.php file and rename it to config.php. There you enter the database details.

There are a couple of different changes you ought to make.

In config-sample.php, there is a section titled "Authentication Unique Keys". There are four definitions in this block. There is a hyperlink in this section of the code. Open this link in your browser, copy the content you get back, and replace the existing keys with the pseudo-random unique keys provided by the website. This makes it harder for attackers to automatically forge a "logged in" cookie for your website.

The next step is to change the table prefix from the default value of "wp_". This is done in the WordPress Database Table Prefix section. It does not matter how you change it; you can use alphanumeric characters, hyphens, and underscores. This should thwart so-called SQL injection attacks, where an attacker tries to get WordPress to execute SQL code that has unwanted effects on your site. This code could add a new user with superuser privileges to your WordPress website.

Note that you should only perform this last step on new installations. If you want to perform it on existing installations, you will also need to change all the table names in the database.

Then, when you install the WordPress Security Scan plugin, it will check most of these settings for you and alert you to anything you may have missed. It will also tell you that there is a user named "admin". This is, of course, the name of your administrative user. If you want, you can follow a link and find instructions on how to change this name. I personally feel that a strong password is sufficient protection, and since following these steps, there have been no successful attacks on the numerous blogs I run.
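A small audit of the two configuration edits described above (keys replaced, prefix changed), in the spirit of what the scan plugin checks for you. This is an added example, not code from the article or from the plugin; the 32-character minimum key length and the two sample configs are constructed for the demonstration.

```python
import re

# PHP define('NAME', 'value') and the $table_prefix assignment in wp-config.php.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

PLACEHOLDER = "put your unique phrase here"  # value shipped in the sample config
MIN_KEY_LEN = 32  # assumed lower bound; the WordPress generator returns 64 chars

def audit_wp_config(source: str) -> list[str]:
    """Return findings for the key and prefix checks; empty means both pass."""
    findings = []
    keys = {name: value for name, value in DEFINE_RE.findall(source)
            if name.endswith(("_KEY", "_SALT"))}
    if not keys:
        findings.append("no authentication keys defined")
    for name, value in keys.items():
        if value.strip().lower() == PLACEHOLDER:
            findings.append(f"{name} still holds the sample placeholder")
        elif len(value) < MIN_KEY_LEN:
            findings.append(f"{name} is shorter than {MIN_KEY_LEN} characters")
    # Keys must also differ from each other; one string reused is one secret.
    if len(set(keys.values())) < len(keys):
        findings.append("two or more keys share the same value")
    match = PREFIX_RE.search(source)
    if match is None:
        findings.append("no $table_prefix assignment found")
    elif match.group(1) == "wp_":
        findings.append("table prefix is still the default wp_")
    return findings

# Constructed sample configs for demonstration (not real credentials).
WEAK_CONFIG = """<?php
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'put your unique phrase here');
define('NONCE_KEY',       'put your unique phrase here');
$table_prefix = 'wp_';
"""
HARDENED_CONFIG = """<?php
define('AUTH_KEY',        'h%7(Vz!qR2@pL9^mX4&cT8*bN3+fW6-gJ1=kD5~sQ0#aU;yE,oI.rA]wM[eH{nZ}');
define('SECURE_AUTH_KEY', 'R2@pL9^mX4&cT8*bN3+fW6-gJ1=kD5~sQ0#aU;yE,oI.rA]wM[eH{nZ}h%7(Vz!q');
define('LOGGED_IN_KEY',   'X4&cT8*bN3+fW6-gJ1=kD5~sQ0#aU;yE,oI.rA]wM[eH{nZ}h%7(Vz!qR2@pL9^m');
define('NONCE_KEY',       'N3+fW6-gJ1=kD5~sQ0#aU;yE,oI.rA]wM[eH{nZ}h%7(Vz!qR2@pL9^mX4&cT8*b');
$table_prefix = 'blog7k_';
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or ["ok"])
```

Run against your own wp-config.php by reading the file into a string and passing it to audit_wp_config; the weak sample yields six findings, the hardened one none.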

Finally, WordPress Security Scan will also warn you that access to the wp-admin/ directory is not restricted. If you want, you can put a .htaccess file in that directory that will allow you to control access to the wp-admin directory by IP address or address range. You can find out how to do this on the Internet.

However, I recommend installing the Login LockDown plugin instead of the .htaccess controls. This will disallow login requests from a specific IP address for one hour after three failed login attempts. If you do that, you can still access your admin panel even if you are not in the office, and you still have good protection against hackers.