Anyone who’s had a website for a while knows that you will ultimately end up having someone try to hack your site or do something malicious. Over the past months, we have been asked more than usual to consult companies on improving their WordPress security or fixing sites that have been hacked.
Luckily, protecting your site doesn’t have to be rocket science and involve a lot of technical know-how. With just a few simple steps your site’s security can be dramatically increased.
Plugin Recommendation: Better WP Security
Before getting into the details of what I am going to recommend, I want to throw a WordPress plugin recommendation out there. We have had great success using Better WP Security to help secure WordPress. What is nice about this plugin is that it quickly applies a lot of the tweaks one wants to make anyway.
The downside of course is that it is a plugin that needs to be loaded. While this has a slight effect on the load times, it shouldn’t be enough to worry about.
Hiding Login Error Messages
By hiding the login error messages that WordPress automatically displays after a failed login attempt to the backend, you can at least make things a bit harder for the hacker. By default the message reveals exactly whether it was the username or the password that didn’t work. Hiding the message completely makes it just a little bit harder for whoever is trying to misbehave.
Remove Unnecessary “Guiding” Information
Why should we be displaying which version of WordPress is running on our site to the general public? You are not putting that info on the visible part of the site, so why have it in the code? While hiding all unnecessary meta generator tags and other header information bits won’t automatically turn your site into Fort Knox, you won’t be handing the hacker helpful information either.
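The two tweaks above (hiding login error details and removing the generator information) can both be done with a few WordPress hooks. The must-use plugin below is an added example, not code from this post or from Better WP Security; the generic error wording and the function name `example_strip_core_version` are my own choices. Drop the file into `wp-content/mu-plugins/` and it loads on every request without activation.

```php
<?php
/**
 * Plugin Name: Hide login error details and generator info (added example)
 *
 * Save as wp-content/mu-plugins/hide-guiding-info.php. Must-use plugins
 * are loaded automatically, so there is nothing to activate.
 */

// --- Hiding Login Error Messages ---
// WordPress tells the visitor whether the username or the password was wrong.
// The 'login_errors' filter lets us replace that with one generic message.
// (Returning '' would leave an empty red box on the login form, so a short
// neutral sentence is used instead; the wording is a placeholder.)
add_filter( 'login_errors', function ( $error ) {
	return 'Login failed. Please check your details and try again.';
} );

// --- Remove Unnecessary "Guiding" Information ---
// 1. Drop <meta name="generator" content="WordPress x.y"> from the <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. WordPress also writes a <generator> element into RSS/Atom feeds.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Enqueued core scripts and styles carry ?ver=<WordPress version>.
//    Strip the query string only when it equals the core version, so
//    plugin and theme assets keep their own cache-busting versions.
function example_strip_core_version( $src ) {
	global $wp_version;
	if ( false !== strpos( $src, 'ver=' . $wp_version ) ) {
		$src = remove_query_arg( 'ver', $src );
	}
	return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version' );
add_filter( 'style_loader_src', 'example_strip_core_version' );
```

To check the result, fetch the front page and the feed and look for the word "generator": `curl -s https://your-site.example/ | grep -i generator` should print nothing once the file is in place, and a deliberately wrong password on `/wp-login.php` should show only the generic message.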
Keep Your Site Up To Date
I can hear you say, “This one’s a given, why are you even including it?”. You would be surprised at how many people have never thought about the fact that WordPress as a platform needs to be updated and maintained. Even after you tell them how important it is, it just never happens. So please, do me a favor here and keep your site up to date. That means core, plugins and themes alike.
Remove the Default Admin Account
Would you voluntarily select the same username as everyone else? Not changing the main admin user’s username in WordPress is the equivalent. Please make sure that your username isn’t simply “admin”. It is going to be the very first thing that a hacker tries, and if your password isn’t secure, they are in!
Furthermore, also change the user ID of the first user so that it isn’t 1. This is another way to gain access, primarily via code, by trying to act on the site as user 1. If that user doesn’t exist: Bravo you!
Changing The Table Prefix in the Database
By default, when you install WordPress it prefixes all database tables with wp_, so that several installations can share one database without table-name conflicts. Guess what: this is public knowledge. Anyone who wanted to harm your site could easily run a script that targets the standard table names. But if your tables are named differently, that script will not work.
This is a very quick fix with something such as Better WP Security, and it protects your site so much that it is foolish not to do it. Just remember to make a database backup before you go ahead.
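For readers who would rather see what the plugin is doing behind the scenes, here is an added example (not from this post and not Better WP Security's own code) of the prefix change as a stand-alone PHP command-line script. The database credentials and the new prefix `xk9q_` are placeholders. It renames every table and then fixes the two places WordPress stores the prefix inside the data itself: the `wp_user_roles` option and the `wp_capabilities` / `wp_user_level` style keys in usermeta. Forgetting those is the classic mistake that locks every user out of the dashboard after the rename.

```php
<?php
// change-prefix.php (added example). Take a full database backup first, run
// with `php change-prefix.php`, then set $table_prefix in wp-config.php to the
// new value. Credentials and the new prefix below are placeholders.
$dsn       = 'mysql:host=localhost;dbname=wordpress;charset=utf8mb4';
$dbUser    = 'DB_USER_PLACEHOLDER';
$dbPass    = 'DB_PASSWORD_PLACEHOLDER';
$oldPrefix = 'wp_';
$newPrefix = 'xk9q_';   // constructed example; choose your own

// Table names cannot be bound as query parameters, so only accept safe
// characters and require the trailing underscore WordPress expects.
foreach ( array( $oldPrefix, $newPrefix ) as $p ) {
	if ( ! preg_match( '/^[A-Za-z0-9_]+_$/', $p ) ) {
		fwrite( STDERR, "Prefix '$p' must be alphanumeric/underscore and end with '_'\n" );
		exit( 1 );
	}
}

$pdo = new PDO( $dsn, $dbUser, $dbPass, array( PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION ) );

// 1. Collect every table that starts with the old prefix. The underscore is
//    escaped because '_' is a single-character wildcard in LIKE.
$like = str_replace( '_', '\_', $oldPrefix ) . '%';
$stmt = $pdo->prepare( 'SHOW TABLES LIKE ?' );
$stmt->execute( array( $like ) );
$tables = $stmt->fetchAll( PDO::FETCH_COLUMN );
if ( ! $tables ) {
	fwrite( STDERR, "No tables found with prefix '$oldPrefix'\n" );
	exit( 1 );
}

// 2. Rename them. RENAME TABLE is DDL, so each statement commits on its own;
//    this is why the backup matters.
foreach ( $tables as $table ) {
	if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $table ) ) {
		continue; // skip anything with characters we did not expect
	}
	$newName = $newPrefix . substr( $table, strlen( $oldPrefix ) );
	$pdo->exec( "RENAME TABLE `$table` TO `$newName`" );
	echo "$table -> $newName\n";
}

// 3. WordPress looks up '{prefix}user_roles' in options and
//    '{prefix}capabilities', '{prefix}user_level', ... in usermeta.
$opt = $pdo->prepare( "UPDATE `{$newPrefix}options` SET option_name = ? WHERE option_name = ?" );
$opt->execute( array( $newPrefix . 'user_roles', $oldPrefix . 'user_roles' ) );

$meta = $pdo->prepare(
	"UPDATE `{$newPrefix}usermeta` SET meta_key = CONCAT(?, SUBSTRING(meta_key, ?)) WHERE meta_key LIKE ?"
);
$meta->execute( array( $newPrefix, strlen( $oldPrefix ) + 1, $like ) );

echo "Done. Now set \$table_prefix = '$newPrefix'; in wp-config.php\n";
```

The options table is updated by exact name rather than by `LIKE 'wp\_%'` on purpose: WordPress has options whose names merely begin with `wp_` without depending on the prefix, and a blanket rename would break them. After editing wp-config.php, log in once as an administrator to confirm roles survived before doing anything else.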
Ban Troublesome IP Addresses from the Start
Most people never think about this step. There are many online databases (Better WP Security comes with one) of IP addresses known to be malicious. Why not block these right away instead of letting them access your site? Chances are they are never going to be legitimate visitors, so this will do you much good.
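As an added example (not from this post or from Better WP Security), here is a small must-use plugin that rejects requests from a list of IPv4 ranges before WordPress does any further work. The two ranges in `example_blocked_cidrs()` are constructed from the reserved documentation blocks and are not a real blocklist; the function names are my own. It matches on CIDR notation so one entry can cover a whole network, and it deliberately reads `REMOTE_ADDR` rather than `X-Forwarded-For`, because forwarded headers are supplied by the client and mean nothing unless a proxy you control sets them.

```php
<?php
/**
 * Plugin Name: Early IP blocklist (added example)
 *
 * Save as wp-content/mu-plugins/ip-blocklist.php. Assumes 64-bit PHP so
 * that ip2long() values and the 32-bit mask fit in an integer.
 */

// Constructed sample list (RFC 5737 documentation ranges). Replace with the
// ranges from your own source; a /32 is a single address.
function example_blocked_cidrs() {
	return array( '203.0.113.0/24', '198.51.100.42/32' );
}

// True when the dotted-quad $ip lies inside $cidr ("a.b.c.d/n" or "a.b.c.d").
function example_ip_in_cidr( $ip, $cidr ) {
	$parts   = array_pad( explode( '/', $cidr, 2 ), 2, 32 );
	$ipLong  = ip2long( $ip );
	$netLong = ip2long( $parts[0] );
	$bits    = (int) $parts[1];
	if ( false === $ipLong || false === $netLong || $bits < 0 || $bits > 32 ) {
		return false; // malformed input never matches, so it never blocks
	}
	$mask = ( 0 === $bits ) ? 0 : ( ( ~0 << ( 32 - $bits ) ) & 0xFFFFFFFF );
	return ( $ipLong & $mask ) === ( $netLong & $mask );
}

// Returns the matching range, or false when the address is not listed.
function example_blocked_by( $ip, array $cidrs ) {
	foreach ( $cidrs as $cidr ) {
		if ( example_ip_in_cidr( $ip, $cidr ) ) {
			return $cidr;
		}
	}
	return false;
}

// Use REMOTE_ADDR: it is set by the web server from the actual connection.
// Only trust X-Forwarded-For if a reverse proxy you control rewrites it.
$remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
$hit    = ( '' !== $remote ) ? example_blocked_by( $remote, example_blocked_cidrs() ) : false;
if ( false !== $hit ) {
	$uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
	// Leave a trace in the PHP error log so blocked traffic can be reviewed.
	error_log( sprintf( 'ip-blocklist: refused %s (matched %s) for %s', $remote, $hit, $uri ) );
	http_response_code( 403 );
	exit( 'Forbidden' );
}
```

This is fine for a short list, but by the time a must-use plugin runs, PHP and WordPress have already been started for the request. For a large blocklist the same ranges are better placed in the web server or a host firewall, where the connection is refused before any PHP executes.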