Guide To Securing WordPress 2014
Securing your WordPress blog should be one of your main goals after installation. By following the steps outlined below you can close the gaps that hackers and automated bots exploit most often, and greatly reduce the chance of a compromise. The steps are easy to follow and do not require any more than a general knowledge of working in WordPress. Let's begin.
Change the Database Table Prefix – During installation you are given the opportunity to change the default wp_ prefix used for WordPress's database tables; it is a good idea to do this. Simply choose something like "blogwp_". This does not stop SQL injection by itself, but a non-default prefix breaks automated attack scripts that hard-code table names such as wp_users.
Hide Login Error Messages – Adding the following code to your theme's functions.php file hides the login error messages. By default WordPress tells a visitor whether the username or the password was wrong, which lets an attacker confirm valid usernames before starting to guess passwords.
// Empty the 'login_errors' filter so wp-login.php gives no hint about which part was wrong (create_function(), used by older snippets, is eval()-based and was removed in PHP 8).
add_filter( 'login_errors', '__return_null' );
(How to edit functions.php: download the file through FTP, add the line with any text editor, save, and upload it to overwrite the original. Presto! Note that functions.php belongs to the active theme, so a theme update will discard the change; place it in a child theme or a small plugin if it should survive updates.)
Remove Default Admin Account – If a user named "admin" was created during installation, create a new administrator with a different username, log in as that user, and delete "admin" (WordPress offers to reassign its posts to the new user). Never use "admin" as the username of an administrator account; it is the first name bots and brute-force scripts try.
Remove Unused Themes and Plugins – Remove any default plugins or themes you are not going to use. Inactive plugins and themes are still present on disk, their files can still be requested directly, and they still need patching.
Use A Strong Password – Use a long, randomly generated password for every administrator account. A generator such as https://identitysafe.norton.com/password-generator will do, or better, let a password manager generate and store it; make it strong!
Strength checkers such as http://howsecureismypassword.net show what makes a password weak, but never paste the password you actually intend to use into a third-party site.
Install Essential Security Plugins
Let's install some plugins. The following plugins should be installed with your initial setup of WordPress. They install easily and come with good documentation and instructions.
Optional Security Plugins
These plugins I consider optional. They add further security features, but can be a bit overwhelming for some users.
Secure Wp-Admin SSL
Purchase SSL Certificate – A certificate can be purchased through your hosting provider and installed on the server; see your provider for assistance. Make sure it is issued for the exact hostname your site is served from, otherwise browsers will warn on every admin login.
Add entries to wp-config.php:
To use SSL for your WordPress admin control panel:
1. Open your WordPress installation's wp-config.php file, either with your hosting account's file editor or by downloading it over FTP and opening it in a text editor.
2. Find the following line:
/* That's all, stop editing! Happy blogging. */
3. Directly above it, type these two lines:
So, after you're done editing, your wp-config.php file should look like this:
/* That's all, stop editing! Happy blogging. */
Now when you log in to your admin page, you should see https in your browser’s address bar.
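As an added example (not code from the original post): the wp-config.php setting WordPress provides for this, FORCE_SSL_ADMIN, together with a check you need when TLS is terminated by a proxy or CDN in front of your server, as happens when the site is behind CloudFlare. Whether your proxy sets the X-Forwarded-Proto header is an assumption here; confirm it with your provider.

```php
<?php
// wp-config.php excerpt (added example, not from the original post).
// Place these lines directly above the "That's all, stop editing!" comment.

// When TLS is terminated by a proxy or CDN in front of the web server (for
// example CloudFlare), PHP sees a plain-HTTP request, is_ssl() returns false,
// and FORCE_SSL_ADMIN redirects to https in an endless loop. Trust the proxy's
// X-Forwarded-Proto header so WordPress knows the visitor's connection is HTTPS.
// Only do this when every request really passes through that proxy; otherwise a
// client could set the header itself (this only influences the redirect
// decision, but it is still a trust relationship you did not intend).
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
    $_SERVER['HTTPS'] = 'on';
}

// Force the login page and every /wp-admin/ request onto HTTPS. The admin
// authentication cookie is then set with the secure flag, so the browser never
// sends it over plain HTTP where it could be sniffed.
define( 'FORCE_SSL_ADMIN', true );

/* That's all, stop editing! Happy blogging. */
```

After uploading the file, open http://yoursite/wp-admin/ in a private browser window: it should redirect to the https URL once and then load normally. If the page keeps redirecting, TLS is being terminated in front of your server and the X-Forwarded-Proto block above is missing or the header name differs.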
Upload your site to Cloudflare Account
CloudFlare's own description: it protects and accelerates any website by routing the site's web traffic through its global network, caching and optimizing page delivery so visitors get fast page load times, and blocking threats and abusive bots and crawlers before they waste your bandwidth and server resources. The result is better performance and a decrease in spam and other attacks.
The FREE account is more than enough to get you started and provides adequate performance and protection; CloudFlare advertises up to a 60% improvement in performance as well as added security. Two caveats: CloudFlare only filters traffic that actually passes through it, so an attacker who learns your server's real IP address (from old DNS records, e-mail headers or a subdomain that does not go through CloudFlare) can reach the site directly, so restrict direct access where your host allows it. And because CloudFlare terminates the visitor's connection, your server logs show CloudFlare's addresses; the real visitor address arrives in the CF-Connecting-IP header, which logging and IP-based blocking must be configured to use.
Signup or Compare Plans: https://www.cloudflare.com/plans
Maintenance and Updates
The most common reason blogs are compromised is outdated plugins, themes and core files. Log in to your admin panel on a regular schedule to apply updates and review security alerts. Since WordPress 3.7, minor core (security) releases install themselves in the background; plugins and themes can also update themselves automatically if you allow it.
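Added example, not code from the original post: the filters WordPress core has provided since version 3.7 to turn on automatic background updates for plugins, themes and major core releases. Dropping the file into wp-content/mu-plugins/ is my choice of location (a must-use plugin loads before ordinary plugins and cannot be deactivated from the dashboard); the "some-custom-plugin" slug is a hypothetical placeholder for a plugin you deliberately pin to a tested version.

```php
<?php
/*
 * Plugin Name: Automatic updates (added example, not from the original post)
 * Description: Save as wp-content/mu-plugins/auto-updates.php. Must-use plugins
 *              load before normal plugins and cannot be disabled from the dashboard.
 */

// Minor core (security) releases already auto-update by default since WordPress 3.7.
// Also accept major core releases; the same effect can be had by adding
// define( 'WP_AUTO_UPDATE_CORE', true ); to wp-config.php.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Let every theme update itself.
add_filter( 'auto_update_theme', '__return_true' );

// Let plugins update themselves, except the ones listed in $pinned.
// The filter receives the current decision and the update item; for plugins
// $item->slug is the plugin's directory name in the wordpress.org repository.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // Hypothetical slug: a plugin the site is tested against at a fixed version,
    // which you update by hand after checking the changelog.
    $pinned = array( 'some-custom-plugin' );

    if ( isset( $item->slug ) && in_array( $item->slug, $pinned, true ) ) {
        return false;   // keep this one on its current version
    }
    return true;        // everything else updates in the background
}, 10, 2 );
```

WordPress e-mails the site administrator when a background update succeeds or fails, so keep the admin e-mail address current; a failed update that nobody notices leaves the site exactly as exposed as it was before. Pinning a plugin only makes sense if you also put a reminder in place to update it manually.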
Feel free to comment below and add anything I may have overlooked. Thanks for reading!
Guide to Securing WordPress 2014 – Eric Tompkins