Basic steps to secure your WordPress Blog
WordPress is one of the most popular pieces of blog and CMS software in the world. As a result, it is unfortunately one of the most targeted scripts online for exploitation. However, there are a number of things you can do to secure it. You can move the wp-config.php file to the directory above your WordPress install. For a site installed in the root of your webspace, this means wp-config.php can be stored outside the web-root folder, where the web server will never serve it. Note that WordPress only looks for wp-config.php ONE directory level above the installation, not any higher.
When you install WordPress, do not call the main account admin. If you are installing fresh you can pick a different admin account login if you are installing via Fantastico, or create a new admin-level account and delete the account called admin.
Another good way to protect your site, especially from SQL injections, is to change the database prefix. If you use the default wp_, any SQL injection that assumes the default table names will find it easy to succeed. It is a good idea to pick a random prefix on a new installation. Alternatively, if you have already installed WordPress and want to change it, you can still update the prefix by editing the wp-config.php file and running a number of SQL commands in phpMyAdmin.
The first thing to do is to make a backup of your database and of your wp-config.php file.
Once you have done this, change the prefix line in the wp-config.php file from
$table_prefix = 'wp_';
to something like
$table_prefix = 'randomtxt1_';
Go to phpMyAdmin in your hosting space and choose your WordPress database. Click on the SQL menu item and enter the commands to rename all your tables. Do it one table at a time.
RENAME table wp_commentmeta to randomtxt1_commentmeta;
RENAME table wp_comments to randomtxt1_comments;
RENAME table wp_links to randomtxt1_links;
RENAME table wp_options to randomtxt1_options;
RENAME table wp_postmeta to randomtxt1_postmeta;
RENAME table wp_posts to randomtxt1_posts;
RENAME table wp_terms to randomtxt1_terms;
RENAME table wp_term_relationships to randomtxt1_term_relationships;
RENAME table wp_term_taxonomy to randomtxt1_term_taxonomy;
RENAME table wp_usermeta to randomtxt1_usermeta;
RENAME table wp_users to randomtxt1_users;
UPDATE `randomtxt1_usermeta` SET `meta_key` = REPLACE( `meta_key` , 'wp_', 'randomtxt1_' );
UPDATE `randomtxt1_options` SET `option_name` = 'randomtxt1_user_roles' WHERE `option_name` = 'wp_user_roles' AND `blog_id` = 0;
Replace randomtxt1 with your own random set of characters; otherwise, if everyone used randomtxt1 as a prefix, the change would be a waste. 🙂
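As an added example (not code from the original post, and not WordPress's own tooling), the following Python script generates the wp-config.php line and the SQL statements above for any prefix, so nothing has to be typed by hand and the new prefix is validated before any statement is produced. The table list is the default single-site set renamed above; the helper names (random_prefix, validate_prefix, rename_statements, config_line) are this example's own. It differs from the hand-written version in one deliberate way: the usermeta update is anchored to the start of meta_key rather than using an unanchored REPLACE(), so a key that merely contains "wp_" somewhere in the middle is left alone.

```python
# Added example, not code from the original post or from WordPress itself:
# generate the SQL for a table-prefix change instead of typing it by hand.
# The table list is the default WordPress set the post renames; the helper
# names (random_prefix, rename_statements, ...) are this example's own.
import re
import secrets
import string

# Default single-site WordPress tables, the same set the post renames.
DEFAULT_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
]

# WordPress only accepts lowercase letters, digits and underscores in $table_prefix.
PREFIX_RE = re.compile(r"^[a-z0-9_]+$")


def random_prefix(length=8):
    """Return a random prefix such as 'k3z9qv1a_' drawn from a CSPRNG.

    The first character is a letter, followed by length-1 alphanumerics
    and a trailing underscore, so len(result) == length + 1.
    """
    alphabet = string.ascii_lowercase + string.digits
    body = "".join(secrets.choice(alphabet) for _ in range(length - 1))
    return secrets.choice(string.ascii_lowercase) + body + "_"


def validate_prefix(prefix):
    """Accept only prefixes WordPress will load, that end in '_' and are not the default."""
    return bool(PREFIX_RE.match(prefix)) and prefix.endswith("_") and prefix != "wp_"


def sql_literal(value):
    """Quote a string for use as a MySQL literal (single quotes doubled)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def config_line(prefix):
    """The wp-config.php assignment that must match the renamed tables."""
    return f"$table_prefix = '{prefix}';"


def rename_statements(old, new, tables=DEFAULT_TABLES):
    """Build the RENAME and UPDATE statements for changing old -> new.

    The usermeta UPDATE is anchored to the start of meta_key with LEFT(),
    so a key that merely contains the old prefix (e.g. 'my_wp_setting')
    is left untouched; an unanchored REPLACE() would rewrite it too.
    The options UPDATE renames only '<old>user_roles', because WordPress
    also stores unrelated options whose names happen to begin with 'wp_'.
    """
    if not validate_prefix(new):
        raise ValueError(f"invalid prefix: {new!r}")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    stmts.append(
        f"UPDATE `{new}usermeta` SET `meta_key` = CONCAT({sql_literal(new)}, "
        f"SUBSTRING(`meta_key`, {len(old) + 1})) "
        f"WHERE LEFT(`meta_key`, {len(old)}) = {sql_literal(old)};"
    )
    stmts.append(
        f"UPDATE `{new}options` SET `option_name` = {sql_literal(new + 'user_roles')} "
        f"WHERE `option_name` = {sql_literal(old + 'user_roles')};"
    )
    return stmts


if __name__ == "__main__":
    new_prefix = random_prefix()
    print("-- put this in wp-config.php:")
    print("-- " + config_line(new_prefix))
    print("-- then run these in phpMyAdmin, after taking a backup:")
    for stmt in rename_statements("wp_", new_prefix):
        print(stmt)
```

Run it once, paste the printed $table_prefix line into wp-config.php and the statements into the phpMyAdmin SQL tab, in order. If you have plugins that created their own tables with the old prefix, add those table names to the list before running it, since the default list only covers core.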
The next thing you can do to secure your WordPress site is to use a couple of security-based plugins on your installation. The first one to install would be a captcha plugin such as SI CAPTCHA Anti-Spam. This instantly makes it difficult for spambots to post to your site automatically, and slows down or stops such attacks. There are a number of other security plugins for you to pick from in order to secure your site.
The first plugin you could use, which claims to stop all XSS and SQL injections as well as applying a number of other hardening techniques, is Bulletproof Security. Another plugin is Ultimate Security Check, which scans your site and gives you a score of how secure it is. It also provides a link to their "pro" version which you can use to help secure your site. From what I can see it doesn't cost anything to use the Pro version. If you want basic hardening that also makes it difficult to identify the version of WordPress you are using, use the plugin called Secure WordPress. It appears to be one of the most popular plugins of this type, though it is missing some of the features of Bulletproof, so it may be worth running more than one of these plugins.
The most important thing to do, regardless of anything else I have described, is to keep WordPress, plugins and themes up to date. If you are not using a plugin, deactivate it and delete it completely from your hosting space, so that an exploit found in an inactive plugin cannot be used against you. Since 2.7, WordPress has had the ability to update itself and its plugins to the latest versions built in, so there is no excuse for running an old, insecure version.
All these hints and tips will work on hosting supplied by Fyrewire UK Hosting and Cheap Ass Hosting. Some of the plugins use mod_rewrite functionality, so they require Apache hosting and will not work on Zeus or Windows hosting. Both Fyrewire and Cheap Ass Hosting provide migration packages should you need to move from your current hosting company. The guide and SQL code are provided as an example. We cannot be held responsible for any damage, loss of earnings, or death caused directly or indirectly from using or viewing the instructions or code listed on this page.