Securing Your WordPress Blog

The following is a guest post about securing your WordPress blog. If you are interested in submitting a guest post, please read my guest post policy and then contact me.

Check out my new guide for tips on starting a blog to learn how to go about properly creating your own blog.

This week’s blogging tips post is something that I’ve been meaning to cover myself for a while now. As several bloggers happened to ask me about this lately, I knew I needed to stop procrastinating.

Luckily for you, one of my good blogger friends volunteered to cover this topic. He’s a lot more knowledgeable than me when it comes to this stuff. So thank you for the awesome post Grayson! I’m sure this will be extremely useful for fellow bloggers.

If you’re new to this series, check out some of the previous blogging tips posts:

Hello everyone, it’s Grayson from Debt Roundup. Jeremy asked me to provide a write-up about how to protect your WordPress blog in order to give you guys a little more security. I hope this guide helps.

I have been using WordPress ever since it came out. I have been blogging for quite some time. There are many things that I love about using WordPress. It is really easy to start a blog and get your thoughts down. WordPress really does make it easy. One of its big problems is that hackers know how to break in. It is unfortunate, but part of the game. So, instead of just hoping that your site doesn’t get hacked, let me show you how to secure your WordPress blog.

Securing from the Start

If you are just thinking about starting a blog and want to use a self-hosted version of WordPress, then first, congratulations! Second, let’s get your site secure from the start. It is much easier to secure your blog when you first install it than to worry about it later.

If you have a hosting provider that uses cPanel, then you can easily set up your WordPress blog with only a few clicks of a mouse. I love the convenience, but this process also only gives your site the basic setup. Here are some simple changes you should make when you are installing your blog.

Change Table Prefix

The table prefix is simply the string that starts the name of every table inside your database. If you don’t know much about databases, then that is OK. Not many people understand how the WordPress database works. There is one thing that you can do when installing WordPress that can really reduce headaches later on: change the table prefix.

WordPress defaults to “wp_” as its table prefix. While this makes sense, it is widely known in the hacking community. One way to make your site more secure is by changing the table prefix. You can do it when you install your WordPress site, as shown below:

Wordpress Table Name

As you can see from this screenshot, the default installation just comes with “wp_” as the table prefix. Many people say it should still start with “wp_”, but you can add on top of it. Here is an example:

Old: wp_
New: wp_xh7583i_

You can just create some random combination of letters and numbers to change your table prefix. When you do this during the install, you don’t have to go back and change anything afterwards. It is super easy and very efficient. With the table names changed, your site will be less likely to be hacked by the simple, automated SQL injection attacks that hard-code the default table names, which is a popular form of WordPress hacking.

Don’t Use “Admin” As Username

When you are setting up your blog, it asks you what you want to use as the administrator username. The default is “admin” and most people don’t change this. BAD Idea!!

If someone wants to try to log into your site, then they will first try “admin” as the username. If you don’t change it, then they already have 50% of your login information. Now, they only have to figure out the password. This is how many sites are hacked. Change it when you are installing WordPress.

Admin Username

It is up to you to create a good username and password. Don’t use “admin” and don’t use “password”. If you do, I am sure you will get hacked one day.

Securing After You Install WordPress

If you already have a WordPress blog but want to add some more security, it can be done. There are a few things that you can do in order to tighten up the security. You can also change your table prefix after you install WordPress, but it is a very different process and much more technical. I don’t recommend it unless you know how to work with databases and phpMyAdmin. If you want to learn how to do it, I am going to break down the process now.

Renaming Table Prefixes

**Important** – Back up your WordPress database before you do any of these steps.

Change the table prefix in wp-config.php

Download the wp-config.php file from your server. Open it in a text editor and then look for a line like this:

Table Prefix

As I indicated before, it will default to “wp_”, so in this file you can change it to something like the prefix shown above.

Change All Database Table Names

Log in to your web host’s cPanel and then go to phpMyAdmin. If you don’t know what you are doing, please don’t mess around in phpMyAdmin. This is your database, and you can cause some real problems. Once you get into phpMyAdmin, it will show all of the tables in your WordPress database. Pick the “SQL” tab, as shown below:

SQL Table Names

On the SQL tab, you will enter a SQL query in order to change all of the table prefixes. Here is some sample code:

SQL Table Renaming

You will probably see more tables in your database than the core ones, and those usually belong to your plugins. So, you will need to get those table names and add them using the same code as above. Put all of your table names into the same format as above and then execute it.

Checking the Options Table

You will need to check the options table to make sure there are no remaining references to the old table prefix “wp_”. Here is a SQL query that will find them for you.

SQL Options Table

This query will return some results and you will have to go one by one and change the wp_ to the new table prefix. This could take some time.

Checking the UserMeta Table

You will need to check the UserMeta table as well for anything that references “wp_”. Here is the SQL query for this:

UserMeta Table

You will also have to go one by one through each result and change “wp_” to the new prefix.

Once you are finished, go to your website and make sure everything works. You can see now that it takes much more effort to change your table prefix after you install WordPress. Either way, changing the table prefix is a great way to keep your site safe from hacking.
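The whole rename procedure above (wp-config.php, the RENAME TABLE statement, and the options and usermeta checks) as SQL you can paste into the phpMyAdmin SQL tab. This is an added example, not the queries from the post’s screenshots; it assumes the old prefix is wp_, the new prefix is wp_xh7583i_ (the value used earlier in the post), and a current backup. It goes one step beyond the post by rewriting the option and meta rows in bulk instead of editing them one by one.

```sql
-- Added example, not the post's own queries.
-- Before running this, wp-config.php must already read:
--   $table_prefix = 'wp_xh7583i_';

-- 1. Rename the WordPress core tables in one atomic statement.
--    (wp_termmeta only exists on WordPress 4.4 and newer; add it if present.)
RENAME TABLE
  wp_commentmeta        TO wp_xh7583i_commentmeta,
  wp_comments           TO wp_xh7583i_comments,
  wp_links              TO wp_xh7583i_links,
  wp_options            TO wp_xh7583i_options,
  wp_postmeta           TO wp_xh7583i_postmeta,
  wp_posts              TO wp_xh7583i_posts,
  wp_terms              TO wp_xh7583i_terms,
  wp_term_relationships TO wp_xh7583i_term_relationships,
  wp_term_taxonomy      TO wp_xh7583i_term_taxonomy,
  wp_usermeta           TO wp_xh7583i_usermeta,
  wp_users              TO wp_xh7583i_users;
-- Add one "old TO new" pair for every plugin table you see in the structure view.

-- 2. Options table: list rows whose option_name still starts with the old
--    prefix (for example wp_user_roles). '\_' matches a literal underscore.
SELECT option_id, option_name
  FROM wp_xh7583i_options
 WHERE option_name LIKE 'wp\_%';

-- Rewrite them: drop the 3-character 'wp_' and prepend the new prefix.
-- The NOT LIKE guard skips rows that already carry the new prefix.
UPDATE wp_xh7583i_options
   SET option_name = CONCAT('wp_xh7583i_', SUBSTRING(option_name, 4))
 WHERE option_name LIKE 'wp\_%'
   AND option_name NOT LIKE 'wp\_xh7583i\_%';

-- 3. UserMeta table: same check and rewrite on meta_key
--    (for example wp_capabilities and wp_user_level).
SELECT umeta_id, user_id, meta_key
  FROM wp_xh7583i_usermeta
 WHERE meta_key LIKE 'wp\_%';

UPDATE wp_xh7583i_usermeta
   SET meta_key = CONCAT('wp_xh7583i_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%'
   AND meta_key NOT LIKE 'wp\_xh7583i\_%';

-- Re-run both SELECTs: each should now return zero rows.
```

If the usermeta rewrite is skipped, every user loses their role (wp_capabilities is no longer found under the new prefix) and you will be locked out of the dashboard, which is why the post tells you to check that table before testing the site.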

Limit Login Attempts

Do you know if people are trying to log in to your site? Have you installed any login-monitoring plugins to see if people are brute forcing their way into your site? No? Well, you should!

Brute force attacks are simple, yet effective. The wp-login.php file is the default login page for WordPress, and hackers know this as well. They can create scripts that will continuously hit your login page and try to force their way into your site. If you don’t limit how many times they can try to log in, then they can keep trying. I have seen some scripts try to log in every 10 seconds. It can do a number on your web hosting server.

Luckily for you, there is a simple plugin that can help. I use it on all of my WordPress sites. Limit Login Attempts is a great plugin that you can install right now. You can choose how many login attempts are allowed and how long a locked-out user has to wait. Here is a screenshot of the settings:

Limit Login Attempts

With this plugin, you can lock out people who repeatedly try to log into your site. You can see from the above screenshot that there are a few options. This plugin has been tested on WordPress 3.6 and it still works just fine. One of the better features is that you can get emails depending on how many lockouts a visitor has triggered. You will be able to see what username they tried to use and how many attempts they made. It gives you a wealth of insight into what is happening on your site.

Lock Down Your Login Page

If you don’t allow people to register on your website, then you should make sure that you uncheck the registration setting in the General settings within WordPress. If this is the case, then one of the best ways to make sure people can’t log in to your site with brute force attacks is to password-protect your wp-login.php file. There are quite a few articles on the web that tell you to password-protect your wp-admin folder, but I strongly discourage this. Many plugins use the wp-admin folder location, and when you password-protect it, those plugins will break.

You may have noticed that when you try to log in to your site by going to domain.com/wp-admin/, you are redirected to wp-login.php. So, you need to lock down your wp-login.php file, and I will show you how.

To start this, you need to create a file called “.wpadmin”, which will need to be uploaded to your home directory. Make sure there is a period before the “wpadmin”. I recommend doing this via FTP, since it is much easier. Now, what do you need to put in this file? Simple.

Go to this htpasswd generator site to create your username and password. This should NOT be the same as your WordPress admin login and password. The site stores your password as a hash rather than in plain text, so if someone found this file, they would not be able to read your password out of it.

Copy the line of text that they give you into your new “.wpadmin” file and save it. You will then upload this file to your web hosting server in the home directory. When I say home directory, I do not mean the public_html location. Anything in the public_html directory is served to the public, but files in the home directory are not reachable through the web server.

Once you upload that file, you will need to update your .htaccess file. You can use your FTP program to download the file to your computer. The .htaccess file is located where you installed WordPress. Now, enter this into your .htaccess file:

Lock Down Your Login Page

Now, make sure that you put your own account name in the “username” part of the AuthUserFile path. You can get this from your web host if you don’t know it. Save your .htaccess file and then re-upload it to your server where your WordPress installation is. Now, when you go to yourdomain.com/wp-admin/ to log in, you will have to enter the username and password that you created on the generator site above. If they are correct, you will be allowed through to log in to your site with your original WordPress admin login information.
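The .htaccess rules for the steps above, as an added example rather than the post’s own screenshot. It assumes a cPanel-style home directory of /home/username (replace “username” with your own account name) and that .wpadmin contains the single line the htpasswd generator gave you.

```apache
# Added example, not the post's own .htaccess. Protects only wp-login.php,
# so plugins that rely on the wp-admin folder keep working.
# /home/username/.wpadmin holds one line of the form
#   loginuser:<hash from the htpasswd generator>
# and lives outside public_html, so the web server never serves it.
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /home/username/.wpadmin
    Require valid-user
</Files>
```

After uploading, request yourdomain.com/wp-login.php in a private browser window: a username/password prompt before the WordPress login form shows the rule is active, while the rest of the site should still load without one.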

I am sure that some of the things in this guide might be over your head, but they are really important to do. How would you feel if you had worked really hard and created a lot of posts on your site and then, all of a sudden, your site got hacked? I have had it happen to me back in the day, and there is nothing fun about it. These security steps can really make your life much easier. If you have any questions or need help with this, let me know in the comments below, or you can hire me to help you out.
