Is your website or blog built on the popular open source content management platform called WordPress? There’s a good chance you are running WordPress; in fact, according to Wikipedia, 22% of all active websites on the Internet today run WordPress as their core. This is because of the many tools and pure “awesomeness” WordPress delivers. But there are some downsides to WordPress being the #1 most widely used CMS.
The main downside is security. Because WordPress is so commonly used these days, it has become a target of hackers as of late, and will most likely continue to be for the foreseeable future. Hackers love to exploit over-exposed WordPress sites, and hacks are being reported at alarming, record-breaking rates. So if you run WordPress, then this blog post is for you… to learn how to better protect your site from malicious hackers.
1. Move Your wp-config File
Did you know that you can move your wp-config.php file up one directory and your site will still work perfectly fine? Most web hosting companies support this, and it’s a very important step for security. It makes it harder for a hacker to find or access your wp-config.php file, which is the most important file in WordPress.
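The move described above, as an added example that is not part of the original post. The function name and the document-root path are placeholders. It encodes the one caveat that matters in practice: WordPress only looks for wp-config.php in the document root or exactly one directory above it, and it ignores the parent copy if that parent directory contains a wp-settings.php (i.e. is itself a WordPress install), so the script refuses in that case rather than silently breaking the site. It also tightens the file mode, which goes slightly beyond the text.

```sh
#!/bin/sh
# Added example, not code from the original post. Relocates wp-config.php one
# directory above the WordPress document root and tightens its permissions.
# Usage: move_wp_config /var/www/example.com/htdocs   (path is a placeholder)

move_wp_config() {
    docroot=$1
    parent=$(dirname "$docroot")
    cfg="$docroot/wp-config.php"

    if [ ! -f "$cfg" ]; then
        echo "no wp-config.php in $docroot" >&2
        return 1
    fi
    # WordPress skips ../wp-config.php when ../wp-settings.php exists, so the
    # site would stop loading its config; refuse instead of breaking it.
    if [ -e "$parent/wp-settings.php" ]; then
        echo "parent directory looks like a WordPress install; refusing" >&2
        return 1
    fi
    if [ -e "$parent/wp-config.php" ]; then
        echo "parent already has a wp-config.php; refusing to overwrite" >&2
        return 1
    fi
    mv "$cfg" "$parent/wp-config.php" || return 1
    # Owner and group (the account PHP runs as) can read it; nobody else can.
    chmod 0440 "$parent/wp-config.php"
    # Print the new location so a caller can verify it.
    echo "$parent/wp-config.php"
}
```

Run it once against the document root, then load the site to confirm it still comes up. The benefit is largest when the parent directory is outside the web-served tree, since then a misconfigured server that serves raw .php files cannot hand the file out.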
2. Remove WordPress Version Number from the Public
Do a simple Google search for “remove wordpress version number” and you’ll come across several dozen tutorials on how to do this. It’s very simple to do and involves editing your theme’s functions.php file. This way hackers can’t tell which version of WordPress your site is currently running.
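One way to apply this, as an added example that is not from the original post: instead of editing the theme’s functions.php (which a theme update or theme switch can undo), the function below drops a small must-use plugin into wp-content/mu-plugins/ that removes the generator tag. The two WordPress calls inside it, remove_action('wp_head', 'wp_generator') and the the_generator filter, are the standard core hooks for this; the function name and path are placeholders.

```sh
#!/bin/sh
# Added example, not code from the original post. Installs a must-use plugin
# that hides the WordPress version from the <head> generator tag and feeds.
# Usage: install_hide_version_plugin /var/www/example.com/htdocs  (placeholder)

install_hide_version_plugin() {
    docroot=$1
    dir="$docroot/wp-content/mu-plugins"
    file="$dir/hide-wp-version.php"

    if [ ! -d "$docroot/wp-content" ]; then
        echo "not a WordPress document root: $docroot" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    # Quoted heredoc: nothing inside is expanded by the shell.
    cat > "$file" <<'EOF'
<?php
/*
Plugin Name: Hide WordPress Version
Description: Removes the generator meta tag and the version from RSS feeds.
*/
// Drop <meta name="generator" content="WordPress x.y.z"> from the page head.
remove_action( 'wp_head', 'wp_generator' );
// Return an empty generator string for feeds and other the_generator callers.
add_filter( 'the_generator', '__return_empty_string' );
EOF
    echo "$file"
}
```

Keep in mind this only removes the advertised banner. The readme.html shipped in the document root and the ?ver= query string WordPress appends to its own scripts and styles still reveal the version, so treat this as reducing noise, not as a substitute for step 6.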
3. Protect WP-Includes Files With .htaccess
Using your site’s .htaccess file you can protect all the core files inside your wp-includes directory. Do a Google search on this one as well to find the instructions. These wp-includes files are usually the first to get hacked.
4. Double-Protect Your WP-Admin Folder With .htaccess
Doing this lets you require a password before the login page is even reached, essentially creating a double login. This will defeat most spammers who try to brute-force your login page.
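The two .htaccess changes from steps 3 and 4, as one added example that is not part of the original post. The wp-includes rules are the well-known set from the WordPress hardening guide; the wp-admin part is plain HTTP Basic auth. Function names and all paths are placeholders, and the htpasswd file must be created separately with htpasswd -c and kept outside the document root. The example goes one step beyond the text in two places: it keeps admin-ajax.php reachable (many themes and plugins call it from the public site, so gating it breaks them), and it puts the same Basic auth gate on wp-login.php, which lives outside wp-admin/ and is the file the brute-force attempts actually hit.

```sh
#!/bin/sh
# Added example, not code from the original post.
#   harden_includes DOCROOT           appends include-blocking rules to DOCROOT/.htaccess
#   harden_admin    DOCROOT HTPASSWD  writes DOCROOT/wp-admin/.htaccess (Basic auth)
#                                     and gates wp-login.php in DOCROOT/.htaccess
# All paths are placeholders.

harden_includes() {
    docroot=$1
    ht="$docroot/.htaccess"
    # Idempotent: do not append the block a second time.
    if grep -qF '# BEGIN wp-includes hardening' "$ht" 2>/dev/null; then
        return 0
    fi
    cat >> "$ht" <<'EOF'
# BEGIN wp-includes hardening
# Keep this outside the "# BEGIN WordPress" block, which WordPress rewrites.
# Note: on Multisite the [^/]+\.php rule also blocks ms-files.php; drop it there.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# END wp-includes hardening
EOF
}

harden_admin() {
    docroot=$1
    htpasswd=$2
    if [ ! -d "$docroot/wp-admin" ]; then
        echo "no wp-admin directory in $docroot" >&2
        return 1
    fi
    # Unquoted heredoc so $htpasswd is substituted.
    cat > "$docroot/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted Area"
AuthUserFile $htpasswd
Require valid-user
# admin-ajax.php serves front-end AJAX for many themes and plugins; keep it open.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>
EOF
    # wp-login.php sits in the document root, not in wp-admin/, so gate it too.
    if ! grep -qF '# BEGIN wp-login hardening' "$docroot/.htaccess" 2>/dev/null; then
        cat >> "$docroot/.htaccess" <<EOF
# BEGIN wp-login hardening
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile $htpasswd
    Require valid-user
</Files>
# END wp-login hardening
EOF
    fi
}
```

Create the credentials file first (for example htpasswd -c /etc/apache2/wp-admin.htpasswd someuser, a placeholder path), then run both functions against the document root and confirm that the public site, the front-end AJAX features, and the dashboard login all still work. The Basic auth username and password should differ from the WordPress ones so a leak of one does not hand over the other.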
5. Delete the “Admin” User
Most hackers know that most WordPress sites still have the default user called “admin.” Delete this user and assign a more unique username as the site’s overall administrator.
6. Keep WordPress Updated
And last but not least… keep your WordPress core and all plugin files updated at all times. Running outdated software is still the major reason for most WordPress hacks.
There are many more things you can do to further “harden” your code, server, and WordPress site. This is really just a quick action list of items to take care of to greatly minimize your risk with WordPress. After following these 6 steps, I highly recommend learning more about WordPress security and finding new ways to improve.
It’s important to note that all the improvements in the world to WordPress cannot save your site if you don’t have a secure web server. LAMP security and Linux server security are beyond the scope of this article. If you’re not a server geek like I am, you’ll want to make sure you purchase a web hosting service that can create a highly protected server environment for you. MediaTemple, Rackspace, and Linode are very popular services that get the job done right.
Solomon Thimothy is a writer for ONEims, a Chicago web development company that can help you create an image that will truly represent your company.