This arm keeps me safe. What will your WP keep safe if not you?
Internet security is probably the most important thing in the Internet that we should be aware of.
Recent attacks on Playstation Network or Square Enix’s Deus Ex’s Website are just a small % of all the attacks that happen every day.
As every software even WordPress has it’s own security holes, that we should be aware of. These simple steps are destined to every WP administrator and they don’t require extra programming skills.
1. Use the most recent WP installation
All the time. Forget about incompatible plugins, forget about deprecated functionality. There are thousands of similar plugins and the functionality can always be recovered. Almost every new installation comes with important security fixes and that’s the main reason of having it.
2. Get rid of the admin account.
Use some uniqe name – ‘Spyro’, ‘Snake’, ‘XXX Octopus Killer’, ‘Stinky Winky’, whatever. You can do it either during the installation process or afterwards – simply create a new account with admin privileges and remove the old fellow. Apart from that change the display name – whenever you post it will be displayed instead of the log-in name.
3. Change the default database prefix.
Instead of having the default “wp_” use something unique, as “xoq_”, “strid3r_”, anything different than “wp_”. It’s useful to give some extra layer of protection in case of DB attacks. As the one above it can be done (and SHOULD be done) upon the installation.
4. Remove the meta name=”generator” from your site’s source code.
It basically tells possible hackers which WP installation are you using, giving them hints on possible security holes (useful especially in case you DIDN’T use the most recent installation). The following can be done using simple hook. In functions.php file (which is placed under the /wp-content/themes/your_theme_name/ directory) add the following code
remove_action('wp_head', 'wp_generator'); .
5. Make constant DB and WP backups.
There’s probably no better way of being sure that your WP site is well protected than having several (probaly 3) local copies of your site. In case your site was hacked you’d simply find out the problem -> solve it and then reupload your files over again. Detailed info on how to do it can be found on WP site
6. Remove the failed login info.
It’s quite stupid, but every time there’s a failed login attempt WordPress actually tells the one who tried to login whether the typed in user exists or not… It’s idiotic, but quite simple to get rid.
The most lazy way is to add the following code to the Current Theme’s CSS file:
#login_error {
display: none;
}
Note: Steps 4 and 6 require some coding. In case your Theme would get an update they’d possibly be overwritten by the update itself, hence remember to re-add them over again or simply use a plugin, like amazing
Secure WordPress, which covers a lot more safety issues than I wrote you about.
Final Thoughts
The above is just a basic set up. And all of the WordPress.org users should know that. Personally I think that each and every user should accept that kind of licence before being able to install actual the software 🙂 It doesn’t provide 100% security and it will never do. You should always have several backups of the site. No matter how much safety plugins you’d use and how much knowledge you’d have you will never be able to defend yourself against cheeky bastards all over the World…
For those who are willing to take their WP safety knowledge one step further I advise reading these two articles:
Smashing Magazine’s Securing WordPress Site
Hardening WordPress taken from Codex
Hopefully you’ll never become a victim of hackers – I’m going to backup my blog right now 😉
