Simple Steps to Secure Your WordPress Site

Posted on Thursday, December 10th, 2009

Don't Let Your WordPress Site Get Hacked

I have had my WordPress sites hacked in the past, and I have a good friend who was just hacked as well. Most WordPress hacks are pretty harmless, and more annoying than anything. But if you are trying to build your website and gain the trust of your visitors, it probably doesn’t do you any favors to have a malware warning pop up when people try to access your site. Here are a few tips to help you keep your WordPress site safe and secure:

1. Delete the Admin Account

The default WordPress user is named “admin”. Create a new account under a new name, assign the role of administrator to that user, then sign in under the new user and delete the “admin” account. Also, make sure to use a strong password for all of your accounts.

2. Rename the Database Table Prefix

The default database table prefix is “wp_”. Don’t use that. This one is easiest to change when first installing your site. Many WordPress installers give you the option to change this when installing your site. I use SimpleScripts with my Bluehost Hosting account (affiliate) to install WordPress on many of the sites I do. This gives me the option to set the prefix as I am setting up the install. Very easy.

If you already have a blog up and running and want to change the database table prefix, it’s a bit more work. But it can be done. Leave me a comment if you’d like a tutorial on how to do this.

3. Install the “Secure WordPress” Plugin

This plugin is great! It is the first plugin that I install on all of my new sites. It provides a slew of great security options. Don’t question it. Just do it.

4. Keep Plugins and Themes to a Minimum

Plugins can unintentionally (or intentionally) leave security holes in your site. If you don’t NEED the plugin, uninstall it. If you’re not using the theme, uninstall it. Don’t just deactivate them. UNINSTALL!

5. Keep Your WordPress Up To Date

Unless you are running a bunch of old school plugins on your site (which you shouldn’t) there is no good reason why you shouldn’t be running the most current version of WordPress. It is easy to upgrade now. It’s just 1-click and you’re done. Also, you should usually run the newest version of plugins as well. Sometimes a plugin needs to be updated because a security hole has been found in the old version.

Most of these steps (except maybe #2) could be done by any low-tech Average-Joe. Don’t let yourself get hacked. These small steps will help tighten security around your blog.

Know of any other ways to protect a WordPress site? I’d love to hear about it in the comments.
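
An added example (not code from this post or from WordPress): a small Python audit that checks an install against steps 1 and 2, plus the version meta tag a commenter mentions. The function names `table_prefix` and `audit` are hypothetical, the sample config, logins and HTML are constructed, and the list of login names is assumed to be exported separately.

```python
import re

# $table_prefix = 'wp_';  in wp-config.php (either quote style, any spacing)
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""", re.M)
# <meta name="generator" content="WordPress x.y" /> in the rendered page
GENERATOR_RE = re.compile(
    r"""<meta[^>]+name=["']generator["'][^>]+content=["']WordPress\s*([\d.]*)["']""",
    re.I)

def table_prefix(wp_config_text):
    """Return the effective $table_prefix, or None if it is not set."""
    # Commented-out lines do not start with "$", so they never match.
    matches = PREFIX_RE.findall(wp_config_text)
    return matches[-1][1] if matches else None  # last assignment wins in PHP

def audit(wp_config_text, user_logins, homepage_html):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    prefix = table_prefix(wp_config_text)
    if prefix is None:
        findings.append("step 2: $table_prefix not found in wp-config.php")
    elif prefix == "wp_":
        findings.append("step 2: table prefix is still the default 'wp_'")
    if any(login.strip().lower() == "admin" for login in user_logins):
        findings.append("step 1: an account named 'admin' still exists")
    tag = GENERATOR_RE.search(homepage_html)
    if tag:
        version = tag.group(1) or "unknown"
        findings.append(f"generator meta tag reveals WordPress version {version}")
    return findings

# Constructed sample input: an install that skipped every step.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'example_db');
// $table_prefix = 'old_';
$table_prefix  = 'wp_';
"""
SAMPLE_LOGINS = ["admin", "editor1"]
SAMPLE_HTML = '<head><meta name="generator" content="WordPress 2.8.6" /></head>'

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_LOGINS, SAMPLE_HTML):
        print("FINDING:", finding)
```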

10 Responses to “Simple Steps to Secure Your WordPress Site”

  1. Rob McGuire says:

    WordPress likes to include a meta tag indicating which version of WP is installed. I like to take that bad boy out of there when I set up a blog.

  2. […] This post was mentioned on Twitter by Bo Lane, Vin Thomas. Vin Thomas said: Just Blogged — Simple Steps to Secure Your WordPress Site http://bit.ly/6XZHWc […]

  3. c2itllc says:

    Great entry Vin, would be interested in info for changing the database table prefix on an existing install. Thanks for the other good info as well.

    (Side note, your affiliate link to bluehost is broken with double http’s.)

  4. David Jones says:

    Vin,

    Thanks so much for this article. It is great that you have taken the time to share this information with us. Obviously you could make money from us by fixing our sites after we’ve been hacked.

    Extremely unselfish gesture helping us to be proactive in protecting our sites.

    Thanks again!

    David

  5. Vin Thomas says:

    Thanks for the comment David. The way I figure it, the less time I spend working on things like this the more time I can spend doing the things I am really passionate about. Design I love; fixing a hacked site — not so much!

  6. Geoff Pfeil says:

    Thanks for the tips Vin! I’ve acted on steps 1, 3, 4 and 5. Count me in as one who would love a tutorial for step 2. When I set up my blog (using SimpleScripts) I didn’t think to change the wp_.

    • Vin Thomas says:

      Glad to hear it helped.

      The tutorial is in my todo list. It is a little bit of a pain in the tail, but not too bad. Look for a video tutorial in the next couple weeks.

  7. BoLane says:

    Yeah, I’m wanting that tutorial as well. Please.
