WordPress - Security Guide

This article explains how to install the Better WP Security plugin and change the default WordPress admin username. The majority of the steps apply to any WordPress site at any web hosting company. Once your WordPress site is properly secured, it will also be far better able to resist brute force login attacks. The steps in this article assume that you already have a working WordPress installation on your site. If you still need to install WordPress, please check out our WordPress Installation Guide.

 

Step 1: Update WordPress files

 

Log into the WordPress admin section. Then select Dashboard->Updates from the menu on the left side of the screen.

Force the latest update even if you recently installed WordPress: click Update Now, or Re-install Now if the installed version is already current. This makes sure your site definitely has all of the latest WordPress core files. While you are on this screen, also update every plugin and theme that has an update available.

 

Step 2: Install the Better WP Security Plugin

 

Select Plugins->Add New from the menu on the left side of the screen.

Type Better WP Security into the textbox and then click the Search Plugins button. (The plugin has since been renamed iThemes Security, and later Solid Security; if the old name returns nothing, search for the new one. The screens below are the ones it offered under the Better WP Security name, so the wording of some options may differ.)

Click the Install Now link under Better WP Security. When your browser asks you if you are sure you want to install this plugin, click the Ok button.

Click the Activate Plugin link.

 

Step 3: Tweak The Security Settings

 

A new Security tab has been added to the menu on the left side of the screen. Click on the Security tab in the WordPress admin to tweak the security settings.

The first thing the Better WP Security plugin will do is offer to create a database backup. If you don't have a current backup of your WordPress database, click the Create Database Backup button; the backup is written to the server, so download a copy to your own computer as well (see Step 8). If you already have a backup, click the No, thanks. I already have a backup button.

The next thing the Better WP Security plugin will do is offer to automatically do some of the most popular security tweaks. If you want to let it automatically do some of the popular tweaks, click the Secure My Site From Basic Attacks button. If you want to handle each tweak manually, click the No, thanks. I prefer to configure everything myself button. We recommend doing the automatic tweaks followed by some manual tweaking.

At this point, the plugin is limiting failed login attempts and locking out repeat offenders, which makes brute force attacks against the login form far slower and more expensive. It does not make a weak password safe, so the remaining steps still matter. The Better WP Security plugin lists all of the security related things it can tweak. The ones in red are the critical ones and should be handled immediately.

 

Step 4: Change the Admin Username

 

Hackers have tools that run brute force login attacks against the WordPress admin user, because admin has historically been the default username for the main administrator account in WordPress. You definitely need to rename the admin user. You can set it to your first name or a string of random letters. Anything you choose is better than admin, since the attackers' scripts are written to try to log in as admin. WordPress itself offers no way to change a username once the account exists (the profile page says so); the plugin does it by editing the users table directly.

Type your new username into the textbox. Then click the Change Admin Username button. This changes the admin username to whatever you typed into that box. Record the new username somewhere safe, because it is what you will use instead of admin the next time you log into the WordPress admin section. If you were logged in as admin, you will need to log out right now and then log back in using your new username. Afterwards, open your author archive (https://example.com/?author=1, which WordPress redirects to /author/<slug>/ when pretty permalinks are on) and check that the slug no longer reads admin; the slug comes from the user_nicename column, not the login, and if it still says admin it tells every visitor what the old username was, so change that column in the database as well.

 

Step 5: Additional Recommended Tweaks

 

There are still some very important security tweaks to follow. Start with all of the red ones. In this example, "A user with id 1 still exists", "Your table prefix should not be wp_", and "Your installation is not actively looking for changed files" are the three items currently shown in red. Click on each one of those and follow the instructions.

Click on the "A user with id 1 still exists" link. Then click on the Change User 1 ID button. Some automated attack scripts assume that the first administrator account has user ID 1 (author enumeration requests for ?author=1, or injected payloads with user_id 1 hardcoded). Changing the ID defeats only those hardcoded assumptions, so treat it as a minor obscurity measure rather than a substitute for the other steps.

Click on the Security Dashboard link to show the list of security tweaks. Then click on the "Your table prefix should not be wp_" link. Then click on the Change Database Table Prefix button. This renames every table and fixes the rows that carry the prefix as a key, and $table_prefix in wp-config.php has to match the new prefix for the site to load at all; like the user ID change, it only blocks attacks that hardcode the default, so have the backup from Step 3 at hand before you click.
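The SQL behind Step 4 (rename the admin user) and the first two red items in Step 5 (change user ID 1, change the table prefix), as an added example that is not part of the original article or of the plugin's code, for readers who want to see or script what those three buttons change. The table and column names are WordPress core's; the prefix, logins, IDs and database names are assumed values. Each function prints statements rather than executing them, so you can review them, take the backup from Step 3, and only then feed them to the mysql client.

```shell
#!/bin/sh
# Added example, not code from the article or from the Better WP Security plugin:
# the SQL behind Step 4 (rename the admin user) and Step 5 (change user ID 1,
# change the table prefix). Each function prints SQL; review it, take the backup
# from Step 3, then pipe it into the mysql client. Table and column names are
# WordPress core's; the prefix, logins and IDs are assumed inputs.

safe_ident() {
  # Accept only [A-Za-z0-9_-] so a value can be embedded in SQL without quoting risk.
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) echo "refusing unsafe value: $1" >&2; return 1 ;;
  esac
}

is_num() {
  case "$1" in
    ''|*[!0-9]*) echo "not a number: $1" >&2; return 1 ;;
  esac
}

wp_rename_user_sql() {
  # $1 table prefix, $2 current login (admin), $3 new login.
  # user_nicename is the author-archive slug (/author/<nicename>/); if it stays
  # 'admin' the old login is still visible to anyone, so it is changed as well.
  p="$1"; old="$2"; new="$3"
  safe_ident "$p" && safe_ident "$old" && safe_ident "$new" || return 1
  printf "UPDATE \`%susers\` SET user_login = '%s', user_nicename = '%s' WHERE user_login = '%s';\n" \
    "$p" "$new" "$new" "$old"
}

wp_change_user_id_sql() {
  # $1 table prefix, $2 current ID (1), $3 new, unused ID. Every core table that
  # stores an author or owner ID follows; plugins with their own tables may too.
  p="$1"; old="$2"; new="$3"
  safe_ident "$p" && is_num "$old" && is_num "$new" || return 1
  printf "UPDATE \`%susers\` SET ID = %s WHERE ID = %s;\n" "$p" "$new" "$old"
  printf "UPDATE \`%susermeta\` SET user_id = %s WHERE user_id = %s;\n" "$p" "$new" "$old"
  printf "UPDATE \`%sposts\` SET post_author = %s WHERE post_author = %s;\n" "$p" "$new" "$old"
  printf "UPDATE \`%scomments\` SET user_id = %s WHERE user_id = %s;\n" "$p" "$new" "$old"
  printf "UPDATE \`%slinks\` SET link_owner = %s WHERE link_owner = %s;\n" "$p" "$new" "$old"
}

wp_change_prefix_sql() {
  # $1 old prefix, $2 new prefix, $3 space-separated table names (from SHOW TABLES).
  # Renaming the tables is not enough: wp_options holds the roles under the key
  # wp_user_roles and wp_usermeta holds each user's role under wp_capabilities and
  # wp_user_level, so those keys must be re-prefixed or every user loses their role.
  # '_' is a LIKE wildcard, so the old prefix is escaped in the WHERE clause.
  old="$1"; new="$2"; tables="$3"
  safe_ident "$old" && safe_ident "$new" || return 1
  for t in $tables; do
    safe_ident "$t" || return 1
    case "$t" in
      "$old"*) printf "RENAME TABLE \`%s\` TO \`%s%s\`;\n" "$t" "$new" "${t#"$old"}" ;;
    esac
  done
  like=$(printf '%s' "$old" | sed 's/_/\\_/g')
  from=$((${#old} + 1))
  printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %s)) WHERE option_name LIKE '%s%%';\n" \
    "$new" "$new" "$from" "$like"
  printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %s)) WHERE meta_key LIKE '%s%%';\n" \
    "$new" "$new" "$from" "$like"
  printf '%s\n' "-- finally set \$table_prefix = '$new'; in wp-config.php, or the site will not load"
}

# Typical use (assumed database name and credentials):
#   wp_rename_user_sql wp_ admin site_owner | mysql -u dbuser -p wordpress
#   wp_change_user_id_sql wp_ 1 4721        | mysql -u dbuser -p wordpress
#   wp_change_prefix_sql wp_ k7x_ "$(mysql -N -e 'SHOW TABLES' wordpress | tr '\n' ' ')"
```

The input whitelist in safe_ident is what keeps this safe to drive from a script: a login or prefix containing a quote is refused outright instead of being interpolated into the statement. Run the prefix change with the site in maintenance mode, since between the RENAME and the wp-config.php edit WordPress cannot find its tables.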

Click on the Security Dashboard link to show the list of security tweaks. Then click on the "Your installation is not actively looking for changed files" link. Check the box next to Enable File Change Detection. Then click on the Save Options button. From now on, you will receive a report via email any time files on your site are added, removed or changed. Expect a report after every legitimate update; the alerts that matter are the ones you did not cause, especially new .php files under wp-content/uploads or edits to wp-config.php and .htaccess.
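As an added example, not code from the article or from the plugin, here is the minimal version of what file change detection does, for anyone who would rather run it from cron on the server than rely on the plugin's emails. It assumes a Linux host with coreutils sha256sum, the paths shown in the comments, and file names without spaces or newlines.

```shell
#!/bin/sh
# Added example, not part of the article or the plugin: a minimal file change
# detector of the kind "Enable File Change Detection" turns on. A baseline of
# SHA-256 hashes is taken once and stored outside the web root (an attacker who
# can write to the site can also rewrite a baseline kept there); later scans are
# diffed against it. Paths are assumed to contain no spaces or newlines.

wp_scan() {
  # Hash every regular file under $1, C-locale sorted so two scans line up.
  # Directories named cache churn constantly and are pruned; uploads are kept
  # because a dropped .php file in wp-content/uploads is a classic web shell spot.
  find "$1" -type d -name cache -prune -o -type f -print | LC_ALL=C sort |
    while IFS= read -r f; do sha256sum "$f"; done
}

wp_changes() {
  # $1 baseline file written by wp_scan, $2 site root. Prints each path that was
  # modified, added or removed since the baseline, one per line (empty = clean).
  wp_scan "$2" | diff "$1" - | awk '/^[<>] / { print $3 }' | LC_ALL=C sort -u
}

# Typical use (assumed paths):
#   wp_scan /var/www/html > /root/wp-baseline.sha256     # right after Step 1's update
#   wp_changes /root/wp-baseline.sha256 /var/www/html    # from cron; mail the output if non-empty
# Re-run wp_scan after every update you made yourself so the baseline stays current.
```

The baseline belongs somewhere the web server's user cannot write, such as root's home or an off-host copy; a baseline the attacker can edit is no baseline at all.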

Click on the Security Dashboard link to show the list of security tweaks. Then click on the "You are not blocking known bad hosts and agents with HackRepair.com's blacklist" link. Check the box next to Enable Default Banned List. Then click on the Add Host and Agent Blacklist button. This writes a list of known-bad IP addresses and user agents into your .htaccess file; if a legitimate visitor or service later reports being blocked, that list is the first place to look.

Click on the Security Dashboard link to show the list of security tweaks. Then click on the "You are enforcing strong passwords, but not for all users." link. Make sure there is a check in the box next to Enable strong password enforcement. Then select the lowest user role that must use a strong password. By default, Administrator is selected. It is up to you whether to require it all the way down to Subscriber, but we strongly recommend selecting at least Editor or preferably Author, since those roles can publish content on your site. Then click on the Save Changes button.

There are still several more potential tweaks in the Security tab. Some of them can cause trouble for certain WordPress themes and plugins, and some make changes to your .htaccess file that affect every other application in your site. For example, Security->System Tweaks has check boxes that alter the .htaccess settings in ways you might not be able to predict at first.

For example, the "Filter Suspicious Query Strings" option can break other applications, including phpBB3: if you have a phpBB3 forum in your site and enable that feature, some users will not be able to log into phpBB3. So feel free to explore all of the security tweak options, but save a copy of .htaccess before you start and test every application on the site after each change, because many of the tweaks are rewrite rules in .htaccess that apply to everything under your web root.

 

Step 6: Remove Extra Themes and Plugins

 

It is important to remove all of the plugins that you are not using, because hackers can sometimes exploit vulnerabilities in plugins even when the plugins are inactive: an inactive plugin's files are still on the server and can be requested directly over the web, so a vulnerable script among them does not need WordPress to load the plugin. Select Plugins in the left menu. Then put a check in the box next to each plugin that is not absolutely critical to your site. Obviously keep Better WP Security and any caching plugin that you have installed, but delete everything else, including plugins that are installed but not active. Then select Delete in the dropdown and click the Apply button. At the next screen, click the Yes, Delete these files button.

It is also important to remove all of the themes that you are not using, for the same reason: a theme's files stay reachable over the web even when the theme is inactive. Select Appearance->Themes in the left menu. Then click on the Delete link under each theme that you are not using. Keep your current theme. In this example, I will keep "Twenty Thirteen", but delete "Twenty Twelve". When you click on the Delete link, the browser will ask you to confirm. Click on the Ok button. Repeat these steps for every theme in your site except the one you are currently using. (If you prefer to keep one default theme as a fallback in case your active theme breaks, that is fine, as long as it is kept updated like everything else.)

 

Step 7: Choose a Strong Password

 

The easiest way to change your password is by mousing over the "Howdy, admin" (after Step 4, Howdy followed by your new username) in the upper right of the screen. Then click the Edit My Profile link.

Now type the new password for your account into the New Password and Repeat New Password fields. Then click the Update Profile button. Note that the page only recommends a password of at least 7 characters; we strongly recommend at least 20 characters for admin level accounts.

Choose a really strong password for your admin level user. Long, completely random strings are best, because a dictionary attack never reaches them and neither does an online guessing script that the login lockout has already slowed to a crawl. Don't use plain English words or small variations on them. A 20+ character random string is drastically more secure than "qwerty" or "password123", and renaming the admin user does not lessen the need for it: the username is only the first half of what an attacker has to guess.

Store the new password together with the new username for the admin level account in a password manager, and let the manager generate it. Don't try to come up with a password that you can remember. Choose one that is impossible to guess and impossible to remember, and keep it in the password manager rather than in a text file on the server, where a hacker who got in would find it.

 

Step 8: Additional Security Tips

 

Remember, security is not a one time thing. You need to keep working on it every month. When WordPress, plugins, and themes release updates, log into the WordPress admin and run them; new vulnerabilities are found from time to time, and an unpatched plugin is a very common way for a site to get compromised. Keep WordPress, plugins and themes updated to their latest versions to stay as safe as possible. (WordPress 3.7 and later installs minor core security releases automatically; leave that enabled.)

Change your WordPress admin level user's password from time to time, and immediately if you suspect it has leaked. Run a malware scanner on your local workstation to make sure nobody is keylogging your local computer, since a stolen password bypasses every server-side control. If you use Windows, we recommend MalwareBytes Anti-Malware.

Additionally, take frequent backups of your files and WordPress database. Use the partial backup option in cPanel to grab your files and folders and your database. Download the backups and keep them on your own computer. Don't keep your only backup on the server, because a backup kept in your hosting account would be tampered with or deleted along with the rest of your site if a hacker managed to compromise WordPress. Test restoring a backup at least once, so you know it is usable before you need it.

There are other excellent WordPress security articles. Make sure you read the article titled Hardening WordPress and the one titled Brute Force Attacks.

This WordPress Security Guide was written by No Support Linux Hosting, home of the $1/month Linux hosting solutions where we ignore the support questions and pass the savings on to you!