Digital Technology

WordPress Security Tips

Never use “Admin” as an ID.

Some WordPress installers pre-populate your main login user ID to “Admin” during the initial installation. Never use “Admin” as a login ID on anything.

Admin is the first and main username ID that hackers use in an attempt to access your website. I have enough experience with websites to know that they will probably attempt this even on websites that get relatively low traffic.

Choose a user login ID that is not your own name or “Admin”.

If the version of WordPress that you are installing forces you to use “Admin” as the initial user ID, immediately create a new user ID for yourself, assign it with administrator privileges, check it works and then delete the original “Admin” ID.

Change your User Nickname.

One of the quirks of the default WordPress installation is that it doesn’t allow you to set up a nickname at the point of creating a new user. This means that, having avoided the trap of using the hackers’ favourite, “Admin”, the default setting for your posts will display your user login ID to the world!!

Once you set up your initial user login ID or any subsequent new user IDs, go to the user profile settings on your WordPress menus and set a nickname that you wish to reveal to the world when you publish your posts, pages, articles & any comment responses. This nickname may indeed be a nickname or it may simply be your own name.

The key point is that your nickname, which is visible to the world, and your login ID are not the same.

Your login ID should be something no one could guess but you can easily remember.

Build WordPress in a Subdirectory.

I normally suggest building the WordPress site in a subdirectory rather than in the main one. You would need to copy, paste and make a slight modification to the index.php file in the public_html folder, but it means you can construct the new site without disrupting the existing one and only “go live” when you are completely ready.

It also means in theory you could construct another new site in a different subdirectory at some time in the future and simply switch between them with minimal effort and zero downtime.

It also has a minor security advantage as it “hides” the main website files & folders from the root level of the website. It is not difficult for a person who knows what they are doing to discover the folder name, but it is an additional level of complexity that makes it harder for any automated systems attempting to scan the website with malicious intent.

Once you have built the website and are ready to go ‘live’, copy the index.php from the base WordPress subfolder to the public_html folder and edit it so that the path inside ‘points’ to the install.php file in the subfolder.

You will also need to modify the WordPress Address (URL) and the Site Address (URL) in the ‘Settings, General’ options to point to the WordPress subfolder and the website domain respectively.

Unfortunately any ‘site absolute’ file-paths or links in your website may need to be changed to reflect their location. It’s a pain but unfortunately needs to be done.

Change configuration file permissions.

Change the permissions for the wp-config.php file to 0400 or r--------. If your hosting’s file manager has a tick-box system for setting permissions, uncheck all boxes for ‘Other’, uncheck all boxes for ‘Group’ and uncheck all boxes except the ‘r’ for ‘Owner’.

This configuration file is in the base folder of the WordPress installation and contains the location, database name, user name and password for your WordPress database. Anyone who can read it could theoretically gain access to your database and take control of every aspect of your website. By changing permissions you deny that possibility, leaving only the single read option for your own WordPress installation itself that requires it.

Once you change the config file permission via your file manager, check your website works properly. If it doesn’t, reverting to the previous permissions for the config file should restore operations. Since that leaves your site vulnerable, contact your hosting provider’s technical support, as you may need to change some of the hosting configuration; but that is between you and your hosting provider and well beyond the scope of this article.

Rename or delete the installation file.

Inside the subfolder called ‘wp-admin’ there is a file called ‘install.php’.

This is the file used to install a new WordPress website.

Anyone entering the path to this file (the URL) via a web browser can install a fresh version of WordPress. This means that they could destroy your website and your access to it. You would lose your website and everything in it, and they could build their own website inside your hosting, accessed via your domain.

If you have a backup you could wipe their website and restore yours, but this is messy, time consuming and could cause damage to your reputation and the continuity of your web presence.

Better not to let this happen. Once you have installed a new WordPress website, delete the install.php file or rename it to something unguessable.
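The three file-level steps above (pointing the public_html index.php into the subfolder, setting wp-config.php to 0400, and removing wp-admin/install.php) can be checked and applied with a small audit script. The following is an added example, not code from the article or from WordPress itself. It assumes a subfolder name of `site`, builds a constructed stand-in for a WordPress tree in a temporary directory rather than touching a real install, and relies on one fact about the stock WordPress index.php: it loads `wp-blog-header.php` via a `require` line, and that path is what must point into the subfolder. The `audit`, `harden` and `rewrite_root_index` function names are this example’s own.

```python
"""Audit and apply post-install hardening steps on a WordPress tree (added example)."""
import os
import re
import stat
import tempfile
from pathlib import Path

WP_CONFIG_MODE = 0o400  # r-------- : owner read only, nothing for group or other


def audit_config_permissions(wp_root: Path) -> list:
    """Flag wp-config.php unless its mode is exactly 0400."""
    cfg = wp_root / "wp-config.php"
    if not cfg.is_file():
        return [f"{cfg.name}: not found"]
    mode = stat.S_IMODE(cfg.stat().st_mode)
    if mode != WP_CONFIG_MODE:
        return [f"{cfg.name}: mode {mode:04o}, expected {WP_CONFIG_MODE:04o}"]
    return []


def audit_installer(wp_root: Path) -> list:
    """Flag wp-admin/install.php if it is still reachable under its stock name."""
    installer = wp_root / "wp-admin" / "install.php"
    return [f"{installer.relative_to(wp_root)}: still present"] if installer.exists() else []


def audit_root_index(public_html: Path, subdir: str) -> list:
    """Flag the public_html index.php unless it loads wp-blog-header.php from the subfolder."""
    idx = public_html / "index.php"
    if not idx.is_file():
        return ["index.php: not found in public_html"]
    if f"/{subdir}/wp-blog-header.php" not in idx.read_text():
        return ["index.php: does not load wp-blog-header.php from the subfolder"]
    return []


def audit(public_html: Path, subdir: str) -> list:
    root = public_html / subdir
    return (audit_config_permissions(root) + audit_installer(root)
            + audit_root_index(public_html, subdir))


def rewrite_root_index(index_text: str, subdir: str) -> str:
    """Point the stock index.php's require at <subdir>/wp-blog-header.php.
    Handles both `require __DIR__ . '/wp-blog-header.php';` and the older
    `require( dirname( __FILE__ ) . '/wp-blog-header.php' );` spelling."""
    return re.sub(r"'/wp-blog-header\.php'", f"'/{subdir}/wp-blog-header.php'",
                  index_text, count=1)


def harden(public_html: Path, subdir: str) -> None:
    """Apply the three steps: copy+edit index.php, chmod 0400 the config, drop install.php."""
    root = public_html / subdir
    (public_html / "index.php").write_text(
        rewrite_root_index((root / "index.php").read_text(), subdir))
    os.chmod(root / "wp-config.php", WP_CONFIG_MODE)
    installer = root / "wp-admin" / "install.php"
    if installer.exists():
        installer.unlink()


# Constructed stand-in for a freshly installed tree; placeholder content only.
STOCK_INDEX = "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"


def build_demo_tree(public_html: Path, subdir: str) -> None:
    root = public_html / subdir
    (root / "wp-admin").mkdir(parents=True)
    (root / "index.php").write_text(STOCK_INDEX)
    (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'placeholder');\n")
    os.chmod(root / "wp-config.php", 0o644)  # the typical world-readable default
    (root / "wp-admin" / "install.php").write_text("<?php // installer placeholder\n")


def run_demo(subdir: str = "site"):
    """Return (findings before hardening, findings after hardening)."""
    with tempfile.TemporaryDirectory() as tmp:
        public_html = Path(tmp)
        build_demo_tree(public_html, subdir)
        before = audit(public_html, subdir)
        harden(public_html, subdir)
        after = audit(public_html, subdir)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before)
    print("after: ", after)
```

Running the script on the constructed tree reports three findings before hardening and none afterwards. Against a real install you would point `audit()` at your public_html directory and your real subfolder name, and review the findings before letting `harden()` change anything.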

Install ‘Limit Login Attempts’ plugin.

Hackers will attempt to access your website by repeatedly trying popular usernames (e.g. admin) and known popular passwords. They will repeat this indefinitely and might even have an automated process to keep trying until they get in.

Installing a plugin that limits the number of times they can attempt slows them down and effectively thwarts their system.

The ‘Limit Login Attempts’ plugin temporarily locks out the IP address of anyone repeatedly trying to log in unsuccessfully.

You can configure the number of attempts before lock-out and the time the lock-out is for. I usually set mine to around 10-12 so that if I make any typos or enter wrong details by mistake, I have enough ‘headroom’ to not immediately close myself out.

The time of the first lockout for failed attempts I usually set fairly low, 20-30 mins. That means if I should accidentally lock myself out I am not locked out for a long time. (It’s never happened yet.)

The second lock-out time I usually set for several days. It might surprise you to know that hackers will come back after the first lock-out. Once they are locked-out for several days they rarely come back.

Of course, since all the lock-out does is block IP addresses, the hacker can change to another IP address. But they will get locked out again after 10 or so attempts on the new IP too, and this slows them down.

Provided your user ID and password are hard to guess, this lock-out system is usually enough to keep hackers out, even though they keep trying for a while.

This plugin can also be set to show the details of failed logins. The listing on some websites I have seen is miles long, even on low traffic sites. Don’t think they won’t try yours. I’ve seen websites where the only traffic they get is hackers!!
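The lock-out policy described above (a per-IP failure counter, a short first lock-out, a much longer second one, a new IP starting from zero, and a listing of every failed attempt) is easy to model so you can see how it behaves against the pattern of repeated guessing. The following is an added example written for this article; it is not the Limit Login Attempts plugin’s code and does not hook into WordPress. The `LoginLimiter` class, its method names, the 10-attempt / 30-minute / 3-day settings and the replayed events (timestamps and documentation-range IP addresses) are all constructed for the demonstration.

```python
"""Per-IP login lock-out policy with a short first lock-out and a long second one (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class IpState:
    failures: int = 0                        # failures since the last lock-out or success
    lockouts: int = 0                        # how many times this IP has been locked out
    locked_until: Optional[datetime] = None
    history: List[Tuple[datetime, str]] = field(default_factory=list)  # every failed attempt


class LoginLimiter:
    """Lock an IP after `max_attempts` failures: first for `first_lockout`, then for `later_lockout`."""

    def __init__(self, max_attempts: int = 10,
                 first_lockout: timedelta = timedelta(minutes=30),
                 later_lockout: timedelta = timedelta(days=3)):
        self.max_attempts = max_attempts
        self.first_lockout = first_lockout
        self.later_lockout = later_lockout
        self.state: Dict[str, IpState] = {}

    def is_locked(self, ip: str, now: datetime) -> bool:
        st = self.state.get(ip)
        return st is not None and st.locked_until is not None and now < st.locked_until

    def record_failure(self, ip: str, username: str, now: datetime) -> bool:
        """Register a failed login; return True if the IP is locked out after it."""
        st = self.state.setdefault(ip, IpState())
        st.history.append((now, username))
        if self.is_locked(ip, now):
            return True                      # already locked: rejected without counting
        st.failures += 1
        if st.failures < self.max_attempts:
            return False
        st.lockouts += 1
        st.failures = 0
        duration = self.first_lockout if st.lockouts == 1 else self.later_lockout
        st.locked_until = now + duration
        return True

    def record_success(self, ip: str) -> None:
        """A successful login clears the failure counter (an active lock-out stays in force)."""
        st = self.state.get(ip)
        if st is not None:
            st.failures = 0

    def failed_login_report(self) -> List[str]:
        """The kind of listing the plugin can show: one line per failed attempt, oldest first."""
        rows = [(ts, ip, user) for ip, st in self.state.items() for ts, user in st.history]
        return [f"{ts.isoformat()} {ip} {user}" for ts, ip, user in sorted(rows)]


def simulate(events, limiter: Optional[LoginLimiter] = None) -> LoginLimiter:
    """Replay (timestamp, ip, username, password_correct) events through a limiter."""
    limiter = limiter or LoginLimiter()
    for ts, ip, user, ok in events:
        if ok and not limiter.is_locked(ip, ts):
            limiter.record_success(ip)
        else:                                # wrong password, or right one from a locked IP
            limiter.record_failure(ip, user, ts)
    return limiter


def lockout_summary(limiter: LoginLimiter) -> Dict[str, Tuple[int, Optional[datetime]]]:
    return {ip: (st.lockouts, st.locked_until) for ip, st in limiter.state.items()}


T0 = datetime(2024, 3, 1, 2, 0, 0)          # constructed start time


def constructed_events():
    """Constructed sample: the site owner mistypes twice, a guesser hammers 'admin'."""
    owner, guesser = "198.51.100.20", "203.0.113.7"   # documentation-range addresses
    ev = [(T0, owner, "ed_k9z", False),
          (T0 + timedelta(seconds=5), owner, "ed_k9z", False),
          (T0 + timedelta(seconds=20), owner, "ed_k9z", True)]
    # ten rapid guesses -> first, short lock-out
    ev += [(T0 + timedelta(seconds=i), guesser, "admin", False) for i in range(10)]
    # back after the short lock-out, ten more -> second, long lock-out
    ev += [(T0 + timedelta(minutes=31, seconds=i), guesser, "admin", False) for i in range(10)]
    # a day later: still locked, so this attempt is rejected without being counted
    ev.append((T0 + timedelta(days=1), guesser, "administrator", False))
    return sorted(ev)


if __name__ == "__main__":
    lim = simulate(constructed_events())
    for ip, (n, until) in lockout_summary(lim).items():
        print(f"{ip}: {n} lock-out(s), locked until {until}")
    print("\n".join(lim.failed_login_report()))
```

The replay shows the owner’s two mistakes staying well inside the 10-attempt headroom, while the guessing address is locked for 30 minutes after its tenth failure and for three days after its twentieth, so its attempt a day later is refused outright. Because state is keyed by IP, an attempt from a fresh address starts again at zero, which is exactly the limitation the text notes.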

Unguessable user IDs and passwords.

The main thing for any login system is to use usernames and passwords that are unguessable.

Use passwords that contain letters and numbers.

Make them longer than 10 characters.

Don’t use any real words, or your real name or nickname, for either your user ID or your passwords.

Use perversions of words and word combinations, mixing up caps and lower case with some numbers.

Apply some of these tips and you should be fairly safe.

No one can 100% guarantee safety from hackers as they are continually becoming more innovative and they are persistent.

Applying the few basic steps outlined here should prevent most malicious access attempts, and the attackers will go away as it is too much bother. There are other, easier fish to catch.
