WordPress Security Tips

Never use “Admin” as an ID.

Some WordPress installers pre-populate your main login user ID to “Admin” during the initial installation. Never use “Admin” as a login ID on anything.

"admin" is the first username an attacker's tools try against wp-login.php. Because the attempts are automated, they are made against every site that can be found, including ones that get almost no legitimate traffic.

Choose a user login ID that is not your own name or “Admin”.

If the version of WordPress you are installing forces "Admin" as the initial user ID, immediately create a new user for yourself, give it the Administrator role, log out and confirm the new account works, then delete the original "Admin" account. When WordPress asks what to do with the old account's content, attribute it to your new user rather than deleting it.

Change your User Nickname.

One quirk of the default WordPress installation is that it does not let you set a nickname at the point of creating a user. So, having avoided the attackers' favourite, "Admin", you may find that by default your posts display your login ID to the world as the author name.

Once you have created your initial login ID, or any later user, open that user's profile (Users, Your Profile) in the WordPress menus, enter a Nickname and then select it under "Display name publicly as". That is the name shown on your posts, pages, articles and comment replies; it can be a real nickname or simply your own name.

The key point is that the nickname, which is visible to the world, and your login ID are not the same. One caveat: WordPress also derives a URL slug from the login name for author archive pages and exposes user slugs through its REST API, so a determined visitor can often still recover the login ID. Treat the separate nickname as removing the easy giveaway in every byline, not as a secret; the password is what does the real protecting.

Your login ID should be something no one could guess but you can easily remember.

Build WordPress in a Subdirectory.

I normally suggest building the WordPress site in a subdirectory rather than in the document root itself. You then copy WordPress's index.php into the public_html folder and change one line in it, but it means you can construct the new site without disrupting the existing one and only "go live" when you are completely ready.

It also means in theory you could construct another new site in a different subdirectory at some time in the future and simply switch between them with minimal effort and zero downtime.

It also has a minor security advantage in that it "hides" the main WordPress files and folders from the root of the website. This is obscurity rather than a real control: the subfolder name appears in the HTML of every page (in the theme and plugin asset URLs), so anyone who knows what they are doing will find it in seconds, and most scanners simply follow those links. It does defeat the crudest tools, which only probe fixed paths such as /wp-login.php at the root.

Once you have built the website and are ready to go 'live', copy index.php from the WordPress subfolder to the public_html folder and edit it so that the path in its require line points to wp-blog-header.php inside the subfolder (that file, not install.php, is what index.php loads).

You also need to set the two URLs under 'Settings, General': WordPress Address (URL) should point to the subfolder (for example https://example.com/wp) and Site Address (URL) to the bare domain (https://example.com). Change these before copying index.php, and remember that wp-login.php stays where WordPress is, so you log in at the subfolder URL.

Unfortunately any absolute paths or links in your content that include the old location may need to be changed to reflect the new one. It is a pain, but it has to be done.
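The go-live step as a script, added here as an example and not code from the original post. It copies WordPress's own index.php to the document root and rewrites the one line that matters; the subfolder name "wp", the example.com URLs and the constructed demo tree are assumptions for illustration. The WP-CLI commands in the comments are the command-line equivalent of the Settings, General change described above.

```shell
#!/bin/sh
# Added example, not code from the original post: the go-live step for a
# WordPress install that lives in a subfolder. The subfolder name "wp" and
# the paths are assumptions for the demo.
#
# Do the Settings > General change first (WordPress Address = https://example.com/wp,
# Site Address = https://example.com). With WP-CLI that is:
#   wp option update siteurl https://example.com/wp
#   wp option update home    https://example.com

# make_root_index DOCROOT SUBDIR
#   Copies DOCROOT/SUBDIR/index.php to DOCROOT/index.php, changing
#   '/wp-blog-header.php' to '/SUBDIR/wp-blog-header.php'. __DIR__ in the
#   new file resolves to DOCROOT, so the require lands in the subfolder.
#   Works for the current `require __DIR__ . '/wp-blog-header.php';` and the
#   older `require( dirname( __FILE__ ) . '/wp-blog-header.php' );` forms.
make_root_index() {
    docroot=$1; subdir=$2
    src="$docroot/$subdir/index.php"; dst="$docroot/index.php"
    [ -f "$src" ] || { echo "no $src" >&2; return 1; }
    sed "s#/wp-blog-header\.php#/$subdir/wp-blog-header.php#" "$src" > "$dst"
    # Fail loudly if the line was not found (e.g. a customised index.php).
    grep -q "/$subdir/wp-blog-header.php" "$dst"
}

# root_require_line DOCROOT -> the require line now in DOCROOT/index.php
root_require_line() { grep '^require' "$1/index.php"; }

# build_demo_tree DOCROOT SUBDIR: a constructed stand-in for a WordPress
# subfolder install, just enough for the demo.
build_demo_tree() {
    mkdir -p "$1/$2"
    cat > "$1/$2/index.php" <<'EOF'
<?php
/**
 * Front to the WordPress application (constructed copy of the stock file).
 */
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
EOF
    : > "$1/$2/wp-blog-header.php"
}

# Demo run on the constructed tree.
demo=$(mktemp -d)
build_demo_tree "$demo" wp
make_root_index "$demo" wp
root_require_line "$demo"      # require __DIR__ . '/wp/wp-blog-header.php';
rm -rf "$demo"
```

The original index.php in the subfolder is left untouched, so the subfolder keeps working on its own and you can switch back by deleting the copy in the root.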

Change configuration file permissions.

Change the permissions on wp-config.php to 0400, that is r-------- (read for the owner only). If your hosting's file manager uses tick boxes for permissions, untick everything for 'Other' and 'Group', and everything except 'Read' for 'Owner'.

This configuration file is in the base folder of the WordPress installation and contains the database host, database name, user name and password, as well as the authentication salts. Anyone who can read it could connect to your database and take control of every aspect of your website. On a shared server the risk is other accounts and processes on the same machine; 0400 shuts them out while leaving the one reader that needs it, the user your WordPress PHP runs as, provided that user owns the file.

After changing the permission, check that the website still works. If it does not, PHP is running as a different user from the file's owner, which is why 0400 (and even 0600) can break a site. Reverting to the previous permissions should restore service, but that leaves the file readable to others, so ask your hosting provider's support how PHP runs under your account; that is between you and the host and beyond the scope of this article. Bear in mind that 0400 protects against other users on the server, not against code running inside WordPress itself, which can always read the file.

Rename or delete the installation file.

Inside the 'wp-admin' subfolder there is a file called 'install.php'.

This is the file used to install a new WordPress website.

Pointing a browser at that file's URL runs the installer. On a finished site it normally stops with "Already Installed", because it checks the database first; but if the tables are ever lost, or wp-config.php ends up pointing at an empty database, the installer is live again on a URL everyone knows. Whoever reaches it first could set up a fresh WordPress with their own administrator account, destroying your site's content and your access to it, and run their own website inside your hosting under your domain.

If you have a backup you can wipe their site and restore yours, but it is messy, time consuming and damaging to your reputation and the continuity of your web presence.

Better not to leave that window open. Once you have installed WordPress, delete wp-admin/install.php or rename it to something unguessable. Note that core updates rewrite the contents of wp-admin and bring the file back, so repeat this step after every update.
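A post-install script covering the two files from the sections above, wp-config.php permissions and wp-admin/install.php, added here as an example and not code from the original post. The WordPress root and the user PHP runs as are inputs you supply for your own host; the directory tree it builds at the bottom is constructed for the demo only.

```shell
#!/bin/sh
# Added example, not code from the original post: post-install hardening for
# wp-config.php (permissions) and wp-admin/install.php (presence). WP_ROOT and
# PHP_USER are assumptions you supply; the demo tree is constructed.

# perm_string FILE -> mode string such as "-r--------" (parsed from ls, so it
# works on GNU and BSD userlands alike, unlike stat -c / stat -f).
perm_string() { ls -ld "$1" | cut -c1-10; }

# owner_of FILE -> owner name as shown by ls -l
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# harden_wp_config WP_ROOT PHP_USER
#   Sets wp-config.php to 0400 (owner read only). Refuses when the file is
#   not owned by PHP_USER, because then 0400 locks WordPress out of its own
#   config, which is the "site stops working" case the text warns about.
harden_wp_config() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    if [ "$(owner_of "$cfg")" != "$2" ]; then
        echo "wp-config.php is owned by $(owner_of "$cfg") but PHP runs as $2; 0400 would break the site" >&2
        return 2
    fi
    chmod 0400 "$cfg"
    [ "$(perm_string "$cfg")" = "-r--------" ]
}

# remove_installer WP_ROOT
#   Deletes wp-admin/install.php. Core updates rewrite wp-admin and bring the
#   file back, so rerun this after every update.
remove_installer() {
    f="$1/wp-admin/install.php"
    [ -e "$f" ] && rm -f "$f"
    [ ! -e "$f" ]
}

# audit WP_ROOT
#   Prints one line per finding; returns 0 when clean, 1 otherwise.
audit() {
    clean=0
    if [ "$(perm_string "$1/wp-config.php")" != "-r--------" ]; then
        echo "wp-config.php is $(perm_string "$1/wp-config.php"), want -r--------"
        clean=1
    fi
    if [ -e "$1/wp-admin/install.php" ]; then
        echo "wp-admin/install.php is present"
        clean=1
    fi
    return $clean
}

# Demo on a constructed tree that looks like a fresh install with defaults.
demo=$(mktemp -d)
mkdir -p "$demo/wp-admin"
printf '<?php // constructed stand-in for wp-config.php\n' > "$demo/wp-config.php"
chmod 0644 "$demo/wp-config.php"
: > "$demo/wp-admin/install.php"

echo "before:"; audit "$demo" || true
# We own the demo files, so we pass ourselves as the PHP user.
harden_wp_config "$demo" "$(id -un)"
remove_installer "$demo"
echo "after:"; audit "$demo" && echo "clean"
rm -rf "$demo"
```

On a real host, pass the user your PHP-FPM pool or CGI wrapper runs as (ask support if unsure); if the owner check refuses, that is the configuration the text says to raise with your provider before changing permissions.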

Install ‘Limit Login Attempts’ plugin.

Attackers will try to get into your website by repeatedly submitting popular usernames (e.g. admin) with lists of common passwords. This is almost always automated and will carry on indefinitely until something gets in.

Installing a plugin that limits the number of attempts slows them down and, against a list of thousands of passwords, effectively breaks the attack.

The 'Limit Login Attempts' plugin temporarily blocks the IP address of anyone who repeatedly fails to log in. Two things to check when setting it up: if your site sits behind a CDN or reverse proxy, tell the plugin so, otherwise every visitor appears to come from the proxy's address and one attacker can lock everyone out (or nobody ever gets locked out); and confirm that login attempts made through xmlrpc.php are counted too, since passwords can be tried there as well as on wp-login.php.

You can configure the number of attempts before lock-out and how long the lock-out lasts. I usually set mine to around 10-12, so that a few typos or wrong details leave me enough headroom not to lock myself out.

The first lock-out I usually set fairly short, 20-30 minutes, so that if I accidentally lock myself out I am not shut out for long. (It's never happened yet.)

The second lock-out, applied after repeated lock-outs, I usually set to several days. It may surprise you that attackers come back after the first lock-out. Once they are locked out for several days they rarely return.

Of course, since the lock-out only blocks IP addresses, an attacker can move to another address, and a botnet has thousands of them. Each new address is locked out again after ten or so attempts, so it slows them down without stopping a determined, distributed attack outright.

Provided your user ID and password are hard to guess, this lock-out system is usually enough to keep hackers out, even though they keep trying for a while.

The plugin can also show you the failed logins. The list on some sites I have seen is miles long, even on low-traffic sites. Don't think they won't try yours; I've seen websites where the only traffic is attackers.
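The counting a lock-out plugin does, run over ordinary web-server access-log lines, added here as an example and not code from the original post. It lets you see who is hitting wp-login.php with or without a plugin installed, and it also counts xmlrpc.php POSTs, the login avenue a wp-login.php-only lock-out misses. The log lines are constructed for the demo and use documentation IP ranges; the threshold is the "attempts before lock-out" setting.

```shell
#!/bin/sh
# Added example, not code from the original post: lock-out style counting
# over access-log lines. Sample log lines are constructed; IPs are from
# documentation ranges.

# failed_logins_by_ip THRESHOLD   (combined-format access log on stdin)
#   WordPress answers a failed wp-login.php POST with HTTP 200 (it re-renders
#   the form with an error) and a successful one with a 302 redirect, so
#   'POST /wp-login.php ... 200' is a failed attempt. Prints
#   "<ip> <n> failures, <m> successes" for every source at or above
#   THRESHOLD, busiest first.
failed_logins_by_ip() {
    awk -v thr="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fail[$1]++ }
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "302" { ok[$1]++ }
        END {
            for (ip in fail)
                if (fail[ip] >= thr)
                    printf "%s %d failures, %d successes\n", ip, fail[ip], ok[ip] + 0
        }' | sort -k 2,2 -n -r
}

# xmlrpc_posts_by_ip   (same input)
#   Password guessing can also arrive through xmlrpc.php, which a lock-out
#   watching only wp-login.php never sees; count POSTs to it per source.
xmlrpc_posts_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n[$1]++ }
         END { for (ip in n) print ip, n[ip] }' | sort -k 2,2 -n -r
}

# sample_log: constructed lines. 203.0.113.7 is a guessing bot (12 failures),
# 198.51.100.3 is a real user who mistyped twice and then got in (302),
# 203.0.113.9 hammers xmlrpc.php.
sample_log() {
    i=0
    while [ $i -lt 12 ]; do
        echo '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"'
        i=$((i + 1))
    done
    echo '198.51.100.3 - - [10/Oct/2023:14:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"'
    echo '198.51.100.3 - - [10/Oct/2023:14:02:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"'
    echo '198.51.100.3 - - [10/Oct/2023:14:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
    echo '198.51.100.3 - - [10/Oct/2023:14:02:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 31000 "-" "Mozilla/5.0"'
    i=0
    while [ $i -lt 3 ]; do
        echo '203.0.113.9 - - [10/Oct/2023:15:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"'
        i=$((i + 1))
    done
}

# Demo: who would a 10-attempt lock-out have caught, and who is on xmlrpc.php?
sample_log | failed_logins_by_ip 10     # 203.0.113.7 12 failures, 0 successes
sample_log | xmlrpc_posts_by_ip         # 203.0.113.9 3
```

Run it against your real log with `failed_logins_by_ip 10 < /path/to/access.log`; the legitimate user with two typos and a 302 never appears at a sane threshold, which is the headroom the text talks about.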

Unguessable user IDs and passwords.

The main thing for any login system is a username and password that cannot be guessed.

Make passwords long: at least 16 characters. Length does more for you than clever substitutions, because cracking tools already try dictionary words with letters swapped for digits and capitals moved around.

Mix letters, numbers and symbols, and never reuse a password from another site.

Don't use any real words, your real name or your nickname for either the login ID or the password.

Best of all, let a password manager generate and store a random password; then it does not need to be memorable at all. If you must remember it, a passphrase of several unrelated words beats one word with a few characters swapped.

Apply some of these tips and you should be fairly safe.

No one can guarantee 100% safety from attackers; they are persistent and keep finding new methods.

Applying the few basic steps outlined here should stop most malicious access attempts, and the attackers will move on because it is too much bother: there are easier, unsuspecting fish to catch.