How to: Keep Your WordPress Website Safe

6th November 2012

It’s easy to think your website is immune to malicious attacks and that only big sites with high volumes of traffic are likely to be a target, but this is a naive assumption. Here are 10 tips any webmaster can utilise to help keep their WordPress website safe.

1. Never use the default ‘admin’ username

Change it to something that isn’t so predictable and obvious. If you’ve already set this WordPress will tell you it can’t be changed, but you can get around this restriction by going into the user table of your database.

2. Use a secure password

This seems obvious but a frightening number of people use their name or something else equally obvious. If you need help with this, there are numerous secure password generators on the net.

3. Keep everything up to date

It only takes a matter of seconds to install plugin and core updates, but they contain valuable security fixes so make sure you do it.

4. Change the database table prefix

By default it will be wp_ and everyone knows this. Again, if you’ve already installed WordPress then changing this is trickier, but it is possible using the WP Secure Scan plugin.

5. Move your wp-config.php file

Again, the default location makes it easy to find and read so move it up a directory (a change which WordPress should detect).

6. Change the default secret keys

In the wp-config.php file you’ll see four secret keys. These make it harder to crack your password, so for the sake of 60 seconds of effort they are certainly worth changing. You can get your own unique secret keys here.

7. Use safe themes and plugins

Only upload plugins and themes you know are safe and come from a reputable developer. Be wary of anything you’ve downloaded from torrent and file sharing services.

8. Limit access to the wp-admin directory

Using .htaccess it is possible to restrict access to the wp-admin directory to only certain IP addresses. To find out how to do this properly, I recommend you check out Net Magazine’s excellent post, Protect your WordPress site with .htaccess

9. Limit login attempts

By default, WordPress will allow an unlimited number of attempts to login. The Limit Login Attempts plugin will stop this by blocking an IP address from making more than a specified number of attempts within a set time frame.

10. Backup your data

That means your files AND database. You can never guarantee your site is 100% safe, so be smart and keep a copy of everything that’s important. There are various plugins that can help you with this.

Thank you very much to Jo Cox Design for assisting in changing and updating our website. Jo was extremely helpful and dealt with my requests very quickly. Would certainly recommend.

Rachel Watmough (Butterfly Bridal Boutique)