How to: Keep Your WordPress Website Safe
6th November 2012
It’s easy to think your website is immune to malicious attacks and that only big sites with high volumes of traffic are likely to be a target, but this is a naive assumption: most attacks on WordPress sites are automated scans that try the same known weaknesses against every site they can find, whatever its size. Here are 10 tips any webmaster can use to help keep their WordPress website safe.
1. Never use the default ‘admin’ username
Change it to something that isn’t so predictable and obvious; an attacker who already knows the username only has the password left to guess. If you’ve already set this, WordPress will tell you the username can’t be changed, but you can get around the restriction in one of two ways: create a new administrator account, log in as it and delete ‘admin’ (attributing its posts to the new user), or edit the user_login column in the users table of your database directly. If you take the database route, update user_nicename and display_name as well, since both default to the login name and the nicename is visible in author archive URLs.
2. Use a secure password
This seems obvious, but a frightening number of people use their name or something else equally obvious. A password should be long, random and used nowhere else; if you need help with this, there are numerous secure password generators on the net, and a password manager will remember the result for you.
3. Keep everything up to date
It only takes a matter of seconds to install core, plugin and theme updates, but they contain valuable security fixes, so make sure you do it. Deactivated plugins and themes still sit on disk and their files can still be requested by a browser, so delete anything you aren’t using rather than just switching it off.
4. Change the database table prefix
By default it will be wp_ and everyone knows this. Again, if you’ve already installed WordPress then changing this is trickier, but it is possible using the WP Secure Scan plugin. Be aware that a different prefix only defeats scripted attacks that hard-code wp_; anything that can run its own SQL can list your tables whatever they are called, so treat this as a minor obstacle rather than a real defence.
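If you would rather change the prefix by hand than trust a plugin with it, there are three places it lives, and the trap is that renaming the tables alone locks every user out, because the role and capability keys in the options and usermeta tables carry the prefix too. The script below is an added example, not the post’s or the plugin’s code; the helper names are hypothetical, it assumes MySQL/MariaDB and a POSIX shell, and it only prints the SQL so you can read it before piping it into mysql (after a backup, with the site in maintenance mode).

```shell
#!/bin/sh
# Added example (not from the original post). Changes a WordPress table
# prefix in all three places: the tables, the <prefix>user_roles option and
# the <prefix>capabilities / <prefix>user_level user meta keys.

# Print the SQL that renames tables from prefix $1 to prefix $2 and fixes the
# prefix-dependent rows. $3... are the table names without prefix; the list
# must include every table, in particular options and usermeta.
prefix_change_sql() {
    old="$1"; new="$2"; shift 2
    for t in "$@"; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # Core keeps the role definitions under <prefix>user_roles.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    # Every per-user key that starts with the old prefix must follow it.
    # The underscore is escaped so LIKE treats it literally.
    esc_old=$(printf '%s' "$old" | sed 's/_/\\_/g')
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$(( ${#old} + 1 ))" "$esc_old"
}

# Point wp-config.php ($1) at the new prefix ($2). Keeps a .bak copy.
set_config_prefix() {
    case "$2" in
        *[!a-z0-9_]*) echo 'prefix must consist of a-z, 0-9 and _' >&2; return 1 ;;
    esac
    sed -i.bak 's/^\$table_prefix[[:space:]]*=.*/$table_prefix = '"'$2'"';/' "$1"
}

# Typical use (requires database access, so not run here):
#   prefix_change_sql wp_ site7_ $(mysql -N -e "SHOW TABLES LIKE 'wp\_%'" dbname | sed 's/^wp_//') | mysql dbname
#   set_config_prefix /var/www/html/wp-config.php site7_
```

The RENAME statements are emitted before the two UPDATEs on purpose, since the UPDATEs address the tables by their new names. Plugins occasionally store their own prefix-dependent option names; check wp_options for anything else starting with the old prefix before you finish.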
5. Move your wp-config.php file
Again, the default location makes it easy to find and read, so move it up a directory: when WordPress finds no wp-config.php in its own directory it looks in the parent (unless that parent is itself a WordPress install), so no other change is needed. Note that this only helps if the parent directory is outside the web root; if WordPress lives in a subdirectory of your site, the file simply becomes readable from a different URL. Wherever it ends up, make it readable only by the web server’s user.
6. Change the default secret keys
In the wp-config.php file you’ll see eight secret keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching _SALT values; installs that predate the salts may show only four, in which case add the rest). WordPress mixes them into the cookies that keep you logged in and the nonces that protect its forms, so they should be unique to your site rather than the well-known placeholders, and for the sake of 60 seconds of effort they are certainly worth changing. The official generator at https://api.wordpress.org/secret-key/1.1/salt/ will give you a unique set. Changing them logs every user out, which also makes it a quick way to end all sessions after a suspected compromise.
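If you prefer not to fetch secrets from a remote service, the keys are just long random strings and can be generated locally. The function below is an added example, not the post’s or WordPress’s code; the helper name is hypothetical and it assumes a POSIX shell with /dev/urandom.

```shell
#!/bin/sh
# Added example: emit the eight define() lines WordPress expects, with
# 64-character values drawn from the kernel CSPRNG. Paste the output over
# the existing block in wp-config.php.
wp_secret_keys() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        # Printable characters only; quotes and backslashes are left out so
        # the value can sit inside a single-quoted PHP string untouched.
        value=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=<>?,.~' < /dev/urandom | head -c 64)
        printf "define('%s', '%s');\n" "$name" "$value"
    done
}

# Usage: wp_secret_keys
```

Each run produces a fresh, independent set; the length and character set match what the WordPress.org generator hands out, so the values can be dropped in without any other change.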
7. Use safe themes and plugins
Only install plugins and themes you know are safe and that come from a reputable developer, ideally the wordpress.org directory or the developer’s own site. Be wary of anything you’ve downloaded from torrent and file sharing services: ‘nulled’ copies of paid themes and plugins are a common way of planting a backdoor, and obfuscated code in a fresh download (long base64 strings handed to eval) is a reliable warning sign.
8. Limit access to the wp-admin directory
Using .htaccess it is possible to restrict access to the wp-admin directory to only certain IP addresses. To find out how to do this properly, I recommend you check out Net Magazine’s excellent post, Protect your WordPress site with .htaccess. Two things to watch: wp-admin/admin-ajax.php is used by many themes and plugins for ordinary visitors, so it needs to be exempted, and wp-login.php lives outside wp-admin, so it needs a rule of its own. Bear in mind that a dynamic home address will lock you out as readily as anyone else, and that behind a CDN or reverse proxy Apache sees the proxy’s address unless it is configured to trust the forwarded one.
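As an added example (not the post’s or Net Magazine’s configuration), the two functions below write the Apache 2.4 rules for this, covering both the admin-ajax.php exemption and the separate wp-login.php rule that the Net Magazine approach also needs. The helper names are hypothetical, and the syntax assumes Apache 2.4 (mod_authz_core); Apache 2.2 hosts need the older Order/Deny/Allow directives instead.

```shell
#!/bin/sh
# Added example: restrict wp-admin to an allow-list of client addresses.

# Write wp-admin/.htaccess. $1 is the wp-admin directory, the rest are
# addresses or CIDR ranges that may reach it.
write_wpadmin_htaccess() {
    dir="$1"; shift
    [ $# -gt 0 ] || { echo 'need at least one address or range' >&2; return 1; }
    cat > "$dir/.htaccess" <<EOF
# Only these addresses may reach the dashboard.
Require ip $*
# admin-ajax.php is called by themes and plugins for logged-out visitors;
# a more specific section replaces the directory rule for that one file.
<Files "admin-ajax.php">
    Require all granted
</Files>
EOF
}

# wp-login.php sits in the document root, outside wp-admin, so it needs its
# own rule. $1 is the WordPress root; this appends to its .htaccess.
write_wplogin_rule() {
    dir="$1"; shift
    [ $# -gt 0 ] || { echo 'need at least one address or range' >&2; return 1; }
    cat >> "$dir/.htaccess" <<EOF
<Files "wp-login.php">
    Require ip $*
</Files>
EOF
}

# Usage (paths and addresses are placeholders):
#   write_wpadmin_htaccess /var/www/html/wp-admin 203.0.113.5 198.51.100.0/24
#   write_wplogin_rule /var/www/html 203.0.113.5 198.51.100.0/24
```

After writing the files, request admin-ajax.php from an address outside the list to confirm it still answers, and wp-login.php to confirm it does not.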
9. Limit login attempts
By default, WordPress will allow an unlimited number of login attempts. The Limit Login Attempts plugin stops this by blocking an IP address from making more than a specified number of attempts within a set time frame. If your site sits behind a proxy or CDN, make sure the plugin is seeing the real client address rather than the proxy’s, or it will either block nobody or block everyone at once.
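The same thing can be seen from the server side: every failed guess is a POST to wp-login.php in the access log, so counting those per address is a quick way to check whether you are being brute-forced and whether the plugin is doing its job. The script below is an added example, not the plugin’s code; the helper names are hypothetical, the log lines are constructed for the example and it assumes Apache’s combined log format.

```shell
#!/bin/sh
# Added example: count POSTs to wp-login.php per client address in an
# Apache combined log and report any address over a threshold.

# $1 = access log, $2 = number of POSTs tolerated per address.
# Prints "address count" for every address that exceeds the limit.
login_abusers() {
    awk -v limit="$2" '
        # Field 6 is the quoted method, field 7 the request path.
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > limit) print ip, hits[ip] }
    ' "$1" | sort
}

# Constructed sample log (not real traffic): one address hammering the login
# form, one with a couple of attempts, one ordinary visitor.
sample_log() {
    cat <<'EOF'
203.0.113.9 - - [06/Nov/2012:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Nov/2012:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Nov/2012:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Nov/2012:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Nov/2012:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Nov/2012:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Nov/2012:10:00:07 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Nov/2012:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Nov/2012:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.7 - - [06/Nov/2012:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
192.0.2.7 - - [06/Nov/2012:10:02:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Usage: sample_log > /tmp/access.log; login_abusers /tmp/access.log 5
```

Counting over the whole file is enough for a spot check; for continuous blocking with a sliding time window, a fail2ban filter on the same POST pattern does the job at the firewall, with the same caveat about proxies: the address in the log must be the client’s, not the proxy’s.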
10. Backup your data
That means your files AND database. You can never guarantee your site is 100% safe, so be smart and keep a copy of everything that’s important. There are various plugins that can help you with this. Keep the copies somewhere other than the server they came from, and restore one occasionally to prove it works; a backup you have never tested is only a hope.
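For those who would rather not rely on a plugin for this, a backup is two commands: a database dump and an archive of the files. The script below is an added example, not the post’s code; the helper names are hypothetical, it reads the database credentials out of wp-config.php so they are not duplicated, and it assumes mysqldump, gzip and tar are installed and that you copy the results off the server afterwards.

```shell
#!/bin/sh
# Added example: database + file backup of a WordPress install.

# Pull the value of define('NAME', 'value') out of wp-config.php.
# $1 = path to wp-config.php, $2 = constant name. Prints nothing if absent.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\(.*\)['\"][[:space:]]*)[[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# $1 = WordPress root, $2 = destination directory. Writes db-<stamp>.sql.gz
# and files-<stamp>.tar.gz and fails if the dump contains no tables.
backup_wordpress() {
    root="$1"; dest="$2"; stamp=$(date +%Y%m%d-%H%M%S)
    cfg="$root/wp-config.php"
    # Tip 5 may have moved the config one directory up.
    [ -f "$cfg" ] || cfg="$(dirname "$root")/wp-config.php"
    db=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    pass=$(wp_config_value "$cfg" DB_PASSWORD)
    host=$(wp_config_value "$cfg" DB_HOST)
    mkdir -p "$dest"
    # Consistent InnoDB snapshot without locking the live site. DB_HOST may
    # carry a port (host:3306), which mysqldump takes separately, so strip it.
    MYSQL_PWD="$pass" mysqldump --single-transaction -h "${host%%:*}" -u "$user" "$db" \
        | gzip > "$dest/db-$stamp.sql.gz" || return 1
    # wp-content holds uploads, themes and plugins; the config goes in too.
    tar -czf "$dest/files-$stamp.tar.gz" -C "$root" wp-content \
        -C "$(dirname "$cfg")" "$(basename "$cfg")" || return 1
    # Refuse to report success on an empty dump.
    [ "$(gzip -dc "$dest/db-$stamp.sql.gz" | grep -c '^CREATE TABLE')" -gt 0 ]
}

# Usage: backup_wordpress /var/www/html /var/backups/wordpress
```

The password is passed through MYSQL_PWD rather than on the command line so it does not show up in the process list. Run it from cron, copy the two files somewhere else, and every so often restore the dump into a scratch database to confirm the CREATE TABLE check is not the only thing standing between you and an empty backup.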
NB: Because this post is more than two years old, and the world of web design and technology moves on so quickly, the information in it may now be out of date.