How to Protect Your WordPress From Hackers

There are a few easy steps you can take to secure any WordPress installation you create. But why be concerned about security?

Here is why

I've previously had two WordPress online journals hacked. This was during a period when I was doing very little internet marketing, and by the time I found time to address the situation (months later), the sites had been penalized in search engines. They were not removed, but their rankings were reduced.

I eventually fixed the problem, but I neglected it for several months. I was completely unaware of the problem for quite some time.

What was the end result? I'm guessing I lost a few hundred pounds in ad revenue.

Much of WordPress security is common sense. Do you have a secure password? Do you have a unique password for each website?

I didn't for years. I had three or four passwords that I used on a regular basis. However, there are two ways to create a good, strong password for every website you visit. (Of course, this applies to your WordPress blogs as well.)

The weaker (but still effective) approach is, to begin with, a common password; then add some numbers you are likely to remember, such as the house number of your first address; and finally, add the first few, say, five letters of the area name. For example, if you begin with the password reindeer230 and use the website example.com, the result is reindeer230examp. This is a very secure password. These technique guards against dictionary attacks, in which an attacker tries to log in to your account repeatedly using English words, words from other languages, names, and so on.

The more secure method, which I personally recommend, is to use one of the browser-based password generation and storage plug-ins. Many people like RoboForm, but after the free trial period, I believe you have to pay for it. I use Lastpass's free version and recommend it to anyone who uses Internet Explorer or Firefox. It generates strong passwords for you; you then log in with a master password.

Now we'll get into the details of WordPress. When you install WordPress, you must rename the config-sample.php file to config.php. There, you must install the database information.

There are a couple of different changes you ought to make.

There is a section in config-sample.php titled "Authentication Unique Keys." This section contains four definitions. This section of code includes a hyperlink. Enter this link into your browser, copy the content, and replace the existing keys with the website's pseudo-random unique keys. This makes it more difficult for attackers to generate a "logged in" cookie for your website automatically.

The next step is to change the table prefix from "wp_" to something else. This is accomplished through the WordPress Database Table Prefix section. It doesn't matter how you change it; alphanumeric characters, hyphens, and underscores are all acceptable. This should prevent so-called SQL injection attacks, in which an attacker attempts to get WordPress to execute SQL code that has unintended consequences for your website. This code may add a new user to your WordPress website with superuser privileges.

This final step should only be performed on new installations. If you want to do it on an existing installation, you will also need to change the names of all the tables in the database.

Finally, if you install the WordPress Security Scan plugin, it will scan most of it for you and notify you of any errors. It will also inform you that a user named "admin" exists. Of course, this is the name of your administrative user. If you want, you can click on a link to learn how to change this name. Personally, I believe that a strong password is a sufficient protection, and there have been no successful attacks on the numerous blogs I run since implementing these measures.

Finally, WordPress Security will notify you that the wp-admin/ directory is inaccessible. If you want, you can place a.htaccess file in that directory to control access to the wp-admin directory based on IP address or address range. You can learn how to do this by searching the Internet.

However, instead of the.htaccess controls, I recommend installing the Login LockDown plugin. After three failed login attempts, this will disable login requests from a specific IP address for one hour. If you do this, you will be able to access your admin panel even if you are not in the office, and you will be well protected from hackers.