8 Easy Ways to Keep Your WordPress Web Site Secure

Wordpress Security

Flickr User Peregrino Will Reign

Lets face it, site security is one of the most boring subjects in web development. It’s not as sexy as site design and it’s not as geeky as feature development. It’s pretty lame. But all it takes is one site to get hacked for you to realize that it’s not something you can take for granted.  Unfortunately most security posts center around server security and if you’re on a shared hosting environment you don’t have much control over the server. Nevertheless, there are some steps you can take with your next WordPress installation to make it more secure. Before I dive in, I want to thank Terran Birrell and the members of his WordPress User Group in Rochester, New York for many of these tips.

OK, here we go.

1. Stop doing the one-click install at your host

For a brief period I was taking advantage of my host’s “one-click” install for my WordPress sites. My reasoning was simple… why go through all that manual work, when I can just have my host set up the default WordPress site for free? Then all I would have to do is add plugins, themes and content and I had a site. Sounds good, right?

Why this is bad

The problem with anything automatic is that you give up control. In the case of a one-click installation, you give up control of your database name, database user name, database password, and table structure. You also miss out on another WordPress security feature: secret keys. These are all items that should be manually configured to ensure your site is secure.

What to do instead

Keep a folder on your computer that has a pristine copy of the latest WordPress files. In the \wp-content\plugins folder, keep all your favorite plugins and when it comes time to do a new install, create the directory on your host and then FTP all those files up (don’t forget to edit wp-config.php first!) You’re going to need the FTP connection anyway – might as well set it up during the install.

2. Change your table prefixes

In wp-config.php WordPress prefaces all your tables with “WP_” by default. So for example your OPTIONS table is called WP_OPTIONS.

Why this is bad

WordPress (and most other CMS for that matter) generally have safeguards against SQL injection attacks. But it’s still not worth taking a chance. A SQL Injection attack is initiated when a hacker posts a SQL query to your site through a form, a comment, on the URL, etc. During the early days of the Internet when people had “guest books” you could easily deface them by placing an unclosed <BLINK> tag in your comment, redering the rest of the page infuriatingly unreadable. (It also gave some Japanese kids seizures.) Well, the modern day equivalent is dropping into a form a piece of SQL like this:

UPDATE wp_options
SET <evil stuff goes here>

…and watching the site become a zombie attack robot. Like I said, in most cases this will fail, but if you fall behind in WordPress updates you could be exposed.

What to do instead

Change your table prefixes to anything other that “wp_”. To do that, look through wp-config.php for these lines:

* WordPress Database Table prefix.
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
$table_prefix = 'wp_';

On that last line change ‘wp_’ to ‘PREFIX_’
Where ‘PREFIX’ is anything you want (letters, numbers and underscores only)

3. Make your DB user name unique

When you’re manually creating your database on your host it’s tempting to use the same database user for multiple databases.

Why this is bad

Duh. Access to one means access to all.

What to do instead

Create a unique user for each database. Give that user rights only to that database. Never use root.

4. Set the secret keys at the bottom of the wp-config file

WordPress allows you to set up encryption keys that keep your users’ cookies safe. It’s a good idea to use them, not just for your site but also to protect your users. As the Codex says, “You don’t have to remember the keys, just make them long, random and complicated — or better yet, use the the online generator.”

How to set the keys

In your wp-config.php file, look for these lines:

define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

Then click on this link and get the keys. You can copy the entire text on that page and paste it into the file replacing what’s already there.

5. Delete the “admin” account

At install, WordPress creates an administrator account called “admin” and then lets you create a password for it.

Why is this bad?

Access is controlled by two variables, the user name and the password. If you keep the admin account you’ve just handed over the half your credential to a would-be hacker.

How to fix it

The first thing you should do when you log in with this account is create a new administrator account with a name other than “admin” or “administrator” and give it the administrator right.

Pro tip: Oh, don’t use “webmaster” or “info” either. Those are logical next guesses. Once you’ve created the new administrator account, log in to WordPress and delete the admin account.

6. Don’t use your post author name as your login name

Just as we don’t want to log in with “admin” we don’t want to use the display name for your blog posts as your log in name. So for example if you post as “Rob” don’t have “Rob” as your login name. Instead this should be a user name that you don’t share with anyone.

7. Use a spam blocking plugin

Currently I’m using Spam Free WordPress by Todd Lahman on all my sites. It’s awesome. Zero false positives and I haven’t had to moderate a single comment about Viagra. Nonetheless, something is bound to get through eventually. And when it does I’ll begin my search anew. I don’t know what the best SPAM protection is (except maybe turning off comments altogether) but it’s worth spending the time to find one. Besides not having to deal with crap all day, by having a good SPAM blocker installed you make your site less attractive to would-be hackers.

8. Finally… keep your site up to date with the latest versions of WordPress, themes and plugins

Get in the habit of checking your sites regularly, and set aside time to do your updates.


If you have any other tips for securing your WordPress site, please feel free to add them in the comments below. Thanks!