WordPress Security – Part II


“Excellence is not a skill. It is an attitude.” - Ralph Marston.

Dear friends, this is the second part of the series of tutorials about WordPress Security. You can read the WordPress Security – Part I here.

I am planning to continue this series since there is lots of information we need to cover in respect to WordPress Security. Let’s get to the juice of this post already!

Change the name of the “admin”

A WordPress install uses “admin” as the login name of the first user by default. Keeping it is a bad idea from a security standpoint: an attacker then already knows half of the credential pair and only has to guess the password, so every brute-force attempt goes straight at your account. Change it to something long that cannot be guessed from the site itself (not your display name, your domain or your e-mail address).

There are several ways of changing the name of the “admin” account. I recommend always backing up the database and the blog files before making any changes. Also, do not forget to write down the new details (logins, passwords, and so on).

The easiest way to do this is to use plugin WPVN – Username Changer, which will let you easily change the name.

Another approach is to change the username directly in the database. Run the SQL statement below against the blog’s database (for example from phpMyAdmin). The table is called wp_users only if you still use the default wp_ prefix; adjust the table name if you have changed it.

[codesyntax lang="sql"]

-- Replace 'new_login' with the name you chose; the WHERE clause limits the change to the admin account
UPDATE wp_users SET user_login='new_login' WHERE user_login='admin';

[/codesyntax]

Put the name you chose in place of “new_login”. The WHERE clause matters: without it the statement would rename every account in the table. Note that user_login is only the name you type into the login form. The public author slug comes from user_nicename, which WordPress filled in from the original username, so the old name still shows up in author archive URLs (and is returned for a request like /?author=1) until you change user_nicename and display_name as well.

Use Login LockDown plugin

This wonderful plugin records every failed login attempt to the admin area of your blog, together with the source IP address and the time it happened. On top of that, it blocks an IP after three failed attempts within five minutes (both numbers are configurable). Bear in mind that an IP block only slows down a single machine: an attacker who spreads attempts over many addresses is not stopped by it, and a block can lock out colleagues sitting behind the same office NAT. Download Login LockDown plugin here.
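The same failed-login accounting can be done from the web server’s access log, which is useful on a host where you cannot install plugins or when you want a record that lives outside WordPress. The script below is an added example, not code from the original post or from the Login LockDown plugin. It assumes the Apache combined log format and the WordPress behaviour that a failed POST to /wp-login.php is answered with status 200 (the form is re-rendered) while a successful login is answered with a 302 redirect. Unlike the plugin it counts failures over the whole file rather than within a five-minute window. The sample log lines are constructed for the demo and were not captured from a real server.

```shell
#!/bin/sh
# Added example: list IP addresses with at least THRESHOLD failed WordPress
# logins in an Apache combined-format access log.
# Assumptions: failed login = POST /wp-login.php answered with 200,
#              successful login = POST /wp-login.php answered with 302.
#   failed_login_ips LOGFILE [THRESHOLD]   -> "count ip" per offender, worst first
failed_login_ips() {
  logfile=$1
  threshold=${2:-3}
  awk -v thr="$threshold" '
    # $1 client IP, $6 "METHOD, $7 request path, $9 HTTP status code
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
  ' "$logfile" | sort -rn
}

# Demo on a constructed sample log (not from a real server): 203.0.113.7 keeps
# failing, 198.51.100.20 fails once and then logs in (302); GET requests for the
# form and the redirect_to query string must not confuse the count.
#   demo_failed_logins [THRESHOLD]
demo_failed_logins() {
  want=${1:-3}
  log=$(mktemp) || return 1
  cat > "$log" <<'EOF'
203.0.113.7 - - [12/Jun/2010:08:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2010:08:01:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2010:08:02:40 +0000] "GET /wp-login.php HTTP/1.1" 200 3801 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2010:08:02:58 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Jun/2010:08:03:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2010:08:03:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3945 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2010:08:03:22 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3945 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2010:08:03:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3801 "-" "Mozilla/5.0"
EOF
  failed_login_ips "$log" "$want"
  rm -f "$log"
}

# Usage against a real log, e.g.:  failed_login_ips /var/log/apache2/access.log 3
demo_failed_logins 3
```

With the plugin’s default threshold of three the demo reports only 203.0.113.7 (four failures); lowering the threshold to one also lists 198.51.100.20, whose single failure is the kind of noise a real user produces before logging in.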

Block access to the “wp-admin” folder

The .htaccess rules below limit who can reach the admin area by source IP address, so an attacker who is not on your list never even gets to submit a password. Two details matter. First, the login form is /wp-login.php in the site root, not inside the wp-admin folder, so a rule placed only in wp-admin/.htaccess leaves the login page fully reachable; you need a matching Files stanza for wp-login.php in the root .htaccess as well. Second, wp-admin/admin-ajax.php is requested by many themes and plugins on behalf of ordinary visitors, so it has to stay open or parts of the public site will break. The directives use the Apache 2.2 syntax; on Apache 2.4 they only keep working while mod_access_compat is loaded, and the native replacement for the order/deny/allow lines is one “Require ip” line per address.

Here is the .htaccess code:

[codesyntax lang="text"]

# Part 1, in the site root .htaccess: the login form is /wp-login.php, outside wp-admin/
<Files wp-login.php>
order deny,allow
deny from all
# below access allowed from your home computer IP
allow from xx.xxx.xxx.xx
# below access allowed from your work computer IPs
allow from xx.xxx.xxx.xx
allow from xx.xxx.xxx.xx
# below access allowed from temporary traveling computer IP
allow from 128.163.2.27
</Files>

# Part 2, in wp-admin/.htaccess: the same list for the dashboard itself
order deny,allow
deny from all
allow from xx.xxx.xxx.xx
allow from xx.xxx.xxx.xx
allow from xx.xxx.xxx.xx
allow from 128.163.2.27
# admin-ajax.php also serves logged-out visitors (themes and plugins call it); keep it open
<Files admin-ajax.php>
order allow,deny
allow from all
</Files>

[/codesyntax]

This way only the IP addresses you list get in; everyone else receives a 403 Forbidden response. If your home connection has a dynamic IP you will have to update the list whenever it changes, or fall back to the plugin approach above.

Use WP Security Scan plugin

WP Security Scan is a great WordPress plugin that scans your blog and lists possible security holes. When the scan has finished, the plugin shows the changes it recommends to raise your WordPress security. You can download the WP Security Scan plugin here.

Change database prefix

By default every table in a WordPress database starts with the “wp_” prefix. Changing the prefix does not fix an injection bug in a plugin or theme, but a lot of automated SQL-injection tooling and canned payloads hard-code table names such as wp_users and wp_options, and those fail against a renamed schema. Think of it as a cheap speed bump against untargeted attacks, not as a cure.

There are several approaches to change the database names prefix. The easiest way is to use WP Security Scan, which has this function.

After activating the WP Security Scan plugin, your admin area gets a new option called “Security”. When you click on it you will see several messages about the level of security in your blog, among them a warning that says: “Your blog name has wp_ prefix. Click here to change“.

I recommend making the prefix hard to guess, mixing numbers with letters if possible. Whichever way you do it, a prefix change means every table is renamed, $table_prefix in wp-config.php is updated, and the wp_user_roles option plus the wp_capabilities and wp_user_level user meta keys are renamed with it; miss one of those and nobody can log in afterwards. The plugin handles all of them, but write down the new prefix and keep your backup handy, just in case.

Access Rights to Files and folders

In order to increase WordPress security, I recommend setting the access rights (chmod) of your folders to 755 and of all files to 644. The exceptions are the “cache” and “uploads” folders, which the web server must be able to write to; if your host runs PHP as a different user from your FTP account, the quick fix is 777. Be aware that 777 means world-writable: on shared hosting every other customer’s code can then drop files into your uploads folder, so try 755 with the web-server user as owner first and use 777 only if uploads actually fail. This is important: your .htaccess file should have 444 rights if your hosting service lets you do it (set it back to 644 briefly when you change permalink settings, because WordPress needs to rewrite the file then). Theme files are often given 666 so that the built-in theme editor in the dashboard can save them, but world-writable PHP is the easiest place for an intruder to plant a backdoor; keep them at 644 and disable the editor with the DISALLOW_FILE_EDIT setting in wp-config.php instead. Different hosting services set different access rights by default, so I strongly recommend checking yours.

Again, for convenience I recommend using WP Security Scan, which will scan your blog and suggest which access rights to which directories and folders need to be set.

If you are not familiar with how to change access rights to directories and files, let’s talk about it. Connect to your hosting service with your FTP client, right-click any folder or file and choose “Properties” in the menu (some clients call it “File permissions” or “CHMOD”). You will see a three-digit number, which you change according to the settings we discussed above. If you have shell access, chmod and find do the same job for a whole tree in one command.
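For anyone with shell access, here is the permission scheme from this section applied with find and chmod, followed by a check that reports anything that drifted. This is an added example, not a script from the original post or from the WP Security Scan plugin. It assumes a POSIX shell with GNU or BSD find and that DOCROOT is the WordPress root. Directories get 755, files 644 and the root .htaccess 444; wp-content/uploads and wp-content/cache get WRITABLE_MODE, which defaults to 755 and is only worth raising to 777 as the last resort discussed above. Theme files are deliberately left at 644 rather than 666. The demo builds a throw-away directory tree with the folder names used in the post; it is constructed for the example and is not a real site.

```shell
#!/bin/sh
# Added example: apply and verify the WordPress permission scheme.
#   harden_wp_perms DOCROOT [WRITABLE_MODE]
#   check_wp_perms  DOCROOT [WRITABLE_MODE]   -> returns 1 and lists offenders on stderr
# WRITABLE_MODE (default 755) applies to wp-content/uploads and wp-content/cache only.
harden_wp_perms() {
  docroot=$1
  writable_mode=${2:-755}
  [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 1; }
  find "$docroot" -type d -exec chmod 755 {} +          # every directory
  find "$docroot" -type f -exec chmod 644 {} +          # every file, theme files included
  for d in "$docroot/wp-content/uploads" "$docroot/wp-content/cache"; do
    [ -d "$d" ] && find "$d" -type d -exec chmod "$writable_mode" {} +
  done
  [ -f "$docroot/.htaccess" ] && chmod 444 "$docroot/.htaccess"   # root .htaccess read-only
  return 0
}

# Report every path that deviates from the scheme; exact-mode matching, so a
# stray setuid/setgid bit is reported as well.
check_wp_perms() {
  docroot=$1
  writable_mode=${2:-755}
  bad=$(
    find "$docroot" -type d ! -perm "$writable_mode" \
      \( -path "$docroot/wp-content/uploads*" -o -path "$docroot/wp-content/cache*" \)
    find "$docroot" -type d ! -perm 755 \
      ! -path "$docroot/wp-content/uploads*" ! -path "$docroot/wp-content/cache*"
    find "$docroot" -type f ! -perm 644 ! -path "$docroot/.htaccess"
    find "$docroot" -maxdepth 1 -name .htaccess -type f ! -perm 444
  )
  [ -z "$bad" ] && return 0
  printf 'wrong permissions:\n%s\n' "$bad" >&2
  return 1
}

# Demo on a constructed throw-away tree (not a real site). Returns 0 when the
# hardened tree passes the check.
demo_wp_perms() {
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/wp-admin" "$tmp/wp-content/uploads/2010" \
           "$tmp/wp-content/cache" "$tmp/wp-content/themes/twentyten"
  printf '<?php\n' > "$tmp/wp-content/themes/twentyten/functions.php"
  printf 'RewriteEngine On\n' > "$tmp/.htaccess"
  # the kind of loose defaults a host or a careless FTP upload leaves behind
  chmod 777 "$tmp/wp-admin" "$tmp/wp-content/themes/twentyten/functions.php"
  harden_wp_perms "$tmp" 755 && check_wp_perms "$tmp" 755
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Usage on a real install:  harden_wp_perms /var/www/blog && check_wp_perms /var/www/blog
demo_wp_perms && echo "permission scheme applied and verified"
```

Run check_wp_perms from cron or after every plugin update; a theme file that suddenly reports 666 or 777 is worth a look, because that is exactly the change an intruder makes before writing to it.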

Have a Great Day and Good Luck with WordPress Security!

Beck @ ProfitSEO.com
