Everyone knows that WordPress is one of the most popular platforms for which to create websites. The popularity means that just about anyone with basic skills can setup a WordPress site with little to no training. Unfortunately those who would do you harm also know this fact and actively target WordPress installations in a number of manners. Malicious individuals will attack websites for any number of reasons. Many do it to cause damage to your site, disrupts your business, steal your date or worse, just for fun.
Luckily there are some pretty simple steps that can get you started securing your WordPress site.
Securing Your WordPress Site – First Few Steps
Most people think that securing your WordPress sites starts after you install it, but believe it or not that would be incorrect. Some of the first steps can be done before you even install the WordPress blog for the first time. Let’s go over a few.
Choosing Your WordPress Login Credentials
When you first create your site you must choose at least 2 username and password combinations. These will be one set for the database connections and one for your administrative login access.
In most cases the hosting provider you are on will automatically add your accounts username to the database connections. Lets take a look at how this is done. As part of your initial setup WordPress will ask you to create a database. This will most often be done within your CPanel login are. Once
Login to your websites CPanel using the information provided to you by your web-hosting provider. Once you enter this page you will see a page selection asking for Database creation steps.
Please note that the site username is automatically added to the Database name (noted by the blacked out section.
Anything you enter into the text box will be prepended with your account username. (username is added to the beginning)
If you decide to make the database name something like this:
DB Name: Mywebsite
The Cpanel will turn it into this:
Since you cannot usually change this function, the best part would be to make the second part of the database name much harder to guess. This can be done by alternating how you create the name such as these manners:
Adding Numbers: Mywebsite102
The more randomized the naming structure is the better off you will be. This concern will also need to be applied to the Database usernames and passwords on the lower portion of the page. This way in the event someone learns what the site wide username is they will still have to take a considerable amount of time to determine the remaining portion of the database login credentials.
IMPORTANT: The database credentials will become stored in the WordPress configuration file. This file is generally kept within the public_html folder, making it potentially accessible to the public.
We will cover some options to help secure that in the new few posts.
Installing Your WordPress
Now that you have your database credentials setup it will be time to install the WordPress installation. You will enter the steps as normal with a few key exceptions.
DO NOT USE DEFAULT “ADMIN” NAME
One of the most common reason a site gets hacked or intruded upon is simply using default or easily known credentials.
Consider using different methods for naming your admin account such as this example below:
This could come out something like Admin_8_18_16_Joe. This if course is just one example. Consider different methods that fit your level of security concern.
DO NOT USE SIMPLE PASSWORDS
As with the username, simple passwords are just waitng to be broken. Things like your name, your birthday, heck even your cat’s name can often be scraped right from Facebook. So those are a definite no-no. Forget about one or two word combinations as well. You need to get a little smarter.
I recommend using a password generator that can generate random passwords for you. As this will make remembering the password harder, I suggest using a Password manager program such as KeePass.
KeePass can generate and keep your passwords handy with a couple keystrokes. KeePass also has some nice security of its own and can run on most any current platform (IOS, Android, PC) as well as being FREE.
Don’t Forget the Prefix
While the table prefix is not entirely a security concern by itself, this is a simple as changing it from the default value. It only takes 2 seconds to alter this option.
*Note: if you are using multiple WordPress sites within the same database then you must change this.
Now you are ready to get your WordPress site installed.
Next steps will be to worry about those security steps that can be done once your WordPress is up and running. Steps there will include your first WordPress security plugins along with some additional back-end steps you should take in your web-hosting Cpanel.