This article will focus on the basic steps you should take to secure WordPress.
WordPress is the most popular Content Management System by far these days, and it’s only growing. WPVEGAS will be featuring more articles and groups set up around specific topics that, in more ways than one, help new and experienced WordPress users get more from their installations of WP. The first topic we would like to discuss is “Security”. This may mean different things to different people. So let’s get more specific.
Security is a topic that the WordPress Meetup Group will be discussing at every meetup, starting this month on February 21st, 2011, inside the Usr/Lib. If you attended the December Meetup, a few days before the Las Vegas WordCamp, you would have been able to hear one of the best security experts we know. Dre Armeda gave an interesting presentation on how to keep your passwords and user names stored in a safe location. In this post, we are going to talk more about the default installation of WordPress and setting up proper security measures.
If you have never installed WP manually on your website before, some of this might sound a bit foreign to you. That's OK, though, because we will try to explain what we are talking about in the most basic of terms. Before you can install WP you must set up a database on your hosting account for your WP installation. You then enter the database name, the database user name and password, and the database host address into the wp-config.php file, which lives in the root folder, or whichever folder WordPress is installed in (www.yoursite.com, www.yoursite.com/blog or blog.yoursite.com), after you have renamed the wp-config-sample.php file to wp-config.php. Once you have done those steps and saved the config file, you upload the entire set of WP files with an FTP client like FileZilla. One caveat here: plain FTP sends your login name and password across the network in the clear, so if your host offers SFTP (FileZilla supports it), use that instead; otherwise the credentials you are about to protect so carefully can be picked up on the way to the server.
One of the most common mistakes a new user makes when installing WordPress is being very generic or basic when naming each of the entries listed above. Names tied to the site let a potential hacker guess your information and work their way in. If you named your database “WP” or “yoursiteswpdatabase”, it's almost like leaving the keys inside your car. We have heard this argued in many different discussions, both pro and con, but for the sake of this article we are going to discuss why it is a bad practice for new WordPress users. When a name matches the site, you are giving a potential hacker the chance to guess it and get inside your installation. One of the most basic tips we could ever give is to name these things something that has meaning to yourself and only yourself. Naming your database something like “crashcourse_wpdb_2012” (don't use that name, as we have used it in this article) adds a small extra layer. It means something to you and costs a hacker more time. To be clear about what the name buys you: the database name and user are never shown to visitors, so an attacker only learns them by reading your wp-config.php or by guessing; a hard-to-guess name closes the guessing route, and a long, random database password on a database user that exists only for this site is what closes the rest. NOTE: most hackers are looking for sites that take less than a minute to get into. Slowing them down increases the chance that they guess wrong, fail, and move on to the next site. See where we are going with this?
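To make the advice above something you can check rather than eyeball, here is a small PHP script (an added example, not code from WPVEGAS or from WordPress) that reads a wp-config.php and flags the mistakes this section describes: placeholder or generic database names and users, names that contain the site's own name, a short or low-variety database password, and the default wp_ table prefix (a setting in the same file that the article does not mention, included here because it follows the same reasoning). The thresholds, the list of generic names, the file name and the sample config it audits when run with no arguments are our own.

```php
<?php
// audit-wp-config.php: added example, not WPVEGAS code or part of WordPress.
// Usage from a shell on the server:
//   php audit-wp-config.php /path/to/wp-config.php www.yoursite.com
// With no arguments it audits a constructed sample so it can be tried offline.

function audit_wp_config($config, $site_domain) {
    $findings = array();
    $settings = array();

    // Pull DB_NAME, DB_USER, DB_PASSWORD and $table_prefix out of the file text.
    foreach (array('DB_NAME', 'DB_USER', 'DB_PASSWORD') as $key) {
        $re = '/define\(\s*[\'"]' . $key . '[\'"]\s*,\s*[\'"]([^\'"]*)[\'"]\s*\)/';
        if (preg_match($re, $config, $m)) {
            $settings[$key] = $m[1];
        } else {
            $findings[] = "$key is not defined";
        }
    }
    if (preg_match('/\$table_prefix\s*=\s*[\'"]([^\'"]*)[\'"]/', $config, $m)) {
        $settings['table_prefix'] = $m[1];
    }

    // "yoursite" from www.yoursite.com: the word an attacker would try first.
    $parts = explode('.', strtolower($site_domain));
    if ($parts[0] === 'www') {
        array_shift($parts);
    }
    $site = $parts[0];
    // Names that need no guessing at all (list is our own choice).
    $generic = array('wp', 'wordpress', 'blog', 'db', 'database', 'admin', 'root', 'test', $site);

    foreach (array('DB_NAME', 'DB_USER') as $key) {
        if (!isset($settings[$key])) {
            continue;
        }
        $value = strtolower($settings[$key]);
        if ($value === '' || substr($value, -5) === '_here') {
            $findings[] = "$key is still the wp-config-sample.php placeholder";
        } elseif (in_array($value, $generic, true)) {
            $findings[] = "$key '{$settings[$key]}' is a generic name";
        } elseif ($site !== '' && strpos($value, $site) !== false) {
            $findings[] = "$key '{$settings[$key]}' contains the site name";
        }
    }

    if (isset($settings['DB_PASSWORD'])) {
        $pw = $settings['DB_PASSWORD'];
        // Count character classes present: lower, upper, digit, other.
        $classes = (int) preg_match('/[a-z]/', $pw) + (int) preg_match('/[A-Z]/', $pw)
                 + (int) preg_match('/[0-9]/', $pw) + (int) preg_match('/[^a-zA-Z0-9]/', $pw);
        if ($pw === '' || $pw === 'password_here') {
            $findings[] = 'DB_PASSWORD is empty or still the placeholder';
        } elseif (strlen($pw) < 16 || $classes < 3) {
            $findings[] = 'DB_PASSWORD is short or low-variety; use 16+ random characters';
        }
        if (isset($settings['DB_USER']) && strtolower($pw) === strtolower($settings['DB_USER'])) {
            $findings[] = 'DB_PASSWORD is the same as DB_USER';
        }
    }

    if (isset($settings['table_prefix']) && $settings['table_prefix'] === 'wp_') {
        $findings[] = "table prefix is the default 'wp_'; a unique prefix makes table names harder to guess too";
    }

    return $findings;
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[2])) {
        $config = file_get_contents($argv[1]);
        $domain = $argv[2];
        // The file holds the database password, so only the web server user should read it.
        if (fileperms($argv[1]) & 0004) {
            echo "- wp-config.php is world-readable; chmod 640 or 600 it\n";
        }
    } else {
        // Constructed sample: the "wrong way" this section warns about.
        $config = "<?php\n"
                . "define('DB_NAME', 'yoursiteswpdatabase');\n"
                . "define('DB_USER', 'wp');\n"
                . "define('DB_PASSWORD', 'yoursite');\n"
                . "define('DB_HOST', 'localhost');\n"
                . "\$table_prefix = 'wp_';\n";
        $domain = 'www.yoursite.com';
    }
    foreach (audit_wp_config($config, $domain) as $finding) {
        echo "- $finding\n";
    }
}
```

Run against the built-in sample it reports four findings (site name in DB_NAME, generic DB_USER, weak DB_PASSWORD, default prefix); a clean config prints nothing. It only reads the file, so it is safe to run on a live site, but do not leave the script in a web-accessible folder afterwards.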
The next section of this article covers the administrative credentials you use to log in to your WordPress Dashboard.
If you remember the earlier versions of WP like 2.0, you will remember that the user created during setup was named “admin”. This seemed pretty cool to anyone who was new to WP, because everyone wants to say that they are the admin or administrator of a website, even if it is their own. What many people did not appreciate until later versions of WordPress is that by keeping the user name “admin” you are again taking a security risk. Anyone who would be considered “smart enough to be dangerous” – a phrase coined by our own John Hawkins – knows that WordPress is set up through the wp-admin/install.php page and that “admin” is the name it offers by default (current versions let you type a different name on that screen, but “admin” is still what is filled in). So a hacker already knows half of your login before they start; only the password stands between them and your Dashboard. Choosing a different name is another basic step a new user should take when setting up WordPress.
Renaming your admin login to something that means something only to you is a huge step. We know this might be kind of a “no-brainer”, but our readers would be surprised to find out how many WP sites still have this going on. Just like your password, naming your “admin login” something like “KingKongLong” (again, don't use that, as we have used this name in this article for anyone to Google and read) adds another door a hacker must break through. Note that WordPress will not let you change a user name from the Dashboard: create a new user with the Administrator role under a different name, log in as that user, then delete the old “admin” account and, when asked, attribute its posts to the new user. If a hacker cannot get at your wp-config.php credentials, their next step is to visit “yoursite.com/wp-login.php” and try to get in there. We have even seen some installations of WP where the programmer of the site has modified the wp-login.php script to require a “captcha” before the login button is activated. This is smart, but time consuming for anyone who just wants to hurry up and get blogging, and because wp-login.php is a core file, every WordPress update will overwrite the change; a plugin that hooks into the login is the more durable way to do the same thing.
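A plugin is the durable way to put a gate in front of wp-login.php. Here is a minimal must-use plugin (an added example, not WPVEGAS code or part of WordPress) that, instead of the captcha mentioned above, locks an address out for an hour after five failed logins within fifteen minutes. The hook names (authenticate, wp_login_failed, wp_login) and the transients functions are WordPress core's; the limits, the file location and the function names are our own choices.

```php
<?php
/*
Plugin Name: Login throttle (added example)
Description: Locks an address out of wp-login.php after repeated failed logins.
*/
// Drop this file into wp-content/mu-plugins/ (create the folder if needed);
// WordPress loads everything in that folder automatically and updates do not
// touch it. Added example, not code from WPVEGAS or from WordPress core.

const LT_MAX_FAILURES    = 5;     // failures allowed per window (our choice)
const LT_WINDOW_SECONDS  = 900;   // 15-minute counting window
const LT_LOCKOUT_SECONDS = 3600;  // 1-hour lockout once the limit is hit

// Transient key for the calling address. Assumes WordPress is NOT behind a
// reverse proxy or CDN; if it is, REMOTE_ADDR is the proxy's address and you
// would have to read the proxy's forwarded-for header instead (and trust only
// that proxy), otherwise one lockout would block everybody.
function lt_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lt_fail_' . md5($ip);
}

// Core fires wp_login_failed for every unsuccessful login attempt.
function lt_record_failure($username) {
    $key      = lt_client_key();
    $failures = (int) get_transient($key) + 1;   // get_transient() is false when unset
    set_transient($key, $failures, LT_WINDOW_SECONDS);
    if ($failures >= LT_MAX_FAILURES) {
        set_transient($key . '_lock', time() + LT_LOCKOUT_SECONDS, LT_LOCKOUT_SECONDS);
    }
}
add_action('wp_login_failed', 'lt_record_failure');

// Refuse to authenticate while locked out. Priority 30 runs after core's own
// username/password check (priority 20): a WP_Error returned earlier would be
// discarded by core when a username and password are present, and we also
// want a bad password during the lockout to keep counting as a failure.
function lt_block_if_locked($user, $username, $password) {
    $until = (int) get_transient(lt_client_key() . '_lock');
    if ($until > time()) {
        $minutes = (int) ceil(($until - time()) / 60);
        return new WP_Error('lt_locked',
            sprintf('Too many failed logins. Try again in %d minute(s).', $minutes));
    }
    return $user;
}
add_filter('authenticate', 'lt_block_if_locked', 30, 3);

// A successful login clears the failure counter (an active lockout runs its course).
function lt_clear_failures($user_login) {
    delete_transient(lt_client_key());
}
add_action('wp_login', 'lt_clear_failures');
```

Because the check sits on the authenticate filter rather than in wp-login.php, it also applies to logins that arrive through xmlrpc.php, which core routes through the same wp_authenticate() call. The trade-off of any per-address lockout is that users sharing one public address (an office behind NAT, for example) can lock each other out, so keep the window and lockout short enough that a mistake is an annoyance rather than an outage.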
So in conclusion, the main focus of this article, the first of many to come, is to open up the mind of a “new” WP user so that they take some kind of security measures with their site.