Old 12-03-2012, 05:11 PM   #1
Mr Pheer
Securing your Wordpress Installation

Most people seem to use WordPress these days for just about any type of website. It's free, it's easy to use, and there are tons of plugins to make it do just about anything you want it to do. Its popularity also makes it a big target for hackers and spammers that want to either take your website down or inject code into it for spamming purposes.

But your website doesn't have to be an easy target for the hackers & spammers. Securing WordPress is fairly easy, if you know what to do.

Here are seven simple steps to lock down your WordPress site against the majority of exploits and SQL injection attacks.


Step 1 - Change Administrator Account Name.

Leaving "admin" as the username for the administrator account can be a security risk.

You can now change this to something different using the Admin Renamer Extended plugin.

Once you have installed and activated this plugin the standard way, click on the Settings link in the Admin Renamer Extended plugin listing on the Plugins page.

The plugin will show all administrator accounts - there should only be one listing for your WordPress installation.

1. Type in a new name for the administrator account.
2. Click the Update button.
3. You should logout and log back in with this new administrator account (the password will still be the same).



Step 2 - Update Unique Keys in your wp-config.php file.

Unique Keys make your site harder to hack and access harder to crack by adding random elements to passwords. These secret keys are stored in the WordPress settings file wp-config.php.

You can update these unique keys by installing the Update Unique Keys plugin in the standard way. The settings page for the plugin is available on the Settings menu. You just have to click the Update button.

This plugin will automatically set and update the Authentication Unique Keys in the wp-config.php file. You must log out and log back in after this update.



Step 3 - Change Administrator Account Password.

You should now change the administrator account password to something more secure.

Go to your profile by using the Users→Your Profile menu.

You can update your password at the base of this screen and click the Update Profile button to save.



Step 4 - Change WordPress Database Prefix in your database and remove the WordPress Version from your WordPress head section.

You can check the security of your WordPress installation by downloading and installing the Better WP Security plugin.

This plugin will fix many issues and you may not need all the fixes. However, you should at least consider the following:
  • Using this plugin to remove the WordPress version being displayed in the WordPress head section as this is a security risk.
  • Rename the default WordPress tables in the database from having the prefix "wp" - this is also a security risk.

Once installed, the plugin will add a Security menu item on the WordPress menu. Click on this menu item and click the link beside the "Your table prefix should not be wp_" item.

On the resulting page just click on the Change Database Table Prefix button. This will fix the database prefix issue. You will probably want to make a backup of your database before doing this, unless this is a new site that you are building.

Go back to the Security menu and click on the link beside the "Your WordPress header is showing too much information..." item.

On the resulting page, check the Remove WordPress Generator... checkbox and click the Save button at the base of the page.



Step 5 - Stop SQL Injection Attacks.

SQL injection is a hacking technique that exploits security vulnerabilities occurring in the database layer of a web site.

Install the WordPress Firewall 2 plugin to identify and stop the most obvious SQL injection hacking attempts against WordPress.

Once installed and activated, you can click on the Settings links on the WordPress Firewall 2 plugin listing.

The default settings on the Firewall Options screen should be fine, you just need to click on the Set Security Filters button.



Step 6 - Stop Comment Spam.

Comment spam is endemic on the internet. You should install a plugin to filter the spam comments from the real comments.

Antispam Bee is a free WordPress antispam plugin that comes highly recommended. Once installed and activated, you can find the Antispam Bee plugin menu under the Settings menu.

Simply click on the Save Changes button here to stop comment spam.



Step 7 - Check your permalink settings.

By default WordPress uses URLs which have question marks and numbers in them which look ugly. However WordPress offers you the ability to create a custom URL structure for your permalinks (short for "permanent link").

Go to the Settings Permalinks Screen using the Settings→Permalink menu item.

Tick the bottom option that says Custom Structure.

Make your changes and click the "Save Changes" button.

Tip: A simple and useful permalink structure is
%post_id%/%postname%/

This will provide good SEO benefits and performs well.
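An added example, not part of the original post or of any plugin it names: a small Python check that confirms Steps 2 and 4 actually took effect by reading wp-config.php and the rendered page head. The function names, the 32-character minimum and the sample inputs are assumptions made for this illustration.

```python
import re

# The eight key/salt constants WordPress reads from wp-config.php.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # shipped in wp-config-sample.php
MIN_LEN = 32  # assumption: anything shorter is treated as hand-typed and weak
# Simple patterns; escaped quotes inside a value and /* */ comments are not handled.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""")
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""", re.M)
GENERATOR_RE = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["'](WordPress[^"']*)["']""", re.I)
# Constructed sample input, not taken from any real site.
SAMPLE_CONFIG = """<?php
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'k3!constructed-sample-value-0123456789-abcdefghij');
$table_prefix = 'wp_';
"""
SAMPLE_HEAD = '<head><meta name="generator" content="WordPress 3.4.2" /></head>'


def audit_config(config_text):
    """Return findings for Step 2 (unique keys) and Step 4 (table prefix)."""
    text = re.sub(r"^\s*(?://|#).*$", "", config_text, flags=re.M)  # drop line comments
    defined = {m.group(1): m.group(3) for m in DEFINE_RE.finditer(text)}
    findings = []
    for name in KEY_NAMES:
        value = defined.get(name)
        if value is None:
            findings.append(f"{name}: not defined")
        elif value == PLACEHOLDER or len(value) < MIN_LEN:
            findings.append(f"{name}: placeholder or short value")
    seen = [v for k, v in defined.items() if k in KEY_NAMES]
    if len(seen) != len(set(seen)):
        findings.append("keys: same value reused for several constants")
    prefix = PREFIX_RE.search(text)
    if prefix and prefix.group(2) == "wp_":
        findings.append("table_prefix: still the default wp_")
    return findings


def audit_head(html):
    """Return the advertised generator string (Step 4), or None once it is removed."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG), audit_head(SAMPLE_HEAD))
```

Run it against a copy of wp-config.php and the saved HTML of the home page after applying the steps; an empty findings list and a `None` generator mean both changes are in place.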