Improving your WordPress security is one of the most important things you can do as a blogger. If you’ve been following this guide from the start, you should already have installed and activated a WordPress security plugin. If you haven’t, go ahead and do it now.
That plugin, Wordfence, is free for the basic version and invaluable for improving your WordPress security. This post will explain some of the features of Wordfence and describe how to optimize the settings.
Of course, you shouldn’t rely solely on a plugin for your WordPress security. There are many other steps you can take to increase the security of your blog.
This post is part of the Blog Cogs Start Blogging With WordPress Today tutorial.
- Start Blogging Today with This WordPress Tutorial
- Choosing the Right Domain Name for Your Blog
- Registering for a Bluehost Web Hosting Account
- How to Install WordPress on Your Domain
- Optimizing the WordPress Settings
- Installing WordPress Plugins
- Install These WordPress Plugins Now!
- Choosing and Installing a WordPress Theme
- SEO Optimize Your WordPress Blog Posts
- Improving Your WordPress Blog Security
Top Tips for Improving WordPress Security
Keep Your Username Hidden
To log in to your dashboard as you, an attacker needs two things: your username and your password. Finding someone’s username is often trivial, because WordPress builds the author archive URL from the author slug, and by default the author slug is the username. Try this trick: go to a blog you read regularly and pick a random post. Find the author byline (the bit where it tells you who wrote the post) and hover your mouse over the name. With your pointer hovering over the name, look at the status bar at the bottom of the window (browser depending). It probably says something like www.blogname.com/author/admin/. This tells you that ‘admin’ is that author’s username. A potential hacker now has fifty percent of the information they need to hack that site. Now, try hovering over my name at the top of this post. You should see www.blogcogs.com/author/david-borrowdale/ in the status bar. Here’s a secret: david-borrowdale is not my username.
I wouldn’t be so naïve as to pick something as obvious as that as my username. So how did I hide my username? I used a neat little plugin, Edit Author Slug, which changes the slug in the author URL without changing the username itself.
Before the plugin is useful, though, you need to complete your user profile. Go to Users > Your Profile and complete your first name, last name and nickname, and select how you want your name to appear publicly. A different public name on its own will not hide your username: whatever you select as your public name, the author URL will still contain your username until you activate the plugin and set a different slug.
Prior to WordPress version 3.0, the default WordPress installation came with an administrator account with ‘admin’ as the username. Hackers are smart cookies, so they will always try that first. Why not beat them at their own game by setting a hard-to-guess username, using Edit Author Slug to make the author URL say ‘admin’, and then using Wordfence to automatically block people who enter an incorrect username three times?
Of course, your best defense against hackers is a strong password, but why give them a helping hand by giving them your username? Two caveats: current versions of WordPress also accept your account’s email address in place of the username on the login form, so keep that private too, and the slug is only one place the username can leak, so change it before you start publishing rather than after.
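The “hover over the byline” check above, scripted so you can run it against a saved copy of your own pages. This is an added example for this post, not code from WordPress, Wordfence or Edit Author Slug. It goes one step beyond the text: besides byline links, it also reads the redirect WordPress sends for /?author=1 (which lands on /author/<slug>/), since that is the other common way the slug is read off a site. The HTML, the redirect header and the username dvb_9f2 are constructed here so the script runs offline.

```python
"""Find every author slug a WordPress page exposes and compare it with your username.

Added example; not code from WordPress, Wordfence or Edit Author Slug.
SAMPLE_HTML, SAMPLE_REDIRECT and the username used below are constructed inputs.
"""
import re
from typing import Dict, Optional, Set
from urllib.parse import urlparse

# Author archive links look like /author/<slug>/ (optionally paginated). The slug is
# user_nicename, which WordPress sets to the username unless you change it.
AUTHOR_LINK = re.compile(r"""href=["']([^"']*?/author/([^/"']+)(?:/[^"']*)?)["']""", re.I)

# Constructed page with two bylines: one site still using 'admin', one with a changed slug.
SAMPLE_HTML = """
<p class="byline">By <a href="https://www.blogname.com/author/admin/">Site Owner</a></p>
<p class="byline">By <a href="https://www.blogcogs.com/author/david-borrowdale/">David Borrowdale</a></p>
"""
# Constructed Location header, as returned for https://www.blogname.com/?author=1
SAMPLE_REDIRECT = "https://www.blogname.com/author/admin/"


def extract_author_slugs(html: str) -> Set[str]:
    """The hover-over-the-byline check: every author slug linked from a page."""
    return {slug for _url, slug in AUTHOR_LINK.findall(html)}


def slug_from_redirect(location_header: Optional[str]) -> Optional[str]:
    """WordPress answers /?author=N with a redirect to /author/<slug>/; pull the slug out."""
    if not location_header:
        return None
    match = re.search(r"/author/([^/?#]+)", urlparse(location_header).path)
    return match.group(1) if match else None


def username_exposed(username: str, html: str, redirect_location: Optional[str] = None) -> Dict[str, object]:
    """Report every slug found and whether the login username is among them (case-insensitive)."""
    slugs = extract_author_slugs(html)
    via_redirect = slug_from_redirect(redirect_location)
    if via_redirect:
        slugs.add(via_redirect)
    exposed = username.lower() in {s.lower() for s in slugs}
    return {"slugs_found": sorted(slugs), "username_exposed": exposed}


if __name__ == "__main__":
    # 'admin' is leaked by both the byline and the redirect; 'dvb_9f2' (hypothetical) is not.
    print(username_exposed("admin", SAMPLE_HTML, SAMPLE_REDIRECT))
    print(username_exposed("dvb_9f2", SAMPLE_HTML, SAMPLE_REDIRECT))
```

Both the byline link and the ?author=N redirect are built from user_nicename, so once Edit Author Slug has changed the slug, neither check will show the real username any more.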
Changing Your Username
So, you’ve just realized your username is not secure. What do you do? Well, according to the WordPress dashboard, “Usernames cannot be changed”.
Well, that’s not strictly true. Here are three ways you can do it (back up your site first; see how below):
Change Your Username Using a Plugin
There are a few plugins that will allow you to change your username quickly and easily.
Once you’ve installed and activated one (the steps here are for the plugin that adds a Username Changer item to the Users menu), go to Users > Username Changer. Select the username you want to change, enter the new username, and then save changes. Once you’ve changed the username, log out, log back in with the new username to confirm it works, and then delete the plugin.
Create a New Administrator Account
As you are already an administrator of your own blog, you have the authority to create new administrator accounts. Go to Users > Add New and create a new account with a hard-to-guess username (i.e. not ‘admin’, your blog’s name, or your own name).
After you’ve created the new administrator account, log out of your current account and log in with the new one to confirm it works. Then delete the old administrator account; when WordPress asks what to do with the content owned by that user, choose to attribute all of it to the new administrator account rather than delete it.
Change Your Username Using phpMyAdmin
This is an advanced method that requires editing your database directly, which I would not usually recommend. However, sometimes needs must.
- Log in to your web hosting account.
- Go to your cPanel, scroll down to the Databases section, and click phpMyAdmin.
- Locate the correct database in the left pane. You may only have one database, which will make this simple.
- In the right pane, scroll down until you find the users table. It is called wp_users unless your installation uses a different table prefix, in which case it ends in _users. Click Browse.
- Click the pencil/edit icon next to the row for the username you want to change.
- Delete the old username from the user_login field, enter the new one, and click Go. Note that the author slug (user_nicename) and display name are stored in the same row and are not changed by this step, so either edit user_nicename here as well or use Edit Author Slug afterwards; otherwise the old username will still appear in your author URL.
Use Secure Passwords
In this digital age, we all have so many passwords that it’s difficult to keep track of them all. This often leads people to use the same password for everything or to use very simple passwords that are easy to guess. Both of these are bad! There are two rules for good password security:
- Use a unique password for every account you have.
- Use a strong password for every account you have.
What makes a strong password? Strong passwords:
- Are at least 12 characters long (8 used to be the accepted minimum, but length is the single biggest factor in how long a password takes to crack, so treat 8 as a floor, not a target)
- Contain upper and lowercase letters
- Contain numbers
- Contain symbols such as $ % & ? etc.
- Are not built around a real word, a name, or a keyboard pattern, even with a digit or symbol tacked on the end (Password1! ticks every box above and is still one of the first guesses any cracking tool makes)
Of course, a large number of complex passwords are difficult to remember and that’s when people start reusing passwords, using simple passwords, or committing another security faux pas, writing them down in a notebook and leaving it next to their workstation.
Use a Password Manager
Password managers are applications that store your passwords, and other sensitive information such as passphrases, PINs, and security questions. The data is stored in an encrypted format and can only be accessed with a single strong master password that you enter when you want to access your other passwords. This means that you can use a unique, strong password (or use the password generator that comes with most password managers) on every account you own, but only need to remember one master password.
Here are a few for you to consider:
It has a very slick interface, is very easy to use, can automatically change the passwords for 500 of the most popular websites, integrates into your browser toolbar and automatically captures and recalls login details when you visit sites without having to open the interface every time.
Always Update WordPress, Plugins, and Themes
This one’s a no-brainer. Whenever an update is released for WordPress, your plugins, or your theme, install it as soon as possible; most successful attacks on WordPress sites go through known holes in out-of-date plugins and themes. It’s always a good idea to back up your database and files before installing an update, and to check the site still works afterwards. Which leads us nicely on to . . .
Backup Your Database and Files
Your site has two components: your database and your files. Your database contains every post, comment, link, and setting you have on your blog. Your files contain your media, attachments, theme, plugins, and wp-config.php, which holds your database credentials. If your database or files get erased or corrupted, you stand to lose everything you have written. There are many reasons this could happen and not all of them are under your control. With regular backups of both, kept somewhere other than the web server itself, you can quickly restore things back to normal. Here are a couple of options for backing up your database and files:
Backup Your Database and Files from cPanel
Most web hosts provide easy backup options in your cPanel. The steps below are from Bluehost, but SiteGround and HostGator have very similar options.
After logging in, go to your cPanel, scroll down to the Files section, and select the Backups function.
Select whether you want to back up your files or your database.
Place a tick next to the files or database you want to back up and click download zip. Keep the downloaded archive somewhere safe: the files backup includes wp-config.php and therefore your database password.
Backup Your Database with phpMyAdmin
This option is a little more involved, but it gives you more control than the cPanel method. Follow the steps below:
- Log in to your web hosting account.
- Go to your cPanel and scroll to the Databases section. Click on phpMyAdmin.
- Select the database you want to back up. I have multiple WordPress installs so have multiple databases.
- With the correct database selected in the left pane, the tables will be shown in the right pane. Click Export.
- There are a couple of extra settings you need to change from the quick settings, so select Custom to display more options.
- Check that all tables are selected, select Save output to a file, and set Compression to zipped. You don’t need to worry about any other settings. Scroll to the bottom, click Go, and the database backup will be downloaded.
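The cPanel and phpMyAdmin steps above are manual; the same backup can be scripted and run from cron on hosts that give you shell access. This is an added example for this post and is not Bluehost’s, cPanel’s or phpMyAdmin’s backup tool. It assumes a standard layout with wp-config.php in the site root (it reads DB_NAME, DB_USER, DB_PASSWORD and DB_HOST from there) and the mysqldump client on PATH; SAMPLE_WP_CONFIG and the demo site it builds are constructed, and the credentials in it are made up. Two details matter for security: the database password is passed to mysqldump through the MYSQL_PWD environment variable rather than on the command line, where other users on a shared host could read it from the process list, and the dump is checked for mysqldump’s closing "Dump completed" line so a truncated file is not mistaken for a backup.

```python
"""Scripted backup of a WordPress database and files.

Added example for this post; not Bluehost's, cPanel's or phpMyAdmin's tool.
Assumes wp-config.php in the site root and mysqldump on PATH. The files archive
includes wp-config.php (your database password), so store backups off the web root.
"""
import os
import re
import shutil
import subprocess
import tarfile
import tempfile
import time
from typing import Dict, List, Optional

DEFINE = re.compile(r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

# Constructed stand-in for a real wp-config.php; the credentials are made up.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'blog_db' );
define( 'DB_USER', 'blog_user' );
define( 'DB_PASSWORD', 'correct horse battery staple' );
define( 'DB_HOST', 'localhost:3307' );
"""


def parse_wp_config(text: str) -> Dict[str, str]:
    """Read the database settings so the dump uses the same credentials WordPress does."""
    creds = dict(DEFINE.findall(text))
    missing = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"} - creds.keys()
    if missing:
        raise ValueError(f"wp-config.php is missing {sorted(missing)}")
    return creds


def mysqldump_command(creds: Dict[str, str], out_file: str) -> List[str]:
    """Build the mysqldump argv; the password deliberately stays out of it (see dump_database)."""
    host, _, extra = creds["DB_HOST"].partition(":")
    cmd = ["mysqldump", "--single-transaction", "--add-drop-table",
           "-h", host or "localhost", "-u", creds["DB_USER"]]
    if extra.isdigit():
        cmd += ["-P", extra]            # DB_HOST was host:port
    elif extra:
        cmd += ["--socket", extra]      # DB_HOST was host:/path/to/mysql.sock
    cmd += ["--result-file=" + out_file, creds["DB_NAME"]]
    return cmd


def dump_database(creds: Dict[str, str], out_file: str) -> bool:
    """Run mysqldump and confirm the dump is complete; False means no usable dump exists."""
    if shutil.which("mysqldump") is None:
        return False
    env = dict(os.environ, MYSQL_PWD=creds["DB_PASSWORD"])  # not on the command line
    try:
        subprocess.run(mysqldump_command(creds, out_file), env=env, check=True,
                       capture_output=True, timeout=600)
    except (subprocess.CalledProcessError, subprocess.TimeoutExpired, OSError):
        return False
    # mysqldump writes "-- Dump completed on ..." as its last line; a truncated file lacks it.
    with open(out_file, "rb") as f:
        f.seek(max(0, os.path.getsize(out_file) - 256))
        return b"Dump completed" in f.read()


def backup_files(wp_root: str, archive_path: str, extra: Optional[List[str]] = None) -> List[str]:
    """Archive wp-content (themes, plugins, uploads), wp-config.php and .htaccess if present."""
    wanted = ["wp-content", "wp-config.php", ".htaccess"] + (extra or [])
    added = []
    with tarfile.open(archive_path, "w:gz") as tar:
        for name in wanted:
            path = os.path.join(wp_root, name)
            if os.path.exists(path):
                tar.add(path, arcname=name)
                added.append(name)
    return added


def archive_members(archive_path: str) -> List[str]:
    """List what actually went into the archive; check this rather than trusting the size."""
    with tarfile.open(archive_path, "r:gz") as tar:
        return [m.name for m in tar.getmembers()]


def backup_site(wp_root: str, out_dir: str, with_database: bool = True) -> Dict[str, object]:
    """Back up files and (optionally) the database into timestamped files under out_dir."""
    stamp = time.strftime("%Y%m%d-%H%M%S")
    os.makedirs(out_dir, exist_ok=True)
    with open(os.path.join(wp_root, "wp-config.php"), encoding="utf-8") as f:
        creds = parse_wp_config(f.read())
    files_archive = os.path.join(out_dir, f"files-{stamp}.tar.gz")
    backup_files(wp_root, files_archive)
    db_file = None
    if with_database:
        candidate = os.path.join(out_dir, f"db-{creds['DB_NAME']}-{stamp}.sql")
        db_file = candidate if dump_database(creds, candidate) else None
    return {"files": files_archive, "database": db_file}


def demo() -> Dict[str, object]:
    """Build a throwaway site from SAMPLE_WP_CONFIG and back up its files (no live database here)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_WP_CONFIG)
    with open(os.path.join(root, "wp-content", "uploads", "photo.txt"), "w") as f:
        f.write("stand-in for an uploaded image\n")
    result = backup_site(root, os.path.join(root, "backups"), with_database=False)
    result["members"] = archive_members(result["files"])
    return result


if __name__ == "__main__":
    print(demo())
```

Run backup_site() against the real site root from cron, then copy the two output files off the server; a backup that only exists on the host it protects disappears along with it.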
Backing up your database and files is a large topic. You can find more about setting up automatic backups in the post, Backing Up Your WordPress Database and Files.
Choose a Reliable Web Host
Here’s another one that’s simple to action: choose a reliable web hosting service. You entrust your files and databases to your web host, so you want to know they are taking good care of them and that they themselves have good security practices. Avoiding free and budget web hosting is advisable if you don’t want your web host cutting corners with security.
Bluehost has an excellent reputation for security and their automatic backup service is convenient and easy to use (as I found out the hard way when I accidentally overwrote my site with a fresh WordPress install before I had started backing it up myself!)
Next: Get Blogging!
You’ve come to the end of this ten-step guide to starting a blog with WordPress. If you’ve followed the steps, you should have a beautiful, optimized, secure blog ready to be filled with amazing content. There are loads more posts to explore on Blog Cogs. You can find advice on Blogging, Life Hacks, Marketing, Monetization, Product Reviews, SEO, Social Media, Web Hosting, and WordPress. Take a look around and sign up to our mailing list to receive regular updates on turning your blog into a money-making machine! If you’ve got a question, feel free to drop me a line via the contact page.