❤ OrganicWeb

Australian Mailchimp Training Partners

You are here: Home / WordPress / 5 ESSENTIAL WordPress Security Steps

5 ESSENTIAL WordPress Security Steps

by 1 Comment

WordPress.org (self-hosted) software is very secure. The apparent WordPress security flaws often have nothing to do with the software itself but rather problems with the host, hosting setup or configuration of the software. One reads about WordPress Sites being hacked however it is usually a SQL injection or a result of incorrect folder and file permissions being set on the host.

Here are five steps that will help your WordPress powered website be even more secure

WordPress, Theme and Plugin Updates

The most simple security task is also the most important; occasionally there will be updates to core WordPress software as well as Plugins and themes. Fortunately updating to the latest version is as simple as clicking the upgrade button when it is indicated in your WordPress dashboard that updates are available. As soon as you see that an update is available the install the update!

Secure Passwords and Usernames

Don’t make it simple for people or software to guess your username or password. Since WordPress version 3.0 the ‘admin’ username is no longer default (which it always used to be the default) therefore don’t use the ‘admin’ username. Rather use your name or something else you can remember.

For passwords use a password longer than 10 characters comprising uppercase and lowercase letters as well as numbers and characters.

Remember that usernames and passwords aren’t just used to access your WordPress dashboard (i.e. example.com/wp-admin) but are also used in wp-config.php for database access, for FTP access and for access to your cPanel or hosting account.

Folder Permission Settings

Incorrect host folder and file permissions will result in access and upgrade problems if too stringent and open to hacker access if too insecure. Ensure therefore that your host file and folder permissions are as restrictive as possible whilst allowing just enough access. WordPress.org doesn’t provide definitive file and folder permissions however some guidelines may be found on the WordPress website.

SALT for WordPress Security

In wp-config there are a few lines reserved for use by SALT. It takes a few seconds to enter the necessary SALT information and makes your site more secure from attacks via cookies left on computers (the SALT data are used to further encrypt data in cookies). Go to https://api.wordpress.org/secret-key/1.1/salt/ in your browser and replace the SALT section in your wp-config with the values given in your browser. The SALT section will now look something like:

define(‘AUTH_KEY’,         ‘9Yk0y1/<K`~T-XRoTtMy7O}?qs;~W7:9pI_)~|4Kj)LD!|<#nUJQFh$ mD|R$3′);

define(‘SECURE_AUTH_KEY’,  ‘Dyq0w3!nTVm=}[geju3nvh!xxXf=.}f!+[g_ -]e4N0z#9gPh3]5ng[/vkH_4>(B’);

define(‘LOGGED_IN_KEY’,    ‘yxm=bUUt3?j“biLLl|x7]Wz|iVM.+$83^_%jWmy^~|nk+Wv+;Iu5&s=kt)(6ov!’);

define(‘NONCE_KEY’,        ‘rwO)A#HZ/[email protected],/-oMk99m n&@<[email protected]]mv}r_<=h!XgriqqR>f}spOYT|p8,’);

define(‘AUTH_SALT’,        ‘F_1{>5JX*N!F9x/7rfrJz|]-2e$m$r-/:j:jx}L$NtNQD_>2|VvW)8`)[J?VD0+2’);

define(‘SECURE_AUTH_SALT’, ‘$mWP`VoKz)yn–Y(lLfv;l}$1/Gw0X/b1m#ajX|?s^A<3xg .1Sm-YEB{3g%XF’);

define(‘LOGGED_IN_SALT’,   ‘Z)R,B?M9oulWjYNWkpWz,]w+=3OO!;:mA 7XbwH[Z;5~Ok=sLL_Z*R|!aJo(Ri’);

define(‘NONCE_SALT’,       ‘<-dE+cNHS;gOP/aCGc|f!+|ejlqf>LJ<9,o7T~HrDzwz;th.87!{}S4N+z5_Jh/q’);

MySQL Table Security

By default, WordPress installs with the MySQL tables being prefixed with ‘wp_’. As so many millions of Websites use WordPress and the significant majority use the default prefix there have been occurrences of SQL-injections by the hackers assuming the default table names. By changing the table_prefix value in wp-config.php from ‘wp_’ to anything else (e.g. ab7_) it will still be simple to identify the WordPress tables whilst reducing the chance of vulnerability to a random SQL-injection attack.

In addition to the above I thoroughly recommend using a security certificate (HTTPS) especially for any times that your username and password are entered (e.g. logging in to WordPress) and whenever any contact details and financial details are entered by visitors to your Site. Attaining and installing a SSL certificate can be complex and the ability to install a SSL certificate depends on your host.

Filed Under: WordPress Tagged With: , , , , , ,

Contact Gary now

Email: [email protected] Telephone: (+61) 04 1092 3445

Gary from OrganicWeb

What our clients have to say

Gary totally blew my mind with the possibilities available & how they can work for my business specifically."
Kim, Brisbane
Great facilitator and ensured the whole class was happy and competent at the end of the session."
Natalie, Sydney
Don't waste time looking anywhere else - contact Gary today, you won't be disappointed."
Evelyne, Sydney
He is knowledgeable and gifted on the in's and out's of Mailchimp and email campaigns. I highly recommend him! He will make your efforts count!"
Fred, Melbourne
I highly recommend anyone seeking information on how to use Mailchimp to attend one of Gary's expert workshops."
Beverley, Gold Coast
I was constantly updated by email with progress of the work, which was completed to my total satisfaction. Highly recommendable company."
Harry, London

Learn Mailchimp

Attend one of our classes and learn the tips and tricks to incredible results using Mailchimp
Learn More

Comments

  1. You could also add to the list, “use second factor authentication” instead of standard passwords.

    There is a new website authentication method shieldpass.com where you buy cheap access cards and then install the WordPress Plugin. You then place your card onto the screen to see the dynamic login numbers instead of a static password. It is unique in also being able to encode transaction digits for mutual authentication which stops attackers man in the middle tactics, even one with access into your laptop or mobile.

    Reply

Leave a Reply