5 ESSENTIAL WordPress Security Steps

April 6, 2011 by Gary 1 Comment

The WordPress.org (self-hosted) software is secure when it is kept up to date. Most of the "WordPress security flaws" you read about have nothing to do with the core software itself; they come from the host, the hosting setup or the way the software has been configured. When a WordPress site is hacked the cause is usually a SQL injection in an out-of-date plugin or theme, weak credentials, or incorrect folder and file permissions on the host.

Here are five steps that will make your WordPress-powered website more secure.

WordPress, Theme and Plugin Updates

The simplest security task is also the most important. From time to time there will be updates to the core WordPress software as well as to plugins and themes, and many of these updates fix security bugs that attackers start scanning for as soon as the fix is public. Fortunately updating to the latest version is as simple as clicking the update button when your WordPress dashboard indicates that updates are available. As soon as you see that an update is available, install it. Plugins and themes you no longer use should be deleted, not just deactivated, because their files can still be reached and exploited.

Secure Passwords and Usernames

Don't make it simple for people or software to guess your username or password. Before WordPress 3.0 the first user was always called 'admin', so that is the first username any brute-force tool tries. Since version 3.0 you choose the administrator's username during installation, so don't use 'admin'. Use your name or something else you can remember instead. If an existing site still has an 'admin' account, create a new administrator account with a different name, log in as that user, and delete 'admin' (WordPress will offer to reassign its posts to the new user).

For passwords use a password longer than 10 characters comprising uppercase and lowercase letters as well as numbers and symbols, and use a different password for every site and service. A password manager makes long, unique passwords practical.

Remember that usernames and passwords aren't just used to access your WordPress dashboard (i.e. example.com/wp-admin). Separate credentials are also stored in wp-config.php for database access, and used for FTP access and for access to your cPanel or hosting account. Each of these should be a distinct, strong password: the database password in wp-config.php in particular should be used for nothing else, and the database user should only have rights on the WordPress database.

Folder Permission Settings

Incorrect host folder and file permissions cause access and upgrade problems if they are too stringent, and leave the site open to attackers if they are too loose. Make your host file and folder permissions as restrictive as possible while still allowing just enough access for WordPress to run. WordPress.org does not mandate a single set of permissions, because the right values depend on which user the web server runs as and who owns the files, but its documentation gives a commonly used baseline: directories 755, files 644, and wp-config.php (which holds the database password) readable only by the owner and the web-server group. Nothing under the web root should be world-writable (777), however tempting that is as a quick fix for an upload or update error.
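The following script is an added example, not part of the original post or of WordPress itself. It applies the 755/644 baseline to a WordPress directory tree, tightens wp-config.php to 640, and then audits the tree for anything still writable by "other". The assumption is that you run it as the user who owns the files, and that wp-content/uploads is made writable for the web-server user through group ownership rather than world-write bits.

```shell
#!/bin/sh
# Added example (not from the original post): normalise WordPress file and
# directory permissions to the baseline the WordPress documentation
# recommends (directories 755, files 644), lock down wp-config.php (640,
# readable only by the owner and the web-server group), and report anything
# still writable by "other". Assumes it is run by the user who owns the
# files. Uploads should be writable by the web server via group ownership,
# never via world-write bits.

# wp_fix_perms DIR: apply the baseline permissions under DIR.
wp_fix_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # Directories: owner rwx, group r-x, other r-x.
    find "$dir" -type d -exec chmod 755 {} +
    # Regular files: owner rw-, group r--, other r--.
    find "$dir" -type f -exec chmod 644 {} +
    # wp-config.php holds the DB password and the keys/salts: no "other" access.
    if [ -f "$dir/wp-config.php" ]; then
        chmod 640 "$dir/wp-config.php"
    fi
}

# wp_world_writable DIR: print every file or directory under DIR that is
# world-writable (octal mode bit 002). A clean install prints nothing.
wp_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \)
}

# wp_count_world_writable DIR: number of world-writable paths, for scripting.
wp_count_world_writable() {
    wp_world_writable "$1" | wc -l | tr -d ' '
}

# Usage: wp_fix_perms /var/www/example.com && wp_world_writable /var/www/example.com
```

Run the audit function on its own first; if it lists files you did not expect, find out which process needed them writable before changing anything, because the answer is usually "nothing".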

SALT for WordPress Security

In wp-config.php there are eight lines reserved for the authentication keys and salts. It takes a few seconds to fill them in and it makes your site more resistant to attacks using the login cookies left on visitors' computers. WordPress does not encrypt these cookies; it signs them with a hash (an HMAC) that mixes in these keys and salts, so that a cookie which has been tampered with or forged is rejected. If the placeholders are left in place, or the values are guessable, someone who has obtained a user's hashed password from the database can construct a valid login cookie for that user. Go to https://api.wordpress.org/secret-key/1.1/salt/ in your browser and replace the key and salt section of your wp-config.php with the values shown; each visit produces new random values. Note that changing these values invalidates every existing login cookie, so all users (including you) will have to log in again. The section will then look something like:

define('AUTH_KEY',         '9Yk0y1/<K`~T-XRoTtMy7O}?qs;~W7:9pI_)~|4Kj)LD!|<#nUJQFh$ mD|R$3');
define('SECURE_AUTH_KEY',  'Dyq0w3!nTVm=}[geju3nvh!xxXf=.}f!+[g_ -]e4N0z#9gPh3]5ng[/vkH_4>(B');
define('LOGGED_IN_KEY',    'yxm=bUUt3?j“biLLl|x7]Wz|iVM.+$83^_%jWmy^~|nk+Wv+;Iu5&s=kt)(6ov!');
define('NONCE_KEY',        'rwO)A#HZ/[email protected],/-oMk99m n&@<[email protected]]mv}r_<=h!XgriqqR>f}spOYT|p8,');
define('AUTH_SALT',        'F_1{>5JX*N!F9x/7rfrJz|]-2e$m$r-/:j:jx}L$NtNQD_>2|VvW)8`)[J?VD0+2');
define('SECURE_AUTH_SALT', '$mWP`VoKz)yn–Y(lLfv;l}$1/Gw0X/b1m#ajX|?s^A<3xg .1Sm-YEB{3g%XF');
define('LOGGED_IN_SALT',   'Z)R,B?M9oulWjYNWkpWz,]w+=3OO!;:mA 7XbwH[Z;5~Ok=sLL_Z*R|!aJo(Ri');
define('NONCE_SALT',       '<-dE+cNHS;gOP/aCGc|f!+|ejlqf>LJ<9,o7T~HrDzwz;th.87!{}S4N+z5_Jh/q');
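If you would rather not paste values from a web page into a server configuration file, the keys and salts can be generated locally and written into wp-config.php directly. The script below is an added example, not part of the original post or of WordPress; it assumes a standard wp-config.php in which the eight constants already exist (either as the "put your unique phrase here" placeholders or as old values) and replaces each one with 64 random alphanumeric characters drawn from /dev/urandom.

```shell
#!/bin/sh
# Added example (not from the original post): generate the eight WordPress
# keys and salts locally and write them into a wp-config.php, replacing the
# "put your unique phrase here" placeholders or any previous values. This
# is an offline alternative to https://api.wordpress.org/secret-key/1.1/salt/.
# Values are restricted to A-Za-z0-9 so they drop into PHP single-quoted
# strings without escaping; 64 such characters is roughly 381 bits of
# entropy, far more than the HMAC needs.
# Rotating these constants invalidates every existing login cookie, so all
# users are logged out. That is also the quickest way to kill stolen
# sessions after an incident.

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# wp_random_key: print one 64-character alphanumeric key (no newline).
wp_random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64
}

# wp_print_salts: print the eight define() lines in WordPress' format,
# for pasting by hand.
wp_print_salts() {
    for name in $WP_SALT_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(wp_random_key)"
    done
}

# wp_apply_salts FILE: replace every existing define() for the eight
# constants in FILE with fresh values. Edits go through a temp file so a
# failure part-way leaves the original untouched.
wp_apply_salts() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    cp "$file" "$tmp"
    for name in $WP_SALT_NAMES; do
        key=$(wp_random_key)
        # Match define('NAME', ...) or define("NAME", ...) with any spacing;
        # the key is alphanumeric, so it is safe inside the sed replacement.
        sed "s|^[[:space:]]*define([[:space:]]*['\"]$name['\"].*|define('$name', '$key');|" "$tmp" > "$tmp.2" \
            && mv "$tmp.2" "$tmp"
    done
    mv "$tmp" "$file"
}

# wp_salt_value FILE NAME: print the value currently defined for NAME,
# useful for checking that no placeholder survived.
wp_salt_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# Usage: wp_apply_salts /var/www/example.com/wp-config.php
```

After running it, `grep "put your unique phrase here" wp-config.php` should print nothing, and the file's permissions should still be tight (see the permissions step above), since these values are now secrets in their own right.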

MySQL Table Security

By default, WordPress creates its MySQL tables with the prefix 'wp_'. Because millions of websites run WordPress and the large majority keep the default prefix, there have been SQL-injection attacks written to assume the default table names (wp_users, wp_options and so on). Changing the table_prefix value in wp-config.php from 'wp_' to something else (e.g. ab7_) keeps the WordPress tables easy to identify while making such a blind, mass attack fail on your site. Be clear about what this does and does not buy you: it is obscurity, not a fix. An attacker who has found a real injection point can read the table names from MySQL's information_schema, so the prefix is a speed bump for automated attacks and no substitute for the updates in step one. On a new site set the prefix during installation; on an existing site changing the value in wp-config.php alone will break the site, because the tables must also be renamed and a few rows that store the prefix inside their data must be updated.
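The script below is an added example, not part of the original post or of WordPress, showing what a prefix change on an existing database actually involves. It prints the SQL for renaming the core tables of a current single-site install and for the two places where the prefix is stored as data: the wp_user_roles row in the options table and the wp_capabilities / wp_user_level keys (and any other prefixed keys) in the usermeta table. The table list and the prefixes are assumptions for the example; plugins that create their own tables also use the prefix and must be added to the list.

```shell
#!/bin/sh
# Added example (not from the original post): emit the SQL needed to move
# an EXISTING WordPress database from one table prefix to another. Editing
# $table_prefix in wp-config.php is not enough: the tables must be renamed,
# and two kinds of rows store the prefix inside their data:
#   - the '<prefix>user_roles' row in the options table, and
#   - the '<prefix>capabilities' / '<prefix>user_level' keys (and other
#     prefixed keys) in the usermeta table.
# Without these two UPDATEs every user loses their role and is locked out
# of the dashboard after the rename. Back up the database and take the site
# offline before piping the output into the mysql client.

# Core tables of a current single-site install (assumed list; add any
# plugin tables, which you can find with SHOW TABLES LIKE 'wp\_%').
WP_CORE_TABLES="commentmeta comments links options postmeta posts \
terms term_relationships term_taxonomy termmeta usermeta users"

# wp_prefix_sql OLD NEW: print the migration statements for OLD -> NEW.
wp_prefix_sql() {
    old=$1
    new=$2
    # Both prefixes are interpolated into identifiers and string literals,
    # so restrict them to characters that cannot break out of either.
    case "$old$new" in
        *[!A-Za-z0-9_]*) echo "prefixes must match [A-Za-z0-9_]" >&2; return 1 ;;
    esac
    [ "$old" != "$new" ] || { echo "prefixes are identical" >&2; return 1; }
    oldlen=${#old}

    for t in $WP_CORE_TABLES; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done

    # The prefix is matched with LEFT() rather than LIKE 'wp_%' because
    # '_' is a single-character wildcard in LIKE and 'wp_%' would also
    # match keys such as 'wpx...'.
    cat <<EOF
UPDATE \`${new}options\` SET option_name = '${new}user_roles' WHERE option_name = '${old}user_roles';
UPDATE \`${new}usermeta\` SET meta_key = CONCAT('${new}', SUBSTRING(meta_key, $((oldlen + 1)))) WHERE LEFT(meta_key, ${oldlen}) = '${old}';
EOF
}

# Usage: wp_prefix_sql wp_ ab7_ > migrate.sql
#        (review migrate.sql, then: mysql -u USER -p DBNAME < migrate.sql
#         and set $table_prefix = 'ab7_'; in wp-config.php)
```

Run the generated statements inside a transaction or, simpler, against a fresh dump on a test database first; RENAME TABLE is atomic per statement but the two UPDATEs are not, and a half-applied migration is the usual reason this change "locks the admin out".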

In addition to the above I thoroughly recommend using an SSL/TLS certificate (HTTPS), especially wherever a username and password are entered (e.g. logging in to WordPress) and whenever visitors enter contact or financial details on your site. Without it, the login password and the session cookie travel in clear text and can be read by anyone on the same network, which makes the keys and salts above moot. Once the certificate is in place, set FORCE_SSL_ADMIN to true in wp-config.php so that the login page and dashboard are only ever served over HTTPS. Obtaining and installing a certificate can be complex, and whether you can install one at all depends on your host.

Filed Under: WordPress Tagged With: https, malware, mysql, security, Software, websites, WordPress
Comments

  1. Matt says

    September 18, 2011 at 11:31 pm

    You could also add to the list "use second-factor authentication" instead of standard passwords.

    There is a new website authentication method, shieldpass.com, where you buy cheap access cards and then install the WordPress plugin. You then place your card onto the screen to see the dynamic login numbers instead of a static password. It is unique in also being able to encode transaction digits for mutual authentication, which stops attackers' man-in-the-middle tactics, even one with access to your laptop or mobile.


Copyright © 2019 · Sitemap · ABN: 40800872179 · Privacy Policy · Terms of Service