It’s a terrible feeling. You spend months, even years building up your blog. You lovingly polish each post, find the perfect image for each one and publish it for the world to see.
Then – for no apparent reason – some anti-social cyber-weasel hacks into your site. They might place links to not-so-family friendly sites in your footer or (if they’re really bad) delete your content altogether.
Regardless of what they do, the feeling is the same. You feel violated.
But it doesn’t have to be that way. The following five steps will help make your blog more secure for years to come.
#1. Beef Up Security With The Secure WordPress Plugin
Your blog publishes a lot of metadata – such as the WordPress version you’re using – which hackers can use to break into your site. Secure WordPress is a plugin which removes all this public data, thereby making it harder for hackers to plan a successful attack on your site.
It also makes plugin and theme update information available only to people you’ve designated as administrators. Secure WordPress also adds extra security by adding an index.php file to the plugin directory, which denies public access to the directory listing and so prevents hackers from browsing it.
#2. Move the wp-config.php File Out of the public_html Folder
Wp-config.php is the file which contains all your site’s configurations. You can imagine the kind of damage a hacker could do if they had access to this all-important file.
Strangely, WordPress places the wp-config.php file in the public_html folder, thereby making it public.
This is not good. Fortunately, you can easily move it to a private area on your site. Simply open the public_html folder, then drag the wp-config.php file outside the folder. This moves the file up one level in the hierarchy. Though the file can no longer be viewed by the public, WordPress automatically searches for (and finds) the file in its new location.
The file path goes from something like this:
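A quick way to check this step, as an added example that is not from the original article: the Bash script below follows the lookup order in WordPress's wp-load.php (the web root first, then one level up, unless that parent directory holds its own wp-settings.php) and lists stray copies of the file left behind in the web root. The function names and the sample path in the comment are assumptions.

```bash
#!/usr/bin/env bash
# Added example: report which wp-config.php WordPress will load for a web root.
# Mirrors the lookup order in WordPress's wp-load.php; the function names and
# the directory layout used here are assumptions made for illustration.

# Prints one of:
#   in-webroot     wp-config.php is still inside the web root
#   above-webroot  wp-config.php is one level up and will be loaded
#   ignored        a copy is one level up, but that directory has its own
#                  wp-settings.php (another install), so WordPress skips it
#   missing        no wp-config.php in either location
wp_config_location() {
    local root="${1%/}" parent
    parent="$(dirname "$root")"
    if [ -f "$root/wp-config.php" ]; then
        echo "in-webroot"
    elif [ -f "$parent/wp-config.php" ]; then
        if [ -f "$parent/wp-settings.php" ]; then
            echo "ignored"
        else
            echo "above-webroot"
        fi
    else
        echo "missing"
    fi
}

# Lists stray copies left in the web root (wp-config.php.bak, wp-config.old,
# editor swap files). Copies that do not end in .php are typically served
# by the web server as plain text instead of being executed.
wp_config_leftovers() {
    find "${1%/}" -maxdepth 1 -type f -name '*wp-config*' \
        ! -name 'wp-config.php' ! -name 'wp-config-sample.php' \
        -exec basename {} \; 2>/dev/null | sort
}

# Run as: bash check-wp-config.sh /home/example/public_html  (hypothetical path)
if [ "$#" -gt 0 ]; then
    echo "location:  $(wp_config_location "$1")"
    echo "leftovers: $(wp_config_leftovers "$1" | tr '\n' ' ')"
fi
```

A result of `ignored` means the move did not take effect for this site, and any file named under `leftovers` should be deleted from the web root.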
#3. Regularly Update WordPress and All Plugins
New versions of WordPress include security patches and functional improvements. If you don’t update accordingly, hackers may exploit known security issues in past versions.
Same goes for plugins. Try to update them on a regular basis; not only does it make your site safer, it also ensures optimum performance. A quick note on plugins: use as few as possible, as numerous plugins can slow your site’s performance and create possible security holes.
Updating WordPress has never been easier. You can set it to automatically update, which saves the hassle of updating several times a year.
#4. Delete the Default User Admin
Hacking your site is a one-two punch. Armed with your username and password, a hacker can run amok through your blog, tearing down anything they wish.
And unfortunately, WordPress creates an admin user with the username “admin”… and since most people don’t update this, hackers already have the first piece of the puzzle.
Now it’s time to take it back.
What you need to do is delete the default admin account and replace it with a new username.
- In the WordPress admin, click Users, then create a New User. Make sure it has admin privileges.
- Then, click Users again, select the user “admin” and delete it. It should lead to this page:
If the “admin” user has posts associated with it, make sure to click the second option (see above) and attribute the posts to your newly created admin (or whoever else you wish).
#5. Back Up Your Database Regularly
While this doesn’t protect your blog from getting hacked, backing up your site minimizes the damage if you do get hacked.
The WP-DBManager plugin will back up your database and email it to you every day. You can change the scheduling, but once a day ensures you’ll never be too far behind if you actually need the backup to restore your site.
If you want to make your site extra secure, change your database password so it’s different from other databases. If you don’t know how to do this, call your hosting company.
These five actions will help secure your blog and, in the event of an attack, will help you recover quickly. Implementing these steps shouldn’t take longer than 20 minutes – so get to work!
What security measures do you use? Tell us in the comments section below!
This article was written by Adam Costa.
Adam Costa is the co-founder of Trekity.com, a travel site that finds the perfect trip for you based on your personal preferences. He also runs the Travel Blogger Academy, which shows people how to build profitable travel blogs. If you love travel, follow him on Twitter for updates on the world’s greatest adventures.