It’s a terrible feeling. You spend months, even years building up your blog. You lovingly polish each post, find the perfect image for each one and publish it for the world to see.
Then – for no apparent reason – some anti-social cyber-weasel hacks into your site. They might place links to not-so-family friendly sites in your footer or (if they’re really bad) delete your content altogether.
Regardless of what they do, the feeling is the same. You feel violated.
But it doesn’t have to be that way. The following five steps will help make your blog more secure for years to come.
#1. Beef Up Security With The Secure WordPress Plugin
Your blog publishes a lot of metadata – such as the WordPress version you’re using – which hackers can use to break into your site. Secure WordPress is a plugin which removes all this public data, thereby making it harder for hackers to plan a successful attack on your site.
It also makes plugin and theme update information available only to people you’ve designated as administrators. Secure WordPress adds further protection by placing an index.php file in the plugins directory, which blocks public directory listings and so prevents hackers from browsing your directories.
#2. Move the wp-config.php File Out of the public_html Folder
wp-config.php is the file which contains all your site’s configuration. You can imagine the kind of damage a hacker could do if they had access to this all-important file.
Strangely, WordPress places the wp-config.php file in the public_html folder, thereby making it public.
This is not good. Fortunately, you can easily move it to a private area on your site. Simply open the public_html folder, then drag the wp-config.php file outside the folder. This moves the file up one level in the hierarchy. Though the file can no longer be viewed by the public, WordPress automatically searches for (and finds) the file in its new location.
The file path goes from something like this:
/home/user/public_html/wp-config.php
To this:
/home/user/wp-config.php
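The move described above, as an added example that is not part of the original post: a small POSIX shell helper that relocates wp-config.php one level above the web root, tightens its permissions, and reports whether it is still reachable under a public path. The /home/user/public_html layout is constructed in a temporary directory so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original post). Moves wp-config.php out of the
# web root, mirroring the post's /home/user/public_html -> /home/user move.
set -eu

# move_wp_config DOCROOT
# Moves DOCROOT/wp-config.php to DOCROOT's parent directory (the location
# WordPress checks automatically) and restricts it to the site's own user.
# Returns non-zero if the file is missing or a copy already sits at the target.
move_wp_config() {
  docroot=$1
  src="$docroot/wp-config.php"
  dst="$(dirname "$docroot")/wp-config.php"
  [ -f "$src" ] || { echo "no wp-config.php in $docroot" >&2; return 1; }
  [ -e "$dst" ] && { echo "refusing to overwrite $dst" >&2; return 1; }
  mv "$src" "$dst"
  chmod 600 "$dst"   # DB credentials: owner read/write only
  [ ! -e "$src" ] && [ -f "$dst" ]
}

# wp_config_exposed DOCROOT
# Prints "yes" if wp-config.php is still inside the web root, "no" otherwise.
wp_config_exposed() {
  [ -e "$1/wp-config.php" ] && echo yes || echo no
}

# Demo on a constructed layout; nothing outside the temp directory is touched.
demo() {
  base=$(mktemp -d)
  mkdir -p "$base/home/user/public_html"
  printf "<?php define('DB_PASSWORD', 'example');\n" \
    > "$base/home/user/public_html/wp-config.php"
  move_wp_config "$base/home/user/public_html"
  echo "still exposed: $(wp_config_exposed "$base/home/user/public_html")"
  rm -rf "$base"
}

demo
```

WordPress only checks the directory immediately above its own install folder, and skips it if that directory also contains a wp-settings.php (another WordPress install), so the move works exactly one level up.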
#3. Regularly Update WordPress and All Plugins
New versions of WordPress include security patches and functional improvements. If you don’t update accordingly, hackers may exploit known security issues in past versions.
The same goes for plugins. Try to update them on a regular basis; not only does it make your site safer, it also ensures optimum performance. A quick note on plugins: use as few as possible, as numerous plugins can slow your site’s performance and create possible security holes.
Updating WordPress has never been easier. You can set it to automatically update, which saves the hassle of updating several times a year.
#4. Delete the Default User Admin
Hacking your site is a one-two punch. Armed with your username and password, a hacker can run amok through your blog, tearing down anything they wish.
And unfortunately, WordPress creates an admin user with the username “admin”… and since most people don’t update this, hackers already have the first piece of the puzzle.
Now it’s time to take it back.
What you need to do is delete the default admin account and replace it with a new username.
Here’s how:
- In the WordPress admin, click Users, then create a New User. Make sure it has admin privileges.
- Then, click Users again, select the user “admin” and delete it. It should lead to this page:

If the “admin” user has posts associated with it, make sure to click the second option (see above) and attribute the posts to your newly created admin (or whoever else you wish).
#5. Back Up Your Database Regularly
While this doesn’t protect your blog from getting hacked, backing up your site minimizes the damage if you do get hacked.
The WP-DBManager plugin will back up your database and email it to you every day. You can change the scheduling, but once a day ensures you’ll never be too far behind if you actually need the backup to restore your site.
If you want to make your site extra secure, change your database password so it’s different from other databases. If you don’t know how to do this, call your hosting company.
These five actions will help secure your blog and, in the event of an attack, will help you recover quickly. Implementing these steps shouldn’t take longer than 20 minutes – so get to work!
What security measures do you use? Tell us in the comments section below!
This article was written by Adam Costa.
Adam Costa is the co-founder of Trekity.com, a travel site that finds the perfect trip for you based on your personal preferences. He also runs the Travel Blogger Academy, which shows people how to build profitable travel blogs. If you love travel, follow him on Twitter for updates on the world’s greatest adventures.
It is absolutely a terrible feeling.
Adam, thank you for your tips.
You’re very welcome – it doesn’t take long to implement, and is totally worth the effort!
Thanks Adam, it’s really very, very important to think about hackers and their approaches, and you are doing great work to help beginners protect their WordPress blogs.
I love this post and definitely will implement this on my website ComputerSneaker.com
Can you please tell me how a hacker hit you and stole your data?
Did he have any authentication to change your preferences or privileges?
Please tell me more to make my blog secure
Thanks Adam, it’s really very important to think about hackers and their approaches, and you are doing great work to help beginners protect their WordPress blogs.
Your post is helpful! Adam, thanks a lot! The information you gave can help many people in avoiding the bad hackers.
Just for WordPress?
With the resources available for hackers, it will really be important to engage in the measures that will ensure your site’s security.
Hi Adam,
thanks for the tips – just removed my admin account :)
There is one more plugin: backupwordpress, which makes automatic backups for you.
Just tweeted.
BR, Chris
I didn’t think much about the security of my website blog. But thanks to your tips, it brought a thought into me. I will apply it soon. Thanks again.
Another thing to do to secure WordPress is change the permissions on index.php, .htaccess, wp-config to read only to prevent injection attacks.
Thanks so much for the tips.. I have been hacked several times and it is such a pain. It’s worth it to take the extra time to avoid getting hacked.
I just learned the significance of taking care of wp-config after reading this article. Thank you, Adam.
If you think that making your blog secure from hackers (or any other kind of website for that matter) is a lot of trouble to go to, then imagine the hassle of trying to sort out the problem once your website has been hacked. This happened to me earlier this year and, apart from the time it takes to sort out, the emotional distress and sense of threat is something that really shocked me.
I really appreciate this timely post. I’ll implement it immediately. Cheers!
I have been hacked several times and it is such a pain
Thanks for this post. My site was hacked 3 times. I hate hackers
Hi Adam,
THX for the info!
I’ve been hacked only once, hope it will never happen again to me :)
Adam, thank you very much. I have some issues with WordPress right now and am looking for solutions. Your article was very helpful. I did figure out I have to move the file folder, but never thought it was so friendly to hackers. Thank you for the article.
Thank you for the information – it helps. Deleting admin doesn’t work on WordPress MU to delete the super admin.
Deleting the admin doesn’t work on any of the WordPress sites, MU or single. Another suggestion?
ID #1: admin The current user will not be deleted.
There are no valid users selected for deletion.
Okokok, silly me, forgot to log out before deleting admin :)
I’ve not been blogging for long, and I don’t know which scares me the most – the thought of being hacked, the thought of moving my wp-config.php file or the thought of deleting my admin account.
But thanks for the tips, I will see how I go…after backing everything up.
Carol.
I thought I was stuck with ‘Admin’ as the username. I will also have a look at ‘Secure WordPress’ plugin that you mentioned. Thanks.
Hi Adam, I’m stuck on #2, the public_html folder. I have looked all over the admin part of my blog. Where can I find it? Please give directions to where it is.
All the best from Ian.
The public_html folder will be on the server where your site is hosted. Check the folders in your cPanel.
When I try to move my wp-config.php above the public_html level I get a message when I try to log in that says “There doesn’t seem to be a wp-config.php file. I need this before we can get started.”
What am I missing in trying to move this file?
Hey Adam,
Nice pieces of advice. Anyway, I may have to ask about your second tip. What if I have more than one WordPress? Say, I installed WordPress in my root folder, then I also installed WP in another subdirectory of my blog? What’s gonna happen with that?