
[GUIDE] Secure your WordPress website - HowTo

Discussion in 'Blogging' started by OriginalEXE, Jul 26, 2012.

  1. OriginalEXE

    OriginalEXE Power Member

    Hi everyone, I believe that this topic should exist because I am terrified with the security of the WordPress websites I got to see here.

    I am writing this guide to let you know that your WordPress website can and NEEDS to be secured. Don't cry later when you get your website hacked by some noobs just because you did not take 15 minutes of your time after reading this to secure your websites.

    This guide is for WordPress websites, works on any version but of course, upgrade to the latest one is VERY RECOMMENDED. In this tutorial I will be using only one plugin and it is completely free.

    Step 1. "Installing plugin"
    Login to your WordPress admin dashboard -> Plugins -> Add new
    In the input field, type Better WP Security and click on Search plugins. The top result should be a plugin named Better WP Security. Click on Install now and confirm.
    You should get a few messages, the last of which should be Successfully installed the plugin Better WP Security 3.4.1.
    Click on Activate plugin.

    Step 2. "Adjusting settings"
    Ok, we have installed the plugin and activated it. We are still in WordPress admin dashboard, and in the left menu, in the bottom, new menu item should show up under the icon of the blue shield saying Security.
    This is where you will be adjusting all of the settings for your website security.
    Click on the Security menu item and you should be welcomed by this screen:
    (screenshot: step2.jpg)
    This plugin should work on all websites, old and new. However, for the sake of security, we will create a database backup prior to changing anything with this plugin, so you can restore your website as it was before doing this.
    Click on the Create Database Backup button. Database backup will be sent to your email specified in Settings -> General (WordPress admin dashboard).

    Ok, we are on our next screen, plugin is asking us if we want to give it permission to write to WordPress core files. In order to secure the website to maximum lvl with this plugin, we need to allow this, so click the upper button to Allow this plugin to change WordPress core files.
    Now that we have a backup of everything, we can go play with the options. You should be in the Dashboard section of the plugin menu, as shown on the image. Notice the tabs on top (marked on the image), as I will refer to them throughout the tutorial.
    (screenshot: step3.jpg)

    #User tab
    (screenshot: step4.jpg)
    Ok, we have two options on this tab. The first one is the main reason why your website gets easily hacked. You have a user with the username admin (created by default). That is very bad and you need to change this. Enter a new username for that user and click Change Admin Username.
    Note that if you are logged in as that user, you will be logged out and will need to log in again with the new username you chose.

    The second option is for changing the ID of the user under the id 1. Note that this feature is new and some users report problems with Gravatar for their profile after changing this. If you are using the Gravatar feature for your WordPress profile, don't use this yet.
    Otherwise, click Change User 1 ID.
    Note: you will probably be logged out again, so log in and click the button again.

    #Away tab
    (screenshot: step5.jpg)
    This tab is probably not for everyone. Basically, you can lock out your admin dashboard for a certain period of time or by daily period. Use this option only if you are certain you will not need access to the dashboard outside of the specified time.

    #Ban tab
    (screenshot: step6.jpg)
    First option is User and Bot blacklist. We will check the checkbox for Enable Default Banned List. This uses hackrepair.com list and blocks access to known parasites.
    For the average user, the options on the Ban tab are enough; you have the option below to add your own list of hosts and user agents to ban.

    #Dir tab
    (screenshot: step7.jpg)
    Warning - this is for NEW WORDPRESS WEBSITES only!
    What this feature does is change the name of your wp-content directory. In wp-content, WordPress stores themes, plugins, uploads and more. If you already have images uploaded, do not use this as it will break the links. It is recommended to back up your WordPress files (via FTP or cPanel) before doing this.

    #Backup tab
    (screenshot: step8.jpg)
    This is a great feature of the plugin - database backup. For those that do not understand, every setting, post, comment, page etc. is saved in the database. Your WordPress website is then pulling that content out of the database and displaying it in your website. That is why it is important to have database backup, as you can restore the last known good configuration any time.
    Check the first checkbox to enable the feature, then select the backup interval. I suggest backing up at least once every month (for static websites) or once a week/day for blogs etc., where content is constantly added.

    You have two options, to store backups on your server or to send them to the specified email. Use whatever you find neat.

    Backups to keep option applies only if you store backups on your server. I believe 20 is perfectly fine for that.

    #Prefix tab
    This is another important step. By default, database prefix of your WordPress installation is wp_. We need to change this, as we do not want this information to be known to attackers. Just click Change Database Table Prefix button to change it to something random.

    #Hide tab
    By default, the WordPress login/register URLs are wp-admin, wp-login and wp-register. We want to change that. Please note that you need to remember the new URLs. If you don't, you will not be able to access your dashboard (if you ever forget, just let me know, I can find it out for you).
    Note that some plugins that use registration/login may stop working and you will need to manually edit them for fix.

    #Detect tab
    404 Detection

    We will want this setting turned on. Check the first checkbox to enable 404 detection. Uncheck the second checkbox, as the plugin can sometimes send multiple emails for nothing. Set the check period to 2 and leave everything else default.

    File Change Detection
    The first two checkboxes should be checked; uncheck mailing again, for the reason stated above. Note that this option will probably have many false positives. Also, I suggest you not use this option on shared hosting, as it can slow the server down.

    #Login tab
    This feature checks for wrong logins and bans hostname if too many wrong logins come too fast. It's useful to prevent brute force attacks on your blog.
    First checkbox needs to be checked. Leave everything else on default, but turn off email notifications, as it may bug you.

    #SSL tab
    We are skipping this as this is very specific and you have to know what you are doing to do it. You are not missing much :)

    #Tweaks tab

    Note that some options here might be incompatible with certain plugins/themes. If you notice theme/plugin malfunction, get back here and play with the options that have a warning below them to see what is causing the problems.

    Server Tweaks
    Check every checkbox.

    Header tweaks
    Check every checkbox.

    Dashboard tweaks
    Check every checkbox.

    Strong password tweaks
    You don't have to use this if you do not allow registrations on your website. Otherwise, it might be smart to force users to use strong passwords.

    Other tweaks
    Check every checkbox. Note that if you edit your theme from the backend using editor (under Appearance menu), you will want to leave last checkbox unchecked.



    That's it. I hope this helped you. If you have any questions/problems leave them below. Enjoy using WordPress, it's great!
    Last edited: Jul 26, 2012
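The lockout logic the Detect and Login tabs rely on (ban a host that produces too many failed logins, or too many 404s, inside a short window) as an added example in Python; this is not code from the original post or from the Better WP Security plugin. The log line format, the sample hosts and the thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the thread). Assumed format per line:
# "<ISO-8601 timestamp> <client host> <event>", event = LOGIN_FAIL or HTTP_404.
SAMPLE_LOG = """\
2012-07-26T10:00:01 203.0.113.7 LOGIN_FAIL
2012-07-26T10:00:05 203.0.113.7 LOGIN_FAIL
2012-07-26T10:00:09 203.0.113.7 LOGIN_FAIL
2012-07-26T10:00:12 203.0.113.7 LOGIN_FAIL
2012-07-26T10:00:15 203.0.113.7 LOGIN_FAIL
2012-07-26T10:01:00 198.51.100.4 LOGIN_FAIL
2012-07-26T10:09:00 198.51.100.4 LOGIN_FAIL
2012-07-26T11:00:00 192.0.2.9 HTTP_404
2012-07-26T11:00:10 192.0.2.9 HTTP_404
2012-07-26T11:00:20 192.0.2.9 HTTP_404
2012-07-26T11:00:30 192.0.2.9 HTTP_404
2012-07-26T11:00:40 192.0.2.9 HTTP_404
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_FAIL|HTTP_404)$")

def parse_log(text):
    """Parse the constructed log format into (timestamp, host, event) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the assumed format are skipped
            ts, host, kind = m.groups()
            events.append((datetime.fromisoformat(ts), host, kind))
    return events

def lockouts(events, kind, threshold, window_minutes):
    """Return {host: time_of_lockout} for every host that produced at least
    `threshold` events of `kind` inside a sliding window of `window_minutes`.
    Hosts whose events are spread out over a longer period never cross it."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # per-host timestamps still inside the window
    banned = {}
    for ts, host, k in sorted(events):
        if k != kind or host in banned:
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            banned[host] = ts
    return banned
```

With the assumed thresholds (5 failed logins in 5 minutes, 5 404s in 2 minutes) only the two bursty hosts are locked out; the host with failures spread 8 minutes apart is not, which is the behaviour you want so that a mistyped password does not lock you out of your own dashboard.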
  2. SmartMan

    SmartMan BANNED BANNED

    I'm already using this plugin on all my wp sites. Thanks for posting a detailed guide. Much appreciated! :)
     
    Last edited: Jul 26, 2012
  3. James2

    James2 Senior Member

    Fantastic thread, very helpful. Bookmarked. Thanks for your help EXE.
     
  4. thatotherguy

    thatotherguy Power Member

    Make this a sticky :)
     
  5. OriginalEXE

    OriginalEXE Power Member

    I believe this should be done, because this is essential, as every blog I had chance to see (and I saw many because of my wp help thread) used admin as a username and default database prefix, and that is just a basic security.
     
  6. seoexpert2010

    seoexpert2010 Junior Member

    Great Share!!
    Just completed securing my blog!
    Thanks given
     
  7. finerpleasures

    finerpleasures Regular Member

  8. OriginalEXE

    OriginalEXE Power Member

    First thing is covered by tutorial. About the second, yes it applies to those downloading wp installation from WordPress.org, I mostly use softaculous, but I will add it in the tutorial. Thank you for reminding me.
     
  9. zoyaraymonds

    zoyaraymonds Regular Member

    nice share... thanks
     
  10. Big_0n3

    Big_0n3 Senior Member

    Very helpful thread. I was interested in finding some info about WP security. Thank you.
     
  11. Duffers5000

    Duffers5000 Elite Member

    Truly you are a Wordpress God !
     
  12. Sgt Kraut

    Sgt Kraut Regular Member

    Thanks for writing this guide!

    Will "Better WP Security" be enough for protection against specific attacks (SQL Inj, XSS etc.) or should I install something like "Wordpress Firewall 2" in addition?
     
  13. OriginalEXE

    OriginalEXE Power Member

    It should be enough, I had no problems till now.
     
  14. Execute

    Execute Supreme Member

    Great info there, been looking into better WordPress protection, good timing there, thanks!
     
  15. FraCorp

    FraCorp BANNED BANNED

    Well Explained, Thank You.
     
  16. bigballin6161

    bigballin6161 Jr. VIP Jr. VIP Premium Member

    Sweet thread! Thanks and rep given! Nothing worse than trying to fix a site!
     
  17. autowakins

    autowakins Junior Member

    Fantastic share, buddy... Already looking into securing my WP sites with this
     
  18. poweronics

    poweronics Jr. VIP Jr. VIP Premium Member

    This is a must read guide for all WP users indeed.
     
  19. Sgt Kraut

    Sgt Kraut Regular Member

    Was my mistake, sorry.
     
    Last edited: Jul 28, 2012
  20. GoldenGlovez

    GoldenGlovez Moderator Staff Member Moderator Jr. VIP

    Good write-up OriginalEXE. Thanks for sharing.
     