How to secure a new WordPress blog from hackers!
Securing a new WordPress blog should be a top priority, especially if your copy is self-hosted. A common and deadly mistake I see is the hurry to start pulling traffic and publishing articles on a newly installed self-hosted blog without first taking some necessary security steps. That's a foundation for disaster.
This is part 6 in the series on building a money-making blog. If you missed the other 5 parts, here is the front page with the list of contents.
In part 7, we look at setting up the right theme to monetize your blog.
NB: My buddy, Mike Wallagher has written a great post on 47 different ways to use WordPress. I recommend you check it out.
The copy we installed in part 5 is still untouched and vulnerable to attacks and damage. In this part, we are going to apply basic but solid security to our fresh copy. No blog is 100% secure, but these steps will keep you very safe from your end.
How to secure a new WordPress blog
Basically, what we will be doing here is change some critical database settings, rename some key tables and directories, rename some key URLs, set up automatic backups, and so on. You don't need any knowledge of PHP. The good news is that all of this is achieved simply by clicking buttons, thanks to one highly recommended plugin.
Login to your WordPress dashboard and be sure you upgrade to the latest version of WordPress. That’s the first thing to do.
Next, on the left menu, point your mouse at "Plugins" and click "Add New". The window that opens should look similar to the image below:
Enter "iThemes" in the search field and click "Search Plugins". You should have it as the first entry on the result page. Click "Install Now" and confirm the installation. On the next screen after installation, click "Activate Plugin".
After activation, you should have a new entry on the left menu of your WordPress Dashboard. Look for “Security” and click it.
Next, click the "Create Database Backup" button to have a copy of the database emailed to you. This may not seem necessary since the blog is still new and almost empty, but the next steps rewrite user IDs and table names, and a known-good copy to fall back on costs nothing.
The next step is so important. We want this plugin to help us protect the new blog against potential attacks. The idea is to activate basic features in one-click so you don’t have to worry about it.
Click the “Secure My Site From Basic Attacks” button. The following basic security has been applied:
- Non-administrators cannot see available updates.
- The default vulnerable admin user has been removed.
- Your login area is protected from brute force attacks.
- Your installation is actively blocking attackers trying to scan your site for vulnerabilities.
Here is a list of security points to take care of. This should be similar to what you have on your own plugin dashboard window:
Now let's make the security even stronger. The next step is to work on the user with ID 1. That is the first account created at installation, almost always the administrator, and a lot of attack scripts out there simply assume that user 1 is the admin. So click "Click here to change user 1's ID". On the screen that follows, you should have the "Change User 1 ID" button. Click it.
After changing the default admin ID from 1 to a random number generated by the plugin, click the plugin’s Dashboard link and return to the main screen.
Next, I recommend changing your blog's database table prefix from the default wp_ to something else. Look for "Your table prefix should not be wp_" and click to rename it.
This takes you to the next page. Click the button on this page to confirm the rename. The plugin generates a random prefix, renames all the tables in your database and updates the prefix in wp-config.php so WordPress can still find them. Tables created later by other plugins will use the new prefix.
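What the plugin is doing behind those two buttons is worth seeing, because both changes have a trap. Moving a user to a new ID must also move every row that points at the old ID (posts, comments, user meta), otherwise the admin ends up owning nothing. And renaming the tables is not enough on its own: WordPress also stores the prefix inside data, in the wp_user_roles option and in the wp_capabilities and wp_user_level meta keys, and if those are left behind the site forgets that you are an administrator. The following is an added example, not the plugin's code, run against a constructed in-memory SQLite copy of the handful of tables involved (a real site uses MySQL, where the same updates apply with RENAME TABLE, and $table_prefix in wp-config.php has to change as well):

```python
import re
import sqlite3

OLD_PREFIX = "wp_"


def build_sample_db():
    """Constructed miniature of a fresh install: only the tables this example touches."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users    (ID INTEGER, user_login TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts    (ID INTEGER, post_author INTEGER, post_title TEXT);
        CREATE TABLE wp_comments (comment_ID INTEGER, user_id INTEGER);
        CREATE TABLE wp_options  (option_id INTEGER, option_name TEXT, option_value TEXT);
        INSERT INTO wp_users    VALUES (1, 'admin');
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 1, 'wp_user_level', '10');
        INSERT INTO wp_posts    VALUES (1, 1, 'Hello world!');
        INSERT INTO wp_comments VALUES (1, 1);
        INSERT INTO wp_options  VALUES (1, 'wp_user_roles', '(serialized role table)');
        INSERT INTO wp_options  VALUES (2, 'siteurl', 'http://yourblog.com');
    """)
    return db


def check_identifier(name):
    """Prefixes and table names are spliced into SQL as identifiers, so allow only [A-Za-z0-9_]."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def change_user_id(db, old_id, new_id, prefix=OLD_PREFIX):
    """Move one user to a new ID together with every core row that references the old ID.
    Updating only {prefix}users.ID would orphan the user's posts, comments and
    capabilities, so everything moves in a single transaction."""
    check_identifier(prefix)
    if db.execute(f"SELECT 1 FROM {prefix}users WHERE ID = ?", (new_id,)).fetchone():
        raise ValueError(f"user ID {new_id} is already taken")
    references = [  # (table, column) pairs that store a user ID in core tables
        (f"{prefix}users", "ID"),
        (f"{prefix}usermeta", "user_id"),
        (f"{prefix}posts", "post_author"),
        (f"{prefix}comments", "user_id"),
    ]
    with db:
        for table, column in references:
            db.execute(f"UPDATE {table} SET {column} = ? WHERE {column} = ?", (new_id, old_id))


def rename_prefix(db, old, new):
    """Rename every table from the old prefix to the new one, then fix the rows that
    embed the prefix as data ({old}user_roles in options, {old}capabilities and
    {old}user_level in usermeta). Returns the new table names."""
    check_identifier(old)
    check_identifier(new)
    # substr() rather than LIKE: '_' is a LIKE wildcard, so 'wp_%' would also match 'wpXfoo'.
    tables = [row[0] for row in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND substr(name, 1, ?) = ?",
        (len(old), old))]
    renamed = []
    with db:
        for table in tables:
            target = new + table[len(old):]
            db.execute(f'ALTER TABLE "{table}" RENAME TO "{target}"')
            renamed.append(target)
        # Only keys that start with the old prefix are touched; 'siteurl' and friends stay as they are.
        for table, column in ((f"{new}options", "option_name"), (f"{new}usermeta", "meta_key")):
            db.execute(
                f"UPDATE {table} SET {column} = ? || substr({column}, ?) "
                f"WHERE substr({column}, 1, ?) = ?",
                (new, len(old) + 1, len(old), old))
    return renamed
```

If you ever do this by hand instead of through the plugin, run the two fixes in the same order as here and check afterwards that the admin account can still reach the dashboard; a prefix rename that misses the usermeta keys shows up as "Sorry, you are not allowed to access this page".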
Go back to the plugin Dashboard and this time, let’s schedule regular backup of our blog database. Locate the point “You are not scheduling regular backups…” and click the link to fix and fill the form on the screen that follows:
Check the box to enable scheduled backups and set the interval. Usually once per day is most appropriate. You may also want the backup copies sent by email. In that case, enter the email address where you want the copies sent and click "Save Changes". Bear in mind that the backup holds every user's email address and password hash, so that mailbox must be protected at least as well as the blog itself, and keep at least one copy somewhere other than the web server, where an attacker who gets in could delete it along with the site.
NB: after each security step, click the plugin dashboard link to return to the main menu as seen in the image above.
The next security step I recommend at this level is to hide the admin login URL. By default the login page is wp-login.php and the admin area is /wp-admin/, and every bot that scans for WordPress knows it, so moving these to something personal cuts out most of the automated login attempts. It does not replace a strong password, because anyone who learns the new URL is back at the same login form. Before being able to hide the admin login URL, we need to set the permalinks of the new blog. A permalink is simply the URL structure for your posts.
Point your mouse to “Settings” on the left menu and click “Permalinks“
Choose a structure other than the default (for example "Post name") and click the "Save Changes" button; Hide Backend relies on these rewrite rules. Then point back to "Security" on the left menu and click "Dashboard". Go to the point where it says "Your WordPress admin area is not hidden" and click to fix it.
On the window that follows, tick the box to enable Hide Backend. Enter slugs that are known only to you for now, and write them down somewhere safe, since you will need them to log in from now on.
Now let’s see if this has worked. Go to http://yourblog.com/wp-admin
Boom! This is somewhat embarrassing, isn't it? Page not found!
If you get that page not found message, it means you got the settings right. Do the same check for http://yourblog.com/wp-login.php, then confirm that your new login slug still takes you to the login form. Congratulations!
The next thing we do is set iThemes Security to actively look for changed files. This means you get an email alert whenever a file on your blog is added, modified or removed. It does not stop the change, but it tells you about it early, and a PHP file you never uploaded appearing in wp-content/uploads is one of the surest signs that someone else has been in.
So look for the point "Your installation is not actively looking for changed files" and click to fix. On the window that comes up, there is a check box labelled "Enable File Change Detection". Check this box and verify that your admin email is correct. Click to save the option.
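To make it concrete what "looking for changed files" means, here is an added example of the same idea written from scratch (not the plugin's code): take a baseline of SHA-256 hashes for every file under the site root, store it, and on each later run report what was added, changed or removed. The directory names under NOISY_DIRS are assumptions about a typical install; their non-PHP contents churn too much to be worth alerting on, but PHP files are hashed everywhere because an unexpected .php in uploads or cache is the classic webshell drop.

```python
import hashlib
import json
from pathlib import Path

# Assumed layout of a standard install: these directories change constantly (thumbnails,
# cached pages), so only code files inside them are watched.
NOISY_DIRS = ("wp-content/cache", "wp-content/uploads")
CODE_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large uploads never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, noisy_dirs=NOISY_DIRS):
    """Return {relative_posix_path: sha256} for every file worth watching under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        in_noisy = any(rel.startswith(d + "/") for d in noisy_dirs)
        if in_noisy and path.suffix.lower() not in CODE_SUFFIXES:
            continue
        manifest[rel] = sha256_of(path)
    return manifest


def diff_manifests(baseline, current):
    """Classify every difference between two scans into added / removed / changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    """Write the baseline. Keep it (or at least a hash of it) off the web server:
    an attacker who can edit your files can just as easily edit a baseline stored beside them."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def report(changes):
    """Plain-text summary suitable for the body of an alert email; returns the lines."""
    lines = []
    for kind in ("added", "changed", "removed"):
        for rel in changes[kind]:
            lines.append(f"{kind.upper():8} {rel}")
    return lines or ["no changes"]


if __name__ == "__main__":
    import sys
    # Usage: first run saves the baseline, later runs compare against it.
    site_root, manifest_path = sys.argv[1], sys.argv[2]
    current = scan_tree(site_root)
    if Path(manifest_path).exists():
        print("\n".join(report(diff_manifests(load_manifest(manifest_path), current))))
    else:
        save_manifest(current, manifest_path)
        print(f"baseline written for {len(current)} files")
```

Take the baseline right after a clean install or a WordPress update, since every legitimate update will otherwise show up as a long list of changed files, and re-save it once you have confirmed the changes were yours.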
At this point, we have cleared the red items from the security plugin's dashboard. The items in orange and blue are also worth considering. However, since these most often conflict with some plugins and themes, I'd prefer we leave them for now. If you know how to handle them without running into trouble, you may go ahead and enable them.
These are the basic recommended steps to secure a new WordPress blog. There are a number of other security plugins out there designed with specific tasks in mind. I don't want to confuse you with them: most of what you get in those different plugins is bundled into the one we have just installed. We can now move ahead to setting up the right theme to monetize our blog.
See you in part 7 here. Share your thoughts in the comment box, and share this on social media.