Basic Wordpress Security Advice for Beginners

by 15 replies
18
I have just spent a very interesting hour or so watching some twerp from an IP address in Canada trying to force the password of my one and only Wordpress site. Mercifully, I have some basic security installed and this person was locked out in fairly swift order.

I recommend either:

WordPress › Login LockDown « WordPress Plugins

or

WordPress › Limit Login Attempts « WordPress Plugins

Both are very easy to instal and, in this day and age, vital it seems!

The other situation that can arise is choosing 'admin' for the username and a very basic and easy to crack password when installing WP using Fantastico or Simple Scripts. And, on the face of it, you are stuck with it. Well, not so.

You have two options. First, you can create a new user with a better username and secure password, grant them admin rights, and then delete the old admin username.

Secondly, and this is more advanced, you can make the relevant change via cpanel and phpmyadmin. This video tells you how to do it:

How To Change Your WordPress Username & Password Through phpMyAdmin - YouTube
At the very least, everyone should have basic login protection.

Good luck to all and I hope this helps!
#main internet marketing discussion forum #advice #beginners #security #wordpress
  • Yeah, I read somewhere that the single best step you can take to avoid getting hacked on WP is to not make your username "admin". Solves like 50% of the problem right there.
  • Not using admin is the easiest and best place to start. Next, is to make sure you are keeping your plugins and theme up to date. Also, delete any plugins and themes that are not being used from your site.

    These couple things will go a LONG way to keep your site secure.
    • [1] reply
    • Another easy thing to do if you use the manual set-up is to make the database username and password 'strong-password' quality. As others have said, not using 'Admin', setting a good strong admin password and using easy security plugins to limit brute force attacks are (or should be) givens.

      I'd be mildly curious (but not enough to try) how many blogs you could hack with the combination of Admin + 'password'...
  • All my websites are secured using the free plugins: bulletproof security and better Wordpress security

    Also, they are monitored by Securi.net (which costs 200 per year) but is a great piece of mind since they will clean any hack off your site should anything like that happen
    • [1] reply
    • This is an excellent start, but be aware that hacking is not just putting some malware on your site....

      There are many different types of cyber attack and malware infection is just one of them. As its very common, it is least damageable. Now, information theft (your clients' info, credit card, etc.) that's another story. Damage is considerable to you, your business reputation and your clients...

      so11
      • [1] reply
  • Wordfence and some .htaccess magic is all I need, and fail2ban is installed on my dedicated server.

    Daily backups of files/database is also very important.
  • I am using Better WP security to secure my site from basic attacks.
    • [1] reply
    • You should also consider changing your password every month or so.
  • the security also starts at the time of installing wordpress, changing the table prefix, adding salts to the config file, making sure your computer is not infected with keyloggers prior to installing and try not to use the 1 click installers like fantastico, settings from using those can also make WordPress installations more vulnerable.
    • [2] replies
    • Thanks, guys, but this thread was aimed at beginners or 'newbies' for whom installing a plugin will be a new experience! I was highlighting simple login protection for them, that's all.

      '...changing the table prefix...' and .htaccess edits are just not going to happen for them
      • [1] reply
    • Some of this is good advice however, pushing people away from using installers is simply not. Just because someone uses an auto installer does NOT make the site less secure.

      In reality, what does changing the prefix do? Anyone who knows how to force a site to display an error can easily find out what the prefix is...

      EDIT: Don't take that as saying you shouldn't do it, because it won't hurt to change them. Does it help..sure, is it fool-proof? No.
Join the discussion

Next Topics on Trending Feed

  • 18

    Basic Wordpress Security Advice for Beginners

    I have just spent a very interesting hour or so watching some twerp from an IP address in Canada trying to force the password of my one and only Wordpress site. Mercifully, I have some basic security installed and this person was locked out in fairly swift order. I recommend either: