I’m a big fan of WordPress. A WordPress site I run is responsible for putting food on the table for my family! And if you remember, I’m One of the 3 Most Important People in WordPress–and I have the certificate to prove it. (I’m not really; long story).
WordPress is great because it is simple and accessible for almost anyone to use. And because of that, LOTS of people use WordPress to run websites these days. Maybe you do too.
What’s less simple is keeping your WordPress installation secure from those who want to turn your site into an Adult-themed Drug Store. WordPress Security is a HUGE topic. And there is a lot you should be doing (and even more you could be doing) to keep your site secure. And if you know what those things are, this post isn’t for you.
However, if you consider yourself to be a newbie when it comes to WordPress security, read on. I’m going to walk us through one of the simplest ways to secure any WordPress site using–what I consider–the best WordPress security plugin out there!
However, setting this plugin up correctly is important. And there are many things you can do to completely bork your site. So… read along and find out how this guy (I’m using my thumbs to point at myself right now) uses this plugin to harden all my WordPress installations!
Pre-steps: Update your Installation
Update your WordPress installation and all your plugins and themes. You should be doing this anyway. While you are at it, go ahead and delete all the themes and plugins you aren’t using. You should be doing this anyway too.
Next, make sure you have your permalinks up and running (Settings -> Permalinks) and make sure you have your timezone properly set (Settings -> General).
Okay! You are ready to go!
Step 1: Install
Easy enough. Go to Plugins -> Add New. Search for “Better WP Security”. It’ll be the first option most likely. Install and Activate.
Step 2: Backup Your Site
Go to Better WP Security either from the plugin page or from your menu on the left. Since version 3 the first option this plugin gives you is to back up your database. DO IT. Do it even if you are using some other backup tool–or think you are.
Step 3: Give Better WordPress Security God-like Powers
I know. You’re scared. You should be. But do it. You can still use this plugin without doing this, but you will have to do many of the operations manually. And since you are reading this post, chances are you don’t want to do these things manually.
Step 4: Secure your Site from Basic Attacks
You’ve finally reached what will become the regular “home” page of Better WP Security, the Dashboard. Except, you are going to be prompted to “Secure your Site from Basic Attacks”. The answer is YES of course. It’s easy. Just click the button. Do it.
Step 5: Fine Tune your System Status list
Congratulations! You’ve come a long way, in 4 easy steps. Your site is already much more secure than it was just 15 minutes ago! But there’s even more you can do (and should do) to bring your WordPress install into Security Nirvana (that doesn’t truthfully exist, but it’s my blog so I can say whatever I want).
Your System Status list will look something like this:
You want this list to be as green as possible. Beside each numbered Status there is a “Click here to fix” link. That’s the easy way to address these issues.
But, for the purposes of this tutorial we are going to go through Better WP Security’s menu options.
WordPress used to create the first user as “Admin” by default in the installation. You had no choice in the matter. This made it easy for people who wanted to access your installation because they already knew what to put in the user field. If you still have an “Admin” user, it’s time to change that.
If you’re not using the Admin user because you set up another Administrator on the system and always log in with that other account, go to “Users” and delete the Admin user (be sure you don’t delete any posts associated with them).
If, however, you still ARE the Admin user, let’s change that here. Better WP Security makes it super easy to do so. (You will want to make sure you have backed up your database as well as given Better WP Security God-like Powers in Steps 2 & 3 or this won’t work.)
Note: If you are / were logged in with the Admin user you will now need to log out and log back in using your new username!
The first thing you need to make sure you do is in your WordPress Dashboard Menu go to Settings -> General and make sure your Timezone is correctly set up. Don’t know your UTC/GMT offset? Go find that here.
The basic idea with Away Mode is you don’t need to access the admin area of your website 24 hours a day. So, for instance, when you sleep, you can lock it down. I lock all my sites down between midnight and 6AM. You may want to use different hours. Whatever choice you make, remember, you can’t access your site’s Admin Dashboard at that time.
The ability to Ban Users (via IP address) and Ban User Agents is a powerful feature. If you know who the bad actors are, you simply don’t let them access your site. It’s easily one of my favorite features of this plugin (especially the Ban User Agents feature). But, as with some of these features, you should probably skip this unless you absolutely know what you are doing! After all, most of the time, you actually WANT people to get to your site!
If you’d like a list of the Users and User Agents I personally ban, email me.
I love this plugin, but this particular feature is bad news. It’s the easiest and quickest way to bork your site. Just don’t do it. Move along people, there’s nothing to see here other than heartache and pain. We are talking 7th circle of hell people. Are you getting my point? Run from here. RUN!
If for some reason you didn’t back up your database in Step #2, you get a second chance here. Do it. Back it up daily. Seriously.
Much like the Admin user, WordPress installations used to create their MySQL tables with the prefix “wp_” by default. So your comments table would look like “wp_comments”. Turns out, that made it easy for anyone to know exactly what your table names were in your database. Not good.
So here is where you change that. But, before you do: MAKE A BACKUP IF YOU HAVEN’T ALREADY!
Note: You’ll need to have your permalinks set up in Settings -> Permalinks for this feature to work correctly.
Although this feature doesn’t bring as much pain and destruction as the “Content Directory” option above, I don’t use this on many of my sites because I have had some issues when upgrading plugins and WordPress itself. I’d skip this.
The Intrusion Detection area attempts to block bad actors from your site if certain criteria are met. The area has 2 sections: 404 errors (attempts to reach a webpage that doesn’t exist) and file modifications (files that have been edited in some way).
Both of these will be turned on by default if you’ve followed along on this tutorial. However, for my real estate site I have really scaled down the 404 detection. Why? I literally have 1000s of 404s on my real estate site from my indexable IDX (houses that were for sale, googlebot indexed, and are now sold and not listed on my site anymore). Googlebot comes and checks those listings out every day and was regularly getting blocked from my site.
Obviously not what I am going for. So I’ve decreased the Check Period and increased the Error Threshold. For 99.9% of you I’m guessing you won’t have to do that. Unless you have a real estate site too.
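To make the Check Period and Error Threshold knobs concrete, here is an added example (my own code, not the plugin’s) that replays constructed access-log lines through a sliding-window 404 counter: a strict setting blocks both a slow crawler re-checking stale listing URLs and a fast scanner, while a shorter period with a higher threshold catches only the scanner. The same per-source counting is what a login limit does with failed logins instead of 404s; all function names, IPs and log lines below are invented for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined-log style line: client IP, timestamp, request, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def parse_line(line):
    """Return (ip, datetime, status) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, status = m.groups()
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), int(status)

def offenders(log_text, check_period_s, error_threshold):
    """IPs whose 404 count inside any sliding window of check_period_s
    seconds reaches error_threshold (the two knobs the post adjusts)."""
    window = timedelta(seconds=check_period_s)
    recent = defaultdict(deque)   # ip -> timestamps of its recent 404s
    blocked = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != 404:
            continue
        ip, when, _ = rec
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:   # drop 404s older than the window
            hits.popleft()
        if len(hits) >= error_threshold:
            blocked.add(ip)
    return blocked

# Constructed sample traffic (not from a real server): a crawler re-checking
# five stale listing URLs 15 s apart, and a scanner probing five paths in 5 s.
START = datetime(2013, 10, 10, 3, 0, tzinfo=timezone.utc)

def log_line(ip, offset_s, path, status, agent):
    stamp = (START + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 512 "-" "{agent}"'

SAMPLE_LOG = "\n".join(
    [log_line("203.0.113.7", i * 15, f"/listing/{1000 + i}", 404, "crawler") for i in range(5)]
    + [log_line("198.51.100.9", 100 + i, f"/probe{i}.php", 404, "scanner") for i in range(5)]
)

if __name__ == "__main__":
    print("strict :", sorted(offenders(SAMPLE_LOG, 60, 3)))   # both IPs
    print("relaxed:", sorted(offenders(SAMPLE_LOG, 10, 4)))   # scanner only
```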
As well, under the File Change detection, I exclude many directories under my wp-content directory. In particular my caching plugin’s cache folder and my uploads folder. I know that’s me and not some bot inserting malware. I don’t need to hear about it.
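As an added illustration (my own code, not the plugin’s), this snippet does the kind of baseline-and-compare check that file change detection performs, pruning directories from the walk the way the post excludes the cache and uploads folders. The wp-content-like tree, file names and contents are constructed in a temporary directory and are hypothetical.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root, exclude_dirs=()):
    """Map relative path -> SHA-256 digest for every file under root,
    pruning any directory listed in exclude_dirs (paths relative to root)."""
    root = Path(root)
    excluded = {Path(e) for e in exclude_dirs}
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # edit dirnames in place so os.walk never descends into excluded trees
        dirnames[:] = [d for d in dirnames if (rel_dir / d) not in excluded]
        for name in filenames:
            path = Path(dirpath) / name
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def diff_snapshots(before, after):
    """Report files added, removed, or whose content hash changed."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in common if before[k] != after[k]),
    }

def demo():
    """Constructed wp-content-like tree in a temp dir (hypothetical paths).
    Returns (report with cache/uploads excluded, report with no exclusions)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        seed = {"plugins/hello.php": "<?php echo 'hi';",
                "uploads/2013/pic.jpg": "jpeg-bytes",
                "cache/page.html": "<html>old</html>"}
        for rel, body in seed.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        exclude = ["cache", "uploads"]
        quiet_before, full_before = snapshot(root, exclude), snapshot(root)
        # routine site activity (cache rebuilt, new upload) plus one plugin edit
        (root / "cache/page.html").write_text("<html>regenerated</html>")
        (root / "uploads/2013/new.jpg").write_text("jpeg-bytes-2")
        (root / "plugins/hello.php").write_text("<?php echo 'modified';")
        return (diff_snapshots(quiet_before, snapshot(root, exclude)),
                diff_snapshots(full_before, snapshot(root)))
```

With the exclusions in place only the plugin edit is reported; without them the rebuilt cache page and the new upload show up as noise as well.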
Everyone knows where to login to WordPress (although you can change that default with this plugin, see above “Hide Backend”). And it’s been demonstrated many times that WordPress isn’t immune to Brute Force attacks. That’s where login limits come in!
My typical password looks something like this: ]64Ysv<LQ84bnHXZGe. I’m not typing that in. I copy and paste it in. It’s going to be right the first time every time. I set up this page accordingly. I’ve got one chance to login or I’m locked out. You should set up these options in a way that works and makes sense for you.
If your server / host supports Secure Sockets Layer (SSL) this option is a no-brainer. If it doesn’t, then move along. Nothing else to see here!
Another name for this option could be, “everything else”. Haha. But lots of great stuff in here. However, many of these options could cause problems elsewhere, so make sure you test. Here’s how I set up my sites.
You’ll probably know if you are needing Really Simple Discovery for your site.
Dashboard & Password Tweaks
All pretty straightforward. You shouldn’t be letting people register on your site anyway unless there is a particular reason to do so.
The miscellaneous section of the miscellaneous section. So random it’s probably illegal in the South. But some important stuff in here!
One note, on my non-real-estate sites–or on sites I don’t use special URLs for Google Analytics tracking–I have the “Prevent Long URL” box checked. Like on this site.
Step 6: Troubleshoot
If you run into issues–and you might–head on over to the plugin’s forum and ask your questions. One of the reasons I love this plugin is because the author is very engaged with it.
That’s it! Go get a beer! We are all done here!
Think I missed something important? Let me know about it in the comments.