There are some simple steps that you can take to protect every WordPress installation you set up. But why worry about security?

This is why:

I have had two WordPress blogs hacked into in the past. That was at a time when I was doing very little internet marketing, and until I found time to address the situation (months later), these sites were penalised in the search engines. They were not removed, but the rankings were reduced.

I fixed it in the end, but I did not deal with it for several months. For a good amount of time, I was unaware even of the problem.

The result? I estimate that I lost out on a couple of hundred pounds of advertising revenue.

Much of WordPress security is simply common sense. Are you using a strong password? Are you using a different password for every website?

For years, I did not do that. I had three or four passwords I commonly used. But there are two ways in which you can always generate a good, strong password for every site you register with. (Of course, this includes your WordPress blogs.)

The weaker approach (but still pretty good) is to start with a common password; add some numbers to it that you are likely to remember, such as the house number of your first address; then add the first few, say, five letters of the domain name. For example, if the password you were starting with was reindeer230, and you were using a site called example.com, that would become reindeer230examp. That is a pretty strong password. This technique protects against dictionary attacks, where an attacker may repeatedly try to log into your account using English words, words of other languages, names, and so on.

The stronger approach, and the one I personally recommend, is to use one of the password generation and storage plugins available for your browser. Many people like RoboForm, but I think after a free trial period, you have to pay for it. I use the free version of LastPass, and I recommend it for those of you who use Internet Explorer or Firefox. That will generate secure passwords for you; you then use one master password to log in.

Now we are getting into things specific to WordPress. Whenever you install WordPress, you have to edit the file config-sample.php and rename it to config.php. You need to enter the database details there.

There are a few other changes you should make as well. There is a section of config-sample.php that is headed "Authentication Unique Keys." There are four definitions that appear within the block. There is a hyperlink within that section of code. You need to enter that link into your browser, copy the contents that you get back, and replace the keys you have with the unique, pseudo-random keys provided by the site. This makes it harder for attackers to automatically generate a "logged-in" cookie for your site.

The next step is to change the table prefix from the default "wp_". This is in the WordPress Database Table Prefix section. It does not really matter what you change it to; you can use alphanumeric characters, hyphens and underscores. This should thwart so-called SQL injection attacks, where an attempt is made by an attacker to cause WordPress to run some SQL code that has an undesirable effect on your site. That code could add a new user with superuser privileges to your WordPress site.

Note that you should only do this last step for new installations. If you want to do it for existing installations, you will also have to change all the table names in the database.

Finally, installing the WordPress Security Scan plugin will check most of this for you, and alert you to anything that you might have missed. It will also tell you that a user named "admin" exists. Of course, that is your administrative user name. You can follow a link and find instructions for changing that name, if you wish. I personally believe that a strong password is good enough protection, and since I followed these steps, there have been no successful attacks on the numerous blogs that I run.

WordPress Security Scan will also tell you that there is no .htaccess in the wp-admin/ directory. You can put a .htaccess file into this directory if you wish, and you can use it to control access to the wp-admin directory by IP address or address range. Details of how to do that are readily available on the net.

However, I recommend that you install the Login LockDown plugin in place of any .htaccess controls. That will stop login requests from being allowed from a specific IP address for an hour after three failed login attempts. If you do that, you can still access your admin panel while away from your office, and yet you still have good protection against hackers.
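The two config-file changes above (replacing the placeholder "Authentication Unique Keys" with pseudo-random values, and moving the table prefix off the default "wp_") can be checked and applied with a small script. The following is an added example, not code from the article, from WordPress or from the WordPress Security Scan plugin it mentions. It assumes the four constant names AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY (WordPress's real names for the four keys the text refers to), the placeholder string "put your unique phrase here" that the sample config ships with, and a simplified regex for the `define()` and `$table_prefix` lines; the sample config text is constructed here for the demonstration.

```python
import re
import secrets
import string

# The four key names in the "Authentication Unique Keys" block the text
# describes (real WordPress constant names; the check is this example's own).
UNIQUE_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"   # value shipped in the sample file
DEFAULT_PREFIX = "wp_"

# Characters safe inside a PHP single-quoted string (no quote, no backslash).
_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?"

# Simplified matchers for define('NAME', 'value') and $table_prefix = 'x'
_DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
_PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def generate_key(length=64):
    """Return a pseudo-random key from the OS CSPRNG, the same kind of
    value the text tells you to fetch from the WordPress key service."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def audit_config(config_text):
    """Return a list of findings for a config-sample.php style file.
    An empty list means every check implemented here passed."""
    findings = []
    defines = dict(_DEFINE_RE.findall(config_text))
    for name in UNIQUE_KEYS:
        value = defines.get(name)
        if value is None:
            findings.append("%s is not defined" % name)
        elif value == PLACEHOLDER or len(value) < 32:
            findings.append("%s still uses the placeholder or a short value" % name)
    m = _PREFIX_RE.search(config_text)
    prefix = m.group(1) if m else None
    if prefix is None:
        findings.append("$table_prefix not found")
    elif prefix == DEFAULT_PREFIX:
        findings.append("table prefix is the default 'wp_'")
    elif not re.fullmatch(r"[A-Za-z0-9_-]+", prefix):
        findings.append("table prefix uses characters outside letters, digits, '-' and '_'")
    return findings


def harden_config(config_text, new_prefix="blog7_"):
    """Rewrite the four keys with fresh random values and set a new prefix.
    Only meant for a fresh install, as the text notes: an existing database
    would also need its tables renamed."""
    def replace_define(m):
        name = m.group(1)
        if name in UNIQUE_KEYS:
            return "define('%s', '%s')" % (name, generate_key())
        return m.group(0)
    text = _DEFINE_RE.sub(replace_define, config_text)
    return _PREFIX_RE.sub("$table_prefix = '%s'" % new_prefix, text)


# Constructed sample of the relevant lines from an unedited config-sample.php
SAMPLE_UNFIXED = """
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
$table_prefix  = 'wp_';
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_UNFIXED):
        print("before:", finding)
    fixed = harden_config(SAMPLE_UNFIXED)
    print("after:", audit_config(fixed) or "no findings")
    print(fixed)
```

Run it against the real file by reading `config.php` into `audit_config`; the hardened output from `harden_config` can be diffed against the original before you copy it into place. The key check only looks at the placeholder and length; the real protection comes from the keys being unpredictable, which is why they are drawn from `secrets` rather than `random`.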
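The Login LockDown behaviour the text describes, refusing further login attempts from an address for an hour after three failures, comes down to a small piece of per-address state. The following is an added example written for this page, not the plugin's own code, showing that lockout logic replayed over a constructed sequence of login events with Unix-style timestamps; the threshold and lock duration are parameters so the values can be tuned.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 3       # failed attempts before an address is locked
LOCKOUT_SECONDS = 60 * 60   # one hour, as the text describes


class LoginLockout:
    """Track failed logins per client address and refuse further attempts
    from that address for a fixed period once the threshold is reached."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD, lockout_seconds=LOCKOUT_SECONDS):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # ip -> consecutive failures
        self.locked_until = {}             # ip -> time at which the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Lock has expired: clear state so the address starts a fresh count.
            del self.locked_until[ip]
            self.failures[ip] = 0
            return False
        return True

    def attempt(self, ip, now, credentials_ok):
        """Process one login attempt; return 'allowed', 'failed' or 'locked'.
        A locked address is refused even if the password is now correct."""
        if self.is_locked(ip, now):
            return "locked"
        if credentials_ok:
            self.failures[ip] = 0
            return "allowed"
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold:
            self.locked_until[ip] = now + self.lockout_seconds
        return "failed"


# Constructed login events: (timestamp in seconds, client address, password correct?)
SAMPLE_EVENTS = [
    (0,    "203.0.113.5",  False),
    (10,   "203.0.113.5",  False),
    (20,   "203.0.113.5",  False),   # third failure: address now locked
    (30,   "203.0.113.5",  True),    # correct password, but still inside the hour
    (40,   "198.51.100.7", True),    # a different address is unaffected
    (3700, "203.0.113.5",  True),    # lock expired, attempt goes through
]


def replay(events, lockout=None):
    """Feed events through a LoginLockout and return the decision for each."""
    if lockout is None:
        lockout = LoginLockout()
    return [lockout.attempt(ip, t, ok) for t, ip, ok in events]


if __name__ == "__main__":
    for (t, ip, ok), decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print("t=%5d %-14s ok=%-5s -> %s" % (t, ip, ok, decision))
```

The state is keyed by source address, which is what gives the behaviour the text values: a legitimate owner working from a different network is not affected by a lock triggered elsewhere. The same property is the caveat: everyone behind one shared address (an office NAT, for instance) is locked out together, and a determined guesser spread across many addresses needs a per-account limit as well.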