
WordPress Security Basics Video Series

2010 June 8

This past week I dealt with a client of mine who had three sites hacked at the same time. She didn’t have a recent backup, and her web host had just deleted all of her files and their backup failed. So she had to start from scratch. Because of this I decided to do a quick video series on securing your WordPress site.

Each step should take you less than 5 minutes to do on your own, and when you’re done, your blog should have some basic security measures in place as well as recent backups of your site database and files.

Here’s what I’m going to cover:

  1. Get rid of the “admin” account: The admin account is the default account that gets created whenever you install WordPress version 2.9.2 or earlier. WordPress 3.0 eliminates this altogether, allowing you to choose your user name, but if you installed your blog before the 3.0 final release, you may be stuck with an account called “admin.” I’ll show you how to get rid of this and how to create a new, more secure user name and password (create the new administrator first, log in as that user, then delete “admin” and reassign its posts to the new account).
  2. Automatically back up your database: I think the best way to deal with a hacked website is to have a recent backup of your database so all you have to do is wipe out the hacked database and restore the backup. I’ll show you how to install a simple plugin that will send backups directly to your email daily, weekly or monthly. Keep in mind that a database dump contains your users’ password hashes and any private content, so the mailbox that receives it needs to be protected as carefully as the site itself.
  3. Back up your WordPress site files: Backing up your site files as well as your database is another step in a quick recovery after a hack. I’ll show you two methods, one using your web host’s built-in features (on a host that provides cPanel) and one using an FTP program. Do this when you first set up your site and again after any major change, such as an upgrade, a theme change, or a batch of new uploads.
  4. Keep WordPress updated: Your first line of defense is always to keep WordPress updated to the latest stable version. Hackers target older versions because they have known vulnerabilities that newer versions have patched. There really is no excuse any more for not updating WordPress since they made it so easy a few versions back. I’ll show you the proper procedure to update your WordPress site, starting with a fresh backup.
  5. Lock down your admin login: Some hackers use brute force to log in to your WordPress admin once they know your user name (which is why we’re getting rid of the “admin” user account). With a simple plugin you can blunt brute-force attacks by limiting how many failed login attempts are allowed before further attempts from that source are blocked for a while.
  6. Remove the WordPress version from your code: When you view the source of most WordPress sites, a “generator” meta tag in the header shows what version of WordPress you’re running. Hackers can use this information to target that version’s vulnerabilities. I’ll show you two different ways to remove this from your site’s header information. Note that the version also leaks through readme.html in your site root and the ?ver= query strings on WordPress’s own scripts and stylesheets, and that hiding it is no substitute for step 4: the vulnerability is still there whether or not the tag is.
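As an added example that is not part of the original post or the video series, here are steps 5 and 6 written as a small must-use plugin instead of an installed plugin. It assumes the file is saved under wp-content/mu-plugins/, that a client is identified by REMOTE_ADDR, and that 5 failures followed by a 15-minute lockout is an acceptable policy; the bll_ function names are made up for this example. It uses only core WordPress hooks (wp_login_failed, authenticate, wp_login, wp_head, the_generator) and transients.

```php
<?php
/*
Plugin Name: Basic Login Lockdown (added example)
Description: Per-client limit on failed logins plus removal of the WordPress
             version from the page header. Save as
             wp-content/mu-plugins/basic-login-lockdown.php.
*/

// Added example, not code from the original post. The bll_ prefix, the
// 5-attempt / 15-minute limits and the use of REMOTE_ADDR are assumptions.

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

define( 'BLL_MAX_ATTEMPTS', 5 );          // assumption: 5 failures ...
define( 'BLL_LOCKOUT_SECONDS', 15 * 60 ); // ... then 15 minutes of lockout

/* ---- Step 6: hide the WordPress version ------------------------------ */

// wp_generator() prints <meta name="generator" content="WordPress x.y.z" />
// inside wp_head(); the the_generator filter covers the RSS/Atom feeds too.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', 'bll_empty_generator' );

function bll_empty_generator() {
    return '';
}

/* ---- Step 5: lock out a client after repeated failed logins ---------- */

// Transient key for the calling client. REMOTE_ADDR is correct only when
// the web server talks to clients directly; behind a reverse proxy you must
// read the forwarded-for header and trust it only when set by that proxy.
function bll_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'bll_fails_' . md5( $ip );
}

// Runs after WordPress rejects a username/password pair. Each failure
// increments the counter and restarts the lockout clock, so hammering a
// locked-out site only prolongs the lockout.
function bll_record_failure( $username ) {
    $key   = bll_client_key();
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, BLL_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'bll_record_failure' );

// Runs on every login attempt, after WordPress's own check (priority 20).
// Returning a WP_Error refuses the login even if the password was right,
// so a correct guess during the lockout window gains the attacker nothing.
function bll_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( bll_client_key() ) >= BLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'bll_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.',
                     BLL_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'bll_check_lockout', 30, 3 );

// A successful login clears the counter for that client.
function bll_clear_failures( $user_login, $user ) {
    delete_transient( bll_client_key() );
}
add_action( 'wp_login', 'bll_clear_failures', 10, 2 );
```

The counter lives in a transient keyed by client address, so an attacker who rotates through many addresses is not slowed down by it; a plugin that also counts failures per user name, or a control in front of the web server, covers that case. Named functions rather than closures are used so the file also runs on the PHP 5.2 hosts that were common when this post was written.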

If you do at least these six things to your WordPress sites, you’ll be way ahead of the game. These steps will not make you completely hack-proof, but they will make it harder for hackers to get into your site.

Since you’ll have a recent backup of your database and files after this series, if you DO get hacked, you’ll be back up in no time.

So, if this sounds good to you, please leave a comment. :) If it doesn’t, please leave a comment letting me know what you would prefer to see from WPChick. If I spend days working on this series and you don’t really want it, I’ll feel kind of silly.

One Response

  Cosmin, June 10, 2010

    Looking forward to the series.

    And don’t get discouraged; do it anyway. Many people are lazy and don’t comment, but I’m sure many will benefit from your work ;)
