Most importantly, take note of this disclaimer, which applies to all parts of this particular article.
DISCLAIMER: This information is provided in good faith and without warranty of any kind. I cannot be responsible for any detrimental effects any of these changes may have on your site/blog/domain because all server, WordPress and domain setups are different. If you are unsure as to what you are doing, don’t go any further, STOP! And ask an expert – e.g. tame techy or your hosting provider’s helpdesk. Furthermore, if you do decide to make some or all of the changes to your WordPress blog/server then DO A COMPLETE BACKUP FIRST! Only when you are sure you have a copy of your site’s files and data should you continue. Finally, making these changes will not guarantee that you are 100% safe against hackers; nothing can do that. Keep an eye on your site, take very regular backups and keep your software up to date.
If you’ve followed the instructions in Part 1 you’ll have a WordPress setup that’s as lean and as up-to-date as it can be. Underlying that is the server and its configuration, plus your user IDs and passwords.
All of the following actions have the potential to stop your blog working in some way so make a full file and database backup beforehand and make one change at a time, checking that everything seems to be working OK after each change. That way if something goes wrong you know what caused the problem.
- General system security – don’t use dictionary words in your passwords for FTP or WordPress. Instead use strong passwords which include numbers, upper and lowercase letters and special characters such as $%^&*()-@ etc. Those passwords are much harder for humans and automated cracking programs to guess. Yes, they are a pain to remember, but the inconvenience is worth it. Don’t ever tell anyone your password, no matter who they are. Change all your WordPress and FTP passwords to these strong passwords now. Note them down and keep them somewhere secure. A lot of people will tell you never to write them down but hey, who’s going to remember a password like yU7*(f$^6h ? Oh, make your passwords at least 10 characters long too.
- Get rid of all unnecessary users from your WordPress installation. Create a new administrator called anything other than “admin”, “Administrator” or “root” and give this user a strong password plus full administrator privileges. If you don’t know how to do this refer to WordPress help.
When, and only when, you are happy that you have a working alternative admin account on your WordPress blog you should delete the “admin” user. Yes, that’s right. So long as you have checked that the new admin user is able to log in and has full access to your WordPress blog you don’t need the “admin” user – it’s the first account hackers will try to attack. If it isn’t there they can’t hack it 🙂
- Set your wp-config.php file’s access permissions to 750. They are usually set by default to 644; this isn’t a good idea because 644 allows any user logged in to the server to read the database password and user from the file. You’ll need to use your hosting package’s cPanel or an FTP client to do this – they’re all different so refer to the help provided by the host/software vendor on how to set file permissions.
- You can stop hackers finding out what version of WP you have (and therefore exploiting any known vulnerabilities in that version) by adding this line to the functions.php of your template:
Potentially this can break your template unless you add it in the right place. If you insert it as the second line of your functions.php, immediately after the opening <?php, you should be OK, but if in doubt seek advice first!
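The line the author refers to is not reproduced on this page. As an added example (not the article’s own code), the following functions.php snippet uses WordPress’s documented remove_action and add_filter hooks to drop the version string from the page head, from the feeds and from the ?ver= query string that core appends to its own scripts and styles; the function name example_strip_core_version is a placeholder of my choosing.

```php
<?php
// Added example (not the article's own line): hide the WordPress version
// string everywhere WordPress normally exposes it. Intended for your active
// theme's functions.php, directly after the existing opening <?php tag.

// Stop the file being requested directly, outside of WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Remove the <meta name="generator" content="WordPress x.y"> tag from <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. Blank the generator string WordPress also writes into RSS/Atom feeds.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Strip "?ver=x.y" from enqueued scripts and styles only when that value is
//    the core version. A plugin's or theme's own asset version is left alone so
//    browser caching for those files keeps working.
function example_strip_core_version( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src; // no query string, nothing to hide
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'example_strip_core_version' );
add_filter( 'script_loader_src', 'example_strip_core_version' );
```

When pasting into an existing functions.php, leave out the first `<?php` line so the tag is not duplicated. Afterwards, view the source of your front page and feed to check that the generator tag and the ?ver= parameter on core assets are gone.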
- Add the following line to the end of your robots.txt (in the root folder of your site):
    Disallow: /wp-*
  This tells crawlers not to poke around in the WordPress folders. Of course they might not take any notice but do it anyway. Don’t be tempted to disallow your root (/) folder; if you do your site’s front page will not get crawled by Google and the like. Bad times.
- Make regular backups of your blog’s files and folders – yes, I keep saying this, but you only realise how important this is when you haven’t backed up and something goes wrong. Very bad times.
- Watch out for strange activity on your blog. Contact your host’s helpdesk if weird stuff starts to happen.
There are other things that you can do to lock the system down, but I’ve not mentioned them because they can compromise the features of WordPress or even stop your site working altogether. They are so dependent on how you’ve implemented WordPress that you really do need to get specialist advice before implementing them.