Securing your WordPress website begins before you even hit the “Install” button. While WordPress is known for its ease of use and powerful features, it’s also a prime target for hackers if left unprotected. This guide will walk you through some of the key security steps to take before and after installing WordPress, as well as a nifty trick to block malicious PHP execution in your directories.
1. Before Installing WordPress
Choosing the Right Hosting Provider
Your hosting environment plays a big role in the security of your WordPress site. Choose a reputable hosting provider that prioritizes security, offers automatic backups, and includes features like firewalls, malware scanning, and DDoS protection. Avoid cheap, unknown hosts—they often skimp on security measures.
Create Strong Database Credentials
When installing WordPress, you’ll need to create a database and set up a username and password. This is a critical step, and using weak credentials here could open your site to database hacks. Use a strong, complex password (a mix of uppercase, lowercase, numbers, and special characters) and a unique username that doesn’t easily reveal its purpose (e.g., avoid using “wp_user”).
Change the Default Database Prefix
By default, WordPress assigns the prefix wp_ to all database tables. Hackers know this, so it’s one of the first things they target when attempting SQL injection attacks. During installation, you’ll be prompted to set a database prefix—change it to something unique, like “mynewwebsite_” or a random string (e.g., “x8y9_”). This simple change adds an extra layer of security to your site. Personally, I generate a random string of 4 to 7 characters with a string generator and use that as the prefix.
Download WordPress Only From Official Sources
Always download WordPress from wordpress.org. Avoid third-party websites or repositories, as they could contain modified files with malicious code. Similarly, when selecting themes and plugins, stick to the official WordPress theme and plugin directories, or purchase from reputable vendors.
2. After Installing WordPress
Now that you have installed WordPress, it’s time to lock things down:
Change the Default Admin Username
WordPress used to create a default user with the username admin, which hackers love to target in brute-force attacks. If your installation didn’t allow you to change this during setup, create a new administrator account with a unique username and a strong password, then delete the old “admin” account. Make sure you reassign any posts or pages to your new admin account.
Set Up Two-Factor Authentication (2FA)
Implementing two-factor authentication is one of the best ways to prevent unauthorized access to your WordPress dashboard. There are many plugins available, like Google Authenticator, that make it easy to set up 2FA. With this in place, even if a hacker gets hold of your username and password, they still can’t log in without the secondary authentication method.
Limit Login Attempts
By default, WordPress allows unlimited login attempts, leaving your site vulnerable to brute-force attacks. Limit the number of times someone can attempt to log in before being temporarily blocked. This greatly reduces the chances of hackers guessing your login credentials.
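As an added example (not code from the original post or from any plugin it mentions), here is a minimal must-use plugin that enforces such a limit without a third-party plugin. It assumes a policy of 5 failed attempts per client IP within 15 minutes, stores the counter in a WordPress transient, and is dropped into wp-content/mu-plugins/ so it loads on every request.

```php
<?php
/*
Plugin Name: Example Login Limiter
Description: Temporarily locks out a client IP after repeated failed logins.
             Place this file in wp-content/mu-plugins/ (added example, not part of the post).
*/

// Assumed policy: 5 failed attempts within 15 minutes lock the IP out for 15 minutes.
define( 'ELL_MAX_ATTEMPTS', 5 );
define( 'ELL_WINDOW_SECONDS', 15 * 60 );

// One transient per client IP. Behind a proxy or CDN, REMOTE_ADDR is the proxy's
// address, so only trust a forwarded-for header after validating it against the proxy.
function ell_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ell_failed_' . md5( $ip );
}

// Count every failed login. Re-setting the transient also restarts the window,
// so a locked-out client that keeps trying stays locked out.
add_action( 'wp_login_failed', function () {
    $key      = ell_transient_key();
    $failures = (int) get_transient( $key );
    set_transient( $key, $failures + 1, ELL_WINDOW_SECONDS );
} );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so while the IP is locked out this error replaces even a correct login.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // The login form is only being displayed, not submitted.
    }
    if ( (int) get_transient( ell_transient_key() ) >= ELL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_failed_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( ell_transient_key() );
} );
```

Full-featured plugins also log each lockout and give an administrator a way to clear it; here the transient simply expires on its own.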
Enable SSL
An SSL certificate encrypts data transferred between your website and your visitors, making it much harder for hackers to intercept. Most hosting providers offer free SSL certificates, and you can easily enable SSL in WordPress using plugins like “Really Simple SSL.” You’ll know it’s working when you see the little padlock in your browser’s address bar and “https://” in your URL.
3. Block PHP Execution in Specific Directories
Hackers often try to upload malicious PHP files to your WordPress directories. One effective way to block such attempts is by disabling PHP execution in specific folders, like the wp-content/uploads directory, where media files are stored.
Here’s how you can do this:
Access Your Website’s File Manager: Log in to your hosting account and navigate to the File Manager, or use an FTP/SFTP client to access your WordPress site files.
Create a .htaccess File: In the directories you want to protect (typically wp-content/uploads, wp-includes, etc.), create a new file named .htaccess if it doesn’t already exist.
Add the Following Code: Open the .htaccess file and paste in the following lines of code:
<Files *.php>
deny from all
</Files>
Note that deny from all is the Apache 2.2 directive; Apache 2.4 accepts it only while mod_access_compat is loaded, and its native equivalent is Require all denied. A .htaccess file is read only by Apache (and LiteSpeed); on nginx the same block has to be written in the server configuration instead.
Save the File: Save your changes and close the file. This will block the execution of any PHP files in that directory.
Why This Works
Blocking PHP execution in these directories prevents malicious scripts from running if a hacker tries to upload them. Note that this won’t interfere with your regular media uploads (images, videos, etc.), as they don’t require PHP to function. Do test the site afterwards, particularly if you also protect wp-includes: WordPress’s own hardening guide blocks that directory more selectively, with rewrite rules rather than a blanket rule, so a blanket block there can break some installs.
Wrapping Up Part 1
By following these steps, you’re already ahead in securing your WordPress site. The key takeaway is to be proactive with your security—many attacks can be prevented by simply making a few adjustments early on. In the next part, we’ll dive deeper into other ways to harden your WordPress site, including securing your database and setting up activity monitoring.
Stay tuned for more ways to keep your website safe from threats!