The news has been full this week about brute force attacks on WordPress-based websites. If you already have a site, there are steps you can take to make it more secure. The best thing, however, is to set it up well in the beginning. If you are planning to install WordPress, skip their “Famous Five-Minute Installation” or your host’s installer, and follow these steps instead. You will have a site fortified against many basic attacks.
If You Already Have WordPress Installed
All of these steps can be taken after WordPress is installed, but it can be quite complicated. You have to modify the database and the configuration files. A mistake could make your site inoperable. If you’d like to secure an existing site, get help, or make sure you understand the steps thoroughly, especially how to change the database tables (not just contents).
Two Important Notes Before Beginning
cPanel is the most widely used control panel for hosting (it is not used on GoDaddy). The instructions below are primarily for cPanel. If you have another type of control panel, the tasks are still the same, but you may have to research where to access certain controls.
If you are not comfortable using your host’s control panel, setting up a database through it, or working with files, this procedure is not for you. You may not want to hire a website designer–the advantages of WordPress include being able to do a lot yourself–but you may want to have someone knowledgeable do the install as I’ll describe. (Of course, The Word & Web Smith can help you with that.)
Download the latest version of WordPress from WordPress.org. Look for the big Download button in the top right of the banner. Save the zip file to a location on your computer that you can easily access.
Log in to your host account and set up a new database for WordPress, then assign a user to it. Don’t use a user name like “admin” or “user,” and give the user a strong password. (See my posts on strong passwords–there are two.) Make note of the database name, the username, the password, and the host (usually localhost).
Upload the WordPress file. You can do this two ways–through the cPanel file manager, or through FTP. I think the File Manager is simpler. Here’s that process.
When you enter File Manager, check the boxes to select the document root and show hidden files. Once in the Manager, select Upload. Browse for the WordPress.zip file and upload it. When the upload is complete (watch the lower right corner), select the link to go back to the previous screen. Then select the uploaded file and click the icon to extract it to the main folder for your site. (There are instances where you would want it in another folder, but we won’t address that here.)
The extraction creates a folder called WordPress. Use the File Manager to move all the files from the WordPress folder up one level. Do this by selecting All, then Move. After completing the move, delete the empty WordPress folder. Then open the main folder to handle step 4.
Instead of using File Manager, you can upload the file using File Transfer Protocol (FTP) to transfer the file up to the document root folder. Then use File Manager to unzip it and proceed with the other steps. If you want to avoid File Manager completely, unzip the files, complete steps 4 and 5 first, and then use FTP. (This will take considerably longer to transfer the files.)
Rename the file wp-config-sample.php to wp-config.php.
Select wp-config.php and edit it, using utf-8 encoding.
First, find the place in the file where it says “// ** MySQL settings.” Edit the next four lines that begin with the word “define.” Replace where it says ‘database_name_here’ with the database name (leave the quotes). Do the same thing with the user name and password, and, if needed, the host.
Scroll a little farther to where it says, “* Authentication Unique Keys and Salts.” Find the section with the line that begins, “define(‘AUTH_KEY’, ‘put your unique phrase here’);.” Go to https://api.wordpress.org/secret-key/1.1/salt/. This will generate random phrases for all the keys. Copy the text that is produced and paste it in place of all the lines in that section.
The next section has a line that says, “$table_prefix = ‘wp_’;.” Change the “wp” to something else. Make it 2-3 letters and be sure to leave the underscore. This will make your tables harder to access, because attacks that assume the default table names (wp_users, wp_options, and so on) will no longer match your database.
You are now ready to complete the installation. While still logged into your control panel, open another window or tab and enter the address http://www.domainhere.com/wp-admin/install.php. (Replace the words domainhere.com with your actual domain.)
Find the file .htaccess. This file should be in the folder in which you placed your WordPress files.
Add the following lines of code at the bottom of .htaccess (the <files> wrapper is essential; a bare “deny from all” would block your whole site):
# secure wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
This will stop the web server from serving your config file, with its database credentials and keys, to anyone who requests it directly. (On Apache 2.4 the equivalent inside the <files> block is “Require all denied”.)
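The wp-config.php edits and the .htaccess rule described above, scripted as an added example (not from the original post or from WordPress): it fills in a constructed copy of the sample config, generates the keys locally instead of fetching them from the salt service, and includes a check you can run before opening install.php. The function and file names are my own, and it assumes a POSIX shell with sed, od, grep and /dev/urandom.

```sh
#!/bin/sh
# Added example, not from the original post: fill in wp-config-sample.php as
# described above, check the result, and append the .htaccess rule.
# Assumes POSIX sh, sed, od, grep, /dev/urandom; arguments must not contain / or &.
# Constructed stand-in for the relevant lines of wp-config-sample.php.
write_sample() {
  cat > "$1" <<'EOF'
define('DB_NAME', 'database_name_here');
define('DB_USER', 'username_here');
define('DB_PASSWORD', 'password_here');
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
EOF
}
# configure FILE DBNAME DBUSER DBPASS PREFIX: replace every placeholder.
configure() {
  file=$1 db=$2 user=$3 pass=$4 prefix=$5
  sed -e "s/'database_name_here'/'$db'/" \
      -e "s/'username_here'/'$user'/" \
      -e "s/'password_here'/'$pass'/" \
      -e "s/[$]table_prefix = 'wp_'/\$table_prefix = '$prefix'/" "$file" |
  while IFS= read -r line; do
    case $line in
      *'put your unique phrase here'*)
        # one fresh 64-hex-char secret per key, generated locally as a
        # stand-in for https://api.wordpress.org/secret-key/1.1/salt/
        salt=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
        printf '%s\n' "$line" | sed "s/put your unique phrase here/$salt/" ;;
      *) printf '%s\n' "$line" ;;
    esac
  done > "$file.tmp" && mv "$file.tmp" "$file"
}
# check_config FILE: exit 0 only if no placeholder is left and the table
# prefix is no longer the default wp_ (run this before opening install.php).
check_config() {
  ! grep -q -e "_here'" -e 'put your unique phrase here' "$1" &&
  ! grep -q "[$]table_prefix = 'wp_'" "$1"
}
# protect_config HTACCESS: append the rule that stops Apache serving wp-config.php.
protect_config() {
  cat >> "$1" <<'EOF'
# secure wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
EOF
}
```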
Even More Security
Once your site is up, there are other changes and procedures that can greatly increase your site’s security, and any number of plugins available to help. But do a secure installation, and you’ll already be ahead of the game.
Photo of sticker by Pimkie (AKA Chesi – Fotos CC)