In this article we give some important tips on how to set up a WordPress website securely and put as many obstacles as possible in the way of potential attackers: ten tips for maximising security, which we also apply to our own customer websites.
1. Use strong passwords
Right at the start of the installation you are asked for the database credentials. No password is too strong here, and the same goes for every user account created afterwards. Use a long, randomly generated password (a password manager will produce and store something like “DF5kysdZS66”, preferably longer) and never reuse the database password anywhere else. If you allow visitors to register later, a plugin that enforces strong passwords is advisable: recent WordPress versions already suggest a generated password when an account is created, but they still let the user confirm a weak one. Limit the damage a leaked database password can do as well: the WordPress database user needs rights on its own database only and should not be allowed to connect from any host other than the web server.
2. Change the table prefix
Current WordPress versions let you set the prefix of the MySQL tables during installation, and you should make use of it. The default prefix “wp_” is known to every attacker, and automated attacks often hard-code table names such as wp_users. A prefix such as “wp45fkze_” makes those canned payloads fail. The prefix is entered once and then lives in wp-config.php as $table_prefix; you never have to remember it. Be clear about what this buys you, though: it is obscurity, not a control. An attacker with a SQL injection in a plugin is already inside WordPress’s own database connection and can read the real table names from information_schema, so the changed prefix blunts mass, scripted exploitation rather than a targeted attack.
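For an existing installation the prefix cannot simply be edited in wp-config.php: the tables, and two sets of keys that embed the prefix, have to be renamed as well, otherwise every user ends up without capabilities. The following MySQL statements are an added example, not from the original article, using the prefix “wp45fkze_” from the text, the twelve core tables of a current single-site WordPress, and no multisite; plugin tables and plugin-owned keys are not covered and have to be handled by hand.

```sql
-- Added example (not from the original article): changing the prefix of an
-- EXISTING single-site installation from the default wp_ to wp45fkze_.
-- Assumptions: MySQL/MariaDB, the twelve core tables of a current WordPress,
-- no multisite. Take a backup first; RENAME TABLE commits implicitly.

-- 1. Rename the core tables.
RENAME TABLE
  wp_commentmeta         TO wp45fkze_commentmeta,
  wp_comments            TO wp45fkze_comments,
  wp_links               TO wp45fkze_links,
  wp_options             TO wp45fkze_options,
  wp_postmeta            TO wp45fkze_postmeta,
  wp_posts               TO wp45fkze_posts,
  wp_term_relationships  TO wp45fkze_term_relationships,
  wp_term_taxonomy       TO wp45fkze_term_taxonomy,
  wp_termmeta            TO wp45fkze_termmeta,
  wp_terms               TO wp45fkze_terms,
  wp_usermeta            TO wp45fkze_usermeta,
  wp_users               TO wp45fkze_users;

-- 2. The role definitions are stored under an option whose NAME carries the
--    prefix. Without this step every user loses all capabilities.
UPDATE wp45fkze_options
   SET option_name = 'wp45fkze_user_roles'
 WHERE option_name = 'wp_user_roles';

-- 3. Per-user meta keys that carry the prefix (capabilities, user level,
--    a few UI settings). Only the known core keys are renamed here;
--    SUBSTRING(meta_key, 4) drops the three characters 'wp_'.
UPDATE wp45fkze_usermeta
   SET meta_key = CONCAT('wp45fkze_', SUBSTRING(meta_key, 4))
 WHERE meta_key IN ('wp_capabilities', 'wp_user_level',
                    'wp_user-settings', 'wp_user-settings-time',
                    'wp_dashboard_quick_press_last_post_id');

-- 4. Check what is left. Remaining wp_* tables belong to plugins and need the
--    same treatment. Do NOT rename option names blindly: core keeps a few
--    literal names such as wp_page_for_privacy_policy that must stay as is.
--    (In LIKE patterns the backslash turns '_' from a wildcard into a literal.)
SHOW TABLES LIKE 'wp\_%';
SELECT option_name FROM wp45fkze_options  WHERE option_name LIKE 'wp\_%';
SELECT meta_key    FROM wp45fkze_usermeta WHERE meta_key    LIKE 'wp\_%';
```

Run this in a maintenance window and set $table_prefix to the new value in wp-config.php at the same time; if a persistent object cache is in use, flush it afterwards, since cached option and meta keys still carry the old prefix.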
3. Move the upload folder
WordPress lets you relocate the upload folder of the built-in media library. In older versions the path could be changed in the backend under “Settings > Media > Store uploads in this folder”; current versions hide that field, and the same is achieved with the UPLOADS constant in wp-config.php (a path relative to the WordPress root). The upload folder deserves special care because it is the one directory the web server has to be able to write to, which makes it the first place a file-upload flaw in a theme or plugin drops a web shell. That does not mean chmod 777 (readable and writable by everyone): the folder should be owned by the web server user with 755, the files inside it 644, and the web server should be configured to refuse to execute PHP anywhere below it. A non-standard path on top of that only makes the directory harder to find, not harder to write to.
4. Move the core files into a subfolder
The so-called core files of the system can of course stay in the web root, but once again you make things easy for attackers by keeping the standard layout, which lets scanners request wp-login.php, xmlrpc.php or wp-content/plugins/… at well-known paths. WordPress allows you to move the installation into a subfolder, e.g. “wp_cms4538”: move all WordPress files there and leave only “index.php” (and, on Apache, “.htaccess”) in the web root. The index.php has to be adapted so that it loads the environment from the new location:
<?php
/** Tell the template loader to render the active theme. */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template from the moved subfolder */
require __DIR__ . '/wp_cms4538/wp-blog-header.php';
Don’t forget to adjust the two addresses in the backend under Settings > General: the WordPress Address (URL) now points to the subfolder, while the Site Address (URL) stays at the web root. Note that the folder name is not a secret: every page’s HTML links scripts and styles below it, so this step defeats scanners that only probe the default paths, not anyone who looks at the page source.
5. Do not use the user name “Admin”
When you create the first user, give it a less obvious name than “admin” or “administrator”; these names are tried first in every brute-force attempt and are therefore easy to guess. If you want to go one step further, change the user ID in the database as well: the first administrator is assigned ID 1, which tells an attacker which account to target regardless of its name. Bear in mind that WordPress itself gives user names away: the author archive (a request for ?author=1 redirects to /author/<nicename>/) and the REST API’s users endpoint expose the nicename of every user who has published posts. A renamed login should therefore also get a new nicename, and author enumeration should be blocked in the web server or with a plugin.
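Renaming the account and moving it off ID 1 touches more than one table, because WordPress keys metadata, posts, comments and links to the user ID. The MySQL statements below are an added example, not from the original article; they assume the “wp45fkze_” prefix from tip 2, InnoDB tables (so the transaction actually protects you), and a made-up new login name and ID.

```sql
-- Added example (not from the original article): renaming the first
-- administrator and moving it off user ID 1. Assumptions: tables use the
-- prefix wp45fkze_ from tip 2, tables are InnoDB, and the login name
-- 'site-owner-7h2q' and ID 4821 are made-up values. Check beforehand that
-- the new ID is unused: SELECT ID FROM wp45fkze_users WHERE ID = 4821;
START TRANSACTION;

-- Change the log-in name AND the slug used in author archive URLs. Leaving
-- user_nicename as 'admin' would still reveal the account via /author/admin/.
-- display_name is only the public byline and is not used to log in.
UPDATE wp45fkze_users
   SET user_login    = 'site-owner-7h2q',
       user_nicename = 'site-owner-7h2q'
 WHERE ID = 1;

-- Move the account to the new ID and follow every core table that references it.
UPDATE wp45fkze_users    SET ID          = 4821 WHERE ID          = 1;
UPDATE wp45fkze_usermeta SET user_id     = 4821 WHERE user_id     = 1;
UPDATE wp45fkze_posts    SET post_author = 4821 WHERE post_author = 1;
UPDATE wp45fkze_comments SET user_id     = 4821 WHERE user_id     = 1;
UPDATE wp45fkze_links    SET link_owner  = 4821 WHERE link_owner  = 1;

COMMIT;

-- Verify: nothing left on ID 1, and no login or nicename still matching the
-- default names attackers try first. The result set should be empty.
SELECT ID, user_login, user_nicename, display_name
  FROM wp45fkze_users
 WHERE ID = 1
    OR user_login    IN ('admin', 'administrator')
    OR user_nicename IN ('admin', 'administrator');
```

Plugins that store user IDs in their own tables (membership or e-commerce plugins, for example) need the same update; search their tables for the old ID before committing. The session of the renamed user is invalidated, so log in again with the new name afterwards.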
6. Do not create customer logins as administrators
If further users need to be created, grant administrator status only in exceptional cases. WordPress ships with graded roles (Subscriber, Contributor, Author, Editor, Administrator); give every account the lowest role that covers its work, for example Editor for a customer who only maintains content. Too many cooks spoil the broth, and every additional administrator account is another set of credentials that hands over the whole site when it is phished or guessed.
This article was written by Editorial Staff and originally published on WPArena.