WordPress is probably the most popular and at the same time one of the most frequently hacked platforms. For some reason, there is an opinion that if your site is not particularly interesting to anyone, then it will not be hacked – why? In fact, the threat of hacking is literally every site (and not only on WordPress), so it’s important to take care of protecting your page. What you can do – or rather, which plug-ins to install – about this I will tell in this article.
These tips will be useful not only in working with WordPress, but also with any other CMS. They are basic, but, as practice shows, there are still people who do not know about them. Why we need this all for? To complicate the life of an attacker. Using data that is set by default, a hacker can relatively easily crack your site, as well as your database. Therefore, you need to do the following.
1. Change the username from admin to another.
To do this, you must first create a new user as an administrator. You can do it right here:
After creating the user, go to his account and in the “All users” list delete the “admin” account. At the same time, try to make a new login some relatively complex, well, at least consisting of several words: vasyapupkin99. You can use your nickname, for example.
About the password I will not write – it is better to use the one that will generate you WordPress at the stage of creating an account, and not invent some kind of your own (which, most likely, will be easier).
2. Change the database prefix from wp to another.
There are two ways to do this: either by manually editing the tables in phpMyAdmin (or even just in the file manager) or via the plugin. I will briefly describe both options.
Change via phpMyAdmin
At once I will tell, that this action demands attention to details and some operational experience in phpMyAdmin.
First of all, create a backup of the database – it will help you to recover information if something went wrong (or you edited something somewhere).
Now go to the file manager and find the file wp-config.php, in it the line $ table_prefix = ‘wp_’;
“Wp” should be changed to something else, less related to WordPress and databases. You can change even an arbitrary set of letters and numbers (but you need to remember it or write it down).
Attention. It’s best to make this change on the newly installed WordPress. On the already launched sites of information more – more data will have to be changed.
After that, go to phpMyAdmin (on Timeweb hosting, you can do this directly from the control panel) and find the database for the desired site. All tables of this database need to be renamed, instead of “wp_” substituting what you have already written above.
How to rename: select the table in the left column, click the “Operations” tab, then see the “Table settings” block and the line “Rename the table in”. After making changes do not forget to click “Forward”.
After that, look for the table “… _options” in the list. After selecting it, click “Browse” – in the content on the second page in the “meta_key” column you will see wp_user_roles – change the prefix “wp” to the one you are going to use now. Save the change.
The following table for the change – “… _usermeta” – similarly look at its contents and change all the old prefixes to new ones.
Everything, on this prefix changes can be considered fulfilled!
If after editing you have something started to work wrongly or did not work at all, check to see if all the changes you made. In extreme cases, use a backup.
Change via All In One WP Security & Firewall plug-in
This plug-in needs no introduction, so I’ll go directly to what needs to be done.
After you installed and activated the plug-in, go to the “Database Protection” section. There you will see the line “Generate a new database table prefix” – write the prefix you want to put (or tick “Check that the plugin itself generates a prefix of 6 random characters”), and click “Change the table prefix”. After that, below you will see the report from the progress of the prefix change. To verify that the expected result is achieved, go to phpMyAdmin.
Once again, I remind you that you need to do this on a new site without articles, since if the site already has a lot of information, the plugin might not work correctly.
All In One WP Security & Firewall
Since we have already switched to the use of this plugin, I’ll tell you about other things, thanks to which you can increase the protection of your site.
In the “Settings” section of the plug-in, go to the tab “WP version info” and tick the box next to “Delete the meta-data of the WP Generator”. Since hackers are often based on information that contains meta-data, it will be superfluous to remove this information from the page code.
By the way, if you still have not changed the administrator’s name (following the advice above), then you can do it through this plugin – in the “Administrators” tab. Just write a new username and log in again (the password remains the same).
In the “Authorization” section, you must enable the blocking of authorization attempts by ticking this box.
Next is the section “Registration of users” – here you need to activate manual approval of new registrations (so that spammers and other bad persons do not come to the site).
Here you can see the tab “CAPTCHA at registration” – also activate this item.
Now go to the “Firewall” section – here we put a tick in the blocks “The main functions of the firewall”. The rest can be turned on / off at will.
Section “Protection against bruteforce attacks”: you need to enable the option to rename the login page and write the desired address in the box below. It is important to understand – this address will be used to enter the admin area, it is vital to remember it!
With this plugin we have finished, we proceed to the next one.
This plugin scans the site files for malicious code. To use it is simple enough – after installation go to its settings and click “Scan the theme templates now”, after that all files of your theme will be checked.
Immediately you can set up a daily check with the report on the email.
During the test, the plugin highlights the code, which seemed suspicious to him. At the same time, it’s better to check all the comments carefully – it’s not always about the virus. If you do not have programming skills, then you can simply compare the found line of code with a line in the code of the same site topic on your computer or the developer. If the record is present initially, then you do not need to worry about it.
Like other active plug-ins, AntiVirus loads the server (which means your website is slower), so it’s better to use it from time to time than keep it in an active state.
This plug-in on the functional is similar to the previous one, they can be used in parallel, it will not be worse. Similarly, set, activate, go to the “Scan” tab and click on the big blue “Start a Wordfence Scan” button. Some features are available only for paid (premium) accounts, but the basic functionality is also good. If your site is doing well, then you will see a green inscription “Congratulations! No security problems were detected by Wordfence “.
I’ll tell you more about other plug-ins, which can also be used to protect the site.
In general, Sucuri is a company that specializes in protecting websites, so they provide protection for any site (not just WordPress). The plug-in from this serious company with an impressive reputation has a wide functionality, representing a complete cycle of site protection, including preventing hacking and attacks on your site. You can use the free version, or you can buy a paid one for $ 16.66 a month – the amount is rather large, but for such a range of protective tools is quite reasonable.
In order to use the free version, after installation you will need to generate a free key (in the blue box you will need to click the “Generate API Key” button, check that the entered data is correct, and send the application.
If Sucuri Security can be called the best paid security plug-in, then iThemes Security is often called the best free plug-in, which should be installed for the security of your site. Especially since now he has more than 800 thousand installations!
I will not write much about the functional – like all other plug-ins, iThemes Security aims to protect your site from most things that can threaten it, and at the same time to check the existing state of the site. By the way, before the plugin was called Better WP Security – perhaps someone remembers it by this name.
If in general we talk about its functions, then we can distinguish the following aspects of this plugin:
- Hiding and removing potentially vulnerable items (this was written at the beginning of the article – changing the administrator’s login, database prefix, and so on);
- Protection of the site from attacks (scanning for vulnerabilities, protection from bruteforce, encryption of the admin area and so on);
- Monitoring the site (for sudden changes, locks, and so on);
- Recovery (backup in the event of a disaster).
Now let’s proceed to the very use of this plugin.
Configuring iThemes Security
To begin with, he has a PRO (that is, a more extended) paid version, so not all the features of this plug-in are available in the free version (but there are still a lot of them).
After installation, activate the plug-in and go to the “Settings” section. In the blue box at the top, you can turn on the Network Brute Force Protection, by requesting an API key that will automatically be added to the settings (but also sent to your e-mail).
Click “Security Check” (the topmost left block or in the menu under “Settings”) and click “Secure site”. After that you will see a list of the included modules.
The next block is “Basic Settings” (to the right of “Security Check”). Since the plugin is almost completely translated, each paragraph has its own decoding – I advise you to go over them all and see what is most relevant to you (even if you do not use, at least you will know where everything is).
Next, go to “Tracking Error 404” – because a bug can be at the hands of the burglars, that is, the sense to include this protection. The initial settings can not be changed – they are optimal.
In the “No in-place” mode, you can set the time when the administration panel is unavailable. On a permanent basis, this can not be used, but you can use it for backup when you are away from the computer. In this case, you can set up both on an ongoing basis (for example, every night), and once in a certain day and period of time.
Block “Blocked Users” – everything is clear here, put everyone here who needs to be blocked.
“Local Brute Force Protection” – this block protects against hacking by brute-force passwords. You have it already enabled, you can leave the settings by default.
“Database backups” – configuration of backup, in the free version it is only about databases.
“Detecting file changes” is a very useful feature that will monitor all changes to the site files; You can quickly track the activity that has suddenly appeared on the site. Be sure to turn it on.
“File Permissions” – the block shows the access rights to files.
“Network Brute Force Protection” – network protection from brute force is that if a hacker tried to hack someone else’s site, access to your site will also be blocked, even if he has not yet launched an attack on your site.
“SSL” – you can configure the use of SSL in this plugin, then if you have a website on Timeweb hosting, I advise you to use the settings in the control panel of the site.
“Strong Password Enforcement” – if your site assumes registration of other users (forum, blog …), then this setting will be useful, users will have to choose only complex passwords for their accounts. In other cases, you can not use it.
“Fine-tune the system” and “WordPress Tuning” – these additional settings are needed in order to further strengthen the protection of your site. But there is one nuance – the inclusion of some settings can affect the work of plug-ins. Therefore, do not choose all at once – include one item and check the efficiency of your site.
Finally, “WordPress Salts” – setting allows you to add a secret key to the password, which will be much harder to pick up than the password itself. This is usually a random character set that is added when hashing. Periodically use this setting (“Edit WordPress Salts”) in order to change the salt.
Everything about the sections. In the paid version there are more, but these are enough to protect the site from many popular types of hacking.
Plugins are an essential element of the security of your site, but I want to remind you that it is not the only one. Do not forget to keep track of updates to WordPress and plug-ins, change passwords regularly and make backups.