Recently we showed you some basic WordPress security settings to protect your WordPress site from some of the most common attacks. In this post, we will discuss more advanced steps that you can take to strengthen your WordPress security.
But before we move forward, let’s go through our basic settings checklist.
Update WordPress Themes and Plugins
Reliable sources for WordPress themes like ThemeForest or WordPress theme directory have a very comprehensive review system. Same is true for WordPress plugins as well. However, sometimes hackers may exploit a vulnerability in a theme or plugin.
This is why it is absolutely essential that you update your themes and plugins as soon as a new update is available. If you are worried that an update might break your site, then you can always revert your site back using backups.
Check WordPress File and Directory Permissions
Your WordPress site consists of scripts, these scripts are executable and can perform queries to your database and write changes. Typically, only your web server should have permissions to read and write changes to these files. If these file permissions are set incorrectly, then this leaves your WordPress site vulnerable.
WordPress requires a specific set of file permissions to work correctly. You can change these file and directory permissions using an FTP client.
Ideally all your directories should have the file permission of 755, and all the files should have file permission value of 644.
Change WordPress Table Prefix
Before attempting any direct change to your websites database tables, make sure that you have made a full backup of the database.
By default all WordPress database tables use wp_ as prefix for table names. This makes the hackers job a little easier because they can write scripts to inject SQL into specific tables. WordPress allows you to change this table prefix before the installation. You can choose a table prefix during the installation. Ideally your table prefix should be a combination of letters and numbers. This will make it harder to guess and break into your website.
To change your WordPress database table prefix in an existing WordPress website, you will need to run a few SQL queries. Before you do that, you need to create a complete backup of your WordPress site. After creating your backup you need to log in to phpMyAdmin. It is a web based interface to manage your MySQL databases. Visit your web hosting control panel and locate phpMyAdmin.
Click on your database and then click on the SQL tab. Now you will need to copy and paste this SQL query. As you can see we have used tf42_689t_ as our table prefix. Each line in this code snippet changes a WordPress database table and renames it. If you are using a plugin that adds its own tables in the database, then you will need to add those tables by yourself.
You will also need to update your options table to replace instances using wp_ as prefix to your new prefix. To find those options, you will need to run this SQL query and then replace each instance manually.
You will need to repeat the process with users_meta table as well. First you will run the SQL query to search for rows that use old wp_ prefix and then you will need to manually replace them with your new prefix.
You can now test your site to see that everything is working as expected. If everything seems OK, then you should create another fresh backup of your WordPress site.
Adding Two Step Authentication
Most WordPress users work on their sites from different locations. If you are accessing your website from a public network like in a coffee shop or airport, then this makes the communication between your computer and your web server a little less secure. This is where 2-step authentication comes in handy.
You will need your mobile phone for that. You will have to install Google Authenticator app on your mobile phone (Android | iOS).
After that you will need to install Google Authenticator. After setting up the plugin, your login screen will require you to provide your WordPress password as well as the one-time code generated by the Google Authenticator app on your phone.
Disable Directory Indexing in WordPress
By default most web servers are configured to look for an index file in any web directory. This could be an index.html, index.php, or any other index file. When there is no index file is found, and there are no instructions for redirection, then the web server will list all directory contents.
Not scared yet? Wait… there is more. Now this page will be browsed and indexed by search engines. If a plugin has a security hole that can be exploited then all the hackers need to do is to run a query like this inurl:wp-content/plugins/unfortunate-plugin-name to find a list of websites using that plugin. Here is an example screenshot:
To disable directory indexing you need to add just this single line of code in your site’s .htaccess file.
That is not all, there is a lot more that you can do to improve your site’s security. But with these tips we have covered the most potentially vulnerable security backdoors. The most crucial advice is to be prepared for the worst to happen and make sure that you are regularly backing up your WordPress site.
If you liked this article and have any questions or comments, we would love to hear from you in the comments below! We also invite you to join us on Twitter and Facebook.