
For any new WordPress website, there are two steps you should take at setup time to harden the site against attacks that could compromise it. If your WordPress website is already running, check that both steps have been taken.

Step 1: Don’t use the default admin userID

When you set up a WordPress site for the first time, you need to supply a userID and password for the administrator account. This account has the most access and can change any setting, so it is the account attackers try to break into. The default administrator userID is “admin”. Don’t use it. If you look at the logs of attempted break-ins on any WordPress site, the first userID the attackers try is “admin”. Use a different userID and a strong, unique password; the password is what actually stops a guessing attack, and the unusual userID just makes the attacker work harder.

If you already set up your WordPress site and used “admin” as the administrator userID, you can fix this. WordPress does not let you rename a user from the control panel, so you have to set up a new user with administrator access and then delete the “admin” user. In the Users area of your WordPress control panel, add a new user with a new userID and a strong password, and give that user the Administrator role. Log out of WordPress and log in with the new administrator userID and password. Check that you see all the menu items in the control panel. Then delete the “admin” user in the Users section. When WordPress asks what to do with that user’s content, choose to attribute all of it to the new administrator rather than deleting it, so no posts or pages are lost.

On the administrator user, there is one more setting to change. By default, WordPress uses the userID as the name shown on posts and comments, which hands an attacker the administrator userID for free. In the Users section, edit the record for your administrator user. Change the Nickname field to something other than the default, which is the userID (your real name is a good choice). Then use the drop-down for “Display name publicly as” and select the new nickname. Save the changes by clicking the Update Profile button at the bottom of the screen. The display name is not the only place the userID can show: WordPress also builds the author archive address (/author/name/) from the userID, so after saving, open your site with ?author=1 added to the address and check whether the address bar or the page still reveals the login. If it does, a WordPress developer can change that user’s slug (the “nicename”), and the plugin in Step 2 has options for blocking this kind of user enumeration.

Step 2: Install and set up the All In One WP Security plugin

There are many ways to add security to a WordPress site, including plugins and external services. The one I suggest you start with is a plugin named All In One WP Security. I have used it for a few years and have been pleased with the approach and the updates with new features. I also like that the base version is free. You can see the details on this plugin at https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/.

From the WordPress Plugins area, add this plugin to your site. Activate the plugin when it is installed. You will see a new WP Security entry in the menu. Click on it to see all the sections. It looks overwhelming at first, and many of the terms are more technical than most site owners need to understand. Don’t be put off by that.

I want to walk you through what I consider to be the settings that give the base level of protection. I will go section by section and specify what to do. I have used screen shots below, but as the plugin is updated, some of the screens and options may change. If you feel uncomfortable doing this, hire a WordPress developer or expert to set it up for you.

The plugin does a very good job of explaining what each setting does. Read the explanations that are shown or click on the “+ More Info” link at the end of a setting to read what that setting does. I won’t repeat what they say as to why a setting is important, I will focus on which settings you need to set by using screen shots and instructions of what to click or set. Many sections have multiple tabs at the top, so if you don’t see a setting I have shown, it may be because you are not on the correct tab. Here are the sections included in the screen shots below.

Settings section

In this section, you will back up some key files (the .htaccess and wp-config.php files) before making any changes, just in case, and hide the WordPress version number so that attackers are not told which version-specific issues to try. Hiding the version only removes a hint: automated scanners probe for known vulnerabilities regardless, so keeping WordPress core, themes and plugins updated is what actually closes them.

User Login section

This is a critical section for stopping attempts to break into your site or to overload it with login requests. It is where you turn on login lockdown, which locks out an address after a set number of failed login attempts, and where you can have the plugin email you about lockouts so you can see who is knocking.

Database Security section

This runs a regular database backup so you have a backup in case the database gets corrupted or attacked.

Filesystem Security section

This checks the permissions on key WordPress files and directories and lets you turn off the theme and plugin file editor in the control panel, so that a stolen administrator login cannot be used as easily to put PHP code onto the server.

Firewall section

This adds rules to the site’s .htaccess file that block common malicious requests before WordPress runs, and it protects sensitive files such as wp-config.php from being fetched directly by a browser.

Brute Force section

This section adds obstacles for automated systems trying to log in to your site (for example renaming the login page and adding a CAPTCHA or a hidden honeypot field to the login form) and blocks the sources that keep trying.

SPAM Prevention section

This prevents a lot of spam comments from slowing down your site and adding to the work of moderating comments on your site.

Scanner section

This performs a regular scan of the files in your WordPress installation and emails you if it finds that any of them have changed, been added or been removed. Some changes are normal, especially when WordPress, a theme or a plugin is updated. But I have seen an attack where extra files were added to a WordPress installation to run an attack.
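The scanner works by keeping a baseline of file hashes and comparing the current files against it. The following Python is an added example of that mechanism, written for this page rather than taken from the plugin or the post: it hashes every file under an installation directory, skips a cache directory that changes constantly, classifies differences as added, changed or removed, and singles out newly added PHP files, since a PHP file appearing under wp-content/uploads/ is the “extra files” pattern described above rather than a routine update. The toy installation, its file contents and the changes made to it are all constructed inside the script.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories whose contents churn constantly and are not worth hashing
# (assumed list for the example; tune it to your own site).
NOISY_DIRS = ("wp-content/cache",)
# Extensions the web server will execute; a new one of these is the finding
# that matters most.
CODE_SUFFIXES = (".php", ".phtml", ".phar")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, skip=NOISY_DIRS):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(d + "/") for d in skip):
            continue
        manifest[rel] = sha256_of(path)
    return manifest


def compare_manifests(baseline, current):
    """Classify every difference; this is what a scanner's e-mail would list."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def added_code_files(report):
    """New executable files are the classic sign of a dropped backdoor
    rather than a routine update, so they go to the top of the report."""
    return [p for p in report["added"] if p.lower().endswith(CODE_SUFFIXES)]


def demo():
    """Build a toy install, take a baseline, alter it the way an update and an
    intrusion would, and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        original = {   # constructed stand-ins, not real WordPress files
            "index.php": "<?php require 'wp-blog-header.php';\n",
            "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
            "readme.html": "<html>WordPress</html>\n",
            "wp-includes/version.php": "<?php $wp_version = '6.3';\n",
            "wp-content/cache/page.html": "cached\n",
        }
        for rel, text in original.items():
            p = site / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
        baseline = build_manifest(site)

        # Routine changes: an update bumps version.php, the owner removed a file,
        # and the cache was rebuilt (skipped, so it produces no finding).
        (site / "wp-includes/version.php").write_text("<?php $wp_version = '6.4';\n")
        (site / "readme.html").unlink()
        (site / "wp-content/cache/page.html").write_text("re-cached\n")
        # Suspicious changes: wp-config.php was edited and a PHP file appeared
        # in the uploads tree, where only media should live.
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); // tampered\n")
        dropped = site / "wp-content/uploads/2023/10/image.php"
        dropped.parent.mkdir(parents=True, exist_ok=True)
        dropped.write_text("<?php // unexpected file\n")

        return compare_manifests(baseline, build_manifest(site))


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "changed", "removed"):
        for path in report[kind]:
            print(f"{kind:8} {path}")
    print("investigate first:", added_code_files(report))
```

On a real site the baseline would be saved (and ideally kept somewhere the web server cannot write) right after a clean install or update, and the comparison run on a schedule. The skip list is the trade-off to think about: every directory you exclude to cut noise is also a place an intruder can put files unnoticed, which is why the example never excludes uploads and instead flags executable files there.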

Screen shots

I created a series of screen shots for you to refer to as you are changing the settings. I’ve saved them in a PDF file you can view or download here: All In One WP Security base settings.

Will these two steps prevent all attacks? No. I’ve experienced large scale attacks on my website and if someone gets determined enough, you have to use external services to protect your site. I’ll share that experience in another post.