[GUIDE] Secure your WordPress website - HowTo

[Mayne]

Hi everyone, I believe that this topic should exist because I am terrified with the security of the WordPress websites I got to see here.

I am writing this guide to let you know that your WordPress website can and NEEDS to be secured. Don't cry later when you get your website hacked by some noobs just because you did not take 15 minutes of your time after reading this to secure your websites.

This guide is for WordPress websites, works on any version but of course, upgrade to the latest one is VERY RECOMMENDED. In this tutorial I will be using only one plugin and it is completely free.

Step 1. "Installing plugin"
Login to your WordPress admin dashboard -> Plugins -> Add new

In the input field, type Better WP Security and click on Search plugins. Top result should be plugin named Better WP Security. Click on Install now and confirm.
You should get few messages, the last should be Successfully installed the plugin Better WP Security 3.4.1.
Click on Activate plugin.

Step 2. "Adjusting settings"
Ok, we have installed the plugin and activated it. We are still in WordPress admin dashboard, and in the left menu, in the bottom, new menu item should show up under the icon of the blue shield saying Security.
This is where you will be adjusting all of the settings for your website security.
Click on the Security menu item

This plugin should work on all websites, old and new. However, for teh sake of security, we will create a database backup prior to changing anything with this plugin, so you can restore your website as it was before doing this.
Click on the Create Database Backup button. Database backup will be sent to your email specified in Settings -> General (WordPress admin dashboard).

Ok, we are on our next screen, plugin is asking us if we want to give it permission to write to WordPress core files. In order to secure the website to maximum lvl with this plugin, we need to allow this, so click the upper button to Allow this plugin to change WordPress core files.
Now that we have a backup of everything, we can go play with the options. You should be in Dashboard section of the plugin menu. Notice the tabs on top (marked on image) as I will referr to them throughout the tutorial.


#User tab
Ok, we have two options on this tab. First one is the main reason why your website get's easily hacked. You have a user with username admin (created by default). That is very bad and you need to change this. Enter new username for that user and click Change Admin Username.
Note that if you are logged in as that user, you will be logged out and will need to log in again with new username you chose.

Second option is for changing ID of the user under the id 1. Note that this feature is new and some users report problem with gravatar for their profile after changing this. If you are using gravatar feature for your WordPress profile, don't use this yet.
Otherwise, click Change User 1 ID.
Note: you will probably be logged out again, so log in and click the button again.

#Away tab
is probably not for everyone. Basically, you can lock out your admin dashboard for a certain period of time or by daily period. Use this option only if you are certain you will not need access to the dashboard outside of the specified time.

#Ban tab
First option is User and Bot blacklist. We will check the checkbox for Enable Default Banned List. This uses hackrepair.com list and blocks access to known parasites.
For average user, this options on Nab tab is enough, you have option below to add your own list of hosts and user agents to ban.

#Dir tab
Warning - this is for NEW WORDPRESS WEBSITES only!
What this feature do is change the name of your wp-content directory. In wp-content, wordpress storess themes, plugins, upload and more. If you already have images uploaded, do not use this as it will break the links. It is recommended to backup your WordPress files (via ftp or CPanel) before doing this.

#Backup tab
This is a great feature of the plugin - database backup. For those that do not understand, every setting, post, comment, page etc. is saved in the database. Your WordPress website is then pulling that content out of the database and displaying it in your website. That is why it is important to have database backup, as you can restore the last known good configuration any time.
Check the first chechbox to enable the feature, than select backup interval. I suggest backing up at least once every month (for static websites) or once a week/day for blogs etc, where content is constantly added.

You have two options, to store backups on your server or to send them to the specified email. Use whatever you find neat.

Backups to keep option applies only if you store backups on your server. I believe 20 is perfectly fine for that.

#Prefix tab

This is another important step. By default, database prefix of your WordPress installation is wp_. We need to change this, as we do not want this information to be known to attackers. Just click Change Database Table Prefix button to change it to something random.

#Hide tab

By default, WordPress login/register urls are wp-admin, wp-login and wp-register. We want to change that. Please note that you need to remember new url's. If you don't, you will not be able to access your dashboard (if you ever forget, just let me know, I can find it out for you).
Note that some plugins that use registration/login may stop working and you will need to manually edit them for fix.

#Detect tab

404 Detection

We will want this setting turned on. Check the first checbox to enable 404 detection. Uncheck the second checkbox, as plugin can sometimes send multiple emails for nothing. Check period set to 2, leave everything else default.

File Change Detection
First two checkbox should be checked, uncheck mailing again, for the reason stated above. Note that this option will probably have many false positives. Also, I suggest you not to use this option on shared hosting, as it can slow the server down.

#Login tab

This feature checks for wrong logins and bans hostname if too many wrong logins come too fast. It's useful to prevent brute force attacks on your blog.
First checkbox needs to be checked. Leave everything else on default, but turn off email notifications, as it may bug you.

#SSL tab
We are skipping this as this is very specific and you have to know what you are doing to do it. You are not missing much

#Tweaks tab


Note that some options here migh be incompatible with certain plugins/themes. If you notice theme/plugin malfunction, get back here and play with options that have warning below them to see what is causing problems.

Server Tweaks
Check every checkbox.

Header tweaks
Check every checkbox

Dashboard tweaks
Check every checkbox

Strong password tweaks
You don't have to use this if you do not allow registrations on your website. Otherwise, it might be smart to force users to use strong passwords.

Other tweaks
Check every checkbox. Note that if you edit your theme from the backend using editor (under Appearance menu), you will want to leave last checkbox unchecked.

[renael]

Appreciate the comprehensiveness of your guide. I wouldn't have had a clue what to put in some of those fields without your info. We are all too aware here of what a sloppy approach to wp security results in, don't we now? :P

[danroo]

Thanks for this share

[GoWork]

It would be better if you can add in images

[SYS]

@OP thanks for the share. I use this great plugin some times now and it's great. One hint more:

Wordfense Security is the other must have plugin to secure the WP install. Both works perfect together.

[lordcedrich]

nice info thanks to this

[lifebeinit]

good stuff i will implement this straight away thanks for the share