  1. #1
    http and a telephoto
    Join Date
    January 18th, 2005
    Location
    NYC
    Posts
    17,708
    First steps when you install Wordpress and to make existing installs more secure
    Since there are a couple of threads going on about this I decided to post this now instead of waiting for the podcast. There will be an in-depth podcast on Wordpress installs and security steps in a week or so, but for now here are some steps to take:

    Really good tutorial on how to toughen up your Wordpress install:

    http://guvnr.com/web/blogging/10-tip...ss-hack-proof/

    Key points:
    Create new admin account, log out, log in as new admin, delete default admin account
    Make display name different from login username

    Rename your table prefix (easy to do on install, little tougher later, but doable, follow steps in the tutorial).

    Two plugins to make your life easier:
    WP Security Scan
    WP PhpMyAdmin

    I also recommend the following two plugins:
    Bad Behavior
    Exploit Scanner


    So if you are installing fresh do these in this order:

    Don't use one-step installs, because you want to create your own config file that has one change that makes your life easier and lessens your chances of attack: In the wp-config-sample.php find the line that defines your database prefix. It defaults to wp_ CHANGE THE WP_ TO SOMETHING ELSE. If you do this before you install your wp, you won't have to edit the database tables as noted in the above tutorial. Hackers assume you are using wp_ so if you make it something unique to your site they are less likely to break in. Make it anything you want, and throw a number in it. So instead of wp_ it is something like bl0g_ or even better n3w5_ *DON'T* use the same thing as any example suggested, make up your own.

    As soon as you install and log in as the default admin, create a new admin account. You do this under Users - Add New. Give yourself a hard login name, again with a number in it.

    Log out, then log in as your new identity.

    Create a nickname that is *different* from your username. Do this under Edit Users and choose yourself. You will have to save that page and go into edit a second time to choose the nickname to display.

    Now go to Edit Users and delete the default admin account. Tell it to delete all posts and that will give you an empty install.

    Obviously if you are editing a current install, you will tell it to assign the existing posts to the new admin user and *NOT* delete your existing content.

    Then go watch the video in the post in the very first link above and do the rest if you feel brave.

    By changing the default admin and the database prefix your blog will escape a lot of hacking issues.
    Last edited by loxly; December 30th, 2009 at 04:55 PM. Reason: typo - i blame the pain meds :)
    Deborah Carney
    TeamLoxly.com BookGoodies.com ABCsPlus.com

  2. #2
    Moderator MichaelColey's Avatar
    Join Date
    January 18th, 2005
    Location
    Mansfield, TX
    Posts
    16,232
    Excellent suggestions!
    Michael Coley
    Amazing-Bargains.com
     Affiliate Tips | Merchant Best Practices | Affiliate Friendly? | Couponing | CPA Networks? | ABW Tips | Activating Affiliates
    "Education is the most powerful weapon which you can use to change the world." Nelson Mandela

  3. #3
    http and a telephoto
    Join Date
    January 18th, 2005
    Location
    NYC
    Posts
    17,708
    I'd love to take credit for them, but the video post I linked to is where I found out about the top two things. I have been running WP Exploit and Bad Behavior for over a year but didn't even think about the default admin profile being easy to break into since hackers know the username! And making the display name different from the actual login when you make the new account, never thought of that either.
    Deborah Carney
    TeamLoxly.com BookGoodies.com ABCsPlus.com

  4. #4
    Affiliate Manager BlogBonnieBlog's Avatar
    Join Date
    July 28th, 2009
    Location
    Surprise
    Posts
    526
    Thanks! I've been working on WordPress sites all day and this is helpful.

  5. #5
    Full Member JCSupSvc's Avatar
    Join Date
    February 14th, 2007
    Posts
    275
    Very good information, thanks for posting it. I've been doing a lot of reading over the last couple of weeks on WP security and none of the sites mentioned these tips.

    Thanks also for the link to the video.

    John

  6. #6
    Comfortably Numb John Powell's Avatar
    Join Date
    October 17th, 2005
    Location
    Bayou Country, LA
    Posts
    3,432
    Quote Originally Posted by loxly
    I'd love to take credit for them, but the video post I linked to is where I found out about the top two things.
    You get credit for bringing this to light and that's big. It's a great video and I'm getting busy right now following his tips.


  7. #7
    Comfortably Numb John Powell's Avatar
    Join Date
    October 17th, 2005
    Location
    Bayou Country, LA
    Posts
    3,432
    I should not have tackled this when tired. I created a mess somehow and none of my widgets work. They are throwing errors. I tried to use my backup database and got the same thing.

    My hosting tech is trying to help me restore.


  8. #8
    Comfortably Numb John Powell's Avatar
    Join Date
    October 17th, 2005
    Location
    Bayou Country, LA
    Posts
    3,432
    Got it rolled back to where it was. All is well and I will tackle it again when fresh.


  9. #9
    http and a telephoto
    Join Date
    January 18th, 2005
    Location
    NYC
    Posts
    17,708
    Yeah, changing your wp_ prefix after you have an established blog can wreck things pretty fast, so be careful with that. That's why he says BACK UP everything before you take that step.

    I'm almost done changing all the admins, will tackle replacing wp_ at a later date, but am setting up all new blogs following the steps above.
    Deborah Carney
    TeamLoxly.com BookGoodies.com ABCsPlus.com

  10. #10
    Comfortably Numb John Powell's Avatar
    Join Date
    October 17th, 2005
    Location
    Bayou Country, LA
    Posts
    3,432
    Quote Originally Posted by loxly
    I'm almost done changing all the admins, will tackle replacing wp_ at a later date
    I'm all done. The WP Security Scan plugin could not change my table prefix away from wp_.

    I followed the manual instructions twice only to get the same broken result. Using Find & Replace to change wp_ hit some of the content of the database.

    A little search found 6 Simple Steps to Change Your Table Prefix and that was really good. It's a little more labor as you have to change each table name with SQL in phpMyAdmin.

    I like his idea of using cPanel Full Backup prior to starting. So simple I had missed it. It's also good to have a copy of your database on your PC in case you need it quick.
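The prefix change from the first post and the Find & Replace problem from post #10, as an added Python example that is not from anyone in the thread: it rewrites a SQL dump so that only the backtick-quoted table names and the handful of option/meta keys WordPress derives from the prefix are renamed, and shows why a blind editor replace corrupts post content. The miniature dump, the prefix n3w5_ and the key list are constructed for the example.

```python
import re

# Constructed miniature mysqldump excerpt (not from any post in the thread).
# The post body deliberately contains the literal text "wp_" so the two
# approaches below can be compared.
SAMPLE_DUMP = """\
DROP TABLE IF EXISTS `wp_options`;
CREATE TABLE `wp_options` (`option_id` bigint(20), `option_name` varchar(191), `option_value` longtext);
INSERT INTO `wp_options` VALUES (1,'wp_user_roles','a:1:{s:13:"administrator";a:0:{}}'),(2,'siteurl','http://example.test');
INSERT INTO `wp_usermeta` VALUES (10,1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'),(11,1,'wp_user_level','10');
INSERT INTO `wp_posts` VALUES (1,'Edit wp_ in wp-config.php before you install');
"""

# option_name / meta_key values that WordPress builds from the table prefix and
# that must be renamed together with the tables. Everything else in
# option_value, meta_value and post_content is site content and is left alone.
PREFIXED_KEYS = ("user_roles", "capabilities", "user_level",
                 "dashboard_quick_press_last_post_id")


def rename_prefix(dump: str, old: str, new: str) -> str:
    """Rewrite backtick-quoted table identifiers and the known prefix-dependent
    keys in a SQL dump, leaving every other occurrence of `old` untouched."""
    if not re.fullmatch(r"[A-Za-z0-9]+_", new):
        raise ValueError("new prefix must be alphanumeric and end with '_'")
    # 1. Identifiers: `wp_posts` -> `n3w5_posts`. Stock column names never start
    #    with the prefix, so only table names match here.
    out = re.sub(rf"`{re.escape(old)}(\w+)`",
                 lambda m: f"`{new}{m.group(1)}`", dump)
    # 2. Exact-match quoted key strings: 'wp_capabilities' -> 'n3w5_capabilities'.
    keys = "|".join(re.escape(k) for k in PREFIXED_KEYS)
    out = re.sub(rf"'{re.escape(old)}({keys})'",
                 lambda m: f"'{new}{m.group(1)}'", out)
    return out


def blind_replace(dump: str, old: str, new: str) -> str:
    """What a plain editor Find & Replace does: every 'wp_' in the file."""
    return dump.replace(old, new)


if __name__ == "__main__":
    safe = rename_prefix(SAMPLE_DUMP, "wp_", "n3w5_")
    naive = blind_replace(SAMPLE_DUMP, "wp_", "n3w5_")
    print("post content intact after rename_prefix:", "Edit wp_ in" in safe)
    print("post content intact after blind_replace:", "Edit wp_ in" in naive)
```

The same key list matters when renaming live tables with RENAME TABLE in phpMyAdmin: the option_name in options and the meta_key rows in usermeta have to be updated afterwards, or the admin account loses its capabilities and the widgets and roles break as described above.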


  11. #11
    Newbie
    Join Date
    January 14th, 2010
    Posts
    2
    Better safe than sorry. I never had problems with my WP blogs but I will take a look at the 2 plugins you mentioned above.
