If you are a WordPress designer or developer who installs WordPress often and you still use a one-click installer (e.g. SimpleScripts or Softaculous in your cPanel), this article is for you. I will explain how to install WordPress the correct way and secure it properly. I have divided the process into 7 steps, and I recommend doing each one every time you set up a new WordPress installation. Here is the list.
1. Install WordPress the Manual Way
The first and most important step to a secure WordPress installation is to install it manually. I don't recommend the one-click installers in your hosting control panel: many of them create the first user as "admin", which is bad for security, and some don't let you change the database table prefix from the default "wp_" to something else. Be realistic about what a custom prefix buys you: it is a minor hardening measure that only defeats generic SQL injection scripts with "wp_" hard-coded, and it does nothing against an attacker who can read the schema. A manual install still puts you in control of the username, the prefix and the authentication keys and salts in wp-config.php, which should be fresh and unique for every site. So I always prefer to install WordPress manually, even if it takes a little longer.
2. Don’t use “admin” as Your Username
As mentioned above, never use "admin" as your WordPress username. Anyone trying to guess your login details will try "admin" first, so always choose something different. Keep in mind that the username is not a secret: WordPress can disclose usernames through author archives and the REST API, so this step only removes the easiest guess and does not replace a strong password.
3. Use a Strong Password
This is a must and I'm sure you already know it. Use a long password with lowercase and uppercase letters, numbers and special characters such as $ or &; length matters more than any single character class, so don't stop at eight characters. I also recommend a password manager in your browser so you don't have to remember your passwords and are not tempted to reuse one across sites. LastPass, for example, has a free tier.
4. Remove Unnecessary Plugins and Themes
The first thing I do after logging into a new WordPress dashboard is delete the inactive plugins and themes I won't need. Inactive code is still code on your server: a plugin or theme that is installed but not activated still has its files reachable over the web, still carries any vulnerabilities it has, and is easy to forget to update. If you know you won't use it, remove it; this also keeps the installation cleaner.
5. Change Your WordPress Login Page
To take the security of your WordPress website a step further, rename the admin login page so it is no longer yourwebsite.com/wp-login.php but something like yourwebsite.com/ml05pg2. A free plugin such as WPS Hide Login does this. Be clear about what it buys you: it hides the login form from automated scanners and bots, which cuts the noise in your logs, but it is obscurity, not authentication, and it does not cover other authentication paths such as xmlrpc.php. Pair it with a strong password and a limit on failed login attempts.
6. Prevent Spam Comments
Another thing to do with every WP installation is to set the rules for comments. In your WP admin panel under Settings > Discussion you can disable comments entirely or set rules such as requiring the name and email fields. The important option is the one that holds every comment for moderation ("Comment must be manually approved" in current versions), so that nothing is published without your review. I also recommend a plugin to stop comment spam, for example Akismet or WP-SpamShield.
7. Back Up Your Install
The last step in securing your website is to keep a current backup of your whole installation, files and database. A plugin like UpdraftPlus can do this and can run on a schedule, for example weekly, so you always have a recent copy to restore if anything goes wrong. Store the backups somewhere other than the web server itself (UpdraftPlus can send them to remote storage), because a backup that sits next to the site is lost or tampered with in the same incident, and restore one occasionally to confirm it actually works.
If you need help in securing your WordPress Site, contact us to help you.