WordPress is a fantastic platform on which to base your websites: it's easy to use (once you get the hang of it!), has an absolute ton of features and can be easily extended through plugins. But because of its popularity, there are some WordPress security issues that few users know about or act on.


However, there are some very simple steps that you can take to secure WordPress websites, and here they are.



1) Always have the latest version of WordPress.

The guys at WordPress have made it extremely easy to upgrade your WordPress website. Simply click the link at the top of your dashboard and it only takes a few seconds, so there is no real excuse for not keeping your website up to date!


2) Do not use admin as your main login username.

When you initially install WordPress, whether using Fantastico in cPanel or any other method, DO NOT set your username to admin. This is the default user name and probably 90% of WordPress users use it, which makes the username extremely easy to guess!


The main admin username cannot be changed from within WordPress once it has been set. If you already have your WordPress website up and running with admin as the main user name, you will have to change it in the database using phpMyAdmin.


3) Remove unnecessary files.


Once you install WordPress, there are a few files that are no longer needed, but are left on your server. These files can make it extremely easy for hackers to get into your website, so make sure you delete them from your server. The main ones are:


readme.html located in the public_html folder.


install.php located in the wp-admin folder.


install-helper.php located in the wp-admin folder.


4) Move wp-config.php to your server root folder.


The file wp-config.php contains your WordPress database user name and password. By default it is located in the public_html folder, and can be easily accessed by hackers. The first thing to do is make sure that its permissions are set to 600, so that only the account that owns the file can read or write it.


The second thing to do is move the file to the root folder of your server (the folder directly above public_html, which is where WordPress also looks for it). You can do this using either your server's cPanel (if it has one) or an FTP program like FileZilla. By moving it to the root you will make sure that hackers cannot access it.


Side note: I have had a problem doing this in that when I moved it and revisited the website, I started getting error messages. This is caused by some FTP programs adding blank lines to the file when it was moved. If you have the same problem, just edit the file in your cPanel or FTP program and remove any blank lines after the ?> at the end of the file.
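A check for steps 3 and 4, including the blank-line problem from the side note, written as an added example (not code from WordPress or from this article). The function name audit_wordpress() and the sample directory tree are constructed for illustration; run it with the php command-line program.

```php
<?php
// Added example: audit_wordpress() is a hypothetical helper, not WordPress code.
function audit_wordpress(string $docroot): array
{
    $findings = [];
    // Step 3: leftover files the article says to delete.
    $leftovers = ['readme.html', 'wp-admin/install.php', 'wp-admin/install-helper.php'];
    foreach ($leftovers as $rel) {
        if (file_exists("$docroot/$rel")) {
            $findings[] = "leftover file present: $rel";
        }
    }
    // Step 4: wp-config.php should sit one level above the web root.
    $config = "$docroot/wp-config.php";
    if (file_exists($config)) {
        $findings[] = 'wp-config.php is still inside the web root';
    } else {
        $config = dirname($docroot) . '/wp-config.php';
        if (!file_exists($config)) {
            return array_merge($findings, ['wp-config.php not found']);
        }
    }
    $mode = fileperms($config) & 0777;
    if ($mode !== 0600) {
        $findings[] = sprintf('wp-config.php mode is %o, expected 600', $mode);
    }
    // PHP swallows one newline after the closing tag; anything more is output.
    $src = file_get_contents($config);
    $pos = strrpos($src, '?>');
    if ($pos !== false) {
        $tail = substr($src, $pos + 2);
        if (trim($tail) === '' && !in_array($tail, ['', "\n", "\r\n"], true)) {
            $findings[] = 'blank lines after the closing ?> in wp-config.php';
        }
    }
    return $findings;
}

// Constructed sample tree so the script runs offline.
$root = sys_get_temp_dir() . '/wp-audit-' . getmypid();
mkdir("$root/public_html/wp-admin", 0700, true);
touch("$root/public_html/readme.html");
file_put_contents("$root/wp-config.php", "<?php\n// constructed sample\n?>\n\n");
chmod("$root/wp-config.php", 0644);
print_r(audit_wordpress("$root/public_html"));
```

To audit a real site, replace the sample tree with a call such as audit_wordpress('/path/to/public_html'), using your own path.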


5) Remove the error message from your login page.


An easy way for hackers to find out your username is via the error message that appears on the WordPress login page when an incorrect username or password is entered. For instance, if someone goes to your login page and uses the username admin but gets the password error message, they are already halfway to finding out what your login details are!


An easy way to correct this is to remove the code that generates the error message altogether. To do this, use your cPanel file manager or FTP software to find the following code in the file wp-login.php, in your public_html folder.


if ( !empty($errors) )
    echo '<div id="login_error">' . apply_filters('login_errors', $errors) . "</div>\n";
if ( !empty($messages) )
    echo '<p>' . apply_filters('login_messages', $messages) . "</p>\n";


You can safely remove the line above that echoes the login_error div, and this will remove any messages that might appear if a wrong username or password is entered. Alternatively, you could change the code between the dots on that line to something like “Login failed, please try again”, like this:


if ( !empty($errors) )
    echo '<div id="login_error">' . "Login failed, please try again" . "</div>\n";
if ( !empty($messages) )
    echo '<p>' . apply_filters('login_messages', $messages) . "</p>\n";


This way, hackers will not know whether it is the username or the password or both that are incorrect.
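The same result can be had without editing wp-login.php, by hooking the login_errors filter that the code above already passes $errors through. This is an added example, not code from WordPress or from this article: the file name, the function name generic_login_error() and the two sample messages are constructed, and the small add_filter/apply_filters stand-ins exist only so the file also runs outside WordPress.

```php
<?php
// Added example. Save as wp-content/mu-plugins/generic-login-error.php
// (hypothetical file name) so it loads on every request.

// Offline stand-ins for WordPress's hook functions, defined only when this
// file is run with plain `php`; inside WordPress the real ones are used.
if (!function_exists('add_filter')) {
    define('DEMO_OFFLINE', true);
    $GLOBALS['demo_filters'] = [];
    function add_filter($hook, $callback)
    {
        $GLOBALS['demo_filters'][$hook][] = $callback;
    }
    function apply_filters($hook, $value)
    {
        foreach ($GLOBALS['demo_filters'][$hook] ?? [] as $callback) {
            $value = $callback($value);
        }
        return $value;
    }
}

// Discard the original text so that a bad username and a bad password
// produce exactly the same page.
function generic_login_error($errors)
{
    return 'Login failed, please try again';
}
add_filter('login_errors', 'generic_login_error');

if (defined('DEMO_OFFLINE')) {
    // Constructed sample messages standing in for the two distinct errors.
    $samples = [
        'ERROR: Invalid username.',
        'ERROR: The password you entered is incorrect.',
    ];
    foreach ($samples as $errors) {
        // The unmodified line from wp-login.php shown above.
        echo '<div id="login_error">' . apply_filters('login_errors', $errors) . "</div>\n";
    }
}
```

Because the change lives in its own file rather than in wp-login.php, a WordPress upgrade does not overwrite it.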


One thing to note about WordPress website security is that each time you upgrade to a newer version, you will need to redo these tasks, which is a bit of a pain, but the few minutes it takes are worth it when compared with rebuilding a hacked website!


Having said that, having to redo the above steps every time WordPress is upgraded brings you a great opportunity to make money.


You see, there are a huge number of small businesses that use WordPress for their business. Some of them may be in your local area. If you use the methods outlined in this great WordPress security package, you can have these business owners paying you to create their secure WordPress websites!


If you could spend less than $10 and a bit of learning time, wouldn’t that be a wise investment to get small business owners paying you $200 – $300 per month to look after their WordPress security issues?


Disclaimer: Although due care has been given in writing this article, we cannot be held responsible for your use/misuse of the information provided. Please seek the advice of a trained professional WordPress Security advisor.
