by Tony Gamble
This week we’re talking security. You’ve gone to a lot of trouble building a great website. Wait, who are we kidding… you built it on WordPress, so it was no trouble at all. You’ve been loading it up with great content, though, and the last thing you want is for some miscreant coder to find a way in and muck it all up. I’ve got some tips for you that can help ease your mind as your home on the web purrs steadily along.
Many say that security through obscurity is no line of defence, but if you’re so inclined you can in fact hide the default login page to your WordPress site. Out of the box, your Admin screen login can be reached by pointing the browser to your website address, appended with /wp-admin or /wp-login.php. With a plugin like Rename wp-login.php, you can create a customized login URL and prevent access to all login-related items such as the registration form, lost password form and login widget. Such a plugin should be fully tested against other plugins on your site, however. Any hard-coded links to the default /wp-login.php will certainly not work.
Another practice I most often recommend is to move the wp-config.php file out of the home directory. This is the file that contains the database name, username and password necessary to make the website tick. But wait… won’t moving this file break the site? Well actually, WordPress is smart enough to look for this file in any higher directory. You see, on your host server, the home directory is where visitors land when they type in your website address. It’s where the WordPress files and folders live, but it is itself a folder within a tree of folders. Bump that file up one level and you’ve removed any possibility of outside access to it.
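The parent-directory lookup and the move described above, as an added shell example that is not part of the original post. DOCROOT is an assumed path; the script builds a throwaway copy of the site layout under mktemp so it can be run anywhere without touching a live install.

```shell
#!/bin/sh
# Added example, not from the original post: relocate wp-config.php one level
# above the web root and show that the lookup WordPress performs in
# wp-load.php still finds it. DOCROOT is an assumed path; a throwaway copy of
# the layout is built under mktemp so this runs anywhere without touching a site.
set -eu

# Mirror of WordPress's lookup order (wp-load.php):
#   1. <docroot>/wp-config.php
#   2. <parent>/wp-config.php, but only when <parent>/wp-settings.php does NOT
#      exist; if it does, the parent is a separate WordPress install and its
#      config must not be borrowed.
find_wp_config() {
  docroot=$1
  parent=$(dirname "$docroot")
  if [ -f "$docroot/wp-config.php" ]; then
    printf '%s\n' "$docroot/wp-config.php"
  elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
    printf '%s\n' "$parent/wp-config.php"
  else
    return 1
  fi
}

# Move the config above the web root and restrict it to the owning user so the
# database credentials are neither web-reachable nor world-readable.
harden_wp_config() {
  docroot=$1
  parent=$(dirname "$docroot")
  [ -f "$docroot/wp-config.php" ] || { echo "no wp-config.php in $docroot" >&2; return 1; }
  mv "$docroot/wp-config.php" "$parent/wp-config.php"
  chmod 600 "$parent/wp-config.php"
}

# Constructed layout: site/public is the web root, wp-settings.php marks it as
# the WordPress install, and the credential value is a placeholder.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
DOCROOT="$demo_root/site/public"
mkdir -p "$DOCROOT"
: > "$DOCROOT/wp-settings.php"
printf "<?php define('DB_PASSWORD', 'placeholder');\n" > "$DOCROOT/wp-config.php"

echo "before: $(find_wp_config "$DOCROOT")"
harden_wp_config "$DOCROOT"
echo "after:  $(find_wp_config "$DOCROOT")"
```

On a real host, point DOCROOT at the directory your web server serves and check afterwards that the relocated file is owned by the site user, since a `chmod 600` on a file owned by someone else locks WordPress out too.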
Finally, the one plugin I use religiously on every website I build: Wordfence. Actually, it’s more like a suite of plugins all wrapped in one, with functions covering everything from firewall and virus scan to real-time traffic monitoring and IP blacklisting. It can even repair your core, theme and plugin files in the event of a malicious attack. One of my favourite features is its update notifications. It keeps an eye out for updates to your themes and plugins and can send you an email as soon as one is detected. As a free plugin, it already comes with a deluge of functionality, but Premium users get even more, making it a great bang for your buck.
These are just a few steps you can take to ensure the security and stability of your WordPress website. There are many more such plugins available at WordPress.org and you can keep abreast of security issues at sites like WP Questions and WP Tuts+ or simply by signing up for Wordfence.com’s Security Updates & News.