(image source: cpwebhosting.com)
1 – WordPress Hosts
For the most part, a host is a host these days. WordPress uses php and MySQL, so a host that provides Linux environments is required. The majority of hosting companies are all reasonable.
We tend to avoid using Go Daddy or Yahoo as hosts. Go Daddy is great for registering domains, but them and Yahoo use their own hosting environment (instead of the widely used cPanel environment). Their hosting environments are aimed at being simplistic in nature, so much so that it causes them to be restrictive. This means that they can be less user friendly for doing anything beyond WordPress basics. Because of these restrictions, you may run into problems when modifying your WordPress install and not know how to resolve the issues. It may also prevent you from being able to manually add some of the upcoming listed items to improve your website’s security.
2 – Installing WordPress
To install WP you’ll need to have a basic understanding of using an FTP program and databases. WordPress requires you to FTP the files to your host, then set up a database that will compliment the files. After the files are loaded and the database structure built you visit yourdomain.com (or yourdomain.com/blog, wherever you want to install WordPress). WordPress will then prompt you with some questions to help it auto-install the rest.
Depending on your host, you can often use a WordPress installer too. Hosts with cPanel often have a program called Softaculous that will load your WordPress files and database for you. Manually installing WordPress takes about 10 minutes. Using something like Softaculous to install WordPress takes as little as 1 minute.
3 – Initial WordPress Security
Avoid using “admin” or “administrator” as your administrative login username. Until a year or two ago WordPress would install using “admin” as the default username. Hackers knew this and would run scripts to look for sites that had installed WordPress and not changed the default username. This made it easy for hackers to only have to guess/crack passwords instead of passwords AND usernames. The more recent installs of WordPress let you pick your username during the install process. However, this doesn’t “fix” any older installations of WordPress that may still have the default “admin” username.
4 – Next Level WordPress Security
Now, let’s look into some quick updates to move beyond basic WordPress security.
In the previous paragraph we mentioned hackers running scripts to find WordPress. Hackers can search the internet for WordPress “footprints.” Footprints are identifiable or recurring lines of text or code that would identify that a site uses a particular set of code (i.e. WordPress). By default, WordPress will specify in the source code of your website’s “generator tag” that it uses WordPress. It will say something like this:
<meta name=”generator” content=”WordPress 3.8.4″ />
Bots can easily be used to find sites that say <meta name=”generator” content=”WordPress XYZ” />. Once a hacker has identified what system your site runs on than the easier it is to narrow down what exploits they can try against your website. Webmasters can add the following line of code to their functions.php file to disable this generator tag and lessen your footprint.
This will cause WordPress to remove the generator tag and no longer identify itself as being WordPress.
Bonus – Wordfence
Wordfence is the greatest thing we’ve found for WordPress security. It’s been around for a while, but we just discovered it. We used to use multiple security plugins to prevent excessive login attempts, invalid user login attempts, etc. Wordfence consolidates multiple security plugins into one bad-A plugin.
The default settings work great. You’ll be surprised how many notices you get about people trying to mess with your site. So, you may want to disable some of the notifications after a while. Hackers be cray cray.
You are now a l33t WordPress hax0r.
(Obligatory binary pic)