In this video we’re going to cover some of the basic WordPress security measures that you can put into place for your WordPress website.
There are several different WordPress security measures you can actually have but I’m only going to cover some of the basic ones in this video.
Number 1 – no matter how you install WordPress, the very first ID number in the users table of the database is going to be an administrator username, and assigned to that is the administrator password. An added layer of security is to create an additional administrator username and password and delete the first one, because any good hacker is going to know that ID number 1 in your database is the administrator, and if they get access to that account, they have access to everything on your WordPress site as the administrator. So let’s delete that one. The best way to do that is to create a new administrator username and password, then delete the original one so there no longer is an ID number 1.
Another item is to keep everything up-to-date – your WordPress version, your plug-ins, your themes, anything related to the makings of your WordPress site, keep it as up-to-date as possible.
With that said, whenever a brand new full version of WordPress comes out like a 3.8 or a 3.9 or a 4.0, you may want to hold off for at least a few days before you go ahead and upgrade to that brand new full version because there may be some lingering bugs between that new version and some of the plug-ins or themes that you have activated on your site.
Go ahead and give it a couple of days to let other people encounter those problems and get them fixed before you run into them and have to deal with them. It’s really important to do a full backup of both your files and database on a regular basis. How regular? Well, it depends on how often you add content or how active your site is. If it’s something you add content to on a weekly basis, then maybe a weekly backup of both files and database is fine.
If it’s something like a very active membership site that you have brand new members coming in everyday and brand new content every other day, then you might want to consider a full backup of files and database on a daily basis.
As I mentioned earlier about keeping things up to date, if for some reason you are just in love with an older version of WordPress, keep this in mind – hackers are very aware of the vulnerabilities of older WordPress versions. If you are going to stick with an older version, then what you need to do is erase any and all footprints of that version.
In other words, WordPress lets everybody know what version of WordPress you’re using. For example if we were to right click on your WordPress site, I’m using Chrome browser by the way, so if you’re using a different browser, Internet Explorer, Firefox, whatever, then you might have a different language to get to where I’m about to show you and that is the page source. So I right click and then left click on page source, that opens up all the coding stuff for your WordPress site.
As you can see there are several spots in here that tell you the version of WordPress that you’re working with and it also tells the hackers “oh okay, that’s version 3.2, so all I have to do is just look in my little book of break-ins and see what hacks are available for version 3.2, boom!” What you need to do, again if you’re sticking with an older version, is to remove all of these little telltale signs of what version of WordPress you’re using, this is imperative for WordPress security.
There are a few different methods out there and really only one method covers all footprints. Some methods require you to delete a certain line in header.php or add something to your functions.php that eliminates the meta generator tag. But you still have things like the RSS feed, and if those are not eliminated properly, the RSS feeds are still going to be showing the version. What I’m going to show you is a way to eliminate all footprints of what version of WordPress your site is running. Let’s go ahead and do that first.
Anytime you’re messing with code, you really should have access to a file manager through a cPanel-type control panel or an FTP client so you can still get at these files just in case the edits or additions you make inside the dashboard area break something. For example, under Appearance, under Editor, you can edit all these files right here, and the functions.php file is the one I’m going to be editing. Doing all this within this page is just fine, but if something goes wrong, you’re no longer going to have access to this page because you just broke your site.
If that happens, don’t sweat it. As long as you have access to these files outside of your WordPress site, like through a file manager in cPanel or through an FTP client, then you’re good to go. You simply access that broken file through one of those means and fix the problem – whether it means going to your desktop and uploading the original file to overwrite the broken one or just fix the broken one. However you do it, you won’t be able to do it inside of this page here.
That’s why anytime you edit your files or customize your files inside of WordPress, make sure you have an out, make sure you have a plan B. Another thing about editing or customizing code, ideally it should only be done in what’s called a child theme but that’s the makings of a different video so for the time being, I’m just going to do all the editing right inside of here.
Let’s go ahead and tackle that one first. I’m going to open up the theme functions, or the functions.php file, right here, and I do have my cPanel control panel open right here just in case. I’m going to scroll down to the very bottom of this page to enter the new code, and you don’t have to worry about pausing the video and trying to copy all this stuff down. I’m going to include this code along with this video so it’s just a copy and paste type thing.
Scroll back down here and then paste, and then right here I’m going to click on ‘update file’ and by the way this is theme-specific so if you have a few different themes installed and you do this addition to one of those themes, it’s not going to be the same with your other themes. If you regularly switch from one theme to another, then you want to do the same thing on all the themes. Update file, nothing’s broken, so far so good. Let’s come on back here to our front page, refresh the page, right click and left click on ‘view page source’. As you can see all those items up here where version 3.9 was showing are not showing any longer.
All footprints are gone.
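The snippet pasted into functions.php in the video is not included in this transcript, so here is an added example (my own code, not the author’s) that does the same job: it hooks the real WordPress filters and actions that produce each version footprint the video points at. The function name `example_strip_core_version_query` is an assumed name; everything else is core WordPress API.

```php
<?php
/**
 * Added example: hide the WordPress version from the places where the video
 * shows it leaking. Paste at the bottom of the active theme's functions.php
 * (or, better, into a small must-use plugin under wp-content/mu-plugins/ so
 * it survives a theme switch, which the video warns about).
 */

// 1. The <meta name="generator" content="WordPress x.y"> tag in <head>.
//    wp_generator() is attached to the wp_head action by core; detach it.
remove_action( 'wp_head', 'wp_generator' );

// 2. The <generator> element in the RSS2 / Atom / RDF feeds is produced by
//    the same the_generator() helper, so returning an empty string from the
//    the_generator filter covers every feed type at once.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core scripts and styles are enqueued with ?ver=<WordPress version>.
//    Strip that query argument only when it equals the core version, so
//    plugin and theme assets keep their own cache-busting version strings.
function example_strip_core_version_query( $src ) {
    $core_version = get_bloginfo( 'version' );
    $query        = parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === $core_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'example_strip_core_version_query' );
add_filter( 'script_loader_src', 'example_strip_core_version_query' );
```

After adding it, repeat the check from the video: view the page source of the front page and of `/feed/` and confirm no `WordPress 3.x` string appears in the generator tag or in `?ver=` arguments. Note that the `readme.html` file shipped in the WordPress root also states the version and is not touched by any functions.php change; it has to be deleted or blocked separately.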
That’s probably one of the more important security measures, again only if you’re accustomed to using an older version of WordPress. If you regularly keep your WordPress site up to date, you really don’t need to mess with this at all.
Let’s go ahead and do the first thing I had mentioned and that is to create an additional username.
First off, let me show you what I’m referring to. If we go to our cPanel control panel, come on down to our databases panel and click on phpMyAdmin, come over here and open up our database, click on ‘users’ and you can see right here we only have the 1 user in here right now but ID number 1, that’s what the hackers are going to see. They’re going to have access to everything that this guy has access to and this being the administrator, they have access to everything. Let’s go ahead and eliminate that problem. Go ahead and close this out. Come on back to our dashboard, come on down to ‘users’, come on up here and click on ‘add new’.
So let’s go ahead and fill this in really quick. Come on down here and if you want to send the information to the email address you have entered up here then go ahead and check that box but since that’s a fake email I’m not going to do that but you want to definitely make sure that under role you’ve got ‘administrator’ checked, click on ‘add new user’. Now then let’s go ahead and log out and then log in under this one. Now we’re going to log in as the new administrator. Come on back to users.
Now you can see, since we are logged in as this administrator, we no longer have the ‘delete’ function on our own account, but we do on the original one. Let’s go ahead and click on delete, click on ‘delete all content’, confirm deletion. Come on back to our cPanel control panel, go back into phpMyAdmin, open up that database, click on our users. Now you can see ID 1 no longer exists, just the brand new one we just added.
Last but not least, the final thing we’re going to cover in this video is doing a full backup.
There are several ways you can do this. There are several plug-ins that can do this, but remember, whatever you do, what we want to accomplish here is a full backup of the database and the files. A good way to do this is, number 1 – have a folder on your computer that is dedicated to this particular WordPress site, and inside of that folder have another folder titled ‘backup’ so you can have all these things backed up to that one folder. I’m inside of a file manager here. You can do the same thing through an FTP client. I’m going to go ahead and click on ‘select all’, click ‘compress’.
I’m going to select zip archive. Some of these other ones are actually better but for the sake of this video zip is going to be just fine. I want to give it a name and the name I want to give is going to be the date for this particular backup. Click on ‘compress’ file, click on ‘close’, select that compressed file and then click on ‘download’. Navigate to the location where you want that to be, click on ‘save’ and you have your full back up of just your files.
Now then I’m going to go ahead and cancel out of this and delete this. Now you want the backup of your database. Let’s go ahead and close this guy out. Come on back down to our phpMyAdmin. We should have done this earlier, huh?
Open this up and we want to make sure that this database is selected. Come on up here and click on export and everything by default is going to be just fine. Click on ‘go’.
I would go ahead and leave this name exactly the way it’s being downloaded, but I would put it in a folder with the same name as the file backup. In other words, I would create a new folder. That way you know this particular database backup goes with this particular file backup; it eliminates any confusion 6 months down the line when you need to put these back in place because your site got broken. That’s it. That’s how easy it is to do a full backup of your WordPress site, both files and your database.
Close this out and let’s head on back to our website here. Now there are many more security measures you can put into place to help keep the bad people out, like installing, activating and configuring the free iThemes Security plug-in that used to be called Better WP Security, but for now, the items I covered in this video will help keep your site safer than the sites that do not have these basics in place.
That’s the end of the video on basic WordPress security, I trust that you enjoyed our basic security presentation.