IMPORTANT! Ensure you’ve taken a backup of your WordPress files and database before making any of these changes.


This guide will show you how to…

Hide your WordPress login page from hackers; change your WordPress admin username if it is still set to the vulnerable default “admin” user; harden your database against MySQL injection attacks; and install a security plugin and apply some of its hardening options.


How to install WordPress plugins?

To install these plugins, log into your WordPress admin dashboard (typically at domain.com/wp-admin), select Plugins > Add New and search for each plugin by name.

[Screenshot: plugins_add_new]

Once a plugin is installed, make sure to click Activate before proceeding.

Plugin 1: Rename wp-login.php

[Screenshot: rename_wp]

[Screenshot: permalinks]

Why? This plugin hides the default WordPress login page to mitigate a very common style of attack, the “dictionary” or “brute force” attack. With the default login page hidden, the bots that crawl the internet looking for it will be unable to run this attack against your website.

How? Once installed and activated, go to Settings > Permalinks, scroll to the bottom and set the new login page. Here we’ve set it to http://yourdomain.com/secret, which becomes our new WordPress login page.

[Screenshot: rename_change]

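As an added illustration (not part of the original guide), the following Python script shows what the dictionary/brute-force traffic this plugin is meant to deflect looks like in a web server access log, and how to flag it after the login page has been renamed. The log lines are constructed for the example; the /secret path is the login URL chosen above, and the five-attempts-per-minute threshold is an assumption to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in the common "combined" format (not real traffic).
# 203.0.113.7 hammers the default login page; 198.51.100.2 uses the renamed /secret page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /secret HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:10 +0000] "POST /secret HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints that accept WordPress credentials. After the rename, the default
# login page should see no legitimate traffic at all.
DEFAULT_LOGIN = "/wp-login.php"
WATCHED_PATHS = (DEFAULT_LOGIN, "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_bursts(lines, threshold=5, window_seconds=60):
    """Return {ip: total_posts} for IPs that POST to a watched path at least
    `threshold` times inside any `window_seconds` span (a password-guessing pattern)."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in WATCHED_PATHS:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits in window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def default_login_requests(lines):
    """IPs that touched the old login page at all. With the page renamed, any such
    request comes from a bot or a stale bookmark, never from a normal login."""
    ips = {rec["ip"] for rec in map(parse_line, lines)
           if rec and rec["path"] == DEFAULT_LOGIN}
    return sorted(ips)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("burst sources:", find_bursts(lines))
    print("default login page hits from:", default_login_requests(lines))
```

Run it against your own access log (one line per request) instead of SAMPLE_LOG to see which addresses are still probing /wp-login.php after the rename. The script also watches /xmlrpc.php because that endpoint accepts WordPress credentials too and is not affected by renaming the login page; that is an added caveat, not something the plugin handles.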
Plugin 2: Username Changer

[Screenshot: username_changer]

Why? Unless you changed it during the initial install, your WordPress administrator login username is likely to be the default “admin”. This is the username bots try in every WordPress dictionary attack, so it is a security liability we should address.

How? Once installed and activated, go to Users > Username Changer and select the admin username from the dropdown menu. Change this to something memorable; as long as it isn’t admin, our work is done. Here we’ve set it to “wpadmin”. You’ll have to log back into WordPress with this new username once it’s changed. The password is unaffected.

[Screenshot: changes_username]

Plugin 3: Change DB Prefix

[Screenshot: change_db_prefix]

Why? Every WordPress install uses a database to hold site data. That database contains tables named with the prefix wp_ followed by a standard table name, e.g. wp_users holds your website’s users and their password hashes. Automated SQL injection scripts that attack WordPress sites assume these default table names. By changing the default table prefix, those scripts no longer find the tables they expect.

[Screenshot: menu_change_db_prefix_wordpress]

How? Once installed and activated, go to Settings > Change DB Prefix and set the new prefix to any combination of letters, numbers and underscores other than wp_. Here we’ve changed the prefix on all tables to catly_

[Screenshot: change_db_prefix_profile]

Save, and you should get a message confirming that the database tables have been renamed. Test your site and make sure nothing is broken.

[Screenshot: success_change_db_prefix]

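To show what the Settings > Change DB Prefix button has to do behind the scenes, here is an added Python example (not the plugin’s own code) that generates the SQL statements a prefix change from wp_ to catly_ needs on a single-site install, plus the matching wp-config.php line. The table list is the standard single-site schema, the statements are my own and are only printed, never executed; back up the database before running anything like this by hand. The point a practitioner most often misses is included: renaming the tables alone locks every administrator out, because WordPress keeps role and capability data under keys that embed the prefix.

```python
import re

# Tables of a single-site WordPress install (constructed list for this example;
# multisite adds more, and plugins may create their own prefixed tables).
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "term_relationships", "term_taxonomy", "termmeta", "usermeta", "users",
]

# wp-settings.php rejects any $table_prefix that is not letters, numbers and underscores.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def validate_prefix(prefix):
    """Raise ValueError if the prefix is not usable, otherwise return it unchanged."""
    if not PREFIX_RE.match(prefix):
        raise ValueError("prefix may only contain letters, numbers and underscores: %r" % prefix)
    if prefix.lower() == "wp_":
        raise ValueError("wp_ is the default prefix the guide is moving away from")
    return prefix


def migration_sql(old, new, tables=CORE_TABLES):
    """Return the SQL statements that move a site from prefix `old` to prefix `new`."""
    validate_prefix(new)
    stmts = ["RENAME TABLE `%s%s` TO `%s%s`;" % (old, t, new, t) for t in tables]
    # Role definitions live in the options table under '<prefix>user_roles'.
    # This one row is renamed explicitly rather than with a blanket LIKE 'wp_%',
    # because core also has unrelated options that merely start with "wp_"
    # (wp_page_for_privacy_policy, for instance) and must not be touched.
    stmts.append(
        "UPDATE `%soptions` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';"
        % (new, new, old)
    )
    # Each user's capabilities and level sit in usermeta under '<prefix>capabilities',
    # '<prefix>user_level' and similar keys, all of which carry the prefix. The
    # underscore in LIKE is escaped so 'wp_' does not also match 'wpX'.
    pattern = old.replace("_", "\\_") + "%"
    stmts.append(
        "UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) "
        "WHERE meta_key LIKE '%s';" % (new, new, len(old) + 1, pattern)
    )
    return stmts


def wp_config_line(new):
    """The line in wp-config.php that must change to match the renamed tables."""
    return "$table_prefix = '%s';" % validate_prefix(new)


if __name__ == "__main__":
    for stmt in migration_sql("wp_", "catly_"):
        print(stmt)
    print(wp_config_line("catly_"))
```

If you have plugins with their own tables, add their names to the table list; the usermeta and options updates above are what keep you logged in as an administrator after the rename, which is why the guide tells you to test the site immediately afterwards.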
Plugin 4: Sucuri Security – Auditing, Malware Scanner and Hardening

[Screenshot: sucuri_plugin]

Why? Sucuri is a leading WordPress security plugin. Among many other features, it alerts you to brute force attempts, emails the admin address whenever someone logs into your WordPress, and offers some very useful hardening options.

How? Once installed and activated, and after Get API has been clicked, go to Sucuri Security > Hardening and select Harden on each available option. We recommend leaving the “Plugin & Theme editor” option unhardened while you’re still working on the site; if it is hardened, it has to be reverted every time the theme or plugins are changed.

Test the site after each hardening option to make sure nothing has been affected. If something has, go back into Sucuri and click Revert Hardening on the option that affected the site.