Having your blog hacked isn't fun, and the standard WordPress installation is not impermeable. Here I explain the whys, the whats, and the whatnots.
A hacked blog means downtime while you work with your host to track down the problem and make sure it doesn't happen again, and it usually means collateral damage too, for instance getting your e-mail working properly once more. All in all, valuable time wasted.
Prevention is better than cure. Here are 10 steps that make a WordPress installation much harder to compromise. Nothing is truly hack-proof, but these remove the easy targets that automated attacks go for.
What You Need
- a WordPress installation
- the WordPress plugin, wp-phpmyadmin
- the WordPress plugin, wp-security-scan
- FTP access to the server on which your blog resides (use SFTP if your host offers it; plain FTP sends your password across the network in the clear)
Before You Begin
- back up your files, using your FTP client
- back up your database, using wp-phpmyadmin, and keep the downloaded *.sql file somewhere safe: it is what you restore from if anything below goes wrong. If you don't know how to do that, check out this video tutorial:
Ten Steps to a Secure WordPress Installation
1. Upgrade WordPress
To the latest version. If you're using 2.7 or later, this can be done from your admin dashboard, at the click of a button, automatically. Just look for the "upgrade" button. If you're using an earlier version, read this.
2. Update Plugins
Make sure all are upgraded to their latest versions. If they're not, you are notified on your plugins admin page. Old plugin versions are one of the most common ways in: once a vulnerability in a plugin is public, attackers scan for sites still running the affected version, so an unpatched plugin is an open invitation.
3. Change "wp_" Database Table Prefix
The point of this step is that a stock prefix makes your table names predictable, so an SQL injection payload written for a default install works unchanged against yours. A custom prefix is a speed bump rather than a fix, but it is a cheap one. I use wp-security-scan, from the same guys that developed the popular All In One SEO Pack *, Semper Fi Web Design. Once activated, on the left-hand menu, click on "Database" in the "Security" drop-down. The page that loads allows you to easily change the prefix. If that fails with an error instead, do it by hand:
- i. Deactivate all WordPress plugins, as a precaution.
- ii. Back up the database, as explained in the video above.
- iii. Open the downloaded *.sql file with a text editor (where * is the name of your database).
- iv. Find and replace all instances of your "wp_" prefix with your new prefix. Be careful here. Besides the table names, the prefix also lives in the data: in the option_name of the wp_user_roles row of wp_options, and in wp_usermeta keys such as wp_capabilities and wp_user_level. Those must change too, or WordPress will no longer find anyone's roles and every account, yours included, loses its admin rights. But a blind replace-all also rewrites any post that merely mentions "wp_" (a post about WordPress, say) and can break serialized option values, because PHP stores each string's length inside them. Step through the hits rather than replacing all at once.
- v. Within your WordPress database, drop all the tables. DO NOT DROP THE DATABASE itself, only the tables. Wp-phpmyadmin is a great plugin to use.
- vi. Still within your WordPress database, import your newly-amended *.sql file, the one you edited by changing the prefix. Wp-phpmyadmin or similar again.
- vii. Open and edit your wp-config.php file, in the root blog folder, changing $table_prefix = 'wp_'; to $table_prefix = 'yourNewPrefix_';. Use plain straight quotes, and stick to letters, digits and underscores: WordPress refuses to start with any other character in the prefix.
- viii. Reactivate your plugins, then log out and back in to confirm you still have administrator access.
* Truth is, I prefer HeadSpace to the All In One, but that's another story.
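The find-and-replace in step iv is the fragile part of the procedure, so here is the same step done with a script that only touches what actually has to change. It rewrites the table identifiers in the dump's DROP/CREATE/LOCK/INSERT/ALTER statements, the wp_user_roles row in the options table, and the wp_-prefixed meta_key rows in usermeta, and leaves every other column alone, so a post that talks about wp_config.php stays exactly as it was. This is an added example, not code from the original post or from the wp-security-scan plugin; it assumes a mysqldump/phpMyAdmin-style dump (one statement per line, backticked identifiers, extended INSERT tuples) and a made-up new prefix x7q_. The sample dump embedded below is constructed for the example and is not real site data.

```python
import re

# Constructed sample of a mysqldump/phpMyAdmin-style export (not a real site's data).
SAMPLE_DUMP = r"""DROP TABLE IF EXISTS `wp_options`;
CREATE TABLE `wp_options` (
  `option_id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `option_name` varchar(64) NOT NULL DEFAULT '',
  `option_value` longtext NOT NULL,
  PRIMARY KEY (`option_id`)
) ENGINE=MyISAM;
LOCK TABLES `wp_options` WRITE;
/*!40000 ALTER TABLE `wp_options` DISABLE KEYS */;
INSERT INTO `wp_options` VALUES (1,'siteurl','http://blog.example'),(93,'wp_user_roles','a:1:{s:13:\"administrator\";a:0:{}}');
/*!40000 ALTER TABLE `wp_options` ENABLE KEYS */;
UNLOCK TABLES;
DROP TABLE IF EXISTS `wp_usermeta`;
CREATE TABLE `wp_usermeta` (
  `umeta_id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `user_id` bigint(20) unsigned NOT NULL DEFAULT '0',
  `meta_key` varchar(255) DEFAULT NULL,
  `meta_value` longtext,
  PRIMARY KEY (`umeta_id`)
) ENGINE=MyISAM;
INSERT INTO `wp_usermeta` VALUES (1,1,'nickname','admin'),(10,1,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}'),(11,1,'wp_user_level','10');
DROP TABLE IF EXISTS `wp_posts`;
CREATE TABLE `wp_posts` (
  `ID` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `post_content` longtext NOT NULL,
  PRIMARY KEY (`ID`)
) ENGINE=MyISAM;
INSERT INTO `wp_posts` VALUES (1,'Edit wp_config.php and call wp_list_pages() in your theme.');
"""

# Statements whose first backticked identifier is a table name in a dump.
_STMT = r"^((?:/\*!\d+\s+)?(?:DROP TABLE IF EXISTS|CREATE TABLE|LOCK TABLES|INSERT INTO|ALTER TABLE)\s+`)"


def reprefix_dump(sql, old="wp_", new="x7q_"):
    """Return (rewritten_sql, list_of_old_table_names_renamed).

    Only three things change: table identifiers in the statements above, the
    option_name of the wp_user_roles row, and usermeta meta_keys that start with
    the old prefix (wp_capabilities, wp_user_level, ...). Every other column,
    post content included, is left byte-for-byte intact.
    """
    ident_re = re.compile(_STMT + re.escape(old) + r"(\w+)`", re.IGNORECASE)
    # Key columns located by position in mysqldump's extended-insert tuples:
    #   options:  (option_id,'option_name',...)
    #   usermeta: (umeta_id,user_id,'meta_key',...)
    options_key = re.compile(r"\((\d+),'" + re.escape(old))
    usermeta_key = re.compile(r"\((\d+),(\d+),'" + re.escape(old))

    out, renamed = [], set()
    for line in sql.splitlines(keepends=True):
        m = ident_re.match(line)
        if m:
            suffix = m.group(2)
            renamed.add(old + suffix)
            line = m.group(1) + new + suffix + "`" + line[m.end():]
            if m.group(1).upper().startswith("INSERT INTO"):
                if suffix == "options":
                    line = options_key.sub(lambda k: "(" + k.group(1) + ",'" + new, line)
                elif suffix == "usermeta":
                    line = usermeta_key.sub(
                        lambda k: "(" + k.group(1) + "," + k.group(2) + ",'" + new, line)
        out.append(line)
    return "".join(out), sorted(renamed)


def leftover_prefix_lines(sql, old="wp_"):
    """Lines that still mention the old prefix, to eyeball before importing.
    Expected survivors are rows whose data merely talks about WordPress."""
    return [ln for ln in sql.splitlines() if old in ln]


def valid_prefix(prefix):
    """Mirror WordPress's own rule: only letters, digits and underscores."""
    return re.fullmatch(r"[A-Za-z0-9_]+", prefix) is not None


def wp_config_line(prefix):
    """The line to put in wp-config.php (step vii), with straight quotes."""
    if not valid_prefix(prefix):
        raise ValueError("prefix may only contain letters, digits and underscores")
    return "$table_prefix = '%s';" % prefix


if __name__ == "__main__":
    new_sql, tables = reprefix_dump(SAMPLE_DUMP, "wp_", "x7q_")
    print("renamed:", ", ".join(tables))
    print("still mentioning wp_ (check these by hand):")
    for ln in leftover_prefix_lines(new_sql):
        print("  ", ln[:70])
    print(wp_config_line("x7q_"))
```

Run it against a real dump by reading the file into reprefix_dump and writing the result to a new file; then read through leftover_prefix_lines before importing, since anything it reports is either harmless post text or a plugin that stores the prefix somewhere this script does not know about.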