WordPress is hugely popular today but hasn’t always had a clean track record when it comes to security. Widely reported breaches of WordPress sites have made people think twice about choosing it for their business. In all fairness, though, most compromised sites were running outdated WordPress software, were poorly administered, or were run by people without basic security knowledge.
You’ve probably read a bunch of articles on how to secure your WordPress site with things like:
- Server hardening
- Secure servers
- DDoS protection
- Back ups
- Regular updates
While these are all absolutely important, you could be missing something very basic: the default settings.
Let me explain.
There are a handful of settings on a WordPress site that are so obvious (and so often overlooked) that they hand intruders an easy way to “recce” your site while they plot a way in. None of the items below is a substitute for patching or strong passwords, but each removes a default that attackers and their scanners count on. Here’s how to tighten them:
Default #1 – Your WordPress admin username: Older installers created the first administrator as “admin”, and the current installer still pre-fills that name. Many of us never notice and leave it in place for years. Every brute-force bot tries “admin” first.
Instead, create a new administrator account with a unique username, log in as that account, and delete the old “admin” user.
When you delete the old user, WordPress asks what to do with its content. Choose ‘Attribute all content to’ and select the account you just created, so posts and pages keep a valid author.
One caveat: a username is not a secret. An unhardened site leaks it through author archives (a request for ?author=1 redirects to /author/username/) and through the REST API’s users endpoint, so renaming “admin” only defeats blind guessing. Treat it as noise reduction and keep the real protection on the password and login rate limiting.
Default #2 – Your admin URL: Most WordPress sites still serve the dashboard at /wp-admin and the login form at /wp-login.php. Every scanner and credential-stuffing bot knows those paths, so leaving them in place makes automated attacks one step easier. You can move the login to a unique path with one of the many plugins built for that purpose. Be clear about what this buys you: it is obscurity, not access control. It cuts the volume of automated login attempts, but anyone who discovers the new path is no worse off than before, so it must sit alongside strong passwords and login throttling rather than replace them.
Default #3 – WordPress version in the page source: By default WordPress prints the version you run in a `<meta name="generator">` tag inside the `<head>` of every page (and in the generator element of your RSS and Atom feeds). You want to be as discreet as possible about your configuration: if intruders see an outdated version, it is an open invitation to try the published exploits for it.
WPBeginner has a small snippet that removes this tag. Add the following to your active theme’s functions.php file (inside the existing `<?php` block, so no new opening tag is needed):
// Return an empty string in place of the generator output.
// The 'the_generator' filter covers both the <meta> tag in <head> and the
// generator element in the RSS/Atom feeds.
function wpversion_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wpversion_remove_version' );
Note that the original snippet circulates with typographic quotes (‘ ’ “ ”), which PHP will not parse; the straight quotes above are required. This removes one leak, not all of them: by default core stylesheets and scripts are served with a ?ver= query string carrying the same version number, and readme.html (next item) states it in plain text.
Default #4 – WordPress version in readme.html: This file sits in the root of your installation at domain.com/readme.html and states the version in plain text. Delete it via FTP or SFTP. Bear in mind that core updates ship a fresh copy, so either delete it again after each update or block requests for it in your web server configuration so it stays unreachable no matter what the update drops back in.
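The first four defaults above are exactly what an attacker’s first recon pass looks for, so it is worth being able to check your own site the same way. The script below is an added example and not from the original post or from WPBeginner; it runs the checks for Default #1 (username via the author-archive redirect), Default #2 (login form at the default path), and Defaults #3 and #4 (version in the generator tag, in core asset ?ver= strings, and in readme.html) against HTTP responses. The responses embedded here are constructed, not captured from any real site, and use example.com as a placeholder; the “hardened” sample also assumes the ?ver= query strings were stripped from asset URLs, a step the post itself does not cover. Swap the constructed responses for real ones fetched with your HTTP client of choice to audit a live site you are authorised to test.

```python
"""Offline audit of the WordPress recon signals covered in this post.

Every check takes the (status, headers, body) of an HTTP response, so the same
code runs against captured, constructed or freshly fetched responses.
"""
import re
from typing import Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)

# <meta name="generator" content="WordPress 4.7.2" />
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
# Core assets under /wp-includes/ are stamped with the core version in ?ver=.
# Bundled third-party libraries (e.g. jQuery) carry their own version there,
# so compare these against the generator/readme value rather than trusting each one.
CORE_ASSET_RE = re.compile(r"/wp-includes/(?:css|js)/[^\"'?]+\?ver=(\d+\.\d+(?:\.\d+)?)", re.I)
# readme.html: "<br /> Version 4.7.2</h1>"
README_RE = re.compile(r"Version\s+([\d.]+)", re.I)
# /?author=1 -> 301 to /author/<username>/ on an unhardened site
AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")

# Constructed sample responses (not captured from any real site).
LEAKY_SITE: Dict[str, Response] = {
    "/": (200, {}, '<html><head><meta name="generator" content="WordPress 4.7.2" />\n'
                   '<link rel="stylesheet" href="https://example.com/wp-includes/css/dashicons.min.css?ver=4.7.2" />\n'
                   '</head><body></body></html>'),
    "/readme.html": (200, {}, '<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br /> Version 4.7.2</h1>'),
    "/wp-login.php": (200, {}, '<form name="loginform" id="loginform" action="https://example.com/wp-login.php" method="post">'),
    "/?author=1": (301, {"Location": "https://example.com/author/admin/"}, ""),
}
HARDENED_SITE: Dict[str, Response] = {
    "/": (200, {}, '<html><head><link rel="stylesheet" href="https://example.com/wp-includes/css/dashicons.min.css" />'
                   '</head><body></body></html>'),
    "/readme.html": (404, {}, "Not Found"),
    "/wp-login.php": (404, {}, "Not Found"),
    "/?author=1": (404, {}, "Not Found"),
}


def version_from_generator(body: str) -> Optional[str]:
    """Default #3: version announced in the <meta name="generator"> tag."""
    m = GENERATOR_RE.search(body)
    return m.group(1) if m else None


def versions_from_core_assets(body: str) -> List[str]:
    """Default #3 (second leak): distinct ?ver= values on /wp-includes/ assets."""
    return sorted(set(CORE_ASSET_RE.findall(body)))


def version_from_readme(status: int, body: str) -> Optional[str]:
    """Default #4: readme.html still served and stating a version."""
    if status != 200:
        return None
    m = README_RE.search(body)
    return m.group(1) if m else None


def login_form_exposed(status: int, body: str) -> bool:
    """Default #2: the stock login form answers at /wp-login.php."""
    return status == 200 and 'id="loginform"' in body


def username_from_author_redirect(status: int, headers: Dict[str, str]) -> Optional[str]:
    """Default #1 caveat: /?author=1 redirecting to /author/<name>/ reveals the first user."""
    if status not in (301, 302):
        return None
    m = AUTHOR_RE.search(headers.get("Location", ""))
    return m.group(1) if m else None


def audit(responses: Dict[str, Response]) -> Dict[str, object]:
    """Run every check over a path -> response map and collect the findings."""
    _, _, home = responses["/"]
    readme_status, _, readme_body = responses["/readme.html"]
    login_status, _, login_body = responses["/wp-login.php"]
    author_status, author_headers, _ = responses["/?author=1"]

    version_leaks: Dict[str, object] = {}
    gen = version_from_generator(home)
    if gen:
        version_leaks["generator_meta"] = gen
    assets = versions_from_core_assets(home)
    if assets:
        version_leaks["core_asset_ver"] = assets
    readme = version_from_readme(readme_status, readme_body)
    if readme:
        version_leaks["readme_html"] = readme

    return {
        "version_leaks": version_leaks,
        "default_login_url": login_form_exposed(login_status, login_body),
        "enumerated_username": username_from_author_redirect(author_status, author_headers),
    }


if __name__ == "__main__":
    for name, site in (("leaky", LEAKY_SITE), ("hardened", HARDENED_SITE)):
        print(name, audit(site))
```

Running it prints the full set of leaks for the constructed “leaky” site (version 4.7.2 from three places, the default login form, and the username “admin”) and an empty result for the “hardened” one. If any of these checks still comes back positive after you have applied the steps above, the corresponding default has not actually been changed.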
Default #5 – Your WordPress database name: WordPress itself does not pick a database name, but the hosting control panel that creates the database usually derives it from your account or site name, so a site called ‘best web designer’ often ends up with a database like wp_bestwebdesigner. You can make it harder to guess by renaming the database to something unrelated to the site and then updating the DB_NAME value in wp-config.php to match.
Be realistic about the gain: a database name only matters to an attacker who already has a route to the database server, and that server should not be reachable from the internet in the first place. This is a cheap tidy-up rather than a major control. WPMudev shows how to do it in 3 easy steps.
Default #6 – Database table prefix: By default WordPress names its tables with the prefix wp_ (wp_users, wp_options and so on). The installer asks for a prefix and uses wp_ if you leave it alone, so on a fresh install simply pick something unpredictable, such as 48ab_. What this buys you is narrow: SQL injection payloads that hardcode wp_users or wp_options will miss, which frustrates off-the-shelf exploits, but an attacker with working injection can still list table names, so it does not fix the injection itself.
Changing the prefix on an existing site is more than a one-line edit: every table has to be renamed, the rows in the options and usermeta tables whose keys embed the old prefix (the user_roles option and the per-user capability keys) have to be updated to the new one, and $table_prefix in wp-config.php has to be changed to match, all with a fresh backup taken first. WPBeginner has a tutorial that walks through each of these steps.
Conclusion
So, clearly, default settings left uncustomised advertise your site’s security (or lack of it) to anyone who cares to look. To lock down your site, make sure you don’t let the “faults” in the “default” expose the plight of your site. Okay, I’ll stop with the rhyming now.
Have more tips for our readers? We’d love to hear them in the comments section below.