Happy Halloween, Everyone! Today we’re gonna show you some of the steps we take to secure and prevent malware attacks on your website. At Thee Design Studio, we are aware of the threats that lurk out on the internet that want to turn websites into zombies.
Hackers and malware propagators are going back on the offensive. Actually, they never stop. These folks are relentless in their pursuit of disruption and according to a report released in 2007, malware has caused over $13 billion in damages during the years of 1996-2006. No current estimate for this trend can be found because of the exponential and untamed growth of malicious code. Scary.
Do you ever wonder about how these hackers start out? Most likely as script kiddies that start by infecting ordinary people’s blogs and websites to gain experience. All of your hard work of building your site and your readers and your voice and your traffic and your revenue and your reputation is compromised by one of these jerks. Lucky for us, WordPress is fairly secure and they provide frequent security updates when they know there’s been trouble. But what can you as a site administrator do to harden WordPress even more?
1. Move wp-config.php into The Root Folder!!!
The wp-config.php file contains all of your WordPress configuration information and settings. You can pretty much tap out if hackers gain access to this file. From here, they can inject malware into your website’s pages, or even worse, delete all your content and replace it with their own.
A smart safety feature in WordPress allows you to move the wp-config.php file one level above the WordPress root. On most LAMP host servers, wp-config.php is located in:
Use your FTP client to connect into your server, and then move your wp-config.php above the public_html directory so that it is located here instead:
wp-config.php is no longer in the public-facing root folder, so the automated scripts and bots that hackers point at that location can no longer reach it.
There’s nothing more to this feature: WordPress automatically knows to look for your wp-config.php file one folder above. I wish someone had told me this sooner; it may have saved my blood pressure from sheer terror as I watched a whole handful of my sites get whacked one after another.
Vigyázat! Caution! Achtung! Увага!
This will not work if you installed your blog in a subdirectory (e.g. public_html/blog) or as an add-on domain in cPanel (e.g.
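As an added example that is not part of the original post, here is a small POSIX shell check that reports where wp-config.php actually ended up after the move and flags the subdirectory and add-on-domain case from the caution above; the directory names are constructed, and it relies on the WordPress rule that the parent-folder copy is only read when the parent does not also hold a wp-settings.php.

```shell
#!/bin/sh
# Classify where a WordPress install's wp-config.php ends up relative to the
# public web root. Directory names are constructed for this example; pass
# your real WordPress directory and document root.
#
# Prints one word and returns:
#   0 moved-private  parent dir holds it and the parent is outside the web root
#   1 in-webroot     still beside wp-settings.php, i.e. web-accessible
#   2 moved-public   parent dir holds it but the parent is still under the
#                    web root (subdirectory / add-on-domain install)
#   3 missing        not found in either location
#   4 moved-ignored  parent dir holds it but also holds a wp-settings.php,
#                    so WordPress treats the parent as another install and
#                    will not read that copy
wp_config_status() {
    wp_dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo missing; return 3; }
    web_root=$(cd "$2" 2>/dev/null && pwd -P) || { echo missing; return 3; }
    parent=$(dirname "$wp_dir")

    # WordPress loads the copy next to wp-settings.php first if it exists.
    if [ -f "$wp_dir/wp-config.php" ]; then
        echo in-webroot
        return 1
    fi
    if [ -f "$parent/wp-config.php" ]; then
        if [ -f "$parent/wp-settings.php" ]; then
            echo moved-ignored
            return 4
        fi
        # Is the parent directory still inside the public tree?
        case "$parent/" in
            "$web_root"/*) echo moved-public;  return 2 ;;
            *)             echo moved-private; return 0 ;;
        esac
    fi
    echo missing
    return 3
}

# Stand-alone use: wp_config_status /home/user/public_html /home/user/public_html
if [ $# -eq 2 ]; then
    wp_config_status "$1" "$2"
fi
```

A result of moved-public means the file is still served from a web-accessible folder, which is exactly the situation the caution above describes.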
2. Delete The Main Admin Account
The default Administrator account on WordPress has a username of ‘admin’. If you leave this as your default username, you have made the work twice as easy for hackers. You should never use this as the main account. Always choose a different username when installing WordPress.
If you have been using the ‘admin’ account, go into the Dashboard » Users » Add New User screen. Create a new user with the role of Administrator. Now log out, and log back in as the new user.
Go to the Users screen again and delete ‘admin’. WordPress allows you to transfer all of the content created by ‘admin’ to your new user account before confirming deletion.
Another benefit of getting rid of the admin account and switching to, say, your real name, is that it is better for SEO as well. This way, when somebody searches your name, you will rank higher with yourdomain.com/author/your-name/ than you will with yourdomain.com/author/admin/.
3. Update WordPress, Plugins, and Themes
WordPress makes it very easy to update core files, plugins, and themes to their latest versions. It’s so easy that it can be easy to forget. But WordPress makes it abundantly clear that you should heed the update warnings located all over the dashboard. Spending a few minutes installing updates can save you from the destruction and embarrassment of getting hacked.
Plugins and themes should be updated religiously. All plugins and themes from the WordPress directory integrate with the automatic update feature. Many premium plugins and themes also have automatic updates, which is a great reason to invest in a high-quality theme for your WordPress site.