IMPORTANT! Ensure you’ve taken a backup of your WordPress files and database before making any of these changes.
This guide will show you how to hide your WordPress login page from hackers, change your WordPress admin username if it’s set to the vulnerable default “admin” user, harden your database against SQL injection attacks, and install a security plugin and apply some of its hardening options.
How to install WordPress plugins
To install these plugins, log into your WordPress admin dashboard (typically at domain.com/wp-admin), select Plugins > Add New and search by name.
Once a plugin is installed, click Activate before proceeding.
Plugin 1: Rename wp-login.php
Why? This plugin hides the default WordPress login page (wp-login.php) to mitigate a very common style of attack, the “dictionary” or “brute force” attack, in which bots try lists of usernames and passwords against the login form. Bots that crawl the internet looking for the default login page will no longer find it, so they cannot run this attack against your site. Note that this hides the page rather than removing it: anyone who learns the new address can still reach the login form, so strong passwords remain essential.
How? Once installed and activated, go to Settings > Permalinks, scroll to the bottom and set the new login page. Here we’ve set it to http://yourdomain.com/secret, which becomes our new WordPress login page.
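Hiding the page takes it away from mass scanners, but it is worth knowing what those scanners look like in your web server access log, both before the change and as a check afterwards (once the page is renamed, hits on the old wp-login.php should return 404 rather than 200). The script below is an added example, not code from this guide or from the plugin: it parses Apache/nginx combined-format log lines (the sample lines are constructed, using documentation-range IP addresses) and flags any client that POSTs to wp-login.php at least a threshold number of times within a sliding time window. The threshold and window values are assumptions to tune for your own site.

```python
"""Flag password-guessing bursts against wp-login.php in an access log.

Added example, not part of the guide or of any plugin. Parses combined-format
access log lines and reports client IPs that POST to the login page at least
`threshold` times inside a `window`-second sliding window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"

# Constructed sample log (RFC 5737 documentation addresses): one normal login
# from 198.51.100.7, six rapid POSTs from 203.0.113.5, one hit on the renamed page.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:09:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2831 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:09:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2831 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:09:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2831 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:09:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2831 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:09:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2831 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:09:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 2831 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:09:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 2831 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2024:09:02:00 +0000] "GET /secret HTTP/1.1" 200 2831 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_login_bursts(lines, threshold=5, window=60):
    """Return {ip: peak_count} for IPs with >= threshold login POSTs in any window-second span.

    Lines are assumed to be in chronological order, as a live access log is.
    """
    recent = defaultdict(deque)  # ip -> timestamps of its login POSTs inside the current window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while (rec["time"] - q[0]).total_seconds() > window:  # expire old timestamps
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def login_status_counts(lines):
    """Count status codes returned for wp-login.php; after the rename, expect 404s rather than 200s."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == LOGIN_PATH:
            counts[rec["status"]] = counts.get(rec["status"], 0) + 1
    return counts


if __name__ == "__main__":
    print(find_login_bursts(SAMPLE_LOG.splitlines()))    # {'203.0.113.5': 6}
    print(login_status_counts(SAMPLE_LOG.splitlines()))  # {200: 7, 302: 1}
```

Run it against your real log with `find_login_bursts(open("access.log"))`; the sample flags 203.0.113.5 and leaves the one genuine login alone. The same status-code count run after enabling the plugin is a quick check that the old address really is gone.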
Plugin 2: Username Changer
Why? Unless you changed it during the initial install, your WordPress administrator login username is likely to be the default “admin”. This is the username bots try in WordPress dictionary attacks, so it is a security liability we should address.
How? Once installed and activated, go to Users > Username Changer and select the admin username from the dropdown menu. Change this to something memorable; as long as it isn’t admin, our work is done. Here we’ve set it to “wpadmin”. You’ll have to log back into WordPress with the new username once it’s changed; the password is unaffected.
Plugin 3: Change DB Prefix
Why? Every WordPress install uses a database to hold site data. That database contains tables whose names use the prefix wp_ followed by a standardised name, e.g. wp_users holds your website’s users and their (hashed) passwords. Automated SQL injection scripts that attack WordPress sites hard-code these default table names. Changing the prefix breaks those scripts; it does not remove the underlying injection flaw, so treat it as one layer of defence.
How? Once installed and activated, go to Settings > Change DB Prefix and set the new prefix to any string of letters, numbers and underscores other than wp_. Here we’ve changed the prefix on all tables to catly_.
Save and you should get a message confirming that the database tables have been renamed. Test your site and ensure there are no issues.
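Renaming the tables is only part of what a prefix change involves, which is why the guide tells you to test the site afterwards. WordPress also reads the prefix from $table_prefix in wp-config.php, from the option row named {prefix}user_roles, and from the usermeta keys {prefix}capabilities and {prefix}user_level; if any of these are left on the old prefix, every user loses their role and is locked out of the dashboard. The script below is an added example, not the plugin’s own code: it applies WordPress’s own prefix rule (letters, numbers and underscores only) and generates the MySQL statements a single-site install needs, so you can compare them with what the plugin did or use them to fix a half-finished rename from a backup. The exact SQL the plugin runs is not on this page and is assumed here.

```python
"""Generate the database changes behind a WordPress table-prefix change.

Added example, not the Change DB Prefix plugin's code. Besides the table
names, WordPress stores the prefix in $table_prefix (wp-config.php), in the
option row {prefix}user_roles and in the usermeta keys {prefix}capabilities
and {prefix}user_level. All of them must move together.
"""
import re

# WordPress's own rule for a prefix (wp-admin/setup-config.php): letters,
# digits and underscores only.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Base names of the core tables in a default single-site install.
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "termmeta", "terms", "term_relationships", "term_taxonomy",
    "usermeta", "users",
]


def prefix_problem(prefix):
    """Return None if `prefix` is acceptable as a new prefix, otherwise a reason string."""
    if not PREFIX_RE.match(prefix):
        return "prefix may only contain letters, numbers and underscores"
    if prefix.lower() == "wp_":
        return "wp_ is the default prefix the guide is moving away from"
    return None


def prefix_change_sql(old, new, tables=CORE_TABLES):
    """Return the MySQL statements that move every table and stored key from `old` to `new`."""
    if not PREFIX_RE.match(old) or prefix_problem(new):
        raise ValueError("invalid prefix")
    # Both prefixes are validated above, so interpolating them into SQL is safe here.
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # Role definitions live in the options table under a prefixed option_name.
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    # Each user's role assignment and level live in usermeta under prefixed keys.
    for key in ("capabilities", "user_level"):
        stmts.append(
            f"UPDATE `{new}usermeta` SET meta_key = '{new}{key}' "
            f"WHERE meta_key = '{old}{key}';"
        )
    return stmts


def wp_config_line(new):
    """The wp-config.php line that must be updated to match the renamed tables."""
    problem = prefix_problem(new)
    if problem:
        raise ValueError(problem)
    return f"$table_prefix = '{new}';"


if __name__ == "__main__":
    print(wp_config_line("catly_"))
    print("\n".join(prefix_change_sql("wp_", "catly_")))
```

The table list covers a default single-site install; a multisite network has extra tables and per-site option rows, and plugins may add tables of their own, so list the tables actually present (SHOW TABLES) rather than relying on CORE_TABLES when checking a real database.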
Plugin 4: Sucuri Security – Auditing, Malware Scanner and Hardening
Why? Sucuri is a leading WordPress security plugin. It alerts you to brute force attempts, emails the admin address whenever someone logs in to your WordPress site, and offers some very useful hardening options, amongst many other features.
How? Once installed and activated, and once the Get API step has been completed, go to Sucuri Security > Hardening and click Harden on each available option. We recommend leaving the “Plugin & Theme editor” option unhardened while you’re working on the site; if hardened, it will have to be reverted each time the theme or plugins are changed.
Test the site after each hardening option to ensure nothing has been affected. If anything has, go back into Sucuri and click Revert Hardening on whichever option affected the site.