As I’ve written in my book Confessions of an Online Hustler, the best way to protect yourself from hackers, stalkers and other freaks online is to not be an idiot. Don’t provoke people needlessly, don’t be excessively belligerent, and don’t do anything to them that you wouldn’t want done to you. Not being a dumbass will save you in 95 percent of cases.
This is for the remaining five percent.
A year ago, when I wrote an article poking fun at Portland’s horrific dating scene and cliquish culture, some white knight got hacked off enough to try to hack my site. He didn’t succeed, of course, but the script kiddie managed to wreak enough havoc to knock my site offline for a few hours. He was using a brute-force program (one that guesses passwords by trying a long list of candidates, such as a dictionary of common passwords, one after another) to try to gain access to my site. While I had a plugin to block access to anyone who entered a wrong password more than four times in a row, the guy was assaulting me from so many different IP addresses that my server couldn’t handle the load.
Then this happened.
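The attack above gets past a per-IP lockout by design: no single address ever reaches the fifth wrong guess. What does catch it is counting failed logins across all addresses in a short window, the same way the plugin's login lockouts and 404-scan detection discussed further down work. The following is an added example, not code from the original post or from the plugin: it parses a constructed Apache access log (twelve proxies, three bad passwords each, one host walking through plugin readme files, and the owner logging in), and shows the per-IP rule coming up empty while the distributed and scanner checks fire. The IP addresses, timestamps and thresholds are all made up for the demonstration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" log line, e.g.
# 198.51.100.1 - - [10/Jun/2013:03:14:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def is_failed_login(ev):
    # WordPress answers a wrong password by re-rendering wp-login.php with
    # HTTP 200; a correct one gets a 302 redirect to the dashboard.
    return ev["method"] == "POST" and ev["path"] == "/wp-login.php" and ev["status"] == 200


def per_ip_lockouts(events, max_failures=4):
    """IPs a per-address lockout would ban: more than max_failures bad logins."""
    fails = Counter(ev["ip"] for ev in events if is_failed_login(ev))
    return {ip for ip, n in fails.items() if n > max_failures}


def distributed_bruteforce(events, window=timedelta(seconds=60), threshold=10):
    """Slide a time window over all failed logins, ignoring the source IP.
    Returns (window_start, failures, distinct_ips) for the busiest window if it
    holds at least `threshold` failures, else None."""
    fails = sorted((ev for ev in events if is_failed_login(ev)), key=lambda e: e["ts"])
    best, start = None, 0
    for end in range(len(fails)):
        while fails[end]["ts"] - fails[start]["ts"] > window:
            start += 1
        span = fails[start:end + 1]
        if best is None or len(span) > best[1]:
            best = (fails[start]["ts"], len(span), len({e["ip"] for e in span}))
    return best if best and best[1] >= threshold else None


def scanner_ips(events, max_404s=10):
    """IPs requesting many files that do not exist: vulnerability scanning."""
    misses = Counter(ev["ip"] for ev in events if ev["status"] == 404)
    return {ip for ip, n in misses.items() if n >= max_404s}


# --- constructed sample log (made-up traffic, not a real capture) ----------
def _line(ip, second, method, path, status):
    ts = datetime(2013, 6, 10, 3, 14, 0) + timedelta(seconds=second)
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1234')


SAMPLE_LOG = []
# 12 proxies, 3 bad passwords each, all inside 36 seconds: no IP reaches 5.
for n in range(12):
    for k in range(3):
        SAMPLE_LOG.append(_line(f"198.51.100.{n + 1}", n * 3 + k, "POST", "/wp-login.php", 200))
# one host walking through plugin readme files that are not installed
for n in range(12):
    SAMPLE_LOG.append(_line("203.0.113.9", 50 + n, "GET", f"/wp-content/plugins/p{n}/readme.txt", 404))
# the site owner logging in successfully
SAMPLE_LOG.append(_line("192.0.2.7", 70, "POST", "/wp-login.php", 302))

EVENTS = [ev for ev in map(parse_line, SAMPLE_LOG) if ev]

if __name__ == "__main__":
    print("per-IP lockouts:", per_ip_lockouts(EVENTS) or "none")
    print("distributed attack:", distributed_bruteforce(EVENTS))
    print("scanners:", scanner_ips(EVENTS))
```

On the sample, the per-IP check returns nothing, the sliding window reports 36 failures from 12 addresses inside one minute, and the 404 counter flags the scanner. The thresholds are deliberately low for a personal blog; on a busy multi-author site you would tune the global failure threshold against a baseline of normal typo rates before turning it into an automatic block.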
I was sick of playing phone tag with script kiddies, so I revamped my site’s security protocols by installing Better WP Security (since renamed iThemes Security). It bundles most of the hardening you would otherwise do by hand, but the number of options it throws at you is a bit dizzying, so here’s my advice for configuring the plugin:
- Enforce strong passwords for all users. Generate them with a random password generator and keep them in a password manager rather than trying to memorize them. A strong password is at least 16 characters long and a random mix of upper- and lowercase letters, numbers and symbols; the old rule of thumb of six characters is far too short for anything that can be guessed at offline.
- Turn on all Header Tweaks. Note that selecting the option “EditURI Header” may cause compatibility issues with some plugins.
- Disable update warnings for non-administrative users.
- Remove the “admin” user. If I recall correctly, newer installations of WordPress do this anyway.
- Get rid of user ID 1 (the plugin does this by moving that account to a different, random ID). The first account created at install is the site owner, and attackers know to look for it by that ID.
- Change your MySQL table prefix from the default wp_ to something random, so canned SQL injection payloads that assume wp_users and wp_options don’t work out of the box.
- Schedule a regular backup of your MySQL database (weekly at minimum, daily if you publish often) and have a copy sent somewhere off the server, such as your email address, so you can restore the site in the event of an emergency. Bear in mind that the dump contains your users’ password hashes and details, so treat the mailbox it lands in as sensitive.
- Use HackRepair.com’s blacklist to block known-bad user agents and hosts.
- Enable lockouts on your login page to protect against brute-force attacks. Lock out both the attacking host and the targeted username after a handful of failures; a per-IP lockout on its own does nothing against an attack spread across many addresses, which is how the attack described above got through.
- Secure your .htaccess file from public access. Don’t remove write permissions from .htaccess (or wp-config.php), though: the plugin needs to write its rules into both files, and locking them read-only leaves it unable to do so and can break your site.
- Block hosts that are scanning your site for vulnerabilities.
- Block abnormally long URLs, which are far more likely to be injection or overflow attempts than real visitors.
- Disable the theme and plugin editors in the WordPress backend (this sets DISALLOW_FILE_EDIT in wp-config.php, so someone who gets into the dashboard can’t use the editor to drop PHP into your theme). Note that this feature isn’t compatible with custom, paid themes (such as the ones from DIYThemes or Elegant Themes).
- Allow Better WP Security to write to wp-config.php and .htaccess. I think this is turned on by default, but it never hurts to double-check.
- Hide version information from non-admin users.
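To put numbers behind the password advice in the first item above, here is an added example (not code from the original post or the plugin) that generates passwords with the operating system's CSPRNG and scores them by the entropy a uniformly random draw from the character classes used would have. The 80-bit policy floor and the 1e10 guesses-per-second offline rate are assumed values chosen for the demonstration, not figures from the post.

```python
import math
import secrets
import string

# Character classes; string.punctuation is 32 symbols, so the full pool is 94.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
POOL = "".join(CLASSES)


def generate_password(length=16):
    """Draw `length` characters from the 94-character pool with the OS CSPRNG,
    re-drawing until every class appears so the result passes a
    'must contain upper, lower, digit, symbol' rule without biasing positions."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(POOL) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def entropy_bits(password):
    """Entropy assuming each character was chosen uniformly from the union of
    the classes present. This is an upper bound: it only holds for generator
    output, not for words a human picked ("Password1!" is not really 65 bits)."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def meets_policy(password, min_bits=80):
    """Assumed policy floor: 80 bits, i.e. about 13 random characters from the full pool."""
    return entropy_bits(password) >= min_bits


def years_to_exhaust(password, guesses_per_second=1e10):
    """Expected years to hit the password at an assumed offline guess rate
    (1e10/s is a made-up ballpark for a fast hash on GPUs, not a measurement)."""
    return 2 ** (entropy_bits(password) - 1) / guesses_per_second / (365 * 86400)


if __name__ == "__main__":
    for pw in ("Ab1!x9", "password", generate_password(16)):
        print(f"{pw!r:22} {entropy_bits(pw):6.1f} bits  policy={meets_policy(pw)}  "
              f"{years_to_exhaust(pw):.2e} years")
```

Six fully random characters from the full pool come to about 39 bits, which the assumed rate exhausts in well under a minute; sixteen come to about 105 bits. The score is only meaningful for generator output, which is the point of telling users to generate rather than invent their passwords.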
The other options can be tinkered with at your discretion:
- I’m somewhat conflicted on Away Mode, which shuts down the admin panel for a select period each day. I use it during the overnight hours when I’m asleep to both protect the site and motivate me to finish my work instead of staying up late farting around on the computer. If you’re running a group blog with contributors in different time zones, however, this feature won’t work for you.
- Hiding the admin panel doesn’t seem to work with my existing servers, and will also require you to update all your bookmarks if you do enable it.
- File Change Detection has the potential to really fuck your site up if your servers can’t handle it. The first time I switched it on, my site instantly got smacked with a 500 error, forcing me to manually remove Better WP Security via FTP to get everything working again. 404 Detection is safe to turn on, but make sure you add your site’s IP address(es) to the whitelist, otherwise you’ll get 403 errors.
- Do not rename the wp-content directory unless you’re starting a new blog from scratch; otherwise every existing link to images and uploads on your site will break.
- Requiring a secure connection (HTTPS) for logins and the admin panel only works if your server supports SSL; otherwise it won’t work and can leave you unable to reach the dashboard.
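Several of the items above end up as concrete lines in wp-config.php and .htaccess, which makes them easy to verify after the fact. The following is an added example, not code from the original post or from the plugin: it audits a pair of constructed wp-config.php and .htaccess files for the random table prefix, DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN, a deny block on wp-config.php and a long-URL rewrite rule. The sample files, the k7x2q_ prefix and the 256-character cutoff are made up for the demonstration; the deny blocks are standard Apache syntax and are not claimed to match what the plugin itself writes.

```python
import re


def php_define(text, name):
    """Value of define('NAME', value); in wp-config.php source text, or None."""
    m = re.search(r"define\(\s*['\"]" + re.escape(name) + r"['\"]\s*,\s*(.+?)\s*\)\s*;", text)
    return m.group(1) if m else None


def table_prefix(text):
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]\s*;", text)
    return m.group(1) if m else None


def denied_files(htaccess):
    """Names in <Files> blocks that deny all access (Apache 2.2 or 2.4 directive)."""
    denied = set()
    for m in re.finditer(r"<Files\s+[\"']?([^\s\"'>]+)[\"']?\s*>(.*?)</Files>", htaccess, re.S | re.I):
        body = m.group(2).lower()
        if "deny from all" in body or "require all denied" in body:
            denied.add(m.group(1))
    return denied


def blocks_long_urls(htaccess):
    """A RewriteCond on REQUEST_URI with a minimum-length quantifier, e.g. ^.{256,}"""
    return re.search(r"RewriteCond\s+%\{REQUEST_URI\}\s+\^\.\{\d+,\}", htaccess) is not None


def audit(wp_config, htaccess):
    """Checklist items from the post that are still at the weak default."""
    findings = []
    if table_prefix(wp_config) in (None, "wp_"):
        findings.append("table prefix is the default wp_")
    if php_define(wp_config, "DISALLOW_FILE_EDIT") != "true":
        findings.append("theme/plugin editors enabled (DISALLOW_FILE_EDIT not true)")
    if php_define(wp_config, "FORCE_SSL_ADMIN") != "true":
        findings.append("login/admin not forced over SSL (FORCE_SSL_ADMIN not true)")
    if "wp-config.php" not in denied_files(htaccess):
        findings.append("wp-config.php not denied in .htaccess")
    if not blocks_long_urls(htaccess):
        findings.append("no long-URL block in .htaccess")
    return findings


# --- constructed samples: stock defaults vs. a hardened pair --------------
DEFAULT_WP_CONFIG = """<?php
define('DB_NAME', 'blog');
$table_prefix = 'wp_';
define('WP_DEBUG', false);
"""

HARDENED_WP_CONFIG = """<?php
define('DB_NAME', 'blog');
$table_prefix = 'k7x2q_';
define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', true);
define('WP_DEBUG', false);
"""

WP_REWRITES = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

DEFAULT_HTACCESS = WP_REWRITES

# Deny blocks in plain Apache syntax; the 256-character cutoff is an assumed value.
HARDENED_HTACCESS = r"""<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^.{256,}
RewriteRule .* - [F]
</IfModule>
""" + WP_REWRITES

if __name__ == "__main__":
    for label, cfg, ht in (("default", DEFAULT_WP_CONFIG, DEFAULT_HTACCESS),
                           ("hardened", HARDENED_WP_CONFIG, HARDENED_HTACCESS)):
        print(label, audit(cfg, ht) or ["no findings"])
```

Run it against the real files after saving the plugin settings: the default pair produces five findings, the hardened pair none. Anything the script still flags is a setting the plugin either could not write (see the note about keeping .htaccess and wp-config.php writable) or that you skipped.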
If you’re looking to put your shit on lockdown and prevent script kiddies from making a mess of your site, you need to install Better WP Security. While it’s not bulletproof—no security solution is—it’s the best you can get.
If you liked this post then you’ll like Confessions of an Online Hustler, my 140-page book that teaches you how to create a blog that will make you money. It contains writing and web design tips, strategies for getting readers, and debunks myths perpetuated by online scammers. Click here to learn more.