When you setup your new WordPress site, there are a couple of things that will help make things more secure. You can do them later too, but it’ll require a bit more work.
First, use a different table prefix from the default ‘wp_’. It’s easy to change this is from the setup screen, but a bit harder later. Either way, it’ll make SQL injection attacks harder. The table prefix is a prefix WordPress uses for it’s database tables names. Using something like ‘wp_234a2234_’ is perfectly fine.
Secondly, don’t use ‘admin’ as the username. This was the default early on and now attacks often try this username. If you already have an ‘admin’ user, I’ll show you how to change it at the end of this post.
Now that the site is setup, you’ll want to do some additional cleanup by removing some of the install files that are no longer needed, updating the wp-config.php file, and adding some code to the functions.php file. Sounds like a lot, but it’s pretty easy once you have SFTP setup.
On the server
You’ll need SFTP access for these next steps. This guide will help you get going if you don’t already know how to use SFTP. I recommend FileZilla, it works on Window, Mac, and Linux You should use SFTP over FTP if you can. Most hosting companies have SFTP available. What’s the difference? Security!
Make sure you take a backup now!
The easy part… deleting the following files.
Now you’ll want to setup custom salts and disable debugging support in the
wp-config.php. This file is in the root of your website, usually in a http_docs or public folder.
Download the current file and edit in with a text editor. In the section that starts with
define(“AUTH_KEY”), look to make sure there is random text for all the values. It should NOT look like this:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
If it does, go here https://api.wordpress.org/secret-key/1.1/salt/ to create your own random values and replace the ones in your file.
Turn off debugging & web based file editing.
While helpful when developing or initially setting up your site. You should turn the following options off when you’re not using them. They can give attackers helpful information and access to files.
The add the following to the end of
wp-config.php file, but before the
/* That's all, stop editing! Happy blogging. */ line.
## Disable Editing in Dashboard
// Enable WP_DEBUG mode
define( 'WP_DEBUG', false );
// Enable Debug logging to the /wp-content/debug.log file
define( 'WP_DEBUG_LOG', false );
// Disable display of errors and warnings
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );
// Use dev versions of core JS and CSS files (only needed if you are modifying these core files)
define( 'SCRIPT_DEBUG', false );
Here’s a quick video showing how to make these changes w/ FileZilla.
This change after a site is setup require a bit more work. And are best done using SQL. What is SQL? It’s how you talk to databases. It’s not support complicated, but you can ruin your database, so make sure you have a current backup before hand!
Fixing admin login on an existing site.
WPBeginner has a good post with a few ways to change the username. I recommend method 3.
Changing the database prefix on an existing site.
WPBeginner has another good post outlining how to change the prefix.