How to Secure WordPress With Better WP Security
One of the best plugins around to enhance WordPress security is Better WP Security. In this tutorial I’ll show you the most interesting features of this great plugin, and how to configure them. Because Better WP Security is a free plugin, you shouldn’t hesitate to install it: in a couple of minutes it will make your blog or website much more secure!
Features of Better WP Security
Better WP Security is a plugin with a lot of features:
- Database backups
- One-Click Protection for new users, detailed options for advanced users
- System status with an overview of secured and vulnerable parts of your blog
- Set up an away mode (during this period there is no access to the backend of the site)
- Blacklist users
- Change the “WP-Content”-directory
- Change the prefix of your tables if you didn’t change these during installation of WordPress
- Change the URL of the backend
- Detect users who are hitting a lot of 404 errors (which means they’re probably scanning for vulnerabilities)
- Limit login attempts
- Turn on SSL
- Several minor tweaks for advanced users
Installation & One Click Protection
Installation & Activation of Better WP Security
You can install Better WP Security just as every other WordPress plugin. If you don’t know how to install a WordPress plugin yet, then you should take a look at this tutorial about installing a plugin.
After installation of Better WP Security, don’t forget to activate this plugin. The result is an extra item in your left menu called “Security”.
The first time you click on the item “Security” in the left menu, you’ll be asked to create a database backup. Unless you already have a backup system, click the “Create Database Backup”-button:
Next, you will be asked if Better WP Security may write to the WordPress core files (wp-config.php and .htaccess). Unless you have specific reasons not to do this, click the “Allow this plugin to change WordPress core files”-button:
The first time you visit the dashboard of Better WP Security, you’ll see the following message:
I advise you to click the “Secure My Site From Basic Attacks”-button. This will enable simple protection for your WordPress site.
Now you’ll see the system status. This is an overview of the status of different aspects of your WordPress installation, and whether they’re secure or not:
Items in red are vulnerable and should be secured immediately!
There are 2 ways to configure the advanced protection of your WordPress installation:
- You start at the “System Status” overview, and click the “Click here to fix”-link to secure all the parts of your site.
- You open each menu-item / tab within the security options and change the options.
In this tutorial, we’ll walk through all the available menu-items / tabs inside Better WP Security.
The first tab, which deals with the admin user account, contains 2 options:
- Change the Admin User Name: if you have a user name called “admin”, then you should change it into another user name. Here’s the place to do that.
- Change the Admin User ID: Click the “Change User 1 ID”-button to give the default admin account (user ID 1) a different ID.
In most cases, it’s not necessary to permit access to the backend of your site 24/7. That’s why it’s not a bad idea to limit the login period.
In this tab you can configure when users are able to log in. You can choose between a one-time period or a daily restriction.
Be careful when configuring these options; don’t lock yourself out!
Here you can define which hosts are banned from your site.
A good starting point is the default banned list: just check the box to enable the HackRepair.com blacklist feature. Don’t forget to click the “Add Host and Agent Blacklist”-button.
Below you’ll find 2 lists:
- Ban Hosts
- Ban User Agents
In the first list “Ban Hosts” you can ban hosts by entering their IP address. Enter 1 IP address or 1 IP address range per line. In the second list “Ban User Agents” you can ban user agents. Enter 1 user agent per line.
In this tab you can change the name of the wp-content folder. This is because automated scans look for the wp-content folder. If you change that name, it’s harder for them to find that folder (and most of them just won’t look any further). The best moment to activate this function is right after you installed a clean version of WordPress.
In this tab you can configure your database backups. This is one of the most important features and if you use this plugin, you should use this function.
Let’s take a look at the available fields:
- Enable Scheduled Backups: check this option to activate the scheduled backups.
- Backup Interval: Select the frequency of automated backups.
- Send Backups by Email: check this option if you want to send your backups to an email-address.
- Email Address: fill in the email address where the backups will be mailed to. This works only if you checked the option “Send Backups by Email”.
- Backups to Keep: how many versions of a backup do you want to keep? This works only if you did NOT check the option “Send Backups by Email”.
Now, what is a good backup interval? Every hour, every day, every week or every month? This really depends on how much the content of your blog or website changes. If you have a small blog which you update every 2 weeks, then a backup interval of 1 week should be fine. If you post new articles a couple of days a week, then a backup interval of 1 day is for you.
It’s even possible to configure a backup interval of every hour, but if you don’t need that, don’t configure it. Don’t forget that creating a backup takes server resources, which means your site could slow down while it runs.
Another important question is: are you going to send those backups by email or not? If you don’t send them by email, they will be saved on your server. Personally, I would choose to email them to myself. The reason is simple: if a hacker takes over your website and server, he also has access to the backups. If you send the backups by email, then you always have a backup in another place than your server, which is very important. In case of a disaster, you’ll always be able to access your backups!
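The “Backups to Keep” setting above is a retention policy: once the newest N dumps exist, the older ones are pruned. As an added example (my own code, not part of the plugin), here is that policy in Python for dumps stored on disk. It assumes a constructed file-naming scheme `<dbname>_<YYYYMMDD-HHMMSS>.sql[.gz]`; anything that does not match that pattern is deliberately left untouched, so an unrelated file or a dump still being written is never deleted.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# Assumed (constructed) naming scheme for dump files: <dbname>_<YYYYMMDD-HHMMSS>.sql or .sql.gz
BACKUP_NAME = re.compile(r"^(?P<db>[\w-]+)_(?P<stamp>\d{8}-\d{6})\.sql(\.gz)?$")


def backup_timestamp(name):
    """Return the datetime embedded in a backup file name, or None for anything else."""
    m = BACKUP_NAME.match(name)
    if m is None:
        return None
    return datetime.strptime(m.group("stamp"), "%Y%m%d-%H%M%S")


def select_backups_to_delete(names, keep):
    """From a list of file names, pick the backups to delete so that only the
    `keep` newest remain. Files that do not match the naming scheme are left
    alone, so a stray README or a half-written dump is never removed by accident."""
    dated = [(backup_timestamp(n), n) for n in names]
    dated = [(ts, n) for ts, n in dated if ts is not None]
    dated.sort(reverse=True)  # newest first
    return sorted(n for _, n in dated[keep:])


def prune_backup_dir(directory, keep):
    """Delete the surplus backups in `directory` and return their names."""
    doomed = select_backups_to_delete(os.listdir(directory), keep)
    for name in doomed:
        os.remove(os.path.join(directory, name))
    return doomed


def demo():
    """Build a throw-away directory with five daily dumps plus an unrelated file,
    keep the three newest, and return (deleted, remaining)."""
    with tempfile.TemporaryDirectory() as directory:
        first = datetime(2013, 1, 1, 3, 0, 0)
        for day in range(5):
            stamp = (first + timedelta(days=day)).strftime("%Y%m%d-%H%M%S")
            open(os.path.join(directory, f"wpdb_{stamp}.sql.gz"), "w").close()
        open(os.path.join(directory, "README.txt"), "w").close()
        deleted = prune_backup_dir(directory, keep=3)
        return deleted, sorted(os.listdir(directory))


if __name__ == "__main__":
    print(demo())
```

Run it after each scheduled dump; the copy you email or upload elsewhere is what makes the retention safe, since pruning on the server alone still leaves every surviving backup under the control of whoever controls the server.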
By default, WordPress uses the prefix “wp_” for all the tables in the database. When installing WordPress, you have the choice to change this. But if you didn’t, or if you have a default installation, then you can change it here.
Why is this important? Well, if hackers know the prefix, they also know exactly how all your tables are named. That makes it easier for them to attack your database. That’s why it’s important to change this.
To change this prefix, click on the “Change Database Table Prefix”-button. Better WP Security will now configure a random database table prefix.
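Behind that button a prefix change is more than renaming tables: WordPress also stores the prefix inside the data (the `wp_user_roles` option and the per-user `wp_capabilities` / `wp_user_level` meta keys), and `$table_prefix` in wp-config.php must agree with the database. As an added example (my own code, not the plugin’s), the following Python generates the full set of SQL statements for a single-site install. The core table list is WordPress 3.x’s; the prefix validation regex and the demo prefix `k3x9zq_` are my assumptions.

```python
import re
import secrets
import string

# Tables of a single-site WordPress 3.x install; plugin tables that share the prefix
# would be added to this list before running the generated SQL.
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
]
# Assumed rule for a safe prefix: letters/digits/underscores, starts with a letter, ends with '_'.
PREFIX_OK = re.compile(r"^[a-z][a-z0-9_]*_$")


def random_prefix(length=6):
    """A random prefix such as 'k3x9zq_': starts with a letter, ends with an underscore."""
    alphabet = string.ascii_lowercase + string.digits
    body = secrets.choice(string.ascii_lowercase)
    body += "".join(secrets.choice(alphabet) for _ in range(length - 1))
    return body + "_"


def prefix_change_sql(old, new, tables=CORE_TABLES):
    """Return the SQL statements that move a WordPress database from prefix `old`
    to prefix `new`. Both prefixes are validated against PREFIX_OK first, because
    they are interpolated straight into the statements."""
    for p in (old, new):
        if not PREFIX_OK.match(p):
            raise ValueError(f"unsafe table prefix: {p!r}")
    statements = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # The prefix is also stored inside the data: the roles option and the
    # per-user capability/level meta keys carry it. Without these two updates
    # every account loses its role and nobody can log in under the new prefix.
    statements.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    # '_' is a LIKE wildcard, so escape it to match the literal old prefix only.
    like_old = old.replace("_", "\\_")
    statements.append(
        f"UPDATE `{new}usermeta` "
        f"SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like_old}%';"
    )
    # wp-config.php has to agree with the database, otherwise WordPress offers to reinstall.
    statements.append(f"-- then set in wp-config.php:  $table_prefix = '{new}';")
    return statements


if __name__ == "__main__":
    for line in prefix_change_sql("wp_", random_prefix()):
        print(line)
```

Take the database backup from the earlier tab before running the output; the rename and the two UPDATE statements must all succeed together, so run them inside one transaction or be ready to restore.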
This option “hides” the backend by changing the URL from which you can access the WordPress backend. The harder it is to find your login screen, the faster hackers will leave your site.
How does this work? Well, once you enable this option, you’ll be able to choose your own slug (= URL) for the login screen, the register screen and the admin screen.
This function has the following options:
- Enable Hide Backend: check this option to hide your backend
- Login Slug: choose another URL for the login screen
- Register Slug: choose another URL for the register screen
- Admin Slug: choose another URL for the admin screen
This tab contains 2 sorts of detection:
- 404 detection
- file change detection
404 detection detects which user gets a lot of 404 errors. This probably means they’re scanning your site for vulnerabilities. With this option you can lock out users who are getting a lot of those 404 errors (and who are probably scanning your site).
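The 404 detection described above is a sliding-window count of 404 responses per client. As an added example (my own code, not the plugin’s logic), here it is in Python over constructed access-log lines in the common “combined” format. The threshold (5 in 5 minutes), the IPs and the paths in the sample are all constructed; the line that is not a log entry shows that unparsable input is skipped rather than crashing the scan.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample: 203.0.113.5 hits six missing paths in one minute,
# 198.51.100.7 gets a single 404 on a stale bookmark and then a normal page view.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2013:12:00:01 +0000] "GET /missing-1 HTTP/1.1" 404 512 "-" "scanner/1.0"',
    '198.51.100.7 - - [10/Jan/2013:12:00:05 +0000] "GET /old-post HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2013:12:00:12 +0000] "GET /missing-2 HTTP/1.1" 404 512 "-" "scanner/1.0"',
    '198.51.100.7 - - [10/Jan/2013:12:00:20 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2013:12:00:23 +0000] "GET /missing-3 HTTP/1.1" 404 512 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Jan/2013:12:00:34 +0000] "GET /missing-4 HTTP/1.1" 404 512 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Jan/2013:12:00:45 +0000] "GET /missing-5 HTTP/1.1" 404 512 "-" "scanner/1.0"',
    '203.0.113.5 - - [10/Jan/2013:12:00:56 +0000] "GET /missing-6 HTTP/1.1" 404 512 "-" "scanner/1.0"',
    'this line is not an access-log entry and must be ignored',
]


def parse_line(line):
    """Return (ip, timestamp, status, request) or None for lines that do not parse."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status")), m.group("request")


def find_404_scanners(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: time the threshold was first reached} for every client that produced
    `threshold` or more 404 responses inside any `window`-long sliding interval."""
    recent = defaultdict(deque)  # ip -> timestamps of recent 404s, oldest first
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != 404:
            continue
        ip, ts, _, _ = parsed
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:  # drop 404s that fell out of the window
            hits.popleft()
        if len(hits) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_404_scanners(SAMPLE_LOG).items():
        print(f"{ip} reached the 404 threshold at {when:%H:%M:%S}")
```

Tune the threshold against your own logs before blocking on it: a site with many dead links will produce 404 bursts from ordinary visitors, and the window keeps a slow trickle of 404s from accumulating forever.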
File change detection looks in the files of your WordPress installation. If a file is changed (by a hacker), you’ll be informed about that file change.
In this tab you can limit the login attempts of a user. If somebody had unlimited time and wanted to try an unlimited number of password combinations to get into your site, then there is a big chance they eventually would. That’s why it’s important to limit this.
Here you can define when to block a user and for how long. The default configuration is ok.
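The two settings on this tab, when to block and for how long, are the parameters of a lockout policy. As an added example (my own code, not the plugin’s), the Python below implements that policy and applies it to both the client IP and the user name, so one source cannot spray many accounts and many sources cannot hammer one account. The defaults (5 failures within 5 minutes, 15-minute lock) and the sequence in `demo()` are constructed assumptions, not the plugin’s defaults.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginLimiter:
    """Lock a key (client IP or user name) after `max_attempts` failures within
    `window`; the lock lasts `lockout` and then clears itself."""

    def __init__(self, max_attempts=5, window=timedelta(minutes=5), lockout=timedelta(minutes=15)):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:  # lock expired: forget it and the old failures
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now):
        """Register a failed login; return True if this failure triggered a lock."""
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.locked_until[key] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, key):
        self.failures.pop(key, None)


def attempt_login(limiter, username, ip, password_ok, now):
    """Decide one login attempt: 'locked', 'ok' or 'failed'. Both the client IP and
    the user name are rate-limited; a lock on either refuses the attempt before the
    password is even checked, so locked clients learn nothing about the password."""
    user_key = "user:" + username
    if limiter.is_locked(ip, now) or limiter.is_locked(user_key, now):
        return "locked"
    if password_ok:
        limiter.record_success(ip)
        limiter.record_success(user_key)
        return "ok"
    limiter.record_failure(ip, now)
    limiter.record_failure(user_key, now)
    return "failed"


def demo():
    """Constructed sequence: five bad passwords in a row, then the correct password
    while still locked, then the correct password after the lock has expired."""
    limiter = LoginLimiter()
    t0 = datetime(2013, 1, 10, 12, 0, 0)
    results = []
    for i in range(5):
        results.append(attempt_login(limiter, "admin", "203.0.113.5", False, t0 + timedelta(seconds=i)))
    results.append(attempt_login(limiter, "admin", "203.0.113.5", True, t0 + timedelta(minutes=10)))
    results.append(attempt_login(limiter, "admin", "203.0.113.5", True, t0 + timedelta(minutes=16)))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the user name is limited as well as the IP, the account can be locked by a stranger guessing at it from many addresses; that is the trade-off the “for how long” setting controls, and a reason to keep the lockout short enough that the real owner is not shut out for long.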
This tab is only important when you’re using an SSL certificate.
On this tab you’ll find some tweaks to enhance security. If you’re a beginner, I wouldn’t advise you to change a lot here. In some cases, your site will experience problems (due to plugins which are not compatible with a tweak).
If you change some options here, do it step by step, so you know exactly what you’ve changed. In case of problems, this makes it easier to reset the one option that caused the problem.
The last tab contains the log file. These logs are VERY important because they tell you what happened. If something went wrong (= if someone tried to hack your site), you’ll find it here.
In this part you’ll find some links to other articles; some will take you to another site. I added these links because I think they might be interesting for you.
- WordPress Security for Beginners
- Better WP Security official homepage
- Better WP Security on WordPress.org
- Owasp.org: the Open Web Application Security Project (learn about security – TIP!)
- Best WordPress Security Plugin – Better WP Security (by Abhi on Oddblogger.com)
- Best Security Plugins for WordPress (by Jean on wpmu.org)
As you can see, Better WP Security is a very versatile plugin with a lot of options. Luckily, the developer has made it very easy for us to use it. The best place to start after activating this plugin is the dashboard: here you get an overview of all the vulnerabilities of your site.
I can only highly recommend this plugin. It’s easy to configure, even if you’re a beginning WordPress user. Better WP Security makes your site much more secure in just a couple of clicks!