How to Secure WordPress With Better WP Security

One of the best plugins around to enhance WordPress security is Better WP Security. In this tutorial I’ll show you the most interesting features of this plugin and how to configure them. Because Better WP Security is free, there is no reason to hesitate: in a couple of minutes it will make your blog or website much more secure!

Features of Better WP Security

Better WP Security is a plugin with a lot of features:

  • Database backups
  • One-Click Protection for new users, detailed options for advanced users
  • System status with an overview of secured and vulnerable parts of your blog
  • Set up an away mode (during this period there is no access to the backend of the site)
  • Blacklist users
  • Change the “WP-Content”-directory
  • Change the prefix of your tables if you didn’t change these during installation of WordPress
  • Change the URL of the backend
  • Detect users who are hitting a lot of 404 errors (which means they’re probably scanning for vulnerabilities)
  • Limit login attempts
  • Turn on SSL
  • Several minor tweaks for advanced users

Installation & One Click Protection

Installation & Activation of Better WP Security

You can install Better WP Security just as every other WordPress plugin. If you don’t know how to install a WordPress plugin yet, then you should take a look at this tutorial about installing a plugin.

After installation of Better WP Security, don’t forget to activate this plugin. The result is an extra item in your left menu called “Security”.

First Backup

The first time you click on the item “Security” in the left menu, you’ll get the question to take a database Backup. Unless you already have a backup system, click the “Create Database Backup”-button:

Create first Database Backup


Next, you will be asked if Better WP Security may write to the WordPress core files (wp-config.php and .htaccess). Unless you have specific reasons not to do this, click the “Allow this plugin to change WordPress core files”-button:

Allow this plugin to change the WordPress Core Files


One-Click Protection

The first time you visit the dashboard of Better WP Security, you’ll see the following message:

One-click protection


I advise you to click the “Secure My Site From Basic Attacks”-button. This will enable simple protection for your WordPress site.

System Status

Now you’ll see the system status. This is an overview of the status of different aspects of your WordPress installation, and whether they’re secure or not:

System status


Items in red are vulnerable and should be secured immediately!

Advanced Protection

There are 2 ways to configure the advanced protection of your WordPress installation:

  • You start at the “System Status” overview, and click the “Click here to fix”-link to secure all the parts of your site.
  • You open each menu-item / tab within the security options and change the options.

In this tutorial, we’ll walk through all the available menu items / tabs inside Better WP Security.

User

This tab contains 2 options:

  • Change the Admin User Name: if you have a user called “admin”, you should rename it. Here’s the place to do that.
  • Change the Admin User ID: click the “Change User 1 ID”-button to give the administrator a user ID other than 1.

Away

In most cases it isn’t necessary to allow access to the backend of your site 24/7, so limiting the logon period is a sensible idea.

In this tab you can configure when users are able to log on. You can choose between a one-time period and a daily restriction.

Be careful when configuring these options; don’t lock yourself out!

Ban

Here you can define which hosts are banned from your site.

A good starting point is the default ban list: just check the box to enable the HackRepair.com blacklist feature. Don’t forget to click the “Add Host and Agent Blacklist”-button.

Below you’ll find 2 lists:

  • Ban Hosts
  • Ban User Agents

In the first list, “Ban Hosts”, you can also ban users by IP address: enter one IP address or one IP address range per line. In the second list, “Ban User Agents”, enter one user agent per line.

Dir

In this tab you can change the name of the wp-content folder. Hackers scan for the wp-content folder; if you rename it, it’s harder for them to find (and most of them won’t look any further). The best moment to activate this function is right after a clean installation of WordPress.

Backup

In this tab you can configure your database backups. This is one of the most important features and if you use this plugin, you should use this function.

Let’s take a look at the available fields:

  • Enable Scheduled Backups: check this option to activate the scheduled backups.
  • Backup Interval: Select the frequency of automated backups.
  • Send Backups by Email: check this option if you want to send your backups to an email-address.
  • Email Address: fill in the email address where the backups will be mailed to. This works only if you checked the option “Send Backups by Email”.
  • Backups to Keep: how many versions of a backup do you want to keep? This works only if you did NOT check the option “Send Backups by Email”.

Now, what is a good backup interval? Every hour, every day, every week or every month? This really depends on how much the content of your blog or website changes. If you have a small blog which you update every 2 weeks, then a backup interval of 1 week should be fine. If you post new articles a couple of days a week, then a backup interval of 1 day is for you.

It’s even possible to configure a backup interval of every hour, but if you don’t need that, don’t configure it. Don’t forget that creating a backup takes server resources, which means your site could slow down at that moment.

Another important question is: are you going to send those backups by email or not? If you don’t send them by email, they will be saved on your server. Personally, I would choose to email them to myself. The reason is simple: if a hacker takes over your website and server, he also has access to the backups. If you send the backups by email, you always have a copy somewhere other than your server, which is very important. In case of a disaster, you’ll always be able to access your backups!

Prefix

By default, WordPress uses the prefix “wp_” for all the tables in the database. When installing WordPress, you have the choice to change this. But if you didn’t, or if you have a default installation, then you can change it here.

Why is this important? If hackers know the prefix, they also know how all your tables are named, which makes attacks on your database easier. That’s why it’s important to change this.

To change this prefix, click on the “Change Database Table Prefix”-button. Better WP Security will now configure a random database table prefix.
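What the button has to do behind the scenes is more than renaming tables: WordPress also stores the prefix inside option and meta *keys* (wp_user_roles, wp_capabilities, wp_user_level), so those rows must be rewritten too, and `$table_prefix` in wp-config.php must be updated. The following is an added illustration, not the plugin’s own code; it generates the SQL for a prefix change and a random prefix of the kind the plugin picks (the statement shapes are an assumption based on how WordPress stores these keys).

```python
import re
import secrets
import string

PREFIX_RE = re.compile(r"[a-z][a-z0-9_]*_")  # lowercase identifier piece ending in '_'


def random_prefix(length: int = 6) -> str:
    """Random lowercase prefix such as 'k3x9qz_' (letter first, so it is a valid identifier)."""
    body = secrets.choice(string.ascii_lowercase)
    body += "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(length - 1))
    return body + "_"


def prefix_change_sql(tables, old: str, new: str) -> list:
    """SQL statements that rename every `old*` table to `new*` AND rewrite the
    option/meta keys that embed the prefix (wp_user_roles, wp_capabilities, ...).
    Skipping the second part leaves every user without a role after the rename.
    Assumption: MySQL syntax, as used by WordPress."""
    if not (PREFIX_RE.fullmatch(old) and PREFIX_RE.fullmatch(new)):
        raise ValueError("prefix must be lowercase, start with a letter and end with '_'")
    stmts = [f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;" for t in tables if t.startswith(old)]
    old_like = old.replace("_", r"\_")  # '_' is a LIKE wildcard, so escape it
    cut = len(old) + 1                   # SUBSTRING is 1-indexed
    stmts.append(
        f"UPDATE `{new}options` SET option_name = CONCAT('{new}', SUBSTRING(option_name, {cut})) "
        f"WHERE option_name LIKE '{old_like}%';"
    )
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {cut})) "
        f"WHERE meta_key LIKE '{old_like}%';"
    )
    return stmts


if __name__ == "__main__":
    # Constructed example table list; a real site has more (wp_postmeta, wp_terms, ...).
    for stmt in prefix_change_sql(["wp_posts", "wp_options", "wp_usermeta"], "wp_", random_prefix()):
        print(stmt)
```

Take a database backup before running anything like this, and update `$table_prefix` in wp-config.php in the same step, or the site will not find its tables.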

Hide

This option “hides” the backend by changing the URL from which you can access the WordPress backend. The harder it is to find your login screen, the faster hackers will leave your site.

How does this work? Once you enable this option, you’ll be able to choose your own slug (= URL) for the login screen, the register screen and the admin screen.

This function has the following options:

  • Enable Hide Backend: check this option to hide your backend
  • Login Slug: choose another URL for the login screen
  • Register Slug: choose another URL for the register screen
  • Admin Slug: choose another URL for the admin screen

Detect

This tab contains 2 sorts of detection:

  • 404 detection
  • file change detection

404 detection spots users who trigger a lot of 404 errors, which probably means they’re scanning your site for vulnerabilities. With this option you can lock out those users.

File change detection inspects the files of your WordPress installation. If a file is changed (by a hacker), you’ll be informed about that change.
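The mechanism behind file change detection is a baseline of file hashes compared against a fresh scan. The following is an added example (not the plugin’s code) that builds such a baseline with SHA-256, reports added, removed and modified files, and demonstrates it on a constructed temporary directory that mimics a small WordPress tree.

```python
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root: str) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Report what changed between two scans; any entry here deserves a look."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed WordPress-like tree: take a baseline, alter it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); ?>")
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '3.5'; ?>")
        before = build_baseline(tmp)
        # Simulate what a compromise looks like on disk: a core file edited, a file dropped in.
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '3.5'; /* edited */ ?>")
        (root / "unexpected.php").write_text("<?php /* file that was never part of the install */ ?>")
        after = build_baseline(tmp)
        return compare_baselines(before, after)


if __name__ == "__main__":
    print(demo())  # the stored baseline should live outside the web root, or an intruder can rewrite it
```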

Login

In this tab you can limit the login attempts of a user. If somebody had unlimited time and could try an unlimited number of password combinations to get into your site, there is a big chance they would eventually succeed. That’s why it’s important to limit this.

Here you can define when to block a user and for how long. The default configuration is ok.
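Both the 404 lockout in the Detect tab and the login limit in this tab are the same rule: count events per client inside a time window and block the client for a while once a threshold is reached. The following is an added example, not the plugin’s code: a sliding-window lockout applied to 404 responses parsed from constructed Apache access-log lines; feeding it (IP, time) pairs of failed logins instead gives the login limiter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log shape: client IP, timestamp, quoted request line, status code.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3})')

# Constructed sample lines (not from the page): 10.0.0.5 requests several paths that do not
# exist within a few seconds; 10.0.0.9 is an ordinary visitor who hits one broken link.
LOG_LINES = """\
10.0.0.5 - - [10/Mar/2013:12:00:01 +0000] "GET /old-site/ HTTP/1.1" 404 209 "-" "-"
10.0.0.9 - - [10/Mar/2013:12:00:02 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2013:12:00:03 +0000] "GET /test.php HTTP/1.1" 404 209 "-" "-"
10.0.0.5 - - [10/Mar/2013:12:00:04 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "-"
10.0.0.9 - - [10/Mar/2013:12:00:05 +0000] "GET /img/missing.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2013:12:00:06 +0000] "GET /tmp/ HTTP/1.1" 404 209 "-" "-"
"""


def sliding_window_lockouts(events, threshold=4, window=timedelta(minutes=5),
                            lockout=timedelta(minutes=15)):
    """events: iterable of (ip, datetime). An IP that produces `threshold` events inside
    `window` is locked out until event_time + lockout. Returns {ip: locked_until}."""
    recent = defaultdict(deque)
    locked = {}
    for ip, ts in sorted(events, key=lambda e: e[1]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in locked:
            locked[ip] = ts + lockout
    return locked


def lockouts_for_404s(lines, **kwargs):
    """Feed only the 404 responses from access-log lines into the lockout rule."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["status"] == "404":
            events.append((m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")))
    return sliding_window_lockouts(events, **kwargs)


if __name__ == "__main__":
    print(lockouts_for_404s(LOG_LINES.splitlines()))
```

Keep the threshold for 404s well above what a visitor with a few broken links produces, or the rule locks out legitimate users; a single stray 404, as for 10.0.0.9 above, must never trigger it.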

SSL

This tab is only important when you’re using an SSL certificate.

Tweaks

On this tab you’ll find some tweaks to enhance security. If you’re a beginner, I wouldn’t advise you to change a lot here. In some cases your site will experience problems (due to plugins that are not compatible).

If you change some options here, don’t forget to do it step by step, so you know what you’ve changed. In case of problems, this makes it easier to reset the option that resulted in a problem.

Logs

The last tab contains the log file. These logs are VERY important because they tell you what happened. If something went wrong (= if someone tried to hack your site), you’ll find it here.

Recommended Links

In this part you find some links to other articles, some will take you to another site. I added these links because I think these might be interesting for you.

Conclusion

As you can see, Better WP Security is a very versatile plugin with a lot of options. Luckily, the developer has made it very easy for us to use it. The best place to start after activating this plugin is the dashboard: here you get an overview of all the vulnerabilities of your site.

I can only highly recommend this plugin. It’s easy to configure, even if you’re a beginning WordPress user. Better WP Security makes your site much more secure in just a couple of clicks!

4 Comments:

mistrlisterrob

Be careful, newbies, if you’re gonna go checking boxes. For some reason, the layout (CSS) and functionality (thumbs don’t open) of my site works differently when logged in compared to when you’re logged out?

Nico

Hi, which boxes do you mean? Nico

Rob

I managed to fix it now. Some of the little tweaks were selected and the site was viewing OK when logged in but displayed differently when logged out. Be ready to get your hands dirty if you’re a newbie.

Nico

Hi Rob, thanks for sharing. That’s why I suggest doing the changes tab by tab instead of through the System Status view. Some changes in the Tweaks tab require some technical knowledge. That’s why I advise beginners not to make changes there.

Nico Julius

I create web applications and WordPress websites. I also give WordPress training.

Copyright 2013 WPBrix.com - Hosting by WPEngine - Created with Builder Theme.