Setting Up a Secure WordPress Blog During WP Installation

The way I typically install a fresh copy of WordPress (video below)

By John Hoff
Author of the WordPress Defender eBook

Setting up a secure WordPress blog right from the beginning is the best way to go.

Thanks to WordPress 3.0 (and now beyond), WordPress has made it much easier to get a head start on creating a more secure blog.

In this article, I first want to highlight a few changes that WordPress 3.0 and beyond allow us to make, and then I'll show you in a video below how I typically install a fresh version of a WordPress blog.


What WordPress 3.0 Has Added

So far (as of the writing of this article - 7/9/10), these enhancements WP 3.0 has given us mainly apply to new, fresh manual installs of WordPress.

During the installation process, WordPress lets you do 2 new things, while a 3rd is done automatically for you:

  1. Choose a different username than the default “admin”
  2. Change our default database table prefix from wp_ to something more secure and less obvious
  3. Automatically set up WordPress security keys

Why These 3 Things Are Important

#1 - The default username

Some bloggers out there say that changing your default username from admin to something else really doesn't help you create a more secure WordPress blog. I tend to disagree with that notion, and so, it seems, do the creators of WordPress.

You see, by changing your default username from admin to something else, like say johnsID, you're making it much more difficult for hackers to guess your username and password. To break into your blog, some hackers will use a brute-force password discovery program, which runs through millions of combinations of words to try to figure out what your password is.

But to get in, they need to get both your username and password correct.

So why let them guess correctly with the username admin? Just change it and move on. The good news is that WordPress 3.0 allows you to create a unique username right there during the installation process.

#2 - Changing the database prefix

Just like I mentioned in #1 above, why let a possible intruder guess what your database prefix is?

Many hackers will "guess" that your database prefix is wp_.

That is the prefix used by millions of blogs whose owners have not taken the time to change it, so their blogs stay cookie cutter instead of being a little more customized.

If you're not sure what all that means, just know that when you install WordPress 3.0 and above manually, be sure to change the default table prefix from wp_ to something more obscure, like tx32Lv_ or something.

#3 - Secret Keys

As you'll see in the video below, secret keys are long strings of characters which you can add to your wp-config.php file to help make your WordPress blog more secure.

Basically what they do is help encrypt your cookie which contains your password during the login process.

Again, if you're not sure what this all means, the good thing is that WordPress 3.0 and above does this automatically for you when you install a fresh copy.


Creating a Secure WordPress Blog During Installation Video

When I install WordPress, I typically do it manually. There are also a few things I do right from the beginning to help get my blogs on the fast track to being secure.

To learn everything I do, you'd want to check out my book, WordPress Defender; however, in addition to the 3 topics I talked about above, I also move all my core files out of the main (or root) WordPress directory.

This does two things for me:

  1. Cleans up my WordPress directory so there aren't a ton of WP files around
  2. Adds just a little security through obscurity by moving my blog's login page to a different and unique location. It's not the most powerful security feature, but every little bit helps.

Okay, enough talking, let's watch me set up a WordPress blog.


Video 1: Installing WordPress 3.0

Note that these videos were created over on my blog, so they reference WP Blog Host.


Video 2: Moving WordPress Core Files Out of Root

So now that you have your blog set up and on the fast track to being secure, you can go out and get all those plugins, like the Popup Domination WordPress Plugin and SEO Scribe Plugin to help drive traffic to your site and get you making a little money with it.

Want to learn more about WordPress Security?
Get my book, WordPress Defender: 30 Ways to Secure WordPress from Attack Anyone Can Do




2011 John Hoff, All Rights Reserved