2 Simple Changes To Make Your Blog 10X More Secure


With all the recent news about hackers, you can be sure that every bored kid and shady character is interested in getting started on his own hacking adventures. The fact is that the number of sites being hacked is on the rise.

What would you do if your blog became the target of a hacker? Everything you’ve worked so hard for, to build a decent blog, to grow traffic and readership, and to make some money, could be lost. Are you willing to take that risk?

Luckily WordPress is pretty secure right out of the box, and the developers are always on top of it with security updates. But that doesn’t stop hackers from looking for vulnerabilities in your website. The following two items, however, will make your blog a lot more secure than 90% of those out there.

Move wp-config.php up one level

The wp-config.php file contains all of your WordPress configuration information and settings, including your database credentials. If hackers get access to this file it’s game over for your blog. With that information they can inject malware into your blog, alter your links, or worse – delete all your content!

But there is a really simple way around this. By default the wp-config.php file is located in the public-facing root folder of your website installation, like this:

~/home/user/public_html/wp-config.php or ~/home/user/www/wp-config.php

Simply FTP into your site and move the wp-config.php file up one level so it sits above the public_html folder, like this:

~/home/user/wp-config.php
Now your wp-config.php file is outside the public-facing web root and can no longer be fetched by the scripts and bots that hackers run against sites on the web.

WordPress handles this automatically: if it doesn’t find the config file in the root, it looks one level up for it.

Important Note!

This tip will not work if your blog is installed in a subdirectory, like mysite.com/blog, or if it is an addon domain in cPanel, like public_html/yourblog.com/wp-config.php. The config file needs to be in the root folder to begin with.
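The move described above, with the note’s preconditions checked before anything is touched, as an added shell example (this is not code from the original post). It assumes a POSIX shell on the hosting account, that the first argument is the document root (for example /home/user/public_html), that WordPress is installed directly in that root, and that the account owning the file is the one PHP runs as, so that tightening the file to mode 600 does not break the site.

```shell
#!/bin/sh
# Added example (not from the original post): move wp-config.php one level
# above the web root, refusing the cases the post says the tip does not cover.
# Assumptions: POSIX sh; $1 is the document root; PHP runs as the file owner.

relocate_wp_config() {
    docroot=$1
    parent=$(dirname "$docroot")

    # The file must be in the web root to begin with. A missing file here
    # usually means a subdirectory install such as public_html/blog.
    if [ ! -f "$docroot/wp-config.php" ]; then
        echo "no wp-config.php in $docroot: is WordPress installed in a subdirectory?" >&2
        return 1
    fi
    if [ ! -f "$docroot/wp-settings.php" ]; then
        echo "$docroot does not look like a WordPress root (wp-settings.php missing)" >&2
        return 1
    fi

    # cPanel addon domains and subdirectory installs live under another web
    # root; one level up is still publicly served, so moving gains nothing.
    case $(basename "$parent") in
        public_html|www|htdocs)
            echo "$docroot is nested inside another web root; refusing" >&2
            return 1 ;;
    esac

    # WordPress only loads ../wp-config.php when ../wp-settings.php does not
    # exist (otherwise it treats the parent as a separate install).
    if [ -f "$parent/wp-settings.php" ]; then
        echo "$parent contains another WordPress install; the moved file would be ignored" >&2
        return 1
    fi
    if [ -e "$parent/wp-config.php" ]; then
        echo "$parent/wp-config.php already exists; refusing to overwrite" >&2
        return 1
    fi

    mv "$docroot/wp-config.php" "$parent/wp-config.php" || return 1
    # The file holds database credentials and salts: readable by the owner only.
    chmod 600 "$parent/wp-config.php"
    echo "moved to $parent/wp-config.php"
}
```

Run it as `relocate_wp_config /home/user/public_html` from the hosting account’s shell; it prints the new location on success and explains, on standard error, which precondition failed otherwise.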

Delete The 'admin' Account

By default the user name for the administrator account is ‘admin’. Every hacker and his family knows that, so using ‘admin’ as your Administrator user name is like having an unlocked door at the back of your house that every thief in the neighborhood knows about. Don’t ever use this as your main account, and always choose a different name when installing WordPress.

If you’ve already installed WordPress and your user name is ‘admin’, then right away log into your dashboard, select >> Users >> Add New User, and create a new user with the role of Administrator. Then log out, and log back in using the new user name you just created. Then go back to the Users menu and delete the user named ‘admin’. You will see a confirmation screen where you can select to have all the content that was created under the ‘admin’ user name transferred to the new user name you created.
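The same three dashboard steps, done from the command line with WP-CLI (https://wp-cli.org/), as an added example that is not part of the original post. It assumes a POSIX shell, that WP-CLI is installed as `wp` and is run from the WordPress directory, that a login named ‘admin’ exists, and that the replacement login, e-mail address and password are passed as the three arguments; the `WP_CLI` variable only exists so the command can be swapped out for testing.

```shell
#!/bin/sh
# Added example (not from the original post): replace the default 'admin'
# account using WP-CLI. Assumptions: POSIX sh, `wp` on PATH, run from the
# WordPress root. WP_CLI can be pointed at a stand-in command for testing.
WP_CLI=${WP_CLI:-wp}

replace_admin_user() {
    new_login=$1
    new_email=$2
    new_pass=$3

    # Refuse the well-known default names the post warns about.
    case $new_login in
        ''|admin|administrator|root)
            echo "pick a login that is not a well-known default" >&2
            return 1 ;;
    esac
    if [ -z "$new_pass" ]; then
        echo "a password for the new account is required" >&2
        return 1
    fi

    # 1. Create the replacement administrator. --porcelain prints only the
    #    new user's ID. The password is visible in this process's argument
    #    list while the command runs, so do this from a shell only you use.
    new_id=$("$WP_CLI" user create "$new_login" "$new_email" \
        --role=administrator --user_pass="$new_pass" --porcelain) || return 1

    # 2. Never remove the last administrator: there must be two now.
    admin_count=$("$WP_CLI" user list --role=administrator --field=ID | wc -l | tr -d ' ')
    if [ "$admin_count" -lt 2 ]; then
        echo "expected two administrators, found $admin_count; not deleting admin" >&2
        return 1
    fi

    # 3. Delete 'admin' and reassign its posts and pages to the new user,
    #    the same choice the dashboard's confirmation screen offers.
    "$WP_CLI" user delete admin --reassign="$new_id" --yes || return 1
    echo "admin replaced by $new_login (ID $new_id)"
}
```

Usage: `replace_admin_user editor_jane jane@example.com 'a long passphrase'`, then log in as the new user and confirm the old login is gone. Keeping the administrator count check before the delete is what makes the script safe to run unattended: if user creation silently fails, you are not locked out of your own site.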

That’s it. Those two simple steps will make your blog a lot more secure than most because:

  • One - hackers can't access your wp-config.php file and find out all they need to know to hack into your database, and...
  • Two - they'll have to guess both your user name and your password to get into your site, which is twice as hard as just guessing the password alone.

If you have any other tips you’d like to share or questions please let me know in the comments below.
