There are a number of things you can do to make your self-hosted WordPress installation that bit more secure, some of which aren’t widely advertised. Below is a list of some quick and easy options, plus a couple that need a little bit more work but are well worth the extra effort for that extra peace of mind.
1. Secret Keys
When you first install WordPress you edit your wp-config.php file so that it holds the right details for connecting to your WordPress database. As ever, wp-config-sample.php shows you what needs to be filled in: edit that file, save it as wp-config.php and you're ready to install.
However, since WordPress 2.6 the same file has also carried a set of secret keys which help keep your install more secure. WordPress uses them to salt the hashes in its authentication and nonce cookies, so a cookie stolen from one site can't be forged or replayed against another, and changing them invalidates every existing login session (handy if you ever suspect a compromise and want everyone logged out).
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
If you're not sure what to put in here, just visit the handy Secret Key Generator at wordpress.org (currently at https://api.wordpress.org/secret-key/1.1/salt/) to generate your own special lines of secrecy. Below is an example of the output, which can be copied straight into your wp-config.php file in place of the placeholder lines.
define('AUTH_KEY', '_f{,Ez(@SWSTGq~]p7mMu/zsSQ9%Aj;43db|:OjWUlUFJ5Ge{u%T-dx4>u1{_szU');
define('SECURE_AUTH_KEY', 'RQT-|bmNY).USI6vo2khHm<6N!6`x/ri]g-0VNN1t^<b]seB;H*Q=..h<,F@-}% ');
define('LOGGED_IN_KEY', '{,C+JN*x_sj:iAp3|p~a@HI0:<.KnrS(thDV*[u_kY$xbolk[aiqx${|:Y2L^+{ ');
define('NONCE_KEY', 'Ek@(Zw#<CipmijGZw67b:drxRb*JiQ#+q5bJ|5/NGeEyHGWpSB- .V1{3U_Gi80|');
Just to be clear: do not use the example above! Visit the generator for your own unique keys, and give every site you run its own set rather than copying one between installs. If you're interested in further reading, check out the WordPress Codex article on editing wp-config.php.
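If you'd rather not paste keys from a website at all, the following script rotates them offline. This is an added example, not code from the original post or from WordPress: it assumes a POSIX shell with /dev/urandom, tr, head, awk and mktemp, and that the four define() lines are present in wp-config.php in their usual form. It works on a temporary copy and only replaces the real file once every key has been rewritten, so a config with a missing key line is left untouched rather than half-edited.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): regenerate the four WordPress
# secret keys in wp-config.php in place, without the wordpress.org generator.
# Assumes a POSIX shell with /dev/urandom, tr, head, awk and mktemp.
set -eu

# The keys this script rotates (the names WordPress 2.6+ looks for).
WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY"

# Produce a 64-character random phrase from a printable alphabet that contains
# no single quote or backslash, so it is safe inside a PHP '...' literal.
# 4096 bytes of urandom yield ~1400 usable characters, plenty for 64.
gen_wp_key() {
  head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=<>?,.;:{}|~-' | head -c 64
}

# Rewrite every define('NAME', '...') line for the keys above in the given
# file. Fails (leaving the file as it was) if any key line is missing.
rotate_wp_keys() {
  cfg="$1"
  [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
  tmp=$(mktemp)
  cp "$cfg" "$tmp"
  for key in $WP_KEYS; do
    if ! grep -Eq "^[[:space:]]*define *\( *'$key'" "$tmp"; then
      echo "missing define for $key in $cfg" >&2
      rm -f "$tmp"
      return 1
    fi
    newval=$(gen_wp_key)
    # awk rather than sed: the random value would clash with sed's delimiters.
    awk -v k="$key" -v v="$newval" '
      $0 ~ ("^[ \t]*define *\\( *\047" k "\047") {
        print "define(\047" k "\047, \047" v "\047);"
        next
      }
      { print }' "$tmp" > "$tmp.new"
    mv "$tmp.new" "$tmp"
  done
  cp "$tmp" "$cfg"
  rm -f "$tmp"
}

# Print the value currently defined for one key; used to verify the rewrite.
get_wp_key() {
  awk -v k="$2" -F"'" '$0 ~ /^[ \t]*define\(/ && $2 == k { print $4 }' "$1"
}

# Usage: rotate_wp_keys /var/www/html/wp-config.php
```

Because the keys salt the login cookies, running this on a live site logs every user out, which is exactly what you want after a suspected compromise and a nuisance at any other time, so do it at a quiet moment.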
2. Change Your Admin Password
I've talked about the importance of password security in the past. Thankfully WordPress generates a fairly random password for the "admin" user when you first install it, but I feel happier generating my own, longer password for that extra peace of mind.
Personally I use the excellent password generator that's included in our favourite password management web application, Passpack, which I strongly recommend checking out, but there are a multitude of free password generators available. A good one I came across is www.freepasswordgenerator.com, which lets you choose whether to include small letters (a..z), capital letters (A..Z), digits (2..9) and special symbols (!, +, ], ?, etc.), as well as the length of the password. It produces wonderfully complicated things like:
a^cYj+csV)MifQhc,66s
Again, for the sake of safety I'd suggest signing up to Passpack to store this password nice and securely. Don't write it down!
3. Change Your Admin Username
Keeping things secure is largely about making life more difficult for a potential attacker. The default username for the WordPress administrator is "admin", so anyone trying to brute-force the login already has half of it for free. Whilst you can't change WordPress usernames through the admin panel, you can change them by editing your database.
As we're security conscious here at Pixelapes, we only access our server through "Secure Shell" (SSH), meaning that any database interaction is purely command line based. Hence the example below shows what to do to change your admin username from the mysql client.
mysql> USE your_database_name;
Database changed
mysql> UPDATE wp_users SET user_login="new-admin-user" WHERE user_login="admin";
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0
It's as simple as that, with two caveats. If your install uses a table prefix other than the default, the table won't be called wp_users. And the user's user_nicename (the slug WordPress uses in author archive URLs such as /author/admin/) and display name still read "admin" after this change unless you update them too; the display name can be changed from the user's profile screen. If you have a GUI tool installed on your server, such as phpMyAdmin, you can follow the simple steps in this guide to change your admin username.
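For anyone who would rather script the rename than type it into the mysql prompt, here is an added example (not from the original post or from WordPress) that builds the statements and, optionally, feeds them to the mysql client. It takes the table prefix as a parameter, renames the author-URL slug (user_nicename) along with the login, prints a SELECT so you can confirm exactly one row changed, and refuses any username outside a conservative character set (letters, digits, underscore, hyphen and dot, which is a subset of what WordPress itself accepts; that restriction is my assumption, chosen so that quotes and backslashes can never reach the SQL).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): generate, and optionally run,
# the SQL that renames the WordPress "admin" login. Assumes the standard
# wp_users columns; the table prefix is a parameter because many installs
# do not use the default "wp_".
set -eu

# Conservative username check (assumption: a subset of what WordPress allows).
# Rejecting everything else keeps quotes, spaces and semicolons out of the SQL.
valid_wp_username() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the SQL for renaming the login and its URL slug, followed by a SELECT
# that shows the affected row so the operator can confirm the change.
# Usage: wp_rename_admin_sql <table_prefix> <old_login> <new_login>
wp_rename_admin_sql() {
  prefix="$1"; old="$2"; new="$3"
  valid_wp_username "$old" || { echo "refusing username: $old" >&2; return 1; }
  valid_wp_username "$new" || { echo "refusing username: $new" >&2; return 1; }
  case "$prefix" in
    ''|*[!A-Za-z0-9_]*) echo "refusing table prefix: $prefix" >&2; return 1 ;;
  esac
  cat <<EOF
UPDATE ${prefix}users SET user_login = '${new}', user_nicename = LOWER('${new}') WHERE user_login = '${old}';
SELECT ID, user_login, user_nicename, display_name FROM ${prefix}users WHERE user_login IN ('${old}', '${new}');
EOF
}

# Apply the rename through the mysql client; credentials come from ~/.my.cnf
# or the MYSQL_PWD environment variable, not from the command line.
# Usage: wp_rename_admin <database> <table_prefix> <old_login> <new_login>
wp_rename_admin() {
  db="$1"; prefix="$2"; old="$3"; new="$4"
  wp_rename_admin_sql "$prefix" "$old" "$new" | mysql --batch "$db"
}
```

The SELECT deliberately lists display_name as well: if it still says "admin", the old name will keep appearing on your posts, which rather defeats the point of the exercise, so change it from the profile screen afterwards.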
5:40 pm
May 2nd, 2009
Alex, there are a couple of other methods to reset the WordPress password. I have covered one of them here http://mwolk.com/blog/reset-wordpress-password-using-phpmyadmin-and-mysql/ since for me the mail function wasn't working either!
6:04 pm
May 2nd, 2009
Hey Abhimanyu,
Thanks for the pointer :)
You’ve actually reminded me of another handy little tool for emergency password recovery:
http://www.village-idiot.org/archives/2007/05/22/wp-emergency-password-recovery/
This has come in handy once or twice for a quick and remarkably simple way of doing things if you’re scared of editing databases etc.
Cheers,
Alex
5:18 am
October 9th, 2009
[...] Increasing your WordPress Security – PixelPipes [...]
12:37 pm
January 2nd, 2010
Hi Alex
Always eager to read articles on WordPress security.
I’ve heard of the Admin Username and Password change for increased security but the “Secret keys” are new to me.
My WP-config has the secret keys filled in, but should they be changed from time to time to increase security?