Tyreano.com

WordPress Security: How To Protect Your WordPress Installation From Hackers

There are a few simple steps you can take to protect every WordPress installation that you set up. But why worry about security?

This is why:

Two of my WordPress blogs have been hacked in the past. That was at a time when I was doing very little internet marketing, and until I found time to address the situation (months later), these sites were penalized in search engines. They were not removed, but their rankings were lowered.

I fixed it in the end, but not for several months. For a good amount of time, I didn’t even realize there was a problem.

The result? I estimate I lost a couple hundred pounds of advertising revenue.

Much of WordPress security is just common sense. Are you using a strong password? Are you using a different password for each website?

For years, I didn’t do that. I had three or four passwords that I reused everywhere. But there are two ways you can always generate a good, strong password for every site you sign up for. (Of course, this includes your WordPress blogs.)

The weakest (but still pretty good) approach is to start with a common password; add some numbers that you will probably remember, like the house number of your first address; then add the first, say, five letters of the domain name. For example, if the password you started with was reindeer230 and you were signing up for a site called example.com, it would become reindeer230examp. That is a pretty strong password. This technique protects against dictionary attacks, in which an attacker repeatedly tries to log into your account using English words, words from other languages, names, and so on.

The most robust approach, and the one I personally recommend, is to use one of the password generation and storage plugins available for your browser. Many people like RoboForm, but I think that after a free trial period you have to pay for it. I use the free version of LastPass and recommend it for those who use Internet Explorer or Firefox. It generates strong passwords for you; you then use a single master password to log in.

Now we dive into WordPress-specific steps. Whenever you install WordPress, you must edit the wp-config-sample.php file and rename it to wp-config.php. You enter the database details there.

There are a few other changes that you should make as well.

There is a section of wp-config-sample.php titled “Unique Authentication Keys”. It contains four definitions, and there is a hyperlink in the comment above them. Open that link in your browser, copy the content it returns, and replace the placeholder keys in the file with the unique, pseudo-random keys the site provides. This makes it difficult for attackers to forge a “logged-in” session cookie for your site.

The next step is to change the table prefix from the default “wp_”. This is set in the Database Table prefix section of the same file. It doesn’t really matter what you change it to; you can use alphanumeric characters, hyphens, and underscores. This should thwart so-called SQL injection attacks, where an attacker tricks WordPress into executing SQL of their choosing. Such code could, for example, add a new user with superuser privileges to your WordPress site.

Note that this last step is only straightforward for new installations. If you want to do it on an existing installation, you will also need to rename all the tables in the database to match.
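The wp-config.php steps above (database details, the authentication keys, and the table prefix) as one scripted pass, with a check that nothing was missed. This is an added example, not code from the article or from WordPress. It works on a constructed excerpt in the shape of wp-config-sample.php rather than the real file, and it generates the keys locally with Python's `secrets` module instead of pasting the output of the WordPress secret-key page (https://api.wordpress.org/secret-key/1.1/salt/, which is where the article's hyperlink leads); either source is acceptable to WordPress as long as the values are long and random. The prefix check follows the rule stated in wp-config-sample.php itself, which asks for numbers, letters and underscores only. Current WordPress releases define eight values (four keys and four salts); the article's "four definitions" refers to the keys alone, and the code handles whichever of the eight are present.

```python
import re
import secrets
import string

# Constructed excerpt in the shape of wp-config-sample.php; it is not a copy of
# the real file, only the lines the hardening steps touch.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );

define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

$table_prefix = 'wp_';
"""

PLACEHOLDER = "put your unique phrase here"
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)',\s*'([^']*)'\s*\);")
PREFIX_RE = re.compile(r"^\$table_prefix\s*=\s*'([^']*)';", re.MULTILINE)
# wp-config-sample.php asks for numbers, letters and underscores only in the prefix.
PREFIX_OK = re.compile(r"^[A-Za-z0-9_]+$")
# Characters that are safe inside a PHP single-quoted string (no quote, no backslash).
KEY_ALPHABET = string.ascii_letters + string.digits + "!#%&()*+,-./:;<=>?@[]^_{|}~"


def random_key(length=64):
    """Locally generated stand-in for one value from the WordPress secret-key page."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def php_single_quoted(value):
    """Escape a value so it can sit inside a PHP single-quoted string."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def audit_config(text):
    """Return a list of findings; an empty list means the checked items all pass."""
    findings = []
    defines = dict(DEFINE_RE.findall(text))
    for name in KEY_NAMES:
        if name in defines and defines[name] == PLACEHOLDER:
            findings.append(f"{name} still has the placeholder value")
    # Each key and salt must be distinct: the same value pasted eight times is a mistake.
    values = [defines[n] for n in KEY_NAMES if n in defines and defines[n] != PLACEHOLDER]
    if len(values) != len(set(values)):
        findings.append("two or more keys/salts share the same value")
    m = PREFIX_RE.search(text)
    if m is None:
        findings.append("$table_prefix not found")
    elif m.group(1) == "wp_":
        findings.append("$table_prefix is still the default 'wp_'")
    elif not PREFIX_OK.match(m.group(1)):
        findings.append(f"$table_prefix {m.group(1)!r} contains characters WordPress rejects")
    return findings


def harden_config(text, prefix, db):
    """Fill in the DB_* details from `db`, replace every placeholder key with a fresh
    random value, and set the table prefix. Returns the new wp-config.php contents."""
    if prefix == "wp_" or not PREFIX_OK.match(prefix):
        raise ValueError("prefix must differ from 'wp_' and use only letters, digits, underscores")

    def replace(m):
        name, value = m.group(1), m.group(2)
        if name in db:
            return f"define( '{name}', '{php_single_quoted(db[name])}' );"
        if name in KEY_NAMES and value == PLACEHOLDER:
            return f"define( '{name}', '{random_key()}' );"
        return m.group(0)  # any other define is left untouched

    text = DEFINE_RE.sub(replace, text)
    return PREFIX_RE.sub(f"$table_prefix = '{prefix}';", text)
```

Run `audit_config` on the finished wp-config.php before uploading it: an empty result means no placeholder key survived and the prefix was changed; anything else names the line still to fix.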

Next, installing the WordPress Security Scan plugin will verify most of this for you and alert you to anything that has been missed. It will also tell you that there is a user named “admin”. Of course, that’s your administrative username. You can follow a link and find instructions to change that name, if you want. Personally, I think a strong password is good enough protection, and since following these steps there have been no successful attacks on the many blogs that I run.

Finally, the security scan will also tell you that there is no .htaccess file in the wp-admin/ directory. You can put an .htaccess file in this directory if you want, and you can use it to control access to the wp-admin directory by IP address or address range. Details of how to do this are available on the web.

However, I recommend that you install the Login LockDown plugin instead of any access control. It blocks login requests from a given IP address for an hour after three failed login attempts. With that in place you can still reach your admin panel while you’re out of the office, and you still have good protection against hackers.
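The two controls compared above, the wp-admin/.htaccess address allow-list and a Login LockDown-style lockout, modelled side by side so you can see what each does to a given client before deploying it. This is an added example; it is not code from the article, from Apache, or from the Login LockDown plugin. The `.htaccess` text it renders uses Apache 2.4 `Require ip` syntax, and the office range and the login log are constructed from RFC 5737 documentation addresses. The lockout follows the article's description (three failures from one address, blocked for an hour); the five-minute window within which the three failures must fall is an assumption made here, not a figure from the article or the plugin's own setting.

```python
import ipaddress
from datetime import datetime, timedelta

# Hypothetical office address range for the wp-admin/.htaccess allow-list (constructed).
OFFICE_NETWORKS = ["203.0.113.0/24"]


def render_htaccess(networks):
    """Render an Apache 2.4 allow-list for wp-admin/, validating every entry first."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]  # ValueError on junk
    body = "\n".join(f"    Require ip {n}" for n in nets)
    return f"<RequireAny>\n{body}\n</RequireAny>\n"


def htaccess_allows(client_ip, networks):
    """Would the allow-list admit this client? Use it to confirm you cannot lock yourself out."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


# Lockout rule as the article describes Login LockDown: three failed attempts from one
# address block that address for an hour. FAILURE_WINDOW is this example's assumption.
FAILURES_TO_LOCK = 3
FAILURE_WINDOW = timedelta(minutes=5)
LOCK_DURATION = timedelta(hours=1)


def at(hour, minute):
    """Timestamp helper for the constructed log (all on one day)."""
    return datetime(2024, 5, 1, hour, minute)


# Constructed login log: (timestamp, client address, login succeeded?)
ATTEMPTS = [
    (at(10, 0), "198.51.100.7", False),
    (at(10, 1), "198.51.100.7", False),
    (at(10, 2), "198.51.100.7", False),   # third failure: locked until 11:02
    (at(10, 5), "192.0.2.25", False),     # the blog owner, away from the office, one typo
    (at(10, 6), "192.0.2.25", True),
]


def lock_expiry(client_ip, now, attempts=ATTEMPTS):
    """Return when the current lock on client_ip ends, or None if it is not locked at `now`."""
    failures = sorted(t for t, ip, ok in attempts if ip == client_ip and not ok and t <= now)
    for i in range(FAILURES_TO_LOCK - 1, len(failures)):
        third, first = failures[i], failures[i - (FAILURES_TO_LOCK - 1)]
        if third - first <= FAILURE_WINDOW and now < third + LOCK_DURATION:
            return third + LOCK_DURATION
    return None


def lockdown_blocks(client_ip, now, attempts=ATTEMPTS):
    return lock_expiry(client_ip, now, attempts) is not None


def locked_addresses(now, attempts=ATTEMPTS):
    """Addresses currently locked out: a quick view when reviewing the login log."""
    return sorted({ip for _, ip, _ in attempts if lockdown_blocks(ip, now, attempts)})


def admin_reachable(client_ip, now):
    """Compare both controls for one client: (allowed by .htaccess, blocked by lockdown)."""
    return htaccess_allows(client_ip, OFFICE_NETWORKS), lockdown_blocks(client_ip, now)


if __name__ == "__main__":
    print(render_htaccess(OFFICE_NETWORKS))
    print("owner on the road:", admin_reachable("192.0.2.25", at(10, 30)))
    print("locked now:", locked_addresses(at(10, 30)))
```

For the owner connecting from 192.0.2.25 the result is (False, False): the allow-list would shut them out of wp-admin, while the lockout lets them in because a single typo is not three failures. The address that failed three times in two minutes stays locked until 11:02 and drops off `locked_addresses` after that.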
