Start learning with our library of video tutorials taught by experts. Get started
Viewers: in countries Watching now:
This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
As the world's most popular blogging software, WordPress is a huge target for malicious scripts, hacks, and spam. One of the best ways to secure your WordPress database is to change the default table prefix. In this screencast, we see how to do this quickly and easily during the WordPress installation process. Let's go to the WordPress database, as seen through phpMyAdmin. WordPress prefixes each of its tables with wp_. WordPress tables that use this default value are heavily targeted by bad bots and malicious scripts.
So by changing the default prefix to something unique, you'll effectively immunize your database against such automated attacks. The easiest and recommended method of changing the default prefix happens before the installation process. Before submitting this setup page, go to your FTP/file editor and open the WordPress configuration file/ Scroll down to right here, where it says WordPress Database Table prefix. Here is the default prefix wp_.
Changing this prefix to anything different is going to work just fine, and it's perfectly safe to include wp_, as long as that's not the entire prefix. But even so, here are three helpful tips for customizing your own database prefix. First, begin the prefix with wp_ so the tables appear in order among other tables that are added by plug-ins and themes. In the middle here, pick any sequence of random alphanumeric characters, and then finally, end the prefix with an underscore so that the actual table names--for example, posts, users, meta, and so forth--stand out and are easily recognizable.
Let's return to the FTP/file editor and put this strategy into practice. Following these tips, we will use wp_s3CUr3_ as the new prefix. So we now simply save the file and upload it to the server, and at this point WordPress is ready to install as usual. So let's return to the browser and complete the installation so that we can go to the database and look at our custom prefix in place.
And we add our email, and we do not want our demo site to appear in the search engines. So we click Install WordPress and it says, "Success! WordPress has been successfully installed." So let's return to phpMyAdmin and refresh the database to take a look. As we can see, everything looks great. All of over tables are now prefixed with the default wp_s3Cur3_ for each table. We're all set.
Note that if you've already set up WordPress and want to change the default prefix, it's still possible, but beyond the scope of this tutorial. For an excellent step-by-step guide, check out my post at Digging Into WordPress. Either way of changing the database prefix is fine, but setting up custom prefixes during the installation process is much easier. The point is that by using something other than the default prefix, you'll protect your database from a majority of automated attacks. In this screencast, we've seen how trivial it is to do this for new sites, a a prime example of how a few seconds upfront can save you countless hours of stress and frustration down the road.
There are currently no FAQs about WordPress 3: Developing Secure Sites.
Access exercise files from a button right under the course name.
Search within course videos and transcripts, and jump right to the results.
Remove icons showing you already watched videos if you want to start over.
Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.