Best Practices for Keeping WordPress Clean & Secure

Updating your Database Prefix

Each installation of WordPress uses a short prefix for its database tables, so whenever you generate a new database for your website the tables will be created as wp_tablename. If somebody gains access to your database, or to a shell on your server, those predictable names make it all too easy to pull down that data.

However, if you have created your own custom prefix then it is much less likely anything could happen. This all assumes somebody could remotely gain access to MySQL, but it’s not an idea you should totally overlook. Keep in mind this step should be applied when you first install WordPress – or you can go through and update the settings in your Admin panel, but this may cause issues with already-existing plugins. Best to do this right away if possible.

Customize the Default Comments

By default WordPress will allow anybody to comment on your blog posts if your theme includes the comment form. The problem is that so many people target WordPress blogs to gain backlinks in the comments area. Just setting up a blank website and letting it sit there is practically begging for trouble.

One security tip you can follow is to limit how long the discussion on a post stays open. I will often set up newer posts to close the comments area after a certain amount of time – 1 week, 1 month, 3 months, whatever works best. This will keep your comments area uncluttered when you go back to revisit articles 1-2 years old.
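WordPress can do this itself from Settings → Discussion (“Automatically close comments on posts older than N days”), which sets the `close_comments_for_old_posts` and `close_comments_days_old` options. The following is an added example, not code from the original post: a must-use plugin that applies the same rule through the `comments_open` filter so the cutoff can differ per post type (the 90-day/30-day figures and the `mu-plugins` placement are assumptions for illustration).

```php
<?php
/**
 * Plugin Name: Auto-close stale comments (illustrative mu-plugin)
 * Description: Closes comments on posts once they reach a per-post-type age.
 *
 * Place in wp-content/mu-plugins/ so it loads without activation.
 * The day counts below are example values, not a recommendation from the post.
 */

// Maximum comment lifetime per post type, in days. Post types not listed here keep
// whatever the per-post "Allow comments" checkbox says.
function acsc_max_age_days(string $post_type): ?int {
    $limits = [
        'post' => 90,   // blog articles: three months
        'page' => 30,   // static pages rarely need discussion at all
    ];
    return $limits[$post_type] ?? null;
}

// comments_open() passes ($open, $post_id). Return false to close the form and
// reject new submissions; WordPress checks this on both display and wp-comments-post.php.
add_filter('comments_open', function (bool $open, int $post_id): bool {
    if (!$open) {
        return false; // already closed by the author; never reopen
    }

    $post = get_post($post_id);
    if (!$post) {
        return $open;
    }

    $max_days = acsc_max_age_days($post->post_type);
    if ($max_days === null) {
        return $open;
    }

    // Compare against the GMT publish time so the result does not shift with the site timezone.
    $published = (int) get_post_time('U', true, $post);
    $age       = time() - $published;

    return $age < $max_days * DAY_IN_SECONDS;
}, 10, 2);
```

Because the check runs on every `comments_open()` call rather than rewriting `comment_status` in the database, no post is modified and removing the file reopens nothing retroactively: comments simply follow the author's original setting again.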

But you should also consider grabbing an Akismet API key if you want to use the standard WordPress comments system. Akismet is one of the best spam protection services you can have, and the plugin comes bundled with every copy of WordPress. Unfortunately, its premium tiers are now paid-only, so this route may wind up costing you some money.

Alternatives for User Discussion

Many webmasters I’ve asked have said they are getting fed up with the spam on WordPress blogs. This doesn’t happen overnight, but it’s not uncommon to find yourself racking up loads of new comments very quickly. On my newer projects I don’t often use the normal system and have instead switched over to Disqus.

Their open source plugin for WordPress is phenomenal, to say the least. You create an account with Disqus and tie your API key to your website, which lets you moderate or delete comments right from the WordPress backend. Plus, by now so many people use Disqus that it’s commonplace for your visitors to already have an account to post with.

A couple of benefits include threaded comment support, quick signup/login links, and user voting. It’s possible to sort comments by newest, oldest, and even top rated. Disqus is simply the most open discussion system and also the safest to have running on your blog. Before giving up on comments entirely I would highly recommend installing Disqus for a test ride.

Disable wp-config.php Access

Anybody who attempts to view or download your wp-config.php file is obviously up to something malicious. This file holds your database name, along with the database username and password combination. That information is extremely sensitive and absolutely nobody should have access to it.

The best way to combat this is to deny all web access to your configuration file. This can be done with a couple of lines inside your .htaccess file. Alternatively you may be interested in WP htaccess Control, a plugin designed specifically for editing this file.

For non-technical users this solution is a lot easier because you won’t need to FTP into the server at all. Just search & install in your Admin plugins page, then edit your file right on the backend.
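The .htaccess lines the section refers to look like this. This is an added example, not text from the original post or from the WP htaccess Control plugin; it assumes Apache with `AllowOverride` permitting `Limit` and `AuthConfig` directives in the WordPress root, and covers both the 2.4 (`Require`) and 2.2 (`Order`/`Deny`) access-control syntax so the same file works on either.

```apache
# Block direct web requests for wp-config.php. Normally PHP executes the file and
# returns nothing, but if the PHP handler is ever misconfigured the raw source
# (and the database credentials in it) would be served as plain text.
<Files wp-config.php>
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Editors and backup tools often leave copies such as wp-config.php~ or
# wp-config.php.bak, which Apache serves as text. Deny those too.
<FilesMatch "^wp-config\.php(~|\.(bak|old|orig|save|swp|txt))$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

To confirm the rule is in effect, request the file from outside (for example `curl -sI https://your-site.example/wp-config.php`) and check that the response status is 403 rather than 200.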

Limit User Login Attempts

Another problem I’ve run into is noticing hundreds of new subscribers join the site in rapid succession. This is usually a parade of spam accounts, and they eat up storage space inside your database.

To clean out and put a stop to this garbage I recommend SABRE. This stands for Simple Anti-Bot Registration Engine and it’s completely free to use on any WordPress site. It should keep the issue at bay, after which you can go through the database and clear out the pointless accounts already there.

One related issue you may face is a flood of login attempts against the website at once. Check out this login limit plugin, which you can install and customize to your own settings. It will lock users out of the site after a series of failed attempts, and you can set the lockout to last just a few minutes or even hours.
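To show what a login limit plugin is doing under the hood, here is an added example of the mechanism, not the code of the plugin the post links to or of any other project. It counts failed logins per client address in a WordPress transient and refuses further attempts once a threshold is reached; the threshold (5 attempts), window (15 minutes) and the `mu-plugins` placement are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Failed-login throttle (illustrative mu-plugin)
 * Description: Locks out a client address after repeated failed logins.
 *
 * Place in wp-content/mu-plugins/. Values below are example settings, not
 * recommendations from the post.
 */

define('FLT_MAX_ATTEMPTS', 5);                       // failures allowed per window (assumed)
define('FLT_WINDOW', 15 * MINUTE_IN_SECONDS);        // counting window and lockout length (assumed)

// Transient key for the connecting client. REMOTE_ADDR is used on purpose:
// X-Forwarded-For is attacker-controlled unless a trusted reverse proxy rewrites it,
// and honouring it blindly would let a client pick its own bucket.
function flt_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'flt_fail_' . md5($ip);
}

function flt_failure_count(): int {
    return (int) get_transient(flt_client_key());
}

// Fires after WordPress rejects a username/password pair.
add_action('wp_login_failed', function ($username) {
    $count = flt_failure_count() + 1;
    // Re-setting the transient restarts the window, so the lockout is FLT_WINDOW
    // from the *last* failure, which is what most limiter plugins do.
    set_transient(flt_client_key(), $count, FLT_WINDOW);

    // A log line per failure gives you something to alert on; the password is never logged.
    error_log(sprintf(
        'wp_login_failed ip=%s user=%s count=%d',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        sanitize_user((string) $username),
        $count
    ));
});

// Runs at priority 30, after the core username/password check (priority 20), so a
// locked-out client is refused even if the credentials are now correct.
add_filter('authenticate', function ($user, $username, $password) {
    if (flt_failure_count() >= FLT_MAX_ATTEMPTS) {
        return new WP_Error(
            'flt_too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function () {
    delete_transient(flt_client_key());
});
```

Two limits of this approach worth knowing before relying on it: transients live in `wp_options` (or the object cache if one is configured), so under heavy load two simultaneous failures can race and both read the same count; and keying on the client address only throttles one source at a time, so it slows down a single noisy client but does not stop attempts spread across many addresses. The plugin route the post recommends adds the per-user and whitelist handling this sketch leaves out.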
