Hopefully you have your WordPress site a little more secure after reading my advice in an earlier post about the Admin privileges.
Now I want to tell you about another little trick for making your site hard on hackers. This little tidbit is something that you do before you load WordPress. So if you already have WordPress up and running, then you might want to keep this in mind for your next site.
I’ve been told that most criminals strike at areas of opportunity. For example, a car thief will hit a parking lot and find the unlocked car. Or a home burglar will go through a neighborhood looking for an empty house with an unlocked garage or open back door.
This is one of the reasons that I almost always put the Club on my steering wheel when I park my car. Even though a thief can break through the Club fairly easily when he has the correct tools, I still use the device. But I’m betting that seeing the Club in place will make him go on to the next vehicle.
And this is a little like hackers. They strike at the weakest sites. We want to make our sites a little more difficult to hack than the next guy. When you are in a group of people running from an angry grizzly bear, you don’t have to be the fastest runner; you just have to run faster than one other person.
We are going to learn how to hide our WordPress database.
Now, this isn’t fool-proof. The database is not completely out of sight. But it is doubtful that one of the hacker’s evil bots will find it.
Your fans, your site visitors, will still be able to get to your site just as always with your standard domain name. But the database will not be in the place where most WordPress users place theirs.
Before we begin, I want to tell you that I direct most of my clients to a hosting service called HostGator. I know, many of you ask me “why don’t you host the sites yourself?” but to be honest, at this point, I just don’t want to have to manage the servers. For a very reasonable price, you can place your website on HostGator’s servers and this works well until you get big enough that you need dedicated servers.
These instructions are targeted to the WordPress user who is hosting his site on a third-party server. If you have your own server, this process will work equally well, but you will have to know about your own environment.
Here we go. First, log in to your server account and bring up your cPanel screen.
Find your File Manager icon and click to get to the File Manager.
Find the root directory of your domain. This is normally something like /public_html/domainName/
Open this directory.
Now, create a new sub-directory under this directory and call it something obscure and funny. (It doesn’t have to be funny, but why not?) For example, you could name your new directory marchmadnessfinalfour as long as your website is not about basketball.
It is in this new directory that you want to install WordPress. Using SimpleScripts or some other software that your hosting company provides, install WordPress.
Once installed, move the index.php file to the website root directory. (I know that I call these directories while you might know them as folders. But long ago, when I was programming on big IBM computers, we called them directories. And old habits, well, what can I say…)
If your installation of WordPress has the .htaccess file, move it as well.
You are almost done.
In order to be able to use the index.php file, you need to open it up and change one little line. So open the file in edit mode, find the line of code that says
change it to the following (substituting your directory name):
and then save the changes.
You’re done! That’s all there is to it! Visitors can still get to your site in the normal manner by typing in www.yourdomainname.com. But your database is safely tucked away in a directory only you know.
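For readers with shell access instead of the File Manager, the move-and-edit steps above can be scripted. This is an added example, not part of the original post; it assumes the stock index.php loads wp-blog-header.php in one of the two forms noted in the comments, and the function name `relocate_index` is hypothetical.

```shell
#!/bin/sh
# Added example: move index.php (and .htaccess) from the WordPress
# subdirectory to the site root and repoint the loader line.

# relocate_index DOCROOT SUBDIR
#   DOCROOT  site root, e.g. /public_html/domainName (assumed layout)
#   SUBDIR   the obscure directory WordPress was installed into
relocate_index() {
    docroot=$1
    subdir=$2

    # Accept one plain directory name only (no slashes, dots or quotes),
    # so it is safe to splice into the PHP source and the sed script.
    case $subdir in
        ''|*[!A-Za-z0-9_-]*) echo "bad directory name: $subdir" >&2; return 2 ;;
    esac

    src=$docroot/$subdir/index.php
    dst=$docroot/index.php
    [ -f "$src" ] || { echo "missing $src" >&2; return 3; }
    if [ -e "$dst" ]; then echo "refusing to overwrite $dst" >&2; return 4; fi

    # Stock index.php loads wp-blog-header.php in one of two spellings:
    #   require('./wp-blog-header.php');           (older releases)
    #   require __DIR__ . '/wp-blog-header.php';   (newer releases)
    # Insert the subdirectory in front of the file name in either form.
    sed -e "s#'\./wp-blog-header\.php'#'./$subdir/wp-blog-header.php'#" \
        -e "s#__DIR__ \. '/wp-blog-header\.php'#__DIR__ . '/$subdir/wp-blog-header.php'#" \
        "$src" > "$dst.tmp" || return 5

    # Fail closed if neither form matched (customised or unexpected file).
    if ! grep -q "/$subdir/wp-blog-header\.php'" "$dst.tmp"; then
        rm -f "$dst.tmp"
        echo "loader line not found in $src" >&2
        return 6
    fi
    mv "$dst.tmp" "$dst" && rm -f "$src"

    # Move .htaccess too when the install created one.
    if [ -f "$docroot/$subdir/.htaccess" ] && [ ! -e "$docroot/.htaccess" ]; then
        mv "$docroot/$subdir/.htaccess" "$docroot/.htaccess"
    fi
    return 0
}
```

Call it as `relocate_index /public_html/domainName marchmadnessfinalfour`; it leaves the site root untouched if the loader line is not recognised.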
You will have to use this new directory to get to the backend of your site. You will type something like
and then log in as usual.
Here are two more important points. The first is that you need to make sure that your WordPress settings are correct so that WordPress can find your subsequent pages. You should click on the Settings item in the Dashboard, and then click on General. In the line that states WordPress Address, you should input the actual URL where you installed WordPress. Following our example, it would be
and in the line that states Blog Address, you would enter
The other point is about the level of security that this provides. If someone really wants to know where your site resides, they can look at the underlying code and see the sub-directory. But that's not the point of this security tip. Here, we are trying to make it more difficult for those terrible little bots that are created by internet terrorists. Normally, if the bot cannot find your underlying database in the root directory, it will move on to the next site.
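To see how much the rendered pages give away, as the paragraph above warns, you can run your own saved homepage HTML through a small check. This is an added example, not from the original post; the function names and the sample HTML are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the directory prefixes that a page's own asset
# links disclose for the WordPress install.

# Read HTML on stdin; print each distinct URL path prefix that precedes
# /wp-content/ or /wp-includes/ in href/src attributes ("/" = site root).
wp_install_prefixes() {
    grep -oE "(href|src)=[\"'][^\"']*/wp-(content|includes)/" |
        sed -E -e "s/^(href|src)=[\"']//" \
               -e 's#^https?://[^/]+##' \
               -e 's#/wp-(content|includes)/$##' \
               -e 's#^$#/#' |
        sort -u
}

# install_dir_disclosed SUBDIR < page.html
# Exit status 0 when the page's links reveal SUBDIR as the install directory.
install_dir_disclosed() {
    wp_install_prefixes | grep -qxF "/$1"
}

# Constructed sample of what a theme typically emits after the relocation.
sample_home_html() {
    cat <<'EOF'
<link rel='stylesheet' href='http://www.yourdomainname.com/marchmadnessfinalfour/wp-content/themes/example/style.css' />
<script src="http://www.yourdomainname.com/marchmadnessfinalfour/wp-includes/js/jquery/jquery.js"></script>
<a href="http://www.yourdomainname.com/about/">About</a>
EOF
}
```

Running `sample_home_html | wp_install_prefixes` prints `/marchmadnessfinalfour`, which is why this tip only helps against bots that probe the default location and should not replace strong passwords and updates.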
I will touch on some other security issues from time to time. But if you really want to make your site secure, you should purchase and read Wordpress Defender by John Hoff. The last time I checked, the book was only $39 and is well worth the price. You will literally kick yourself if your site is hacked and then you realize that you could have prevented all of the pain for just $39.