To improve WordPress security with little effort, we will install three plugins in a series of thirty-six clicks, all inside the WordPress Administrative Panel.
Should catastrophe strike, restoring the site to its previous state will take a few more clicks, instead of the time and money it would cost to rebuild the site from scratch (if that were even possible).
Simple WordPress Security Background
Some years ago we set up a WordPress site that we considered secure, with regular automatic backups written to a folder on the same server. Our client was happy with the setup and we merrily went on to build many more websites with WordPress.
During the Christmas season of 2011, the host this client was with had their server hacked. The result: the entire website was gone, including the database as well as the backups that were stored in the folder on the server. To make it worse, the host was unable to restore their own backup. We had to redo the entire site (and a few others on the same server).
What we’ll be aiming for at the end of this tutorial is a WordPress installation that is not vulnerable to the problem our client experienced: the backups live off the web server, so a compromise of the host does not destroy the site and its backups together, and the installation itself is hardened against the common, low-effort attacks. We will achieve this with plugins whose options do the work automatically for us. Of course we don’t want to pay money for this if we can help it, so we will be using absolutely free tools, which can be upgraded to paid versions should the need arise.
Please note that this tutorial presumes that WordPress is already installed.
Simple WordPress Security Requirements
What we’ll need:
- WordPress (either already installed, or installed via FTP, SimpleScripts, the Fantastico/Softaculous/Installatron package included in your hosting control panel, or another service).
- Better WP Security Plugin (also available at WordPress.org) (no download needed; we will install it from within WordPress)
- Sucuri SiteCheck Malware Scanner Plugin (no download needed; we will install it from within WordPress)
- CodeGuard Plugin (download the .zip beforehand; we will upload it)
- An e-mail address to create a login at the CodeGuard site
Simple WordPress Security Procedure
Having downloaded the CodeGuard plugin and logged into the WordPress installation we will be working on, we can proceed to install the required plugins. We will first install all three plugins, then go through the options for each. For the purpose of this tutorial, we created a demo site from which we took screenshots to illustrate each step.
Firstly, we will select the “Add New” option under “Plugins” in the Administrative Panel.

The next screen displays a search box. We will search for “Better WP Security,” which will be the first plugin we will install.

In the results returned, “Better WP Security” is the first option returned, so we can simply click “Install Now” to let the WordPress magic happen.

We are presented with the option to either install the plugin or cancel the installation. Select “OK” to continue installation.

WordPress downloads the plugin to a temporary folder, unzips the archive and installs the files to the proper plugin folder all by itself. All we have to do is to select “Activate Plugin”.

Once activated, we are returned to the “Plugins” screen. From here, we want to select the “Add New” option at the top of the page next to the heading “Plugins” to continue installing the next plugin.

The next screen displays the search box again. We will search for “Sucuri,” which will be the second plugin we will install.

In the results returned, “Sucuri SiteCheck Malware Scanner” is the first option returned, so we can simply click “Install Now” to let the WordPress magic happen again.

We are again presented with the option to either install the plugin or cancel the installation. Select “OK” to continue installation.

WordPress downloads the plugin to a temporary folder, unzips the archive and installs the files to the proper plugin folder all by itself. All we have to do is to select “Activate Plugin”.

Once activated, we are returned to the “Plugins” screen again. From here, we want to select the “Add New” option at the top of the page next to the heading “Plugins” to continue installing the next plugin.

This time, we want to select the “Upload” option to upload the CodeGuard Plugin we previously downloaded.

We are presented with a file upload box with the option to browse for a .zip file.

Once we have selected “Browse…”, we are taken to the file explorer to select a file. We need to find where we have downloaded the plugin to, then select the file and select “Open”.

Once “Open” has been selected, we are returned to WordPress, where we need to select the “Install Now” option.

Upon selecting the “Install Now” option, WordPress uploads the plugin to a temporary folder, unzips the archive and installs the files to the proper plugin folder all by itself. All we have to do is to select “Activate Plugin”.

We have now installed all the plugins we require to secure our WordPress site. CodeGuard requires that we create a user account to enable remote backup of our WordPress site. They have made the process extremely simple for us: all we have to do is enter an e-mail address, right where we are now in the “Plugins” section of the Administrative Panel.
Once we’ve entered the e-mail address and selected “Go,” CodeGuard automatically sets itself up and starts with the first backup of our site.

CodeGuard also sends an e-mail to the address we entered, containing the username and password for their site, which we will need should we ever want to change settings or restore a backup. That account controls a complete copy of our site, so it is worth logging in once, setting a strong password of our own and deleting the message rather than leaving the credentials sitting in a mailbox.

Back in WordPress, we want to select the “Security” option on the Administrative Panel menu.

The “Security” page presents us with two options: “Create Database Backup” and “No, thanks, I already have a backup.” CodeGuard has probably not finished the first backup of our site yet, but it is busy doing so, so we can select “No, thanks, I already have a backup.” If the CodeGuard confirmation e-mail has not arrived by the time we reach the table-prefix change further down, take the offered database backup first rather than proceeding without one.

The next page presents us with the options to “Allow the plugin to change WordPress core files” or “Do not allow this plugin to change WordPress core files.” The files in question are the configuration files .htaccess and wp-config.php. If we were to select “Do not allow this plugin to change WordPress core files,” we would have to make those changes ourselves by downloading the files through FTP, editing them and uploading them again. Doing it by hand is (arguably) “safer,” but we are trusting this plugin with everything else relating to our security, so we will trust it with these files as well; keeping an FTP copy of both files before continuing costs nothing and lets us revert if a change locks us out.
We will select “Allow the plugin to change WordPress core files,” thereby saving ourselves some time and hassle.

The next screen presents us with the option to “Secure My Site From Basic Attacks”. We will select this option and let “Better WP Security” do most of the hard work for us.

Once completed, we are returned to the “Security” section Dashboard. Some items will be blue, some orange and some red. Blue items indicate secure settings, or settings that are optional to increase security. Orange items indicate somewhat secure settings which should be improved. Red items indicate items that require urgent attention.

Our only red item is number 5: “Your table prefix should not be wp_” with an option next to it displaying “Click here to rename it.” We will select this option. Be clear about what this buys: a non-default prefix makes table names harder to guess, which frustrates canned attack scripts, but it does not fix a SQL injection flaw, since an injected query can simply read the real table names from information_schema. It is a minor obstacle, not protection.

Our next screen presents the option to “Change Database Table Prefix”. We will select this option.
There is a warning to back up the database before we use the tool. Heed it: the tool renames every table and rewrites the option and user-meta keys that embed the prefix, and if it fails halfway the site will not load. Only proceed once you have received the confirmation e-mail from CodeGuard that your initial backup has completed (or have taken the database backup offered earlier).

After “Change Database Table Prefix” has been selected, we are returned to the same screen with confirmation at the top that the “Database Prefix Changed” and information at the bottom stating what the table prefix has been changed to. It is not necessary to make a note of this: the plugin writes the new value into the `$table_prefix` line of wp-config.php, where we can always look it up.
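What the “Change Database Table Prefix” button does under the hood, as an added example that is not the plugin’s own code: renaming the tables is the easy part; the rows whose keys carry the prefix (the `wp_user_roles` option and the `wp_capabilities`/`wp_user_level` user-meta keys) must be rewritten as well, or every user loses their role after the change. The script below generates that SQL for review from a list of table names and updates wp-config.php. The prefix `k9x_` and the table list are constructed for the demo; a real run would feed it the output of `SHOW TABLES`.

```shell
#!/usr/bin/env bash
# Added example: generate the SQL and config edit a table-prefix change needs.
# Not Better WP Security's code; the table list below is constructed.

# Usage: printf '%s\n' table1 table2 ... | gen_prefix_sql OLD_PREFIX NEW_PREFIX
# Reads table names (one per line) on stdin, writes SQL to stdout.
gen_prefix_sql() {
  local old="$1" new="$2" table base
  # In LIKE patterns '_' is a single-character wildcard, so escape it:
  # an unescaped 'wp_%' would also match keys starting with "wpx".
  local old_like
  old_like=$(printf '%s' "$old" | sed 's/_/\\_/g')
  while IFS= read -r table; do
    [ -z "$table" ] && continue
    # Skip tables without the old prefix (another site sharing the database).
    case "$table" in
      "$old"*) ;;
      *) continue ;;
    esac
    base="${table#"$old"}"
    printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "$base"
  done
  # Keys that embed the prefix must be rewritten too, otherwise the roles table
  # (wp_user_roles) vanishes from the options and users lose wp_capabilities.
  printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
    "$new" "$new" "$((${#old} + 1))" "$old_like"
  printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
    "$new" "$new" "$((${#old} + 1))" "$old_like"
}

# Usage: update_config_prefix /path/to/wp-config.php NEW_PREFIX
# Rewrites the $table_prefix line; WordPress must be told the new prefix too.
update_config_prefix() {
  local file="$1" new="$2"
  sed "s/^\(\$table_prefix[[:space:]]*=[[:space:]]*'\)[^']*'/\1${new}'/" "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file"
}

# Demo on a constructed table list (review the output before running it in
# MySQL, inside a transaction if the storage engine allows it).
printf '%s\n' wp_options wp_users wp_usermeta wp_posts | gen_prefix_sql wp_ k9x_
```

Apply the generated SQL and the wp-config.php edit back to back, with the site in maintenance mode; a prefix change that updates one but not the other leaves WordPress looking for tables that no longer exist.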
Once confirmed, we will return to the “Dashboard” option of “Security”.

At the “Dashboard” of “Security,” we could continue editing further items that need attention. Our site is considerably better off than a default installation at this stage, but could still be improved. Make sure to read all instructions contained in the plugin if you do decide to explore the options, as several of them (login lockouts, renaming the admin area) can lock you out if misconfigured.

Once we have made all the changes we require, we want to continue by selecting the “1-click Hardening” sub-option of the “Sucuri Scanner” option of the WordPress Administrative Panel menu.

We are taken to the “Sucuri 1-Click WordPress Hardening” section, where we find two hardening options. We will first protect the uploads directory by selecting “Harden it!” This adds an .htaccess rule to wp-content/uploads that stops the web server from executing PHP files placed there, so a script an attacker manages to upload through a form or a vulnerable plugin cannot be run.

Once complete, we are returned to the page, where the next improvement is deleting the readme.html file, which announces the installed WordPress version to anyone who asks for it. We will do this by selecting “Harden it!” Note that a core update recreates the file, so this item needs to be repeated after upgrades, and that the version also leaks through the generator tag and `?ver=` query strings; keeping WordPress updated is what actually removes the risk.

Once complete, we are returned to the page, where all options should show a green shield, indicating that it passes the Sucuri Security Audit.
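The two hardening items above, done by hand and verified, as an added example that is not Sucuri’s code: the deny rule is an equivalent of what the plugin writes, not a copy of its file, and it assumes Apache with `AllowOverride` permitting `.htaccess` files. The `audit_site` function fails until both items are in place, which makes it usable as a periodic check (for example after a core update has recreated readme.html).

```shell
#!/usr/bin/env bash
# Added example: manual equivalents of Sucuri's two 1-click hardening items,
# plus an audit. Not the plugin's code. Assumes Apache honours .htaccess.

# Usage: harden_uploads /path/to/wordpress
# Deny execution of PHP in the uploads tree: an uploaded file must never run.
harden_uploads() {
  local root="$1"
  mkdir -p "$root/wp-content/uploads"
  cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
# Block PHP execution in uploads (covers Apache 2.2 and 2.4 syntax).
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# Usage: remove_readme /path/to/wordpress
# readme.html states the installed WordPress version; core updates restore it.
remove_readme() {
  rm -f "$1/readme.html"
}

# Usage: audit_site /path/to/wordpress
# Returns 0 when both items are in place, 1 otherwise, printing what failed.
audit_site() {
  local root="$1" status=0
  if ! grep -qs 'FilesMatch' "$root/wp-content/uploads/.htaccess"; then
    echo "FAIL: uploads directory allows PHP execution"
    status=1
  fi
  if [ -f "$root/readme.html" ]; then
    echo "FAIL: readme.html present (version disclosure)"
    status=1
  fi
  [ "$status" -eq 0 ] && echo "OK: uploads protected, readme.html absent"
  return "$status"
}

# Run directly with the WordPress root as the only argument.
if [ -n "${1:-}" ]; then
  harden_uploads "$1"
  remove_readme "$1"
  audit_site "$1"
fi
```

On nginx the .htaccess file is ignored; the equivalent is a `location ~* ^/wp-content/uploads/.*\.php$ { deny all; }` block in the server configuration, and the audit would have to test an actual request to a planted .php file rather than look for the rule on disk.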

Simple WordPress Security Conclusion
In thirty-six clicks inside our WordPress installation we have saved ourselves a potentially tremendous amount of work by installing three plugins and setting their options: off-site backups that survive the loss of the server, a hardened configuration and a malware scanner. It is a tremendous improvement on the default WordPress security we had before. You may also be interested in our Advanced WordPress Security setup.

April 29th, 2012
David Fourie 