Keeping Your WordPress Site Safe From Hackers

When there are over sixty million people using a service there are bound to be people trying to take advantage of its vulnerabilities. The popularity of WordPress is awesome giving it a lot of support, plugins and features. That same popularity makes it a target for hackers. So how can you avoid and prepare to fight against the dangers of internet hackers?

When there are over sixty million people using a service there are bound to be people trying to take advantage of its vulnerabilities.

Preparing for war

I don’t have statistics or a background in crime, but I’d venture a guess that saying that most crimes are crimes of opportunity. Working at the University of Alabama we were cautioned that move in and move out days were the biggest days of risk because people would leave their doors open for ease which would result in them becoming the victim of theft. Likewise, a student stepped outside for a smoke, left his door unlocked and found all of his electronics had been stolen. WordPress hackers are going to be the same way. If you give them an open opportunity to harm you, they’ll gladly take advantage of it. So here’s some things you can do to lock some doors.

Change the defaults

There are several things the standard WordPress install comes with, which are going to be the very first thing hackers attempt to infiltrate. To use a metaphor, the WordPress defaults are like the front door or side window of your house, if a criminal sees it left wide open and knows no one is home they are free to walk right in.

Change the default username

The default username is ‘admin’ you can change this and you should! The admin account gives the user access to your entire website. The most common type of hack is a brute force attack; thus, the hacker will try the username admin with a program that guesses passwords until it gets the right one.

Delete the content WordPress came with

WordPress comes with a sample page, sample posts and comment, delete them. Also, change the default value of the ‘uncategorized’ category for your posts.

 Update WordPress and choose plugins wisely

If you speak with me about plugins in WordPress you may feel like I hate them. For the most part, that’s totally true. This is why: when you use a plugin you’re creating a dependency upon said plugin and putting faith that that plugin will not become the victim of a security fault. I suggest being very selective when installing a plugin, ensure you actually need it, then ensure it’s going to stay updated and maintained. Here’s the real danger with outdated and abandoned plugins: Anyone can download a plugin, and once you have you can view it’s source code, which may enable a hacker to find a vulnerability to exploit. If there’s no longer support for the plugin you could be left in the dark with a hacked site dependent upon something now that is killing your business. That being said, it’s up to you to keep your WordPress install up to date. You may think updates only add new features, but they also fix any security exploits the developers may have found. This is true with WordPress and plugins as well. Keeping your WordPress install and plugins up to date is like keeping food in your stomach; you can’t live without it. 

If you aren’t diligent enough to check and ensure your site is up to date at least once a week you need to have a professional host your site for you; you cannot afford not to.

 Choose a great hosting service, ask the right questions

If you’re hosting yourself, you need a quality hosting service. You want to ensure they’re doing their part to keep you safe. In addition, ask about backups. Should the worst happen you can revert to a backup and minimize damages. It’s important to find out the difference between “we backup daily,” and “we backup daily and allow you access to said backup”. Many hosts backup daily to cover their behinds incase of catastrophic server meltdown, but do not allow their clients access to these backups. This is also a huge advantage when someone makes a mistake and accidentally crashes your site.

Create a strong password

8Characters-300x213I once saw this image on Facebook. I question it’s authenticity; however, the message couldn’t be more spot on. The term “brute force attack,” which is the most common form of attack consist of repetitious guessing until success is achieved.  Some quick password tips:

  • Don’t write your password on a post it, and stick it to the underside of your keyboard.
  • Don’t use something the guy in the cubical next to you could guess
  • Use a combination of lower case and upper case letters
  • Use special characters
  • Make your password long, 8-16 characters

Ensure your admin account has a strong password, ensure your other passwords are secure as well. This includes your database password and your FTP password. If you don’t know what those are and you’re hosting your site, you need to find out!

Limit login attempts and destroy brute force attackers

There’s a WordPress plugin which I would encourage anyone to considered called Limit Login Attempts, which simply blocks a user’s IP from logging in once they have failed to login successfully a certain number of times. You can set up how you want this plugin to handle failures in a few ways, you can temporarily lock them out or put them on a blacklist, or do both. Most vulnerabilities I’ve listed here become exposed due to brute force attacking, Limit Login Attempts boasts the ability to combat that with effeciency. If you run a business, this plugin is free, but I strongly encourage you to donate to them so they stay in business and keep making this plugin better!

What Do You Think?