5 Tips To Protect Your WordPress Website From Hackers & Vulnerabilities
Millions of websites are built on WordPress (74,652,825 based on a quota check in 2014), and there’s a very good reason for that. WordPress is easy to use, implement, and navigate. From its famous 5 minute install to its easy administrative panel, WordPress makes the internet a wonderland of websites simple enough to be run by anyone who wants to have a voice. As a result, the website giant has quite the community, and a lot of users rely on the community as a whole (users, plugin makers, theme makers, et al) to keep it running smoothly.
That’s why when all WordPress sites were recently under threat of a security vulnerability, the community quickly rallied, and patches were immediately issued. Being one of the best sometimes means all of the worst are going to try and take you down, so having a strong community is key – but there are a lot of things that individual WordPress site owners can do to stay protected. Keeping your WordPress site secure requires a little work, a little ingenuity and a readiness to accept that ‘No one will ever hack me!’ is pretty much Murphy’s Law in disguise.
Here are 5 tips to protect your WordPress website and help you fend off hackers or recover from being hacked:
Tip #1 – Use Secure Usernames & Passwords
If your username is “admin” and your password is mysite2015! – get ready to be hacked.
Passwords need to be irrelevant to be secure. If you have a password that has anything to do with your site’s name, year founded, or yourself then you should change it right now because it’s not secure.
Passwords also need to be at least ten characters long, should contain UPPERCASE and lowercase letters, numbers and special characters (!@#$()%^&*). The length of the password is also key, more so than even the randomness of slapping the keyboard. The longer the password, the harder the hacker’s computer has to work at figuring it out. If you want to be extra secure and crafty, change your passwords on a regular basis – every couple months or so.
Usernames are equally important when trying to keep your site secure. Most WordPress.org sites have ‘admin’ as their default username, and leaving that default can make it easier for the hackers to get in. With that said, if/when you’re installing your site make sure you select a username that is more like a codename. Never use your email and try and avoid using your first or last name. (Bad Example: Sarah_C. Good Example: Cheez_Lover_13).
Here’s how to change your username if you’re using wordpress.com. And, here’s how you change it if you’ve got WordPress installed on your server.
Tip #2 – Always Install Updates
WordPress is a living, breathing organism that is constantly undergoing changes to stay on top of security issues, bugs and improved user experience. Not only is the content management system (CMS) itself constantly changing, but so are the millions of plugins that are built for the platform, which is why it is very important to regularly install available updates.
The WordPress download page can tell you what the latest version is, so if you’re on any earlier version, you need go hit the big blue update button immediately. Make sure you regularly login to ensure that you’re running the latest version, and don’t worry – updating WordPress is as easy as installing it, so take the five minutes (or less with an awesome server) and do it.
The same goes for plugins – plugins are third party bits of code that can help make your site amazing, but they can also act as little doors into your system by which hackers can orchestrate mayhem and chaos. (It’s very important to vet your plugins!) A good rule of thumb – if a plugin hasn’t been updated in awhile (more than a year), you should move on and try to find a new plugin with more recent, regular updates.
Occasionally the hack isn’t on your end but your server’s end, so if you get any emails from your hosting provider advising you to update – then update.
We can’t stress enough how important updates are. Schedule bi-weekly times to just check in and make sure your site is up-to-date. And remember, updating can sometimes break something else, so be sure to have our next tip running regularly too.
Tip #3 – Conduct Regular Backups
Backups are important for a couple of reasons.
- They’ll help you recover your system, files and database and put everything back to normal in case a hacker gets in there. And…
- It’s an important safety net in case updates break something on your website. It doesn’t happen often, but it does happen and since we’re running with a Murphy’s Law theme, let’s assume it will happen.
Perform backups weekly. If you don’t make many changes to your site, you can get away with bi-weekly or monthly, but have a schedule and don’t let it go too long. There are a bunch of plugins that can do backups for you – here are just a few:
- BackupBuddy! – costs money but can be well worth it depending on your site and what you’re wanting to keep backed up.
- Backup – this one is free and does a pretty nifty job.
Tip #4 – Limit Login Attempts & Use a Security Plugin
One of the biggest tricks in the hacker playbook is a Brute Force Attack – this is what usually cracks short passwords. To keep Brute Force Attacks at bay (besides having an awesome, random, LONG password), install a plugin that limits the amount of login attempts a certain IP address gets within a set time frame. Multiple failed login attempts will result in a ban on that IP for a specified amount of time.
Login Security Solution is an example of a plugin that can help with this. There are a lot of them out there, some more updated than others, so choose carefully.
You may also want to install a full-fledged security plugin like Sucuri or Wordfence. Some security plugins might already have a limit login attempt built-in, so you could opt for a plugin that does both. A security plugin is helpful because it can attempt to stop hacks in progress or, at the very least, notify you that they are happening. Some plugins offer different layers of protection, some are paid while others are free, but either way you should have one running.
Tip #5 – Keep An Eye Out
So how do you keep an eye out for a behind the scenes hack attempt? It’s not always easy, but here are a few things you (and your developer) can do:
- Regularly check your users. Make sure there aren’t any extra administrator users that you didn’t make – that’s the most obvious sign of a hacker.
- Regularly check your posts. If you see a post you didn’t write or didn’t authorize, you’ve been hacked; and then, check your users.
And, for your developer:
- Change your database password quarterly (more often if you have a lot of traffic). Note that your site will be down while you do this, so plan accordingly.
- View the source code on your website and look for any odd bits of code, like any links about Nike shoes, Gucci handbags or medicinal pills for various ailments.
- Look at your files in your FTP and if one has been recently modified and you didn’t modify it check it for hidden code.
- Most WordPress htaccess files shouldn’t be large in size – if yours is big, look at it – it’s probably loaded with hacker code.
- Same thing for index.php’s. If you view them and they don’t say ‘Silence is Golden’ or have obvious WordPress functions on them you’re probably looking at a hack.
- Anything with odd file types or names (.php5 or indonesia.php) is a hack.
- If your site suddenly has content on it that you didn’t put there, sprouts adds you didn’t authorize or has a new tagline: ‘look into your security bro :)’ – then you have been hacked.
Being hacked usually isn’t the end of the world, but you should be doing as much as you can to prevent it. It’s especially important to take precautions and stay on top of things since being hacked can actually lead to poor search rankings or to infecting your website visitors with malware. And don’t forget, you’ve got the entire WordPress community there to help.