Your WordPress Could Be Hacked If You Are Not Doing This
While the online world offers more opportunities than anyone could have imagined when it began going mainstream in the early-to-mid 1990s, with opportunity also comes risk. While it would be good to set up a website and then not have to worry about it, the truth is that there are more security threats than ever. Although a great website starts with an excellent theme on a proper content management system like WordPress, you still need to take the appropriate precautions to protect your websites from hackers.
The good news is that security doesn’t have to be difficult. Understanding a few basic things about online threats and how they work will make it easy to take the steps you need to make sure your WordPress websites remain safe.
Read on and follow these steps to secure your WP sites.
Choose Unique Usernames
Many users focus on passwords (and even then set those up wrong), but it is important to remember that signing into WordPress is a two-part process: there is the password, but also the username. Using the same username across all of your accounts is not a smart move, and usernames are often easy to guess. If the name of a website is “Big John’s Blog”, it is amazing how often the username is Big John. Don’t do this.
Using a little-known e-mail address is slightly better. However, the best method is to choose a unique username that follows many of the same rules that get touted for passwords. Don’t make it part of your real name or blog persona. Choose a word or combination of words that includes numbers and a symbol. If you’re a history buff, a name like “Washington1776!” is easy to remember, is not going to be guessed, and is going to be hard to crack.
An old nickname, a number that is not the year you were born (but is still easy to remember) and a simple exclamation point can make for a great username.
Prevent Hacking with Extra Strong Passwords
Passwords are a major part of any security measure, and there are a few ground rules that are often touted as being good for safety. The short list includes:
- Have a capital letter (or several)
- Have numbers
- Have an additional symbol (*, &, !, etc.)
- Don’t use your name or birth date as part of the password
- Never use strings of consecutive numbers (1234567) as part of a password
- Don’t use any of the most common passwords (Jessica, guest, password, qwerty, etc.)
These are all good tips, but there’s one that is often left off: make the password as long as you can while still being able to remember it. Most password attacks are automated, with a machine trying one combination after another, and every extra character multiplies the number of guesses it has to make, so the difficulty grows exponentially with length.
So stringing together a bunch of words like “Ilovepinkfloyddarksideofthemoon” makes an incredibly powerful password. Capitalize it properly, add a lucky number and an exclamation point, and it can be nearly impossible for a machine to guess.
There’s a popular XKCD comic that explains how password security works extremely well. Very long passwords can protect your WordPress site from the majority of hacking attacks.
Secure Your Hosting As Well with Great Passwords
There is more than one way to disrupt a website. While this isn’t directly related to WordPress, you always need to make sure your hosting account is just as secure as your actual WordPress sign-in. If you don’t take those precautions, a talented hacker could access your hosting and add malicious files to every single one of your websites hosted on that account.
This should also go without saying, but don’t use the same password for both your hosting and your WordPress login.
Use Smart Security Plugins
There are particular types of WordPress plugins that can help secure your website from many online dangers. One of the first things to look for is a limited-login-attempts plugin. When someone fails to log in several times in a row, they are blocked from trying again, and repeated attempts result in that IP address being banned from accessing your WordPress site. That makes it much harder for a hacker to force their way in, especially if you also have good password practices.
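As an added illustration, not code from the article or from any of the plugins it names, the following must-use plugin implements the lockout behaviour just described: it counts failed logins per client address in WordPress transients, refuses further attempts once a limit is reached, and clears the counter on a successful login. The limits, the function names and the transient key prefix are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 *
 * Added example, not the article's code and not one of the plugins it names:
 * a minimal must-use plugin that locks out a client address after repeated
 * failed logins. The limits below and the transient key prefix are assumptions.
 */

const EXAMPLE_MAX_ATTEMPTS = 5;        // failures allowed inside the window
const EXAMPLE_WINDOW_SECS  = 15 * 60;  // sliding window over which failures are counted
const EXAMPLE_LOCKOUT_SECS = 30 * 60;  // how long a lockout lasts

function example_client_ip() {
    // REMOTE_ADDR is filled in by the web server from the TCP connection and
    // cannot be set by the client. Behind a proxy or CDN it is the proxy's
    // address, so the web server must be configured to restore the real
    // client IP; do not read X-Forwarded-For here, the client controls it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function example_transient_key( $kind ) {
    // Hashing keeps the option name short and free of awkward characters.
    return 'example_login_' . $kind . '_' . md5( example_client_ip() );
}

// Runs inside WordPress's username/password check, before the password hash
// is compared: a locked-out address is refused without doing that work.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    if ( get_transient( example_transient_key( 'lock' ) ) ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 10, 2 );

// Every failed login (wrong password, unknown user, or our refusal above)
// fires this action. Count it and start a lockout once the limit is hit.
add_action( 'wp_login_failed', function ( $username ) {
    if ( get_transient( example_transient_key( 'lock' ) ) ) {
        return; // already locked out; don't extend the lockout on each retry
    }
    $key      = example_transient_key( 'fails' );
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, EXAMPLE_WINDOW_SECS );

    if ( $failures >= EXAMPLE_MAX_ATTEMPTS ) {
        set_transient( example_transient_key( 'lock' ), time(), EXAMPLE_LOCKOUT_SECS );
        delete_transient( $key );
        // A line in the PHP error log is the cheapest alert you can have.
        error_log( sprintf(
            'WordPress login lockout for %s after %d failures (last username tried: "%s")',
            example_client_ip(), $failures, $username
        ) );
    }
} );

// A successful login from the address wipes its failure counter.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( example_transient_key( 'fails' ) );
}, 10, 2 );
```

Copy the file into wp-content/mu-plugins/ (create the directory if it does not exist) and it is active without any activation step. One caveat a real plugin handles for you: if the site sits behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, and every visitor shares one counter until the web server is configured to restore the real client IP. That, and the fact that one address can be swapped for another, is why lockouts complement strong passwords rather than replace them.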
You also want to take a look at which anti-malware plugins are getting positive attention from WordPress specialists. Malware can be harder to prevent than an outright break-in, and there are many ways for this type of bad code to be forced into a site. Finding a good anti-malware plugin is a good first step, since it not only helps to block potential malware but often also scans for code that has already slipped in.
If you don’t know where to start, Sucuri Security is a well-regarded free WordPress plugin that helps take care of many of these security issues and is updated frequently to keep up with some of the worst new threats appearing out there. Another advantage of a plugin like Sucuri is that it is extremely easy to add to a WordPress site: just follow the instructions they give to activate it and get your website protected.
Back Up Your Files
This should not only be a high priority, but you should double up on backups in case a worst-case scenario takes place. This is doubly important for bloggers who are always adding new content or intend to keep growing a website. There are several different options for backing up your files, and you should choose at least two.
One easy option is to install a WordPress plugin that does the work. Many of these plugins, like BackUpWordPress, have free and paid versions offering different levels of service, but they do allow you to make backups that can then be saved on your computer or in the cloud. If you have a copy on your own computer, which is a good idea, consider also copying it to a flash drive so you have another unattached backup.
Learning to use FileZilla is another common way to do this. FileZilla, in particular, is popular because it is considered one of the easiest FTP clients for beginners to use. There are numerous websites and YouTube videos that take new users step by step through connecting to the hosting files of a website and then copying them. This allows you to make your own backup of the website files as a zip archive that you can store in your email, in Dropbox, or on your computer.
Finally, there are paid options offered by most companies that also offer hosting. These can range from reasonable to very costly, but they help to make sure a recent backup of your website is always available or being made.
Backups allow for the quick and total restoration of a website after purging bad code, moving hosting, or even switching hosting companies completely if a hosting account becomes too corrupted.
Keep Everything Updated
This is absolutely crucial for WordPress. Hackers, people creating malware, and other online threats are continually improving and adapting, and security must do the same. Most of the frequent updates for WordPress are security-based: closing potential security problems that have been (or could be) exploited by new threats appearing online. If you don’t keep WordPress updated, it is only a matter of time until something infects your site.
This doesn’t just refer to the core WordPress updates, either. Plugins frequently update not only to improve performance but also to shut down any security issues they find. The same applies to themes under the “Appearance” area. In fact, one of the most common ways for a hacker to damage a website is to sneak in through an old theme that is sitting around unused or un-updated on that site.
Uploading multiple themes to test which one looks best on your website isn’t unusual. At the very beginning it is a move that makes sense, but don’t keep those additional themes around. Each of them is code that can be found, hacked, or corrupted. Delete any themes that aren’t being used and update the one you are using every single time an update becomes available.
One important thing to note: whenever a new yearly “base” theme is released by WordPress, it often automatically appears under the Appearance > Themes section of your WordPress admin page. If you don’t pay attention, that becomes another potential security issue that needs to be taken care of.
In addition to keeping everything updated you want to:
- Delete any plugins that you aren’t using
- Delete any themes you aren’t using
- Delete any new themes WordPress automatically adds in the “Appearance” area
- Limit the number of people with admin, contributor, or editor access to the site
Make Appropriate File Permission Changes
Some default settings make a site much easier to hack than others, so when you’re setting up WordPress you want to have your web developer change the file permissions. Make sure you avoid setting up directories with a 777 permission configuration; 750 or even 755 are much better options. Files should be set to 644 or 640. This cuts off many potential weaknesses before they can get a footing on your site.
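To check an install against these numbers, here is an added audit script (example code, not from the article) that walks the WordPress directory, reports every file or directory whose mode falls outside the recommended set, and tightens them only when asked with --fix. It treats wp-config.php specially, since that file holds the database password and should be 640. The script name and the sample path are assumptions.

```php
<?php
// audit-perms.php (name is an assumption). Added example, not the article's
// code: audit a WordPress directory tree against the permission scheme the
// article recommends (directories 755 or 750, files 644 or 640, never 777)
// and optionally tighten anything that is out of line.
//
// Usage:  php audit-perms.php /path/to/wordpress [--fix]

const ALLOWED_DIR_MODES  = [ 0755, 0750 ];
const ALLOWED_FILE_MODES = [ 0644, 0640 ];

/**
 * Walk $root and return one [path, current mode, recommended mode] triple for
 * every entry whose permission bits are outside the allowed set.
 */
function audit_wp_permissions( string $root ): array {
    $root     = rtrim( $root, '/' ) ?: '/';     // normalise so paths compare cleanly
    $config   = $root . '/wp-config.php';
    $findings = [];

    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $iterator as $path => $info ) {
        if ( $path === $config ) {
            continue;                              // handled separately below
        }
        $mode = fileperms( $path ) & 0777;         // keep only the rwx bits
        if ( $info->isDir() && ! in_array( $mode, ALLOWED_DIR_MODES, true ) ) {
            $findings[] = [ $path, $mode, 0755 ];
        } elseif ( $info->isFile() && ! in_array( $mode, ALLOWED_FILE_MODES, true ) ) {
            $findings[] = [ $path, $mode, 0644 ];
        }
    }

    // wp-config.php holds the database credentials and salts, so the stricter
    // 640 (no access at all for "other") is the right target there.
    if ( is_file( $config ) ) {
        $mode = fileperms( $config ) & 0777;
        if ( $mode !== 0640 ) {
            $findings[] = [ $config, $mode, 0640 ];
        }
    }
    return $findings;
}

/** Apply the recommended mode from each finding; returns how many changed. */
function fix_wp_permissions( array $findings ): int {
    $changed = 0;
    foreach ( $findings as [ $path, , $want ] ) {
        if ( chmod( $path, $want ) ) {
            $changed++;
        }
    }
    return $changed;
}

if ( PHP_SAPI === 'cli' ) {
    $root     = $argv[1] ?? getcwd();
    $findings = audit_wp_permissions( $root );
    foreach ( $findings as [ $path, $mode, $want ] ) {
        // World-writable entries (the 777 mistake) are flagged explicitly.
        $flag = ( $mode & 0002 ) ? '  <-- world-writable' : '';
        printf( "%s is %04o, should be %04o%s\n", $path, $mode, $want, $flag );
    }
    printf( "%d entries need attention\n", count( $findings ) );
    if ( in_array( '--fix', $argv, true ) ) {
        printf( "%d entries changed\n", fix_wp_permissions( $findings ) );
    }
}
```

Run it as the user that owns the files and read the report before adding --fix. If media uploads stop working after tightening, fix the ownership of wp-content/uploads so that the web server user owns it, rather than falling back to 777.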
Keep Your Home Computer Safe
Don’t keep your passwords in a file on your machine, which is often far easier to hack than a WordPress website. In addition, make sure you install a firewall on your computer to defend it from viruses, malware, and hackers, and follow the same rules for the password you use to sign into your computer as you follow for creating a great WordPress password.
Once again, to state the obvious, make sure these are different passwords as well. If your hosting and WordPress accounts are secure but your laptop or desktop computer isn’t, that is yet another way for hackers to find their way in. You need to protect your website from every possible intrusion.
Advanced WordPress Security Options
While the previous sections are more than enough for well over 99% of all WordPress sites, some more advanced strategies can be used by web designers who feel comfortable enough with coding to make changes at the code level. As for the all-important disclaimer: these are DIY options for a reason. Always back up your work ahead of time, and remember that with any of these advanced options, if you mess it up, it’s on you to fix it; no one else is responsible.
Eliminate PHP Error Reporting
Error reports can be useful, but they contain detailed information, such as full file paths, that gives an attacker a map of your site’s internals. A single detailed PHP error can tell an attacker a great deal about how your site is put together. Look at your wp-config.php file and add the code:
This will disable PHP error reporting.
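The article does not reproduce its snippet, so here is an added example of what goes into wp-config.php to stop errors being shown to visitors while still recording them for you (not the article’s own code; the log path is an assumption):

```php
<?php
// Added example, not the article's snippet. Place these lines in wp-config.php
// above the "/* That's all, stop editing! ... */" comment. They stop PHP from
// printing errors (and the file paths inside them) into pages served to
// visitors while keeping a log for the site owner. The log path is an assumption.

define( 'WP_DEBUG', false );          // debug mode off on a live site
define( 'WP_DEBUG_DISPLAY', false );  // never render errors in page output

// WordPress only applies the WP_DEBUG_* display settings when WP_DEBUG is on,
// so set PHP's own switches as well; nothing later in the bootstrap
// re-enables display when WP_DEBUG is false.
@ini_set( 'display_errors', '0' );    // no errors in the HTML sent to browsers
@ini_set( 'log_errors', '1' );        // ...but keep them in a log file

// Log outside the web root: the default wp-content/debug.log that
// WP_DEBUG_LOG=true would use can be fetched by URL on most hosts.
@ini_set( 'error_log', '/var/log/php/wordpress-errors.log' );
```

Check the result by requesting a page that you know throws a notice (a deliberately misspelled option name in a test theme will do) and confirming the notice appears in the log file and not in the page source.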
Hide Author Usernames
Often an author’s username is also their admin login name. Unless you take specific steps to make sure this is never the case, you want to override the WordPress default that exposes that login name, which otherwise hands an attacker half of what they need before they start guessing the password. Once again, adding a few lines of code in the right file can change this.
This time the code that needs changing is in the functions.php file. Add the lines:
wp_redirect( home_url() ); exit;
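The fragment above is the tail end of a longer snippet. As an added example, not the article’s own code, here is the full version as it would go into a child theme’s functions.php or a must-use plugin (edits to a parent theme’s functions.php are lost on the next theme update). It sends author-archive requests home before WordPress can answer them and, going one step beyond the article, also hides the REST API user listing from anonymous visitors, which is another default that reveals login names. The function names are assumptions.

```php
<?php
// Added example: the complete form of the redirect the article mentions, for a
// child theme's functions.php or a file in wp-content/mu-plugins/. Not the
// article's own code; function names are assumptions.

// Author archives are the usual leak: the archive URL contains the user's
// login slug. Send those requests to the home page instead of serving them.
add_action( 'template_redirect', 'example_block_author_archives', 1 );
function example_block_author_archives() {
    // Priority 1 so this runs before redirect_canonical() (priority 10), which
    // would otherwise answer an author query with a redirect to /author/<login>/
    // and reveal the name in the Location header.
    if ( is_author() ) {
        wp_redirect( home_url() );
        exit;
    }
}

// The REST API also lists users at /wp-json/wp/v2/users. Keep it for logged-in
// users (the block editor needs it) and remove it for anonymous visitors.
add_filter( 'rest_endpoints', 'example_hide_users_endpoint' );
function example_hide_users_endpoint( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
}
```

After adding it, load your own author archive URL while logged out and confirm you land on the home page, and check that /wp-json/wp/v2/users now returns a "no route" error for anonymous requests while the post editor still lets you pick an author.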
Change The Log-In URL
The default log-in URL for a WordPress website is your site’s address followed by /wp-admin. Everyone knows this, which makes that /wp-admin a problem. An excellent security plugin like iThemes Security allows you to change this URL. It can be /my-personal-login or whatever you want to change it to, but this makes it much harder for hackers to mount a brute-force attack when they don’t have a straight route to force their way in.
Tying It All Together
While the issue of WordPress security can seem a tad overwhelming at first, the truth is that this topic is important, and many of these steps involve simple maintenance and an occasional update. That is an extremely small price to pay compared to the hassle of a severely hacked website.