Preventing your WordPress blog from being hacked should be your number one priority.
We all know that cyber attacks are on the rise. It’s something we know we should take seriously, but never quite get around to. Local bloggers in particular believe that their blogs are shielded from such attacks, often questioning why any ‘hacker’ would want to attack their blog.
Unfortunately, in a lot of WordPress hack cases nobody chose your blog at all. It was found by bots that scan the web for known vulnerabilities in plugins and themes and for missing basic security (default usernames, weak passwords, out-of-date software). A small blog is just as easy a target for a bot as a big one.
We are by no means cyber security professionals, but we wanted to share some of the things that we’re doing to toughen up our security.
Don’t use admin as your WordPress login
The first thing you should do is stop using admin as your administrator username. Older installers set it by default and many people still pick it, so hackers and bots already know half of your login details and only need to guess the password. WordPress won’t let you rename an existing user from the dashboard: create a new administrator account with a different username, log in as that user, then delete the old admin account and choose to reassign its posts to the new one. Change it now if you haven’t done it already. Bear in mind that usernames can still be discovered through author pages, so this is no substitute for a strong password.
Update to the latest version of WordPress
Make sure you’re running the very latest version of WordPress. Since version 3.7 WordPress installs minor and security releases on its own, but major releases still wait for you to click Update unless you turn on automatic updates for them as well (the WP_AUTO_UPDATE_CORE setting in wp-config.php). You’d be surprised at how many sites are attacked because they’re running an older version with a publicly known hole.
Manage your plugins
Similar to the WordPress installation, keep your plugins up to date. If you’ve stopped using a plugin, delete it rather than just deactivating it: a deactivated plugin’s files are still on the server and a vulnerability in them can still be reachable. Not only will this lower the risk of your blog getting hacked, it will also help your WordPress blog run quicker. Remember to only download plugins from official sources, such as the WordPress.org plugin directory or the developer’s own site!
Make regular backups
Back up your blog files and database regularly. We recommend that you back up at least once a month, but consider more frequent backups if you’re updating your blog weekly or daily. You should also take a backup every time before you install a new plugin or update your WordPress files. Keep a copy somewhere other than the web server itself, and check now and again that you can actually restore from it.
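Here is what a backup along those lines looks like from the shell. This is an added example, not a script from the original post or from any plugin: it assumes the site lives under WP_ROOT (/var/www/html by default), that mysqldump, gzip and tar are installed on the server, that the database accepts the credentials in wp-config.php, and that the password contains no quote characters. The backup directory and retention count are also assumptions you can override with environment variables.

```shell
#!/bin/sh
# Added example (not code from the original post): dump the WordPress
# database and archive the install directory, keeping the newest KEEP
# copies of each. Paths and defaults below are assumptions.

set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"
KEEP="${KEEP:-8}"   # archives of each kind to retain

# Read a define('NAME', 'value') constant out of wp-config.php, accepting
# either quote style and the spacing WordPress's installer produces.
# Assumes the value itself contains no quote characters.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database. The password goes through a mode-600 defaults file
# rather than -p on the command line, where other users could read it
# from the process list. DB_HOST may carry a port, e.g. localhost:3306.
backup_database() {
    cfg="$WP_ROOT/wp-config.php"
    db_host=$(wp_config_value "$cfg" DB_HOST)
    host="${db_host%%:*}"
    case "$db_host" in
        *:*) port="${db_host#*:}" ;;
        *)   port=3306 ;;
    esac
    cnf=$(mktemp)
    chmod 600 "$cnf"
    printf '[client]\nuser=%s\npassword="%s"\nhost=%s\nport=%s\n' \
        "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_PASSWORD)" "$host" "$port" > "$cnf"
    out="$BACKUP_DIR/wp-db-$1.sql"
    # --defaults-extra-file must be the first option on the command line.
    mysqldump --defaults-extra-file="$cnf" --single-transaction \
        "$(wp_config_value "$cfg" DB_NAME)" > "$out"
    gzip -f "$out"
    rm -f "$cnf"
}

# Archive the whole install (themes, plugins, uploads) relative to its parent.
backup_files() {
    tar -czf "$BACKUP_DIR/wp-files-$1.tar.gz" \
        -C "$(dirname "$WP_ROOT")" "$(basename "$WP_ROOT")"
}

# Delete all but the newest $2 archives whose names start with $1.
# The timestamps in the names sort lexically, so `sort -r` lists newest first.
prune_old_backups() {
    ls -1 "$BACKUP_DIR/$1"-*.gz 2>/dev/null | sort -r | tail -n "+$(($2 + 1))" |
    while IFS= read -r old; do
        rm -f -- "$old"
    done
}

main() {
    mkdir -p "$BACKUP_DIR"
    chmod 700 "$BACKUP_DIR"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    backup_database "$stamp"
    backup_files "$stamp"
    prune_old_backups wp-db "$KEEP"
    prune_old_backups wp-files "$KEEP"
    echo "backup $stamp written to $BACKUP_DIR; copy it off this server"
}

# Only touch the database and filesystem when run as `sh wp-backup.sh run`;
# sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as the user who owns the WordPress files, for example from cron before each plugin update. The archives contain your database password and user data, so the backup directory is made private (mode 700), and the final line is a reminder to copy them somewhere off the server: a backup sitting next to the site it protects disappears with it.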
Install a firewall and antivirus (on your computer)
This may sound really basic, but there are still a lot of people out there who don’t have basic antivirus installed on their own computers. It reduces the risk of your own computer being used to hack your site, and yes, it happens: there is malware out there that logs every keystroke you make, including your WordPress and hosting passwords. It also means that when you download a backup of your blog to your computer, those files get scanned too.
Change your WordPress admin URL
You can reach the login page of every WordPress site just by adding /wp-admin or /wp-login.php to the address. Not only does this tell a potential hacker that you’re using WordPress, it also puts them one step closer to attempting a login. Changing the URL isn’t always simple, as it can interfere with how other users (and some plugins) log in. We only recommend it if you’re the only one, or one of only a few, who logs in to the blog, and treat it as a way to cut down automated noise rather than real protection: strong passwords and the login lockout described later still matter.
Lock down access to empty directories and check file permissions
This is when we start getting a little geeky. Your WordPress blog is made up of hundreds of files and folders. If a folder has no index file and your web server has directory listing turned on, anyone who browses to that folder gets a full list of the files in it, which is a gift to someone looking for backups, uploads or plugin versions to target. Some simple, free plugins can close this off, and on Apache it is a single .htaccess directive (Options -Indexes).
Prevent access to wp-config.php
Carrying on with the geekiness, we recommend that you prevent web access to the wp-config.php file. This file sits in the root of your WordPress installation and holds the site’s configuration, including the username and password WordPress uses to connect to your database and the secret keys that sign login cookies. Normally the server runs it as PHP and never shows its contents, but a misconfiguration can serve it as plain text, so it is worth telling the web server to refuse requests for it outright. If a hacker gets a copy, game over.
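The two checks above (directory listing and wp-config.php exposure) plus the file-permission reset can be done without a plugin. The script below is an added example, not code from the original post or from any of the plugins it recommends. It assumes Apache 2.4 with .htaccess files enabled (AllowOverride All) and that you run it as the owner of the WordPress files; Nginx sites need equivalent rules in the server block instead of .htaccess. WP_ROOT is an assumed path.

```shell
#!/bin/sh
# Added example (not code from the original post): find directories that
# would be listed, add Apache hardening rules, and reset permissions.
# Assumes Apache 2.4, AllowOverride All, and a single-owner install.

set -eu

# 1. Report every directory with no index.php or index.html. On a server
#    with directory listing enabled, these show their contents to anyone.
find_unindexed_dirs() {
    find "$1" -type d \
        ! -exec sh -c 'test -e "$1/index.php" || test -e "$1/index.html"' _ {} \; \
        -print | sort
}

# 2. Append Apache rules outside WordPress's own "# BEGIN WordPress" block
#    (WordPress rewrites that block when permalinks change, and leaves the
#    rest alone): turn off directory listing and refuse every HTTP request
#    for wp-config.php. Safe to run more than once.
add_htaccess_rules() {
    htaccess="$1/.htaccess"
    if [ -f "$htaccess" ] && grep -q '^# BEGIN hardening' "$htaccess"; then
        return 0
    fi
    cat >> "$htaccess" <<'EOF'
# BEGIN hardening
Options -Indexes
<Files wp-config.php>
    Require all denied
</Files>
# END hardening
EOF
}

# 3. Reset permissions to the usual baseline: directories 755, files 644,
#    wp-config.php readable by its owner only. 600 is right when PHP runs
#    as the file owner (one php-fpm pool per site). If PHP runs as a
#    separate web-server user, use 640 with that user's group instead.
set_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 600 "$1/wp-config.php"
    fi
}

# Only touch a real install when run as `sh wp-harden.sh run`.
if [ "${1:-}" = "run" ]; then
    root="${WP_ROOT:-/var/www/html}"   # assumed install path
    echo "directories without an index file under $root:"
    find_unindexed_dirs "$root"
    add_htaccess_rules "$root"
    set_permissions "$root"
fi
```

After running it, fetch https://your-blog/wp-config.php and https://your-blog/wp-content/uploads/ in a browser: the first should return 403 Forbidden and the second should no longer list files. If the site breaks instead, AllowOverride is probably not enabled for the directory, and the same rules belong in the Apache virtual host configuration.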
Block multiple login attempts
There are a number of plugins that can help with this, such as Login Lockdown listed below. Essentially, they prevent hackers from bombarding your blog with login attempts by blocking access after a login fails a set number of times from the same address. They can also block specific IP addresses from accessing your blog altogether. This is essential: without it, a bot can try thousands of passwords against your username and nothing stops it.
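If you want to see whether this is already happening to you, the web server’s access log tells the story. The script below is an added example, not part of the original post or of the Login Lockdown plugin: it counts failed POSTs to wp-login.php per client address in a standard "combined" format log (Apache and Nginx defaults). A failed login re-renders the form with HTTP 200, whereas a successful one redirects with 302, so counting 200s isolates the failures. The log lines are constructed for the example and use documentation IP ranges, and the log path is an assumption.

```shell
#!/bin/sh
# Added example (not code from the original post): find clients that have
# failed to log in to wp-login.php at least N times, from an access log.
# Sample log lines are constructed; the default log path is an assumption.

set -eu

# Print "ip count" for every client with at least $2 failed login POSTs in
# log file $1. In combined log format field 1 is the client IP, field 6
# the method (with its leading quote), field 7 the request path and
# field 9 the status code; a 200 on a POST means the form was re-shown.
wp_login_bruteforce_ips() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= limit) print ip, hits[ip] }
    ' "$1" | sort
}

# Constructed sample: 203.0.113.5 hammers the login form from a script,
# 198.51.100.7 is an editor who mistypes once and then gets in (302), and
# 192.0.2.9 only reads the blog.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2024:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3891 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2024:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "https://blog.example/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://blog.example/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:56:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 21044 "https://blog.example/wp-login.php" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:13:56:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2024:13:57:40 +0000] "GET /?s=wordpress HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:13:57:45 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4523 "-" "python-requests/2.31"
EOF
}

# `sh wp-login-check.sh` runs against the sample; `sh wp-login-check.sh run
# /path/to/access.log 10` runs against a real log with threshold 10.
case "${1:-sample}" in
    sample)
        tmp=$(mktemp)
        write_sample_log "$tmp"
        wp_login_bruteforce_ips "$tmp" 5
        rm -f "$tmp"
        ;;
    run)
        wp_login_bruteforce_ips "${2:-/var/log/apache2/access.log}" "${3:-10}"
        ;;
esac
```

On the sample this prints only the scripted client, with its six failures. One caveat: if your blog sits behind a CDN or reverse proxy, field 1 is the proxy’s address, and you need the log format to record the X-Forwarded-For header (and the script to read that field) before the counts mean anything.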
WordPress security plugins that we recommend:
- iThemes Security (formerly Better WP Security) – https://ithemes.com/security/
- Wordfence Security – https://www.wordfence.com
- Login Lockdown – https://en-gb.wordpress.org/plugins/login-lockdown/
Each of the first two plugins offers multiple security features, and we highly recommend that you choose at least one of them. Premium versions are available if you want extras such as two-factor authentication and remote scanning, along with premium support to help you get started with WordPress security. 800,000 installs can’t be wrong, right?
Before making any changes to your WordPress blog or installing any plugins, please read up and make a backup copy of your files and database first. We can’t stress this enough!
It’s also important to note that these tips and plugins don’t guarantee your blog won’t get hacked; they are merely the very basics that you should be doing.