There’s no escaping the fact that thousands of websites get hacked every day.
Many hacks go by without notice and with the problem rectified before any serious harm is done, while some security breaches hit the world’s largest corporations, creating PR disasters and lengthy periods of downtime.
If your WordPress website gets hacked, you won't just lose an invaluable channel for new business; Google may also remove it from its index entirely.
Google blacklists over 30,000 hacked websites every day, and, while WordPress core itself is well maintained, most compromises come down to outdated software, weak logins and vulnerable plugins or themes, so there are still plenty of steps you can take to bolster the security of your website.
In this blog post, we’re going to look at seven ways you can do just that.
1. Keep your core files up-to-date
One of the most important things every WordPress website owner should do is ensure that the platform itself is always up-to-date.
The WordPress security team and its contributors release patches regularly to close newly reported vulnerabilities, including ones already being exploited in the wild. An unpatched install is the easiest target there is: once a fix is public, the fix itself tells attackers exactly where to look.
Since version 3.7 WordPress applies minor (security and maintenance) releases automatically by default. Leave that switched on unless you have a tested process for updating manually within hours of a release; if you do switch to manual updates for more control over the process, take a backup first and update a staging copy before production. This is one of the many reasons it pays to have an experienced pair of hands keeping your WordPress core files, and your plugins and themes, up-to-date.
2. Get shot of, or rename, the admin user account – now!
One of the most tempting signs for hackers looking to break into a WordPress site is the presence of the default 'admin' user account: it hands them half of the credentials for free, so every brute force tool tries it first.
Older WordPress installs (and many one-click installers) created this account by default; newer ones let you choose the username during setup. If you have it, create a new administrator account with a different username, log in as that user, then delete 'admin' and reassign its posts to the new account. Another option is to rename the admin username; this can be done either directly in the database through the phpMyAdmin tool or using a plugin like Username Changer by Daniel J Griffiths. If you go the database route, change the user_nicename and display_name columns as well as user_login: the author slug still appears in author archive URLs (/?author=1 redirects to /author/<slug>/) and in the REST API's users endpoint, so renaming only the login name leaves the old name on display.
Instead of the default admin username, go for something that's harder to guess, and don't make it your own name. Treat this as a minor obstacle rather than a secret, though: usernames leak easily, so it's the password and the measures below that do the real work.
3. Rename your WordPress Dashboard login URL
The WordPress Dashboard is where all the plugin and theme settings lie, and its login page sits at the same path on every site (/wp-login.php, with /wp-admin/ redirecting to it). That makes it a target for almost every automated scanner and brute force attack.
By moving your WordPress login URL, you make it harder for hackers to find the page they need to brute force their way into your site's Dashboard. Fortunately there are plugins that apply this change for you, such as Rename wp-login.php by Ella Iseulde Van Dorpe. Bear in mind that this is obscurity rather than a lock: it cuts the background noise of automated attacks, but anyone who learns the new path is back where they started, and xmlrpc.php still accepts username and password logins unless you disable it. Use it alongside, not instead of, the steps that follow.
4. Turn off file editing in the WordPress dashboard
WordPress includes a handy file editing feature that lets you edit your theme and plugin files directly from the dashboard.
Unfortunately, it's a gift to hackers, too: anyone who gets hold of an administrator session can use the editor to drop malicious PHP into your site without ever touching the server.
The fix is to disable file editing by adding the following line to wp-config.php, above the "That's all, stop editing!" comment where WordPress's other configuration constants live:
define('DISALLOW_FILE_EDIT', true);
It can be re-enabled (change true to false, leaving the value unquoted) whenever you need to edit files yourself, although editing on the server or through version control is the safer habit.
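Sections 1 and 4 both come down to constants in wp-config.php. The fragment below is an added example, not code from the original post: the constant names (WP_AUTO_UPDATE_CORE, DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS) are WordPress's own, and it puts the default, the hardened setting and the trade-off side by side.

```php
<?php
// wp-config.php hardening fragment (added example, not from the original
// post). The constant names are WordPress's own. Put these lines above the
// stock "/* That's all, stop editing! Happy publishing. */" comment, where
// the rest of the site's configuration constants live.

// ---- Section 1: keep core up to date ---------------------------------
// 'minor' = security and maintenance releases install themselves (the stock
// behaviour since 3.7); true = major releases as well; false = nothing is
// applied automatically, so you are committing to updating by hand promptly.
define('WP_AUTO_UPDATE_CORE', 'minor');

// ---- Section 4: no file editing from the dashboard -------------------
// Hides the theme and plugin file editors and makes the edit_plugins /
// edit_themes / edit_files capabilities fail even for administrators.
// Use the boolean true: in PHP any non-empty string is truthy, so writing
// 'false' in quotes would still disable the editor.
define('DISALLOW_FILE_EDIT', true);

// Stricter variant (implies DISALLOW_FILE_EDIT): also forbids installing,
// uploading and updating plugins, themes and core from the dashboard, so a
// hijacked admin session cannot push a backdoor plugin. It switches off
// WordPress's built-in automatic updater too, making WP_AUTO_UPDATE_CORE
// above irrelevant, so only enable it where updates arrive by another
// route, such as a deployment pipeline that writes the files directly.
// define('DISALLOW_FILE_MODS', true);
```

After saving, the editor entries disappear from the Appearance and Plugins menus for every user, which is the quickest check that the constant has taken effect.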
5. Block brute force attempts
Brute force login attempts are when hackers throw a massive number of username and password combinations at your WordPress site, usually from a botnet and usually against the 'admin' account, in order to gain access.
They aren't always successful, but with a weak password they can be, and even a failed campaign can hurt your site's performance considerably, since every guess is a full PHP request and a database lookup.
WordPress allows unlimited login attempts by default, which leaves it open to brute force attacks. There are several plugins you can use to mitigate this, such as Login Lockdown.
A plugin of that kind blocks a client once it has made a set number of failed login attempts, which should keep brute force hackers at bay. Two things to check when you pick one: that it also covers xmlrpc.php, where the system.multicall method lets an attacker pack hundreds of login guesses into a single HTTP request (disable XML-RPC if nothing you use needs it), and that behind a CDN or reverse proxy it sees the real client address rather than the proxy's, or it will lock everyone out at once.
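What a login-limiting plugin does under the hood, as an added example written for this post rather than taken from Login Lockdown or any other plugin: a must-use plugin that counts failures per client address in a transient and refuses authentication once the limit is reached. The LRL_ constants and the lrl_ function names are this example's own; the hooks (wp_login_failed, authenticate, wp_login), the transient functions and WP_Error are WordPress's. Because the authenticate filter runs inside wp_authenticate(), the same limit applies to xmlrpc.php, including every call inside a system.multicall.

```php
<?php
/**
 * Plugin Name: Login rate limiter (added example)
 * Description: Blocks a client address after too many failed logins.
 *
 * Save as wp-content/mu-plugins/login-rate-limiter.php; must-use plugins
 * load automatically and cannot be deactivated from the dashboard.
 * Example code written for this post, not a published plugin.
 */

defined('ABSPATH') || exit;

const LRL_MAX_ATTEMPTS = 5;    // failures allowed per client per window
const LRL_WINDOW       = 900;  // counting/lockout window in seconds

/**
 * Client address. REMOTE_ADDR is correct only when PHP talks to the client
 * directly. Behind a CDN or reverse proxy, read the header that proxy sets
 * (and only when the request really came from the proxy); never trust a raw
 * X-Forwarded-For, which any client can forge to dodge the limit or to get
 * somebody else locked out.
 */
function lrl_client_ip(): string
{
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lrl_transient_key(string $ip): string
{
    return 'lrl_' . md5($ip);   // transient names must stay short; hashing also keeps IPv6 safe
}

function lrl_is_blocked(string $ip): bool
{
    return (int) get_transient(lrl_transient_key($ip)) >= LRL_MAX_ATTEMPTS;
}

// 1. Count every failure. wp_login_failed fires from wp_authenticate(), so
//    the login form, xmlrpc.php and application-password logins all count.
add_action('wp_login_failed', function ($username) {
    $ip    = lrl_client_ip();
    $key   = lrl_transient_key($ip);
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LRL_WINDOW);   // each failure restarts the window
    if ($count >= LRL_MAX_ATTEMPTS) {
        error_log(sprintf('login-rate-limiter: %s blocked after %d failures (last username tried: %s)',
            $ip, $count, $username));
    }
});

// 2. Refuse authentication while blocked. Priority 30 runs AFTER WordPress's
//    own username/password and email/password checks (priority 20). That
//    matters: those checks return a WP_User on a correct password regardless
//    of any earlier WP_Error, so a filter at priority 1 would not stop a
//    blocked client that has finally guessed right.
add_filter('authenticate', function ($user, $username, $password) {
    // wp-login.php calls wp_signon() with empty credentials on a plain page
    // load; don't count those as attempts or the lockout never expires.
    if ((string) $username === '' && (string) $password === '') {
        return $user;
    }
    if (lrl_is_blocked(lrl_client_ip())) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins from your address. Try again in %d minutes.', LRL_WINDOW / 60)
        );
    }
    return $user;
}, 30, 3);

// 3. A successful login clears the client's counter.
add_action('wp_login', function () {
    delete_transient(lrl_transient_key(lrl_client_ip()));
});
```

The counting is per source address, which is the same trade-off every such plugin makes: a shared office NAT or a badly configured proxy means one person's typos can lock out their colleagues, and a botnet spreading guesses across thousands of addresses stays under the limit, which is why a strong password and a second factor still matter.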
6. Use long, complex passwords
It might be tempting to use a simple password for your WordPress account. After all, how often do you need to log into the back end of your website?
Regardless of how frequently or infrequently you log in, a strong password is absolutely essential, because it is the one thing a brute force attack actually has to get past. Thankfully, WordPress does a pretty good job of generating a complex password for you on the profile page, and a password manager will do the same while remembering it for you.
Go for long, complex passwords that include letters, numbers and symbols, and use a different one for every site. Avoid anything that can be easily associated with you or the business; hackers will try the obvious stuff first, after all!
7. Implement two-factor authentication
Two-factor authentication is available for most online services, devices and apps these days, and for good reason: it is one of the best ways to secure digital assets, because a stolen or guessed password alone is no longer enough to get in.
This method of logging in requires two pieces of information. First you enter your username and password as usual, then a one-time code that only a trusted device can produce: normally an authenticator app on your smartphone, which generates a fresh six-digit code every 30 seconds (codes sent by text message also exist, but SMS is the weaker option).
The free Google Authenticator plugin for WordPress is a good option if we've tempted you to implement two-factor authentication on your website. Whichever plugin you choose, check that it also protects, or lets you switch off, logins through xmlrpc.php, since a second factor that only guards the login form can be sidestepped there.
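How the six-digit code is produced and checked, as an added example written for this post (not code from the Google Authenticator plugin): the RFC 6238 TOTP algorithm the authenticator apps implement, with the shared secret stored base32-encoded as it is in the QR code the app scans, 30-second steps and HMAC-SHA1. The function names are this example's own; the self-check at the bottom uses the RFC's published test vector.

```php
<?php
// TOTP (RFC 6238) generation and verification, added example for this post.
// Assumptions: base32-encoded shared secret, 30-second steps, HMAC-SHA1,
// six digits (the defaults authenticator apps use). Names are ours.

/** Decode an RFC 4648 base32 string, the form the secret is handed to the app in. */
function totp_base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop the trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** HOTP (RFC 4226) for one counter value; TOTP is HOTP with the time step as counter. */
function totp_code(string $secret, int $counter, int $digits = 6): string
{
    $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true); // counter as 8-byte big-endian
    $offset = ord($hash[19]) & 0x0f;                                 // dynamic truncation
    $bin    = ((ord($hash[$offset]) & 0x7f) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * Verify a submitted code, tolerating $window steps of clock drift either
 * side. hash_equals() keeps the comparison constant-time. A real login flow
 * must also record the last accepted step and refuse it a second time,
 * otherwise a code captured in transit stays valid for the whole window.
 */
function totp_verify(string $secret, string $submitted, int $now, int $window = 1, int $step = 30): bool
{
    if (!ctype_digit($submitted)) {
        return false;
    }
    $counter = intdiv($now, $step);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp_code($secret, $counter + $i), $submitted)) {
            return true;
        }
    }
    return false;
}

// Self-check against the RFC 6238 test vector: secret "12345678901234567890"
// (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), Unix time 59 gives 94287082 with
// eight digits, so 287082 with six. Two steps later the same code must fail.
$secret = totp_base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
if (totp_code($secret, intdiv(59, 30), 8) !== '94287082') {
    throw new RuntimeException('TOTP self-check failed: RFC 6238 vector mismatch');
}
if (!totp_verify($secret, '287082', 59) || totp_verify($secret, '287082', 121)) {
    throw new RuntimeException('TOTP self-check failed: verify window wrong');
}
echo "TOTP self-checks passed\n";
```

The secret on the server is as sensitive as a password: it must be stored where only the login code can read it, and anyone who copies the users table with the secrets in it can generate every future code, which is why a compromised database still calls for re-enrolling every account.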
Wrap up
The tips above are relatively easy to undertake – if you’re experienced with WordPress management. We don’t recommend undertaking the more technical tricks yourself (or installing plugins with which you’re unfamiliar) – we’d much rather do them properly for you.
Contact us today to find out how we can help secure your WordPress website from hackers.
Jonas Lejon says
I would also recommend using a tool like wpscans.com or the open-source wpscan
Gerasimos says
Thanks for the heads up Jonas 🙂