WP Republic!

Feb 04 2018

How to prevent your WordPress website from being hacked

There’s no escaping the fact that thousands of websites get hacked every day.

Many hacks go unnoticed, with the problem rectified before any serious harm is done. At the same time, some security breaches hit the world’s largest corporations, creating PR disasters and lengthy periods of downtime.

If your WordPress website gets hacked, you’ll lose an invaluable channel for new business, and Google may also remove it entirely from its index.

Google blacklists over 30,000 hacked websites every day, and while WordPress is a perfectly secure platform, there are still plenty of steps you can take to bolster the security of your website.

This blog post will look at seven ways you can do just that.

1. Keep your core files up-to-date

One of the most critical things every WordPress website owner should do is ensure that the platform is always up-to-date.

The WordPress security team and its contributors regularly patch the system to combat the newest forms of cybercrime, security vulnerabilities, and zero-day exploits.

If you don’t feel confident leaving your WordPress site in auto-update mode, we advise you to change this setting and update it manually to control the process better. This is one of the many reasons it pays to have an experienced pair of hands help you keep WordPress core files up-to-date.

2. Get shot of or rename the admin user account – now!

One of the most tempting signs for hackers looking to break into a WordPress site is the presence of the default ‘admin’ user account.

Every WordPress installation will create this account for you, but you can delete it once you’ve created your own. Another option is to rename the admin username, either through the phpMyAdmin tool or using a plugin like Username changer by Daniel J Griffiths.

Instead of the default admin username, go for something more challenging to guess. Add numbers to it, and don’t make it your name – the more difficult you make it to guess, the less chance you have of your WordPress site being compromised.

3. Rename your WordPress Dashboard login URL

The WordPress Dashboard is where all the plugin and theme settings lie. For this reason, it is a common target for almost every hacker and brute-force attack.

Renaming your WordPress login URL will make it much harder for hackers to get into your site Dashboard or brute-force their way in. Fortunately, you can use many plugins to apply this change, like Rename wp-login.php by Ella Iseulde Van Dorpe.

4. Turn off file editing in the WordPress dashboard

WordPress includes a brilliant file editing feature that lets you edit your plugin files and themes directly from the dashboard.

Unfortunately, it’s also a haven for hackers because they can also use the editor to inject malicious code into your websites.

The trick here is to disable file editing by placing the following code at the end of the wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

File editing can then be re-enabled (replace ‘true’ with ‘false’) whenever you need to edit files yourself.
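
To confirm the setting is actually in force, the added example below (not part of the original post or of WordPress itself) scans the text of a wp-config.php for the define() line and flags the common failure where the line was pasted with typographic quotes. The function names and the sample fragments are assumptions made for illustration.

```python
import re

QUOTES = "'\"\u2018\u2019\u201c\u201d"  # straight quotes plus typographic ones
DEFINE_RE = re.compile(
    r"(?i:define)\s*\(\s*(?P<q1>[%s])DISALLOW_FILE_EDIT(?P<q2>[%s])\s*,"
    r"\s*(?P<val>[^)]*?)\s*\)" % (QUOTES, QUOTES)
)


def strip_php_comments(src):
    """Drop /* */, // and # comments (simplified: ignores markers inside strings)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?://|#).*", "", src)


def audit_file_edit(src):
    """Classify wp-config.php text as editor-disabled, editor-enabled,
    broken-quotes or missing. The first matching define() decides."""
    m = DEFINE_RE.search(strip_php_comments(src))
    if m is None:
        return "missing"
    if m["q1"] not in "'\"" or m["q1"] != m["q2"]:
        # Typographic quotes are not PHP string delimiters, so the constant
        # WordPress checks is never defined.
        return "broken-quotes"
    return "editor-disabled" if m["val"].lower() in ("true", "1") else "editor-enabled"


# Constructed wp-config.php fragments (not taken from a real site).
SAMPLES = {
    "ok": "<?php\ndefine( 'DISALLOW_FILE_EDIT', true );\n",
    "pasted": "<?php\ndefine(\u2018DISALLOW_FILE_EDIT\u2019, true);\n",
    "commented": "<?php\n// define('DISALLOW_FILE_EDIT', true);\n",
    "off": "<?php\ndefine(\"DISALLOW_FILE_EDIT\", false); /* temporary */\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {audit_file_edit(text)}")
```

Anything other than editor-disabled means the dashboard editor is still available to whoever holds an administrator session.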

5. Block brute force attempts

Brute force login attempts are when hackers throw many potential username and password combinations at your WordPress site to gain access.

These aren’t always successful, but there’s a chance they might get in, and such attacks can considerably impact your site’s performance.

WordPress allows unlimited login attempts by default, making it vulnerable to brute-force attacks. You can use several plugins to mitigate this, such as Login Lockdown.

Installing a plugin will block visitors once they’ve made a specific number of failed login attempts and should keep brute-force hackers at bay.

6. Use long, complex passwords

It might be tempting to use a simple password for your WordPress account. After all, how often do you need to log into the back end of your website?

A strong password is essential regardless of how frequently or infrequently you log in. Thankfully, WordPress does a pretty good job at automatically generating complex passwords for you, but you can use plenty of tools on the web to achieve the same thing.

Go for long, complex passwords that include letters, numbers, and special characters. Avoid using anything easily associated with yourself or the business; hackers will try the obvious first!

7. Implement two-factor authentication

Two-factor authentication is available for most online services, devices, and apps, and for good reason: it represents one of the best ways to secure digital assets.

This method of logging in requires two pieces of information to gain access. Firstly, you’ll enter your username and password as usual, and then additional information will be sent to a trusted device (usually your smartphone, via a text message).

The free Google Authenticator plugin for WordPress is a good option if we’ve tempted you to implement two-factor authentication on your website.

Wrap up

The tips above are relatively easy to undertake – if you’re experienced with WordPress management. We don’t recommend undertaking the more technical tricks yourself (or installing plugins with which you’re unfamiliar) – we’d much rather do them properly for you.

Contact us today to learn how we can help secure your WordPress website from hackers.

Written by WP Republic! · Categorized: Security · Tagged: hacked, prevent, WordPress


Comments

  1. Jonas Lejon says

    April 27, 2018 at 10:23 pm

    I would also recommend using a tool like wpscans.com or the open-source wpscan

    • Gerasimos says

      May 9, 2018 at 8:26 am

      Thanks for the heads up Jonas 🙂
