WordPress is a very popular content management and blogging system! According to Wikipedia, WordPress is the most popular blogging system in use, with over 60 million websites using the platform. Because it is so popular, it is an attractive target for hackers.
Here are 7 steps to keep your WordPress site from getting hacked:
1. Keep your WordPress version current and up to date
Most upgrades of WordPress include security updates to fix problems in the code. If you are running older versions of WordPress, you are at risk. Hackers realize that website owners either don’t have the knowledge or don’t take the time to update their installation of WordPress when new versions come out. They write code that targets the known security flaw and injects their hack into the system. They build bots that go out and look for websites running WordPress (remember, there are millions), determine what version they are running, and if they aren’t current, inject their hack into the system, and then you are toast. To keep yourself protected – always upgrade to the latest version of WordPress.
2. Keep your plugins up to date
Hackers target plugins the same way they target WordPress. They find a security hole in a plugin, then target the sites that have that version of the plugin, and you are toast. To avoid this problem, you have got to choose good plugins. Limit your site to just those plugins that are critical to your business. I have seen many sites that are using MANY plugins, sometimes 3 or 4 to accomplish the same task. Choose your plugins carefully by selecting those that have lots of downloads and reviews. When you choose to stop using a plugin, don’t just deactivate it, delete it from your server.
Also when choosing a plugin, make sure that it supports the most current version of WordPress. You don’t want to be using a plugin that is not being actively updated by its author. Finally, spend the time (regularly) to update your plugins, especially when a new version of WordPress comes out.
3. Don’t use the username admin
When you set up WordPress, don’t use the default username of admin. Pick a different name for the administrator account. Hackers know that many sites use the default admin username. They will brute-force that username to break the password, and then they have access to your system. When setting up WordPress, choose a user other than admin to administer your site and, if necessary, delete the admin user if your WordPress installation currently has an admin user account. Stay away from other easy-to-guess usernames, e.g. the name of your blog, administrator, support, etc. This will make it harder for hackers to target your WordPress install.
4. Choose complex passwords
I had a customer account that was constantly being hacked. It seemed that every week over a couple of months it would get hacked and the hacker would replace the blog with a homepage that had all sorts of nasty things on the front page. As a consultant, I was getting frustrated because I couldn’t figure out how the hacker was getting access to the system. I was checking things on the backend and couldn’t find the security hole. I finally asked the customer what their admin password was. It was a single word that was related to the site name. We ended up deleting the admin user account and then created a complex password for the admin user account, and we haven’t been hacked since. There are sites out there like random.org that will help you to create secure passwords, but they will not be easy to remember 🙂
Make sure that you also consider who has administrative rights to the server. Not everyone needs to be an administrator just to submit content to your blog. Limit those with admin access to keep your site secure and make sure all users have complex passwords.
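One way to make "choose complex passwords" stick for every user rather than relying on each person's judgement is to enforce a minimum policy on the server side. The following must-use plugin is an added example written for this post, not code from the original article or from any plugin it mentions; it assumes a file dropped into wp-content/mu-plugins/ and uses WordPress's real user_profile_update_errors and validate_password_reset hooks. The thresholds (12 characters, three character classes) and the function names prefixed example_ are choices made for this illustration.

```php
<?php
/**
 * Plugin Name: Example Password Policy (added example, not from the original post)
 * Description: Rejects short or guessable passwords on profile edits and password resets.
 * Save as wp-content/mu-plugins/example-password-policy.php (assumed path).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never run outside WordPress.
}

/**
 * Return a list of problems with $password, or an empty array if it passes.
 * The username and site name are checked because "a single word related to
 * the site name" is exactly the kind of password that gets guessed.
 */
function example_password_problems( $password, $user_login = '', $site_name = '' ) {
    $problems = array();

    if ( strlen( $password ) < 12 ) {
        $problems[] = 'at least 12 characters long';
    }

    // Count how many character classes appear (lower, upper, digit, symbol).
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $pattern ) {
        if ( preg_match( $pattern, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < 3 ) {
        $problems[] = 'a mix of at least three of: lowercase, uppercase, digits, symbols';
    }

    // Reject passwords that contain the login name or the (space-stripped) site name.
    $forbidden = array( $user_login, str_replace( ' ', '', $site_name ) );
    foreach ( $forbidden as $word ) {
        if ( strlen( $word ) >= 4 && stripos( $password, $word ) !== false ) {
            $problems[] = 'not based on the username or the site name';
            break;
        }
    }

    return $problems;
}

/**
 * Hook for profile edits and new-user creation in wp-admin.
 * $user->user_pass is only set when a new password was typed into the form.
 */
function example_enforce_password_policy( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // No password change in this request.
    }
    $login    = isset( $user->user_login ) ? $user->user_login : '';
    $problems = example_password_problems( $user->user_pass, $login, get_bloginfo( 'name' ) );
    if ( $problems ) {
        $errors->add( 'weak_password', 'Password must be: ' . implode( '; ', $problems ) . '.' );
    }
}
add_action( 'user_profile_update_errors', 'example_enforce_password_policy', 10, 3 );

/**
 * Same policy on the "lost password" reset form, where the new password
 * arrives in the pass1 field.
 */
function example_enforce_password_policy_on_reset( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) || ! ( $user instanceof WP_User ) ) {
        return;
    }
    $candidate = wp_unslash( $_POST['pass1'] );
    $problems  = example_password_problems( $candidate, $user->user_login, get_bloginfo( 'name' ) );
    if ( $problems ) {
        $errors->add( 'weak_password', 'Password must be: ' . implode( '; ', $problems ) . '.' );
    }
}
add_action( 'validate_password_reset', 'example_enforce_password_policy_on_reset', 10, 2 );
```

Because this runs as a must-use plugin, it cannot be deactivated from the dashboard by an account that has already been compromised. It does nothing for passwords that were set before it was installed, so existing administrators still need to change theirs once.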
5. Secure your login with a good login security plugin
I use a login security plugin on my customers’ sites to restrict brute-force login attacks. These plugins delay the time between login attempts to reduce the chance of a bot script brute-forcing a password. Eventually, after so many failed attempts, they ban the IP address of the machine trying to log in. This will reduce the brute-force attacks on your site and keep it more secure. Two plugins that I recommend: Login Security Solution and Simple Login Lockdown.
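To show what such a plugin actually does underneath, here is a minimal lockout in the form of a must-use plugin. It is an added example written for this post, not code from the original article or from the Login Security Solution or Simple Login Lockdown plugins, and it assumes a file placed in wp-content/mu-plugins/. It uses WordPress's real wp_login_failed, authenticate and wp_login hooks and the transient API; the limits (5 failures in 15 minutes, a one-hour ban) and the example_ names are choices made for this illustration.

```php
<?php
/**
 * Plugin Name: Example Login Lockout (added example, not from the original post)
 * Description: Slows repeated login failures per IP and bans the IP after a limit.
 * Save as wp-content/mu-plugins/example-login-lockout.php (assumed path).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const EXAMPLE_LOCKOUT_MAX_ATTEMPTS = 5;                       // failures before a ban
const EXAMPLE_LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS;  // failures are counted within this window
const EXAMPLE_LOCKOUT_DURATION     = HOUR_IN_SECONDS;         // length of the ban

/**
 * Use REMOTE_ADDR only. X-Forwarded-For is client-supplied and trivially faked
 * unless a trusted reverse proxy overwrites it; trusting it lets an attacker
 * both dodge the lockout and lock out other people.
 */
function example_lockout_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_lockout_key( $ip ) {
    return 'example_lockout_' . md5( $ip ); // short, safe option name
}

function example_lockout_state( $ip ) {
    $state = get_transient( example_lockout_key( $ip ) );
    return is_array( $state ) ? $state : array( 'count' => 0, 'locked_until' => 0 );
}

/** Record a failed attempt against the client IP; ban after the limit. */
function example_lockout_on_failure( $username ) {
    $ip    = example_lockout_client_ip();
    $state = example_lockout_state( $ip );

    if ( $state['locked_until'] > time() ) {
        return; // Already banned; the authenticate filter below rejects the request.
    }

    $state['count']++;

    if ( $state['count'] >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS ) {
        $state['locked_until'] = time() + EXAMPLE_LOCKOUT_DURATION;
        set_transient( example_lockout_key( $ip ), $state, EXAMPLE_LOCKOUT_DURATION );
        // Log the event so the ban shows up in the web server / PHP error log.
        error_log( sprintf( 'login lockout: banned %s after %d failures (last username "%s")',
            $ip, $state['count'], sanitize_user( $username ) ) );
        return;
    }

    set_transient( example_lockout_key( $ip ), $state, EXAMPLE_LOCKOUT_WINDOW );
    // A growing delay slows a guessing script. Capped at 3 seconds because the
    // sleeping request still occupies a PHP worker.
    sleep( min( $state['count'], 3 ) );
}
add_action( 'wp_login_failed', 'example_lockout_on_failure', 10, 1 );

/** Refuse to authenticate at all while the IP is banned, even with the right password. */
function example_lockout_authenticate( $user, $username, $password ) {
    $state = example_lockout_state( example_lockout_client_ip() );
    if ( $state['locked_until'] > time() ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed login attempts from your address. Try again later.' );
    }
    return $user;
}
// Priority 30 runs after the core username/password check (priority 20).
add_filter( 'authenticate', 'example_lockout_authenticate', 30, 3 );

/** A successful login clears the counter for that IP. */
function example_lockout_on_success( $user_login, $user ) {
    delete_transient( example_lockout_key( example_lockout_client_ip() ) );
}
add_action( 'wp_login', 'example_lockout_on_success', 10, 2 );
```

Two caveats a real deployment has to handle: many legitimate users can share one public IP (an office NAT, a mobile carrier), so a per-IP ban can lock them all out together, and attackers spread attempts across many addresses, so a per-IP counter alone does not stop a distributed guessing campaign. That is why the strong, non-guessable passwords from step 4 still matter even with a lockout in place.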
6. Choose a good hosting provider
Hosting providers are a dime a dozen. There are thousands of hosting providers out there that provide cheap hosting for your site. However, you want to choose a hosting provider that understands WordPress. I have found 3 that I recommend: Dreamhost, Bluehost and OLM. They have expertise in their IT departments to make sure that they can support WordPress in their datacenter. Be smart, choose a hosting provider that is a WordPress expert.
7. Backup your WordPress site regularly
A good backup can save you from having to completely redo your site. This especially comes in handy when you have hundreds of posts. Pick a backup program that allows scheduled backups, and make sure that the backup file is not on the same server as your site. The backup program that I recommend is Backupbuddy from Ithemes.com. It allows the administrator to back up both the database and the complete site including all the files – especially theme customizations, modifications to stylesheets, etc.
There are lots of other steps that you can take to protect yourself from getting hacked, but if you start with these 7 steps, you will avoid many of the common methods of getting hacked.
Ping me with questions.