Lock It Down! 10 Ways to Secure Your WordPress Site from Hackers
Online security is of utmost importance because we’re doing everything digitally and our data should be protected well. About 20% of the web is powered by WordPress so that makes sites built on there targets for hackers. You’re susceptible to being hacked, not necessarily because someone has personal beef with you but because hackers may be bored and use your site for practice. They gotta sharpen their skills somehow, right?
There’s no real foolproof way to make sure you NEVER get hacked but there are things you can do to make your site harder to compromise. These steps can make a huge difference if you’re ever targeted.
1. Hackers immediately try the username “admin”. Change it.
When you install your WordPress site, “admin” is usually the default username created for you to use to login as the administrator. This is a well-known fact, and this is why the moment you log into your WordPress dashboard for the first time, you should create an additional user, give the account admin privileges, log out of the “admin” username account and login with the new one. While you’re logged into the new one, delete the “Admin” account.
Let me state the obvious: the new username you create should not be “admin2” or anything like that.
2. Hackers go for the predictable passwords. Make yours stronger.
“12345678” and “Password” are not good passwords and they should NEVER be used (although they are the most popular passwords in the world). Your website needs a strong password so hackers (or computer programs) using brute force (guessing passwords and username and trying over and over again) will have an incredibly tough time.
Also don’t use your birthdate for it. Anddd use a password generator to come up with hard ones. Just keep your password stored in a secure program like Keeper.
3. Hackers will keep trying to get in. Limit their login attempts.
If someone or something like a robot tries to login to your website using brute force, a plugin like Limit Logins Attempts will lock their IP address out after a specific number of tries (usually 5 or 10). Yes, they can create new IP addresses but this will make them compromising you just that much tougher.
The one caveat is that if YOU forget your password and you try too many times in a row, you can get locked out of logging into your own dashboard. But you can tell the plugin what your computer’s IP address is when you set it up and “whitelist” it. That means it won’t apply the rules to you.
“Limit logins” is not the only plugin that does this, either. You can use one like Sucuri Scanner (which is a comprehensive security plugin) and enable the feature.
4. Hackers go for the old versions of WordPress first. Keep everything updated all the time!
Your WordPress software needs to remain updated. There are many times that I log into a client’s dashboard and I see they’re still on a version of WordPress from 2 rounds ago. That isn’t good because these updates come with bug patches and everything. Leaving yours in an old version leaves you susceptible to being compromised.
Also, keep your plugins updated too. You don’t have to make updates the moment new ones are available. Wait a couple of days and then do it.
5. Hackers look for plugin heavy websites. Delete unused plugins and themes.
You want to minimize the ways you can be hacked and part of how you do that is by removing anything you aren’t using from your WordPress dashboard and control panel. Plugins that you no longer use and are inactive need to be deleted. They’re just taking up space and serving as extra windows to being compromised. Don’t be a plugins hoarder. Same for themes. Delete old themes because they do not serve you and they might have bugs that will create an avenue for hacking.
6. Hackers look for an easy way in. Disable the ability for others to register for your site
WordPress allows you to let people register for your site. Unless you have a multi-user site or a site that really requires tons of people to get accounts (maybe member only sites), then you do not need to allow just anyone to register. To check if you do, go to your WordPress dashboard, on the left side, go to “Settings” and then “General.” The box that says “Anyone can register” should be unchecked.
7. Make sure you back up your site!
You need to back up your website regularly and often because if you get hacked, sometimes the easy fix is to revert your site to the last known healthy version. If you don’t have a recent copy of your site saved somewhere, you might lose your data, which could be disastrous. I’ve written a post on How to Backup Your WordPress Site. Look there!
8. Get Google Webmaster Tools.
Google Webmaster Tools (aka GWT) is a free set of well, tools, that gives you high-level and detailed information on your site and its health. If you’re ever hacked, you’ll need this tool to get a clean report from Google, otherwise you will be stuck with what I call the red screen of death that appears as a warning to anyone who tries to visit your website. Most people quickly hit the back button at this (for good reason).
Webmasters will alert you to this and you have to clean up your site and then tell Google to re-scan it and give you the green light. How do you do this? Through Google Webmaster Tools. I’ve written a post on Google Webmaster Tools: Why You Need It and How to Set It Up. Read that and make sure you’ve signed up your site.
9. Hackers look for those who are using free themes. Avoid them!
When you install WordPress, it comes with 4 free themes that their official developers have created. Those are fine. However, if you go looking for a theme elsewhere and it’s free, BEWARE. You really do get what you paid for and free themes are more likely to have bad code already included. You do not want that. Most premium themes are a reasonable $20-$200. In fact, you can find a great one for $50 or less on Themeforest. Pay it.
10. Hackers will find a way in through your File Manager. Change file privileges ASAP!
The Wordpress files that are on your server have certain permissions that dictate who has the ability to make changes. Weak assigned privileges can make it easier for someone from the outside to wreak havoc in your files and add bad code. Directories (folders) are recommended to have a 755 permission while individual files should have 644. If you don’t know what I’m talking about, ask your site’s host to help you check to make sure your permissions are what they should be.
Like I said, there’s no foolproof way to keep your site from being hacked. Stuff happens. BUT you want to make your site a hard one to target. If it will be hacked, they need to work at it. Put your defenses up so you can be more proactive than reactive.
If you found this post helpful, pin the image below (hover over it)! You can also pin it from HERE.