How to Lock Down and Secure Your WordPress Site From Hackers
There are millions of websites operating on the WordPress software platform. In fact, 17% of the world's websites are using WordPress. It's easy to use, with a user-friendly interface that allows someone to create and update their site even if they don't have a programming background. It has hundreds of thousands of plugins available to give it a multitude of functionalities to accommodate almost all of your basic website needs. It's also free.
For example, if you don't change your default configuration, hackers and some pesky users with too much curiosity immediately know where to log in to get into your admin area. In WordPress, you can type in "domain.com/wp-admin" and it will take you right to the login screen. At that point, the only thing left between an attacker and your site is your password. The most common method hackers use is brute force, which lets them test millions of login combinations in a short amount of time.
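As an added example (not part of the original deck), here is the defender's side of the brute-force point above: a small Python checker that reads web-server access log lines and flags any address with many failed POSTs to wp-login.php inside a short window. The log lines are constructed, and the rule that a failed login re-renders the form with a 200 while a successful one answers 302 is an assumption about default WordPress behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not real traffic): six failed POSTs
# from one address within a minute, one page view, one successful login (302), and one
# isolated failure from a third address.
ATTACKER = "203.0.113.5"
SAMPLE_LOG = "\n".join(
    [f'{ATTACKER} - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "curl/7.88"'
     for s in range(0, 60, 10)]
    + ['198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
       '198.51.100.7 - - [10/Oct/2023:13:56:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"'])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"].split("?")[0],
            "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def is_failed_login(rec):
    # Assumption: a POST to wp-login.php answered with 200 means the form was re-rendered
    # (credentials rejected); a 302 means WordPress redirected a successful login.
    return rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200

def detect_bruteforce(log_text, threshold=5, window_seconds=300):
    """Return {ip: peak_failures} for addresses with >= threshold failures in any window."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

Running `detect_bruteforce(SAMPLE_LOG)` reports only the attacking address; the same logic can be pointed at a real access log, with the threshold tuned so a user who mistypes a password twice is not flagged.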
Your website can never be 100% secure. Hackers are always trying new things and discovering new vulnerabilities to exploit. The online world changes quickly and the same is true of security.
Good security is about minimizing risk. If anybody tries to sell you a 100% secure solution, they're scamming you. You'll never be completely safe, but there's a lot you can do to minimize your risk. There's also a balance between security and usability. Sometimes locking down your site makes it secure, but it's harder to use. You'll have to find the balance that works for you…and take measures to keep it as secure as possible. That being said, there are a few preventive measures you can take in order to lower your risk of getting your site hacked.
Here are 6 quick steps to make your WordPress website more secure:

1. Keep It Up To Date
One of the biggest security vulnerabilities in WordPress is old software. WordPress is updated fairly often, and whenever there's a new security issue they roll out an update immediately. But you need to stay on top of keeping your WordPress software updated on a regular basis by logging in and checking to see if there's an "update" notification and link in your WordPress Admin area. You also need to keep your themes and plugins up to date—they can have security issues as well. Sometimes people put off updates for fear of breaking their site, but you'd rather break your site with an update than risk a break-in.
Also, if a plugin is deactivated, you need to delete the plugin entirely so that it is not an open, unused folder left on your server that a hacker can take over.
2. Strengthen Your Passwords
Your security is only as good as your password. If you've got a simple password, you're making it very easy for a hacker to walk right in. Your password should have numbers, capitals, special characters (@, #, *, etc.) and be long and unique. Your WordPress password can even include spaces and be a passphrase. Remembering different passwords for different sites is tough, but a hacked site is worse.
3. Manage Your Users
Your own strong password is useless if another admin has a weak one. You need to manage your users. Not everybody needs admin access. The more people with admin access, the more chances to hack your site. If someone is writing blogs for you, give them "Editor" access rather than "Admin", for instance. Remember to update or remove users when you have staff transitions. If you have someone working on development or editing for a temporary period, create a new user account for them and then delete it once they are finished.
4. Back It Up
If anything ever goes wrong with your site, you want to be able to get it back up quickly. That means you need to have backups available to restore the site. In order for a backup to work, it needs to be complete and automatic. Backing up your database isn't enough. That will save your content, but you'll still have to rebuild your entire site, including theme tweaks and plugin settings. And if your backup isn't automatic, you'll forget to do it regularly.
Get a powerful backup tool, such as BackupBuddy, to keep your site safely backed up and ready to be restored. It's a premium plugin that makes backing up and restoring a seamless process.
5. Don't Use "Admin" as Your Username
If you use "admin" as your username, and your password isn't strong enough (see #2), then your site is very vulnerable to a malicious attack. Until version 3.0, installing WordPress automatically created a user with "admin" as the username. This was updated in version 3.0 so you can now choose your own username.
Many people still use "admin" as it's become the standard, and it's easy to remember. Some web hosts also use auto-install scripts that still set up an "admin" username by default. Simply create a new administrator account for yourself using a different username. Then log out, log in as that new user, and delete the original "admin" account. If you have posts published by the "admin" account, when you delete it you can assign all the existing posts to your new user account.
6. Use Security Plugins or Security Services to Protect Your Site
As well as all of the measures above, there are tons of plugins you can use to tighten your site's security and reduce the likelihood of being hacked.
Here are a handful of popular options:
http://wordpress.org/plugins/better-wp-security/ – offers a wide range of security features.
http://wordpress.org/plugins/bulletproof-security/ – protects your site via .htaccess.
http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ – adds a firewall to your site.
http://wordpress.org/plugins/sucuri-scanner/ – scans your site for malware etc.
http://wordpress.org/plugins/wordfence/ – full-featured security plugin.
http://wordpress.org/plugins/websitedefender-wordpress-security/ – comprehensive security tool.
http://wordpress.org/plugins/exploit-scanner/ – searches your database for any suspicious code.
Personally, after trying to find a free plugin that protected my site and getting frustrated, I switched to using Sucuri Security. It's a monitoring service that protects your site as well as fixes it if it gets hacked. It's saved me and multiple clients' websites after getting hacked. I haven't had an issue since I signed up for their service. You can find them at Sucuri.net.
If you're interested in learning more about hardening your website's security, please check out these two resources:
http://codex.wordpress.org/Hardening_WordPress
http://wp.tutsplus.com/tutorials/11-quick-tips-securing-your-wordpress-site
While all of this may sound overwhelming or intimidating…I am not intending to scare you. It's just important to understand the best measures to take so that the hours of time and effort put into building your website are protected.