WordPress sites are regular targets of brute-force attacks. These attacks are automated across all hosting platforms and attempt to find blogs that use default usernames, weak passwords and outdated WordPress installations.
Most content publishers aren’t aware of the threat posed by hackers and may not even know that a successful attack has taken place, so it is important to keep your site safe. These are simple security measures that any blogger can implement today to make their site more secure and protect it against these types of attacks.
1. Create a new user account
It is harder for a hacker to break into your site when both username and password have to be cracked. That is why you should create a new user and delete the WordPress default “admin” user. You create a user by going into “Users” then “Add New” in the WordPress menu. When creating the new user, make sure to give it the role of an “Administrator”.
That will make sure that you have the full authority over your site. Now simply logout from your default “admin” account and log in with the new user details. In “Users” delete the default admin username. Make sure to choose the option to transfer your old posts to your new username when deleting the “admin” account. Do this first before going to the next step.
2. Use a strong password
Do not use simple passwords on your WordPress site. Simple passwords might be easy for you to remember, but they are also easier for a hacker to crack. Use stronger and more secure passwords instead. Your password should be at least eight characters long and should include numbers, special characters, and both uppercase and lowercase letters. Change your password now before going to the next step.
3. Set a new nickname
You do not want your new username to be the author name that is shown on all posts. Set the nickname WordPress uses as author name to something different than your username. You do this in “Users” under “Your Profile” in the Nickname field. Choose a new nickname and set “Display name publicly as” to your new nickname.
4. Disable logins from certain IP addresses
The Login LockDown plugin records the IP address and timestamp of every failed login attempt on your WordPress site. If more than a certain number of failed attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that IP range. An alternative to this plugin is Limit Login Attempts, which does the same.
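The lockout rule these plugins apply, as an added illustration and not code from either plugin: failed logins are grouped by /24 range, and a range that exceeds the attempt limit inside the time window is locked for a fixed period. The records, thresholds and lock duration are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-login records (timestamp, client IP), the
# kind of data a lockout plugin stores; not real traffic.
FAILED_LOGINS = [
    ("2024-01-10 10:00:00", "203.0.113.5"),
    ("2024-01-10 10:00:03", "203.0.113.9"),
    ("2024-01-10 10:00:07", "203.0.113.5"),
    ("2024-01-10 10:00:12", "203.0.113.17"),
    ("2024-01-10 10:00:15", "203.0.113.5"),
    ("2024-01-10 10:30:00", "198.51.100.8"),
    ("2024-01-10 10:31:00", "198.51.100.8"),
]

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def ip_range(ip):
    """Map an address to its /24 so attempts from one block count together."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def find_lockouts(records, max_attempts=5, window_minutes=5, lock_minutes=60):
    """Return {range: lock_until} for ranges exceeding max_attempts failed
    logins within a sliding window of window_minutes (thresholds assumed)."""
    recent = defaultdict(deque)   # range -> timestamps inside the window
    locked = {}
    for ts, ip in records:
        t = datetime.strptime(ts, TS_FORMAT)
        rng = ip_range(ip)
        q = recent[rng]
        q.append(t)
        while q and t - q[0] > timedelta(minutes=window_minutes):
            q.popleft()           # drop attempts older than the window
        if len(q) >= max_attempts and rng not in locked:
            locked[rng] = t + timedelta(minutes=lock_minutes)
    return locked


def is_locked(locked, ip, ts):
    """True if a login from ip at time ts falls inside an active lockout."""
    until = locked.get(ip_range(ip))
    return until is not None and datetime.strptime(ts, TS_FORMAT) < until
```

Note that a whole /24 is blocked, so a lockout triggered by one attacker also affects legitimate users who share that range.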
5. Blacklist all IP addresses except your own
A better solution for some bloggers is to blacklist everyone from logging in to your admin except yourself. You do it by going into the wp-admin folder of your WordPress installation and opening the .htaccess file. Add this code anywhere in the file and make sure to add your IP numbers in there (type “what is my IP” in Google to find your IP address):
# Apache 2.2 mod_authz_host syntax; the default Order is deny,allow, stated
# here explicitly so the allow lines override the deny. On Apache 2.4 the
# equivalent is "Require ip YOURIPNUMBER".
order deny,allow
deny from all
# whitelist home IP address
allow from YOURIPNUMBER
# whitelist work IP address
allow from YOURIPNUMBER
# whitelist holiday IP address
allow from YOURIPNUMBER
You can put several IP addresses in there if you move around quite a lot, but if one is enough for you, that is fine as well. Now when someone else tries to access the login page of your site they will get this message:
Forbidden. You don’t have permission to access /wp-admin on this server.
The only downside of doing something like this is that if your IP address changes you need to go into your FTP client and update the file with your new IP. This can become tedious, especially if your IP address changes often. Another drawback is if you travel a lot or use the internet from different locations. Basically, every time you would need to log in to FTP, find your IP address and put it into the .htaccess file.
6. Do not allow guest user registrations
If you do not have a membership site, then there is no reason to allow visitors to register for a guest account on your site. To check that you’ve got registration turned off, click “Settings” and make sure that “Anyone can register” option is not checked.
7. Always upgrade
Always upgrade to the latest version of WordPress, the latest version of your WordPress theme and the latest versions of the plugins you use. One of the reasons developers release new versions of software and plugins is to fix security vulnerabilities found in older versions. With WordPress all of these upgrades are simple, automated, one-click processes within the WordPress interface.
When a new upgrade is available, WordPress will show a notice at the top of your dashboard. It will say “WordPress X is available! Please update now”. Click on it and your upgrade is a single click away. I made this video a while ago to show you how easy the upgrade process is – no excuses not to upgrade.
If you are afraid to upgrade because of some old WordPress theme you are using that you think is not compatible with the new WordPress, then please switch over to something more modern and something that you know has a serious developer and community behind it.
8. Backup regularly
Taking regular backups of your content and database is important. In case something happens to your site, you can always use the backup to recover your files. There are several plugins that make it simple to back up your files. One of them is BackWPup. Activate the plugin and set it to automatically back up your site and send the backup file to your email address. It is two minutes’ work to install it, activate it and set it so it sends you a new email with a new backup automatically every day, every week or whenever you decide.
No more hacking problems
These 8 simple steps can be carried out fairly quickly and should make your site much harder to break into. It means that you probably will never have a hacking problem, you will feel safer and you will be able to focus your time on creating thrilling content and building an audience.