WordPress is a very popular platform for publishing content online and this makes sites hosted on it a regular target to brute force login attempts. Insecure WordPress installations are also commonly used to attack other sites through DDOS attacks. These attacks are automated across all the hosting platforms and attempt to find authors that are using default usernames, weak passwords and outdated WordPress installations.
Most content publishers aren’t aware of the threat posed by hackers and may not even know that a successful attack has taken place before it is too late and they lose their visitors and search engine rankings. Don’t let this happen to you. These are the simple security measures that any blogger can implement today to properly secure their WordPress blogs and help prevent hacking attacks.
1. Create a new user account
It is harder for a hacker to break into your site when both username and password have to be cracked. That is why you should create a new user and delete the WordPress default “admin” user. This is one of those things I do as soon as I setup a new site. Usernames such as the default “admin” are the most common target of these attacks so they should be deleted and not used.
You create a user by going into “Users” then “Add New” in the WordPress menu. When creating the new user, make sure to give it the role of an “Administrator”. That will ensure that you have the full authority over your site. Now simply log out from your default “admin” account and log in with the new user details. In “Users” delete the default admin username. Make sure to choose the option to transfer your old posts to your new username when deleting the “admin” account. Do this first before going to the next step.
2. Use a strong password
Do not use simple passwords on your WordPress. Simple passwords might make it easy for you to remember it, but they are also easier for a hacker to crack. Use stronger and more secure passwords instead. Your password should be at least eight characters long, it should include numbers, it should include special characters, and uppercase and lowercase letters. Change your password now before going to the next step. This is a tool that helps you create strong passwords.
3. Set a new nickname
You do not want your new username to be the author name that is shown on all posts. Set the nickname WordPress uses as author name to something different than your username. You do this in “Users” under “Your Profile” in the Nickname field. Choose a new nickname and set “Display name publicly as” to your new nickname.
4. Disable logins from certain IP addresses
Login LockDown plugin records the IP address and timestamps of every failed login attempt to access your WordPress. If more than a certain number of login attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that IP range. An alternative for this plugins is Limit Login Attempts and does the same. BruteProtect is another plugin which monitors all failed login attempts over the network of blogs that use the plugin and automatically blocks the failed IP’s. If you actually review what login tries have been done on your blog you will recognize why the step number one is key. Most login tries are done by using “admin” as the username so please do make sure to remove it and use a different username.
5. Blacklist all IP addresses except your own from logging into your admin
A better solution to the step 4 above for some is to blacklist everyone from logging in to your admin except yourself. You do it by going into the wp-admin folder of your WordPress installation and opening the .htaccess file. Add this code anywhere in the file and make sure to add your IP numbers in there (type “what is my IP” in Google to find your IP address):
deny from all
# whitelist home IP address
allow from YOURIPNUMBER
# whitelist work IP address
allow from YOURIPNUMBER
# whitelist holiday IP address
allow from YOURIPNUMBER
You can put different IP addresses in there if you move quiet a lot but if one is enough for you, that is fine as well. Now when someone tries to access the login page of your site they will get this message:
Forbidden. You don’t have permission to access /wp-admin on this server.
The only downside of doing something like this is that if your IP address changes you would need to go into your FTP and update the document with your new IP. This can become a boring thing to do especially if your IP address changes often. Another negative is if you travel a lot of use internet from different locations. Basically every time you would need to login to FTP, find your IP address and put it into the .htaccess file.
6. Block bots from accessing WP-Admin login page
This is actually simply to do and means that if and when a bot stumbles upon your site and tries to login to your WP-Admin it will be blocked and won’t be able to do any damage. To block the bots you just need to locate your .htaccess file on your server in your main directory (not the one in /wp-admin/ folder like in the step above) and paste this list at the top of your file. Alternatives to this are plugins such as Lockdown WP-Admin and Stealth Login Page that hide your login page so bots cannot access it similar to the step above.
7. Do not allow guest user registrations
If you do not have a membership site, then there is no reason to allow visitors to register for a guest account on your site. To check that you’ve got registration turned off, click “Settings” and make sure that “Anyone can register” option is not checked.
8. Do not allow pings
WordPress sites that have pingback option enabled can be used in DDOS attacks against other sites. This option is enabled by default so it is important to disable it. In “Settings” go into “Discussion” and in “Default Article Settings” tick off “Allow link notifications from other blogs (pingbacks and trackbacks)”.
9. Activate a security plugin
There are several security plugins that can help protect your site and prevent any hacking attempts. Two of the best options are Wordfence Security and Better WP Security. They both do quite a few things to make your site safer including forcing you to use stronger passwords, making you delete the admin username and they also do block bot traffic and help you do regular security scans.
10. Keep an eye on the Webmaster Tools
Google Webmaster Tools is a valuable resource even for your site security. The “Security Issues” section of your profile notifies you if Google have detected malware or any other security issues with your site. Keep an eye on this and act quickly.
11. Always upgrade
Always upgrade to the latest version of WordPress, latest version of your theme and latest version of plugins you use. One of the reasons developers upgrade their software and plugins is the security vulnerability found in older versions. With WordPress all of these upgrades are simple, automated, one-click processes within the WordPress interface. When there is a new upgrade available, WordPress will give you a notice on top of your dashboard. It will say “WordPress X is available! Please update now”. Click on it and your upgrade is a simple one-click away. No excuses not to upgrade. Since WordPress 3.7 the upgrades are now automated with automatic background updates so you may find that your WordPress upgrades to the latest version while you sleep.
If you are afraid to upgrade because of some old WordPress theme you are using that you think is not compatible with the new WordPress, then please switch over to something more modern and something that you know has a developer and a community behind it.
Speaking of plugins and themes it is recommended not to download them from any unknown source other than the official WordPress directory and the official websites of premium themes and plugins. Quality signs to look for in a plugin or a theme are a high number of downloads, regular and recent updates and good reviews.
12. Backup automatically
Taking regular backups of your content and database is important. Any upgrade of WordPress could possibly lead to an unforeseen situation. The site’s database may become corrupted for example. Although hosting providers execute their system backups on their part, we should take personal responsibility in doing regular backups as well. WordPress site consists of two parts:
- Database: a place where all settings, pages, posts and comments are stored
- Files: which comprise of media, attachments, themes and plugins.
It is always recommended to perform a full backup of the entire site, which means both database and files. In case something happens to your site, you can always use the backup to recover your files.
The most convenient and most acceptable way even for non tech-savvy users is doing backup by using plugins. There is a plethora of available plugins. One of them is BackWPup. Activate the plugin and set it to automatically backup your site and send the backup file to your email address. Two minutes work to install it, activate it and set it so it sends you a new email with a new backup automatically every day, every week or whenever you decide.
Do the first backup, right after you read this article, if you haven’t done that already. Really. You will continue building and growing your website with a much bigger confidence.
No more hacking problems
These simple steps can be executed fairly quickly and will make your site so much harder to break into. It means that you probably would never have a hacking problem, you will feel safer and will be able to focus your time on creating thrilling content and building an audience. Happy blogging!