How to Protect Your WordPress Website From Hackers
WordPress security! We’re all concerned about it, and we hear about sites being hacked virtually every day. The question is: are we doing enough? How do we keep our WordPress website safe?
If you’ve ever owned a brick-and-mortar store and been broken into, you’ll know that the break-in itself isn’t the worst part (after all, you have insurance). It’s dealing with the aftermath: cleaning up the glass, boarding up the window, waiting for things to get back to normal. The same can be said for your website. A hacked site can, in some cases, suffer irreparable damage.
What a Hacked Site Really Means:
Being a web designer, over the years I’ve had several people come to me asking for help after their website has been hacked. Here are a few things that can happen as a result.
- You lose your website and have to rebuild it.
- Google Search results show a ‘this website may be hacked’ notification.
- Your email address is blacklisted (it’s blocked and nobody receives your emails anymore).
- Any domain authority your website has takes an instant nosedive.
- It costs hundreds of dollars to get your site fixed and running again.
How to Start Protecting Your WordPress Website:
Many people, and even some web designers, may be of the opinion that simply installing a plugin or two will protect them. While there is some truth to that, security plugins typically slow down your site and can interfere with updating plugins and other core WordPress components.
Change Your User Name:
The first thing that would-be hackers search for is your username. DO NOT use ‘admin’ as your username for your website. I strongly encourage you not to use your company name either.
There are a couple of ways that hackers will try to figure out your username if ‘admin’ isn’t working for them. One is to find the name of the person who owns the site, especially if the site is based around a person, and run variations based on their name.
A more typical way of finding out a username is to look at the author meta tags on blog posts. By default, WordPress author meta tags display the username of the person posting. It’s the easiest way to figure out someone’s username.
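To see whether your own posts give away a login name, you can run a check like the one below against the HTML of a published post. This is an added example, not code from WordPress or from the original article; the sample page, the `shop.example` address and the login names are constructed, and it assumes the author appears in a `meta name="author"` tag or a `rel="author"` link.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a rendered blog post (not taken from a real site).
SAMPLE_POST = """
<html><head>
<meta name="author" content="siteboss">
</head><body>
<article>
  <h1>Spring sale</h1>
  <span class="byline">by
    <a rel="author" href="https://shop.example/author/siteboss/">Jane</a>
  </span>
</article>
</body></html>
"""

class AuthorHints(HTMLParser):
    """Collects every author value a visitor can read from the page markup."""

    def __init__(self):
        super().__init__()
        self.hints = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "author":
            self.hints.add((a.get("content") or "").strip().lower())
        elif tag == "a" and "author" in (a.get("rel") or "").lower().split():
            # Author archive links look like /author/<slug>/
            path = urlparse(a.get("href") or "").path
            parts = [p for p in path.split("/") if p]
            if "author" in parts[:-1]:
                self.hints.add(parts[parts.index("author") + 1].lower())

def exposed_logins(html, login_names):
    """Return the login names that appear in the page's public author markup."""
    parser = AuthorHints()
    parser.feed(html)
    return {name for name in login_names if name.lower() in parser.hints}
```

If the result is not empty, that account's login name is visible to every visitor, so it should not be the account that holds the administrator role.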
Change Your Password:
I came across a stat the other day that stated 80% of websites get hacked because their passwords were too simple. Hackers know that people often use their own birthdays, or those of their kids or spouses, for PIN numbers and as part of their passwords, so if they do a little research, they can find out more about you and get some ideas as to what your password might be, or at least part of it.
Create a completely separate username and password for the administrator role and use the “Generated Password” that WordPress creates when adding a new user. This protects your website from anyone guessing your username and password. Then create a new user for yourself as an “Editor”. This way, you’ll still be able to write blog posts and edit pages.
Keep Your Site Updated:
The plugins you choose to use on your site are important. There are thousands of WordPress plugins out there and many are abandoned. That is to say, the developer who built the plugin no longer puts effort into keeping it up to date.
Hackers will look for vulnerabilities in plugins as a way in because plugins require administrator access to the site. If they can corrupt a plugin, they can potentially get to the rest of your website. While you may keep your plugins up to date, it’s difficult to know if the code is out of date and therefore vulnerable to attacks. However, I must state that this type of attack doesn’t happen too much unless the plugin is pretty well-known and seriously out of date. Hackers are looking for plugins that are widely used so they can exploit them on a larger scale.
WordPress itself, of course, is the greatest vulnerability. This is why there are so many updates to WordPress: its developers are constantly looking for vulnerabilities and fixing them. No platform is perfect. But because WordPress is used by over 25% of all websites on the internet today, it is a priority for attackers.
Update WordPress and your plugins as soon as an update is available. This will help to keep your website more secure.
Keep Multiple Backups of Your Website:
One of the biggest things I see is that people do not back up their website. Instead, they rely on, or expect, their hosting provider to do it for them. Hosting providers do make regular and incremental backups, but they only keep that data for a relatively short period of time, typically a week or two. This means that if your site does get hacked or if something goes wrong, you likely don’t have much of a fallback by relying on your hosting provider. You could get stuck with an infected backup.
Rebuilding some data is much easier than rebuilding your entire website.
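One way to keep multiple backups without storing every single one is a tiered retention rule: the last few daily copies, plus one per week and one per month going further back. The sketch below is an added example, not part of the original article; the retention counts (7 daily, 4 weekly, 6 monthly) and the nightly backup dates are assumptions made up for illustration.

```python
from datetime import date, timedelta

# Constructed sample: one backup per night for 200 nights.
TODAY = date(2024, 6, 30)
NIGHTLY = [TODAY - timedelta(days=i) for i in range(200)]

def backups_to_keep(backup_dates, daily=7, weekly=4, monthly=6):
    """Pick restore points: the newest `daily` backups, plus the newest backup
    in each of the last `weekly` ISO weeks and `monthly` calendar months."""
    ordered = sorted(set(backup_dates), reverse=True)  # newest first
    keep = set(ordered[:daily])
    weeks, months = {}, {}
    for d in ordered:
        # setdefault keeps the first (newest) backup seen for each bucket
        weeks.setdefault(tuple(d.isocalendar())[:2], d)
        months.setdefault((d.year, d.month), d)
    keep.update(list(weeks.values())[:weekly])
    keep.update(list(months.values())[:monthly])
    return keep

def oldest_restore_point_age(kept, today):
    """Age in days of the oldest backup you could still restore from."""
    return (today - min(kept)).days

def backups_to_delete(backup_dates, **tiers):
    """Everything not selected by the retention rule can be pruned."""
    return set(backup_dates) - backups_to_keep(backup_dates, **tiers)
```

With the sample data this keeps 15 of the 200 backups and still leaves a restore point about five months old, whereas a plain two-week window only reaches back 13 days. That gap matters when a hack goes unnoticed for longer than the host keeps its copies.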
While managing your login credentials and keeping your site up to date play the largest role in WordPress Security, I still recommend using a security plugin. You can never be too careful and it’s good practice to layer your security in such a way that does not slow down your website.