Do you have a WordPress website? Then you need to learn how to secure WordPress sites!
WordPress is a very widely-used website publishing platform… lots of people use it! Unfortunately, this also makes it a popular target for hackers on the prowl for websites to compromise.
With just a few basic steps you can stop these attacks against your WordPress website, or at least make it a difficult target.
WordPress attacks have been particularly bad over the past week, and it is likely that at least some of you may have received an email from your web host, warning about this.
The current WordPress attacks are “brute force” attacks where the culprits are using a bunch of computers to hit WordPress sites and hack into them by trying to guess the username and password of the WordPress Admin panel.
You can read more about this here.
How To Secure WordPress Against Attacks
As I said, these WordPress attacks will always be around, even after this current spike, so how can you stop your WordPress site from being penetrated by such hacker attacks?
Here are some of the things that I recommend and have done to minimize WordPress attacks on the sites that I manage:
Step 1 Of How To Secure WordPress: Get Rid of the Admin Username
By default, WordPress comes with one username called admin after installation. Many people just continue using admin. Hackers know this. If you are still using it, you need to stop doing that.
It is one half of the equation that the brute force attack is trying to solve. Why make it easy for hackers by providing them with 50% of the information they need?
Here’s how to get rid of the default admin username:
- Log on using admin. It will be the last time you do that 😉
- Go to the Users menu and add a new user. The username you pick can contain the word “admin” if you want it to, but add something to that. You will have to use an email address that is different from the one you are currently using for the admin username. Give this new username the Administrator role. Pick a strong password (see below).
- Log out from admin and log back in using your new username.
- Go back to the Users menu and delete the old admin username. During this step, you will be able to transfer all earlier posts created under admin to your new username.
- You’re done! Continue using the new username in the future.
Step 2 Of How To Secure WordPress: Pick A Strong Password For Your Admin Username
It’s amazing how many people use a simple word for a password… a word that can be found in a dictionary. Don’t ever do that, even for low-level websites!
For something as important as your online banking or the administrative logon of your WordPress site, you definitely want to pick strong passwords. I have written another article on creating strong passwords. Please read over that.
In a nutshell, use long passwords of 8 or more characters that include uppercase and lowercase letters, special characters like @ # $ %, and a number or two.
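To make those rules concrete, here is a small checker that applies them to a candidate password. This is an added example, not code from the original article or from WordPress; the short COMMON_WORDS list is a constructed stand-in for a real dictionary wordlist, and the rule names are my own.

```python
import re
import string

# Constructed stand-in for a real dictionary wordlist (assumption: a real
# deployment would load a large wordlist instead of these few entries).
COMMON_WORDS = {"password", "welcome", "letmein", "wordpress", "admin", "monkey", "dragon"}

# "Special characters like @ # $ %" from the article, plus the rest of ASCII punctuation.
SPECIALS = set("@#$%") | set(string.punctuation)


def password_problems(password: str, min_length: int = 8) -> list:
    """Return the list of rules the password fails; an empty list means it passes.

    Rules follow the article: 8+ characters, upper and lower case letters,
    at least one digit, at least one special character, and not a dictionary word.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    # Dictionary check: strip digits and punctuation so "Password1!" is still
    # recognised as the dictionary word "password" with decoration added.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in COMMON_WORDS:
        problems.append("based on a dictionary word")
    return problems


def is_strong(password: str) -> bool:
    """True when the password satisfies every rule above."""
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ["abc", "Password1!", "Tr0ub4dor&3!x"]:
        verdict = "strong" if is_strong(candidate) else "weak: " + ", ".join(password_problems(candidate))
        print(f"{candidate!r}: {verdict}")
```

The dictionary check deliberately strips digits and punctuation before comparing, because "Password1!" ticks every character-class box yet is still one of the first guesses a brute-force list will try.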
Step 3 Of How To Secure WordPress: Install WordPress Security Plugins
There are several excellent security plugins that you can install to further help protect your site against WordPress attacks. Here are the plugins that I use:
- Wordfence: This is my favorite! Mark Maunder and his colleagues did an excellent job with this! Wordfence scans your WordPress core files and looks for modified files. If it finds anything, it has a feature that lets you easily restore the original version of the file. It will also email you if it finds anything that needs attention. It has helped me find several compromises in the past.
- Limit Login Attempts: This does exactly what the name says… By default, after 4 failed attempts to log on, it won’t allow another attempt for 20 minutes.
- SI Captcha AntiSpam: This plugin makes it easy to add captchas to pages on your site where people submit information, like comment boxes. I’m using it to add a captcha to my WordPress Admin panel logon screen. By default, this feature is disabled, so you’ll have to go to the plugin settings page to turn it on.
- Bad Behavior: This one attempts to stop bots from even reaching your website. If they can’t reach your site, they can’t post spam or otherwise try to interact with it.
If you’re only going to install one of these plugins, let it be Wordfence.
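The Limit Login Attempts rule above (4 failed attempts, then a 20-minute lockout) is easy to picture as code, and seeing it run against a simulated brute-force sequence shows why it blunts the password-guessing attacks described at the top of this article. The following is an added example of that throttling logic, not the plugin's own code; the LoginThrottle class, its method names, and the sample attempt sequence are all constructed for illustration.

```python
import time
from collections import defaultdict

MAX_FAILURES = 4            # after this many failed logins in a row...
LOCKOUT_SECONDS = 20 * 60   # ...refuse further attempts for 20 minutes


class LoginThrottle:
    """Tracks consecutive login failures per key and enforces a temporary lockout.

    The key is a (username, client_ip) pair: locking on the username as well as
    the address matters because the attacks use many computers, so a single IP
    rarely reaches the failure limit on its own.
    """

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # key -> consecutive failed attempts
        self.locked_until = {}             # key -> unix time when the lockout expires

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Lockout has expired: clear the state so the user can try again.
            del self.locked_until[key]
            self.failures[key] = 0
            return False
        return True

    def attempt(self, key, password_ok, now=None):
        """Record one login attempt; returns 'locked', 'ok', or 'failed'.

        While locked, even a correct password is rejected, which is what stops
        a guessing attack from being rewarded the moment it hits the right value.
        """
        now = time.time() if now is None else now
        if self.is_locked(key, now):
            return "locked"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.locked_until[key] = now + self.lockout_seconds
        return "failed"


def simulate(throttle, attempts):
    """Run a constructed list of (username, ip, password_ok, timestamp) attempts."""
    return [throttle.attempt((user, ip), ok, now=ts) for user, ip, ok, ts in attempts]


if __name__ == "__main__":
    # Constructed sample: five bad guesses one second apart, then the correct
    # password during the lockout, then the correct password after it expires.
    sample = [("admin", "203.0.113.5", False, 100 + i) for i in range(5)]
    sample.append(("admin", "203.0.113.5", True, 110))
    sample.append(("admin", "203.0.113.5", True, 100 + 4 + LOCKOUT_SECONDS))
    for (user, ip, ok, ts), result in zip(sample, simulate(LoginThrottle(), sample)):
        print(f"t={ts:5d} {user}@{ip} password_ok={ok!s:5} -> {result}")
```

With the limit at 4 and the lockout at 20 minutes, an attacker gets at most 4 guesses per username per 20 minutes from each address instead of thousands per minute, which is the whole point of the plugin; combining it with the captcha and with a non-default username makes each of those few guesses worth even less.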
Step 4 Of How To Secure WordPress: Keep WordPress Updated
Lastly, always make sure that you are running the latest version of WordPress. Many updates include security fixes that have become known since the last update.
If you install Wordfence, it can be configured to email you when updates are available for your WordPress installation or plugins.
If you follow these steps on how to secure WordPress, you will go a long way towards protecting your WordPress website and your hard work against attacks!