Why is WordPress such a target for hackers? Because it is popular. No content management system is exempt from being hacked, but because WordPress is so incredibly popular and because so many do not do everything they can to keep themselves protected, they are an easy target for spammers and hackers.
Studies show that as many as 170,000 WordPress websites were hacked in 2012! The breakdown of how these hacks happened, as noted by WP White Security, is as follows:
- 41% of hacked WordPress sites were hacked through a security vulnerability on their hosting platform
- 29% were hacked via a security issue in the WordPress Theme they were using
- 22% were hacked via a security issue in the WordPress Plugins they were using
- 8% were hacked because they had a weak password.
The best way to prevent a hack from happening to you? BE AWARE & PROACTIVE! A website is part of your business and should be something that is monitored often to ensure it is running well and is secure. The items below are steps you can take to ensure your WordPress website is as secure as it can be.
KEEP WORDPRESS UPDATED
You always want to make sure you have applied all updates to WordPress as they come out. By not keeping your website updated you are putting your website at risk since many updates are done just to keep your website secure. Before you do an update, make sure you run a full backup of your website.
If you see the update notice when you log in to your WordPress dashboard – take a few minutes to make sure you have a recent backup and then you can update your WordPress to the latest version.
Also, consider following the WordPress blog which will show you the latest updates and releases: WordPress News
BACKUP YOUR WEBSITE
Make sure you always have a backup of your website! Every 2 Dogs Design client website launches with an automatic backup feature that will save a full copy of your website every week on your server so you always have a fresh copy. But if you are not a client you can install a plugin that will do this for you.
Here are a few that we personally like.
Updraft Plus is the one we primarily use on our clients' websites. Single click backup of files and database that you can have uploaded to many different places!
WordPress Backup To DropBox syncs with Dropbox so you can keep a copy off of your server for the ultimate security.
Backup WordPress allows you to upload to your server, Dropbox, Google Drive and more.
Finally we have VaultPress which does have a small subscription fee, but it is worth it.
UPDATE YOUR PLUGINS
WordPress plugins also need to be updated – an outdated plugin can leave a lot of ways for hackers to get in!
Also use caution when downloading plugins. Since plugins are open source and can be created by anyone, you have to be sure you are downloading ones that are free from malicious code. Do your research on plugins before installing any on your website!
Look at the reviews, learn about the author and be sure to see how often they are updating it. Some extensions have not been updated in a long time – that is a signal that issues could arise. By reading the reviews and looking at the support questions you can see the issues that the plugin may have – and make better choices in the plugins that you choose to use.
Before downloading any plugin, we do recommend doing a quick check to make sure there are no vulnerabilities!
CHANGE YOUR USERNAME & PASSWORD
If you are still logging in to your WordPress admin with the username of “admin” – you are putting yourself at risk. This is the FIRST thing you should change when you launch your WordPress website – or your developer should have changed it for you before handing your site over to you.
If you need to change your username – here are the simple steps:
a) Create a NEW user and make sure they are set to have administrative access.
b) Make sure your new username is unique and your password includes a variety of numbers and letters in both capital and lowercase.
c) Log out from the old admin user once the new user is created
d) Log in with the new user login you just created
e) Go to users and DELETE the old admin user name – it will ask you where you want to transfer all posts, make sure you choose the NEW username you just created
By removing the “admin” username you now have a much more secure website. If you need help choosing a really secure password, here is a great tool that can help: Password Generator
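As an added example (not from the original post or the Password Generator tool it links to), here is a small Python routine that produces a password with the variety the text asks for – numbers plus letters in both capital and lowercase – and checks any password you already have against the same policy. It draws from the operating system's cryptographic random source through the standard secrets module; the length and the 16-character minimum are our own assumptions.

```python
import math
import secrets
import string

# Letters in both cases plus digits, as the text recommends; symbols are left
# out so the result can be typed on any keyboard layout (our assumption).
ALPHABET = string.ascii_letters + string.digits


def meets_policy(password: str, min_len: int = 16) -> bool:
    """Long enough, and with at least one lowercase, one uppercase and one digit."""
    return (
        len(password) >= min_len
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
    )


def generate_password(length: int = 20) -> str:
    """Draw from the OS CSPRNG (never random.choice) until the draw passes the policy."""
    if length < 8:
        raise ValueError("use at least 8 characters; 16 or more is better")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_len=length):
            return candidate


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Strength of a uniformly random password: log2(alphabet size) per character."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20):.0f} bits of entropy)")
    print("old habit passes policy?", meets_policy("Passw0rd"))   # False: too short
```

A 20-character password from this 62-symbol alphabet carries about 119 bits of entropy, far beyond what a login form can be brute-forced against; the lockout emails later in this article show why that margin matters.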
CHOOSE SECURE HOSTING
Hosting is one of the top reasons for hacking issues – as noted above, reports show that 41% of the hacks happened at the host level. If you are on a cheap host or one that is not doing everything it can to prevent hack attempts then you are opening yourself up to allow the hackers in. If you are hacked at the host level, there is nothing you can do to prevent it and you are at the mercy of the host to fix it!
It is important to invest in a host that will be a step ahead of the hackers, and while no host is immune to hackers completely – some do a lot more than others to keep them at bay.
Here are some things to consider when signing on for hosting.
a) Choose a host that provides free backup recovery – although you should have your own as well, it is a great addition so that you never lose your data
b) Ask if the host offers security monitoring services that monitor for malware – do a search for “hosts offering free daily malware scanning”
c) If you are considering a host do your research! Do searches for things like “my site was hacked on whatever host you are considering”
d) Review the recommended WordPress hosting list at WordPress Hosting Recommendations
Be sure to do your research! If you are doing research about hosts, be sure to find websites that give actual insight via comments and dialogue – there are many web pages that are “website hosting review” sites, but those are just affiliate websites trying to make money – do not use those to make such an important decision!
PROTECT YOUR WP-CONFIG.PHP FILE
If hackers can get access to your wp-config.php file – they can wreak havoc!
This is a file in your root directory that contains the configuration details of your blog, including your database credentials, so making sure no one can access this file is a major way to prevent a hack.
By adding the following code to your .htaccess file – you can prevent anyone from accessing the wp-config.php file through the web. This will also block the website owner from reaching the file that way – so if for some reason you need to access it through the web in the future, you will need to remove this code from the .htaccess.
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
KEEP YOUR OWN COMPUTER CLEAN
Yes, what is going on on your own personal computer can impact what happens on your website. Imagine you have malware on your computer that records your every move (called a keystroke logger). The hackers can then see every keystroke, including your WordPress login, and gain access to your website just from this malware.
No matter how secure you may make your WordPress website, if you have malware on your computer it is all in vain. Make sure your browsers are up to date, run frequent malware scans and keep your operating system updated to avoid computer malware issues that can cause issues with your website.
USE A WP SECURITY PLUGIN
There are a few great plugins that you should definitely install that will do a great job of monitoring your website for a variety of issues, from malware to file integrity to activity auditing. Here are a few to consider; each has its own advantages and some offer a free and a premium version.
We use Wordfence on our website and here is a screen capture of a recent scan that we have done on 2 Dogs Design:
You can see that it found an issue in the old themes, plugins and core files section. When we scroll down we can see exactly which plugin has the issue and take action to fix it. In this case it was our Shareaholic plugin – which needed to be updated. This is a great way to see at a glance where you may have vulnerabilities.
CHANGE YOUR DATABASE PREFIX
By default your WordPress database table prefix will be wp_, and since that is the default, every hacker in the world knows it too and can use it to their advantage when trying to inject malicious code into your database tables.
We highly encourage you to rename the prefix of your database tables to something custom that the hackers cannot easily guess. Examples can be “cattygirl2354_” or “jessupb6923_” – just a unique array of letters and numbers.
More experienced website owners can do this via the SQL database with some custom commands, but those who are less knowledgeable may want to hire someone to help.
Before you update your database prefix, be sure that you run a full backup of your website in case any issues arise! Then, once you have made the change and ensured everything on the site is working as it should, run another backup that has the new database prefix.
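For the "custom commands" route, here is an added example (ours, not from the original post) in Python that writes the SQL for the prefix change from a table list such as `SHOW TABLES` returns. It renames every table that carries the old prefix and, just as important, rewrites the two places where WordPress stores the prefix inside the data (the user_roles option and each user's capability keys in usermeta); skip those and every account loses its role and you are locked out of the dashboard. The table list is a constructed sample of a default install plus one unrelated table, the new prefix is one of the examples from the text, and the generated statements assume MySQL/MariaDB. Run them only after the full backup the text insists on, with the site offline, and change $table_prefix in wp-config.php in the same step.

```python
import re

OLD_PREFIX = "wp_"
NEW_PREFIX = "jessupb6923_"      # one of the example prefixes from the text

# Constructed sample: the tables of a default install, as `SHOW TABLES` would
# list them, plus one unrelated table that must be left alone.
TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_terms", "wp_term_relationships", "wp_term_taxonomy",
    "wp_termmeta", "wp_usermeta", "wp_users", "unrelated_app_table",
]


def validate_prefix(prefix: str) -> str:
    """WordPress accepts only letters, digits and underscores; keep the trailing underscore."""
    if not re.fullmatch(r"[A-Za-z0-9_]+_", prefix):
        raise ValueError(f"bad prefix {prefix!r}: letters, digits and underscores only, ending in _")
    return prefix


def rename_statements(tables, old, new):
    """One RENAME TABLE per WordPress table; tables without the old prefix are skipped."""
    return [
        f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;"
        for t in tables if t.startswith(old)
    ]


def fixup_statements(old, new):
    """The prefix is also stored inside the data: the user_roles option and the
    per-user capability keys (wp_capabilities, wp_user_level, ...) in usermeta."""
    old_like = old.replace("_", r"\_")      # '_' is a LIKE wildcard, so escape it
    return [
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';",
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{old_like}%';",
    ]


def wp_config_line(new):
    """The matching change in wp-config.php, made before the site is loaded again."""
    return f"$table_prefix = '{new}';"


def migration_script(tables, old, new):
    """Full SQL script: renames first, then the data fix-ups."""
    new = validate_prefix(new)
    return "\n".join(rename_statements(tables, old, new) + fixup_statements(old, new))


if __name__ == "__main__":
    print(migration_script(TABLES, OLD_PREFIX, NEW_PREFIX))
    print("-- and in wp-config.php:", wp_config_line(NEW_PREFIX))
```

The LIKE pattern is escaped because an underscore is a single-character wildcard in SQL; an unescaped 'wp_%' would also match keys that merely start with "wp" followed by any character.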
PROTECT YOUR ADMIN AREA
There are a couple of ways you can keep your admin area safe. If you are a small website that only has a few people who need access to the admin and you have no need for visitors to access it, you can restrict access by applying the following code to the .htaccess file in your wp-admin folder:
# Block access to wp-admin.
order deny,allow
deny from all
allow from x.x.x.x
The x.x.x.x in the allow from line should be your IP address. If you are not sure what that is you can visit whatismyip.com where you can get your IP address.
You will need to add an allow from line for EACH person that needs access to your admin, with their specific IP address.
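As an added example (our code, not from the original post), here is a small Python script that writes both .htaccess rules from this article: the wp-config.php block for the root .htaccess and the wp-admin allow list with one allow line per person, as described above. It validates every address with the standard ipaddress module so that a typo or a private LAN address (which a visitor's public IP can never be) cannot lock everyone out, and it adds an exception for admin-ajax.php, which lives inside wp-admin but is called by many front-end plugins on behalf of logged-out visitors, so blocking it silently breaks those features. The addresses in ADMIN_IPS are constructed placeholders from the documentation ranges. The directives use the Apache 2.2 Order/Allow/Deny syntax this article uses; on Apache 2.4 they need mod_access_compat, or the equivalent Require directives.

```python
import ipaddress

# Constructed sample input: documentation-range addresses standing in for the
# real public IPs of the people who need wp-admin access (hypothetical values).
ADMIN_IPS = ["203.0.113.10", "198.51.100.25"]

# Addresses that cannot be a visitor's public IP: typing one of these in by
# mistake would lock everyone out, so the generator refuses them.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]


def wp_config_rule() -> str:
    """Rule for the root .htaccess: deny every client web access to wp-config.php."""
    return "\n".join([
        "<Files wp-config.php>",
        "Order allow,deny",
        "Deny from all",
        "</Files>",
    ])


def wp_admin_rule(allowed_ips) -> str:
    """Rule for wp-admin/.htaccess: deny everyone, then allow one address per person."""
    lines = ["# Block access to wp-admin.", "Order deny,allow", "Deny from all"]
    for raw in allowed_ips:
        ip = ipaddress.ip_address(raw.strip())          # ValueError on a typo such as "1.2.3"
        if any(ip in net for net in NON_PUBLIC):
            raise ValueError(f"{ip} is a private or loopback address, not a public one")
        lines.append(f"Allow from {ip}")
    return "\n".join(lines)


def admin_ajax_exception() -> str:
    """Re-open admin-ajax.php, which front-end plugins call for logged-out visitors too."""
    return "\n".join([
        "<Files admin-ajax.php>",
        "Order allow,deny",
        "Allow from all",
        "Satisfy any",
        "</Files>",
    ])


def build_wp_admin_htaccess(allowed_ips) -> str:
    """Complete wp-admin/.htaccess: the allow list plus the admin-ajax exception."""
    return wp_admin_rule(allowed_ips) + "\n\n" + admin_ajax_exception() + "\n"


if __name__ == "__main__":
    print("# root .htaccess\n" + wp_config_rule() + "\n")
    print("# wp-admin/.htaccess\n" + build_wp_admin_htaccess(ADMIN_IPS))
```

Note that wp-login.php sits in the site root, not in wp-admin, so this allow list does not stop login attempts by itself; it stops anyone outside the list from reaching the dashboard even with a valid password, which is the protection the text is after.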
As an alternative – if you have several people who require access or if you often rely on Wi-Fi networks that can change IP addresses often, you can use a plugin that will allow you to set limits on your login settings.
A couple of good ones that have several login related features to protect you are:
Better WordPress Security
We use Wordfence on our website and for a short while had it set to email us when there were attempts at logins to our admin. We stopped that email notification quickly as it became overwhelming! Yes, there are really that many attempts every day to access your WordPress login. This is a simple step that can have great rewards.
Here is a sample of an email we received about an attempt someone made to access our admin login. You can see in the email that they used an invalid username “admin” – which is why it is critical that you change that!
This email was sent from your website “” by the Wordfence plugin at Wednesday 17th of December 2014 at 11:45:14 AM
The Wordfence administrative URL for this site is: https://www.2dogsdesign.com/wp-admin/admin.php?page=Wordfence
A user with IP address 220.127.116.11 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username ‘admin’ to try to sign in.
User IP: 18.104.22.168
User hostname: 93-61-66-215.ip145.fastwebnet.it
This list is a basic list of some of the most common types of security measures we put in place for our clients and some of the easier options that you can do yourself! While no one can guarantee that you will not be hacked – by following some of these steps and keeping a close eye on your website and the activity that is going on – you can decrease your chances significantly.
As things change we will continue to add to this list and modify things as needed to help you keep your site secure!