Why is WordPress such a target for hackers? Because it is popular. No content management system is exempt from being hacked, but because WordPress is so incredibly popular and because so many do not do everything they can to keep themselves protected, they are an easy target for spammers and hackers.
Studies show that as many as 170,000 WordPress websites were hacked in 2012! The break down of how these hacks happened as noted on WP White Security is as follows:
- 41% of hacked WordPress were hacked through a security vulnerability on their hosting platform
- 29% were hacked via a security issue in the WordPress Theme they were using
- 22% were hacked via a security issue in the WordPress Plugins they were using
- 8% were hacked because they had a weak password.
The best way to prevent a hack from happening to you? BE AWARE & PROACTIVE! A website is part of your business and should be something that is monitored often to ensure it is running well and is secure.
The items below are steps you can take to ensure your WordPress website is as secure it can be.
Keep Core WordPress Updated
You always want to make sure you have applied all updates to WordPress as they come available. By not keeping your website updated you are putting your website at risk since many updates are done just to keep your website secure.
Before you do an update, make sure you run a full backup of your website.
If you see this message when you login to your WordPress – take a few minutes to make sure you have a recent backup and then you can update your WordPress to the latest version.
Also, consider following the WordPress blog which will show you the latest updates and releases: WordPress News
Schedule WordPress Backups
Make sure you always have a backup of your website! If your WordPress security is at risk or if you have in fact been hacked this will allow you to easily restore your website to a previous version – then you can take some of the steps in this post to have it not happen again!
Here are a few WordPress backup plugins that we personally like.
Important Backup Tip
Make sure you store a backup on a 3rd party website like Dropbox or Google Drive!
Update Your Plugins
WordPress plugins also need to be updated – an outdated plugin can leave a lot of ways for hackers to get in!
Also use caution when downloading plugins, since plugins are open-source and can be created by anyone for use – you have to use caution and be sure you are downloading ones that are free from malicious code. Make sure you are doing your research on plugins before installing any on your website!
Look at the reviews, learn about the author and be sure to see how often they are updating it. Some extensions have not been updated in a long time – that is a signal that issues could arise. By reading the reviews and looking at the support questions you can see the issues that the plugin may have – and make better choices in the plugins that you choose to use.
Before downloading any plugin, we do recommend doing a quick check to make sure there are no vulnerabilities!
Change Your Username & Password
If you are still logging in to your WordPress admin with the username of “admin” – you are putting yourself at risk. This is the FIRST thing you should change when you launch your WordPress website – or your developer should have changed it for you before handing your site over to you.
If you need to change your username – here are the simple steps:
a) Create a NEW user and make sure they are set to have administrative access.
b) Make sure your new username is unique and your password includes a variety of numbers and letters in both capital and lowercase.
c) Logout from the old admin user once the new user is created
d) Login with the new user login you just created
e) Go to users and DELETE the old admin user name – it will ask you where you want to transfer all posts, make sure you choose the NEW username you just created
By removing the “admin” username you now have a much more secure website. If you need help choosing a really secure password, here is a great tool that can help: Password Generator
Choose Secure Hosting
Hosting is one of the top reasons for hacking issues – as noted above reports show that 41% of hacking attempts were caused at the host level. If you are on a cheap host or one that is not doing everything it can to prevent hack attempts then you are opening yourself up to allow the hackers in. If you are hacked at the host level, there is nothing you can do to prevent it and you are at the mercy of the host to fix it!
It is important to invest in a host that will be a step ahead of the hackers, and while no host is immune to hackers completely – some do a lot more than others to keep them at bay.
Here are some things to consider when signing on for hosting.
a) Choose a host that provides free backup recovery – although you should have your own as well, it is a great addition so that you never loose your data
b) Ask if the host offers security monitoring services that monitor for malware – do a search for “hosts offering free daily malware scanning”
c) If you are considering a host do your research! Do searches for things like “my site was hacked on whatever host you are considering“
d) Review the recommended WordPress hosting list at WordPress Hosting Recommendations
Be sure to do your research! If you are doing research about hosts, be sure to find websites that give actual insight via comments and dialogue – there are many web pages that are “website hosting review” sites, but those are just affiliate websites trying to make money – do not use those to make such an important decision!
If hackers can get access to your wp-config.php file – they can wreak havoc!
This is a file in your root directory that contains all the data and details about the configuration of your blog, by securing your website to make sure no one has access to this file it is a major way to prevent a hack.
By adding the following code to your .htaccess file – you can prevent anyone from accessing the wp-config.php file. This will also block the website owner from accessing the file as well – so if for some reason you need to edit this file in the future, you will need to remove this code from the .htaccess.
# Deny access to wp-config.php file <files wp-config.php> order allow,deny deny from all </files>
Yes, what is going on on your own personal computer can impact what happens on your website. Imagine you have malware on your computer that is tracking your every move (called a keystroke logger). Then the hackers can see every keystroke and gain access to your WordPress files just from this malware.
No matter how secure you may make your WordPress website, if you have malware on your computer it is all in vain. Make sure your computer browsers are up to date, you run frequent malware scans and keep your operating system updated to avoid computer malware issues that can cause issues with your website.
Use A WordPress Security Plugin
There are a few great plugins that you should definitely install that will do a great job of monitoring your website for a variety issues from malware to file integrity to activity auditing.
Here are a few to consider, each have their own advantages and some offer a free and premium version.
We use Wordfence on our website and here is a screen capture of a recent scan that we have done on 2 Dogs Design:
You can see that is found an issue in the old themes, plugins and core files section. When we scroll down we can see exactly what plugin has the issue and take action to fix it. In this case it was our Shareaholic plugin – which needed to be updated. But this is a great way to see at a glance where you may have vulnerabilities.
By default your WordPress database will typical be wp_ and since that is the default, every hacker in the world knows it too and will use it to their advantage to possibly inject malicious code into your database files.
We highly encourage you to rename your prefix of your database to something custom that the hackers cannot easily guess. If you are wanting to do this on a live website – we recommend you hire someone if you do not feel confident enough to handle it as it can break your website!
Examples can be “cattygirl2354_” or “jessupb6923_” – just a unique array of letters and numbers.
More experienced website owners, can do this via your SQL database with some custom commands, but for those that are less knowledgeable you may want to hire someone to help.
Be sure before you update your database prefix that you run a full backup of your website in case any issues arise! Then when you do the change and ensure everything on the site is working as it should you should run another backup that has the new database prefix.
Protect Your Admin Area From Unwanted Access
There are a couple of ways you can keep your admin area safe from unwanted access.
If you are a small website that only has a few people who need access to the admin and you have no need for visitors to access it, you can restrict access by applying the following code to your .htaccess file:
# Block access to wp-admin. order deny,allow allow from x.x.x.x
The allow from should be your IP address. If you are not sure what that is you can visit whatismyip.com where you can get your IP address.
You will need to add that line that starts with Allow for EACH person that needs access to your admin with their specific IP address.
As an alternative – if you have several people who require access or if you often rely on Wi-Fi networks that can change IP addresses often, you can use a plugin that will allow you to set limits on your login settings.
A couple of good ones that have several login related features to protect you are:
We use Wordfence on our website and for a short while had it set to email us when there were attempts at logins to our admin. We stopped that email notification quickly as it became overwhelming! Yes, there are really that many attempts every day to access your WordPress login. This is a simple step that can have great rewards.
Here is a sample of an email received that showed an attempt that someone was trying to make to access our admin login.
You can see in the email that they used an invalid username “admin” – which is why it is critical that you change that!
This email was sent from your website “” by the Wordfence plugin at Wednesday 17th of December 2014 at 11:45:14 AM
The Wordfence administrative URL for this site is: https://www.2dogsdesign.com/wp-admin/admin.php?page=Wordfence
A user with IP address 220.127.116.11 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username ‘admin’ to try to sign in.
User IP: 18.104.22.168
User hostname: 93-61-66-215.ip145.fastwebnet.it
Protecting your WordPress website is important! You will hear people say “WordPress is not secure” but that is just not true. When you integrate many of the steps above you will have a super secure website and a stress free online business!
As always – if you have questions or concerns just leave a comment below!