4 Dead-Easy Steps to Protect Your WordPress Site Against Hackers

Newsflash: If you run a WordPress website, you should absolutely take basic steps to secure it against hackers.

OK. This is not really news to you and me.

The problem is that if you are like most people, you don’t consider website security to be an exciting topic. You acknowledge it’s important, but, hey, it’s also kinda boring and technical.

Also there’s that catchy old “It won’t happen to me” chorus playing at the back of your mind.

So website security languishes at the very bottom of your to-do list, and never gets any attention.

But what if I told you that you could ramp up your website security right now, all by yourself, in 18 minutes or less, without spending a penny?

Now that’s news!

Just follow these 4 dead-easy steps, and you’ll soon be free to get back to the other, more thrilling tasks on your to-do list:

(Note these steps refer specifically to WordPress sites, but can be applied to most other content management systems.)

1. Delete the username “admin”

The default username when creating a WordPress site is “admin.” Most people keep this username. This makes it dead easy for hackers to guess your username. Then they are already half logged in to your site.

So delete any account with the username “admin.”

Note: if the account with username “admin” is the only user that currently has Administrator-level access, you won’t be able to delete it until you first create and log in with a different Administrator-level account. WordPress needs to ensure that there is some way to access Administrator functions for your site.

Time needed: 4 minutes

2. Strengthen Your Password

Hackers use software to instantaneously test every word in Wikipedia against your password. So anything that is a real word or name in any language should not be used. Any logical or significant number sequence should not be used.

That means don’t use your pet’s name, your kid’s birthday, or anything else that vaguely makes sense.

The best passwords include a random arrangement of uppercase and lowercase letters, as well as numbers and symbols. In other words, they should be gibberish.

You can use a password generator to help you do this – just make sure to save your passwords in a secure place.
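Here is an added example, not code from the original post, of what a password generator that follows these rules does under the hood: it draws characters from the operating system's secure random source, and rejects anything that would fall to the dictionary and pattern attacks described above. The word list is a constructed stand-in for the real dictionaries cracking tools use, and the names `weaknesses` and `generate_password` are my own.

```python
import re
import secrets
import string

# Constructed mini word list standing in for the dictionaries that cracking
# software tests against passwords; a real check would load a full list.
COMMON_WORDS = {"password", "welcome", "admin", "wordpress", "dragon",
                "letmein", "monkey", "qwerty"}

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
CLASSES = (UPPER, LOWER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)


def _has_run(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step up or down by one (1234, abcd, dcba)."""
    for i in range(len(password) - run + 1):
        window = password[i:i + run]
        if not (window.isdigit() or window.isalpha()):
            continue
        steps = {ord(window[j + 1]) - ord(window[j]) for j in range(run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def weaknesses(password: str) -> list:
    """Return the reasons a password would fall to a dictionary or pattern attack
    (an empty list means none of the checks fired)."""
    problems = []
    lowered = password.lower()
    if len(password) < 12:
        problems.append("too short")
    if not all(any(c in cls for c in password) for cls in CLASSES):
        problems.append("missing a character class")
    # Letters only, so 'Dragon2014!' is still recognised as the word 'dragon'.
    letters = "".join(c for c in lowered if c.isalpha())
    if letters in COMMON_WORDS or any(w in lowered for w in COMMON_WORDS if len(w) >= 5):
        problems.append("contains a dictionary word")
    if _has_run(password):
        problems.append("contains a sequential run")
    if re.search(r"(19|20)\d\d", password):
        problems.append("contains something that looks like a year")
    return problems


def generate_password(length: int = 20) -> str:
    """Draw characters from the OS CSPRNG (secrets, not random) and keep the
    first candidate that passes every check in weaknesses()."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not weaknesses(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("Dragon2014!", "Welcome1234", generate_password()):
        print(f"{sample!r}: {weaknesses(sample) or 'no obvious weaknesses'}")
```

The point of `weaknesses()` is that a pet's name with a birthday tacked on ("Dragon2014!") ticks every character-class box and still fails, because the letters alone are a dictionary word and the digits are a year. Whatever `generate_password()` returns should go straight into a password manager; nobody is expected to remember it.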

So go now and change your website login password to something really incomprehensible. Ask other users to do the same.

Time needed: 2 mins

3. Delete and Update

WordPress has a bit of a bad rap for being “insecure.” In fact, a WordPress site only becomes insecure when you fail to keep it up to date. Any part of your site that is not updated to its latest version presents a security risk. Hackers find vulnerabilities in sites through outdated files, themes and plugins.

So go now and make sure that you are updated to:

  • The latest version of WordPress
  • The latest version of all installed plugins
  • The latest version of all installed themes

While you’re in there, it’s best to delete any plugins or themes that you don’t use or need. These are likely to become outdated without you noticing, creating future security risks.

Time needed: 8 mins

4. Limit Login Attempts

At illuminea, we install a plugin like this on all our clients’ WordPress sites: the Limit Login Attempts plugin. It’s really a clever little thing-a-ma-jig.

One of the common ways that hackers attempt to gain access to a site is by using software that bombards the login page with an infinite number of username and password combinations, until they strike gold. And if you are not following steps 1 and 2, they will strike gold pretty fast. This was how the Brute Force attacks were so successful in destroying many WordPress sites in 2013.

That’s the beauty of this plugin: it limits the number of times that anyone can attempt to log in to your site within one single hour to some reasonable human number, like five.

If you are the forgetful type, set it to 10 :)
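To show what the plugin is doing behind the scenes, here is an added example of a login limiter, written for this page and not taken from the Limit Login Attempts plugin or from WordPress. It assumes the count is kept per client address (my assumption about the plugin's design), uses the five-per-hour setting from the text, and replays a constructed burst of guesses from one address against a fake clock.

```python
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 3600   # the article's "one single hour"
MAX_FAILURES = 5        # "some reasonable human number, like five"


class LoginLimiter:
    """Count failed logins per client address and refuse further attempts once
    MAX_FAILURES fall inside a sliding WINDOW_SECONDS window. Keying on the
    address is an assumption about how the plugin works, not taken from it."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                      # injectable so tests control time
        self._failures = defaultdict(deque)     # ip -> timestamps of recent failures

    def _recent(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] >= self.window:  # drop failures older than the window
            q.popleft()
        return q

    def is_locked(self, ip):
        return len(self._recent(ip, self.clock())) >= self.max_failures

    def attempt(self, ip, username, password, check_credentials):
        """Return 'locked', 'ok' or 'failed'. The lockout is checked before the
        password, so a locked-out client learns nothing about the credentials."""
        if self.is_locked(ip):
            return "locked"
        if check_credentials(username, password):
            self._failures.pop(ip, None)        # a real login clears the counter
            return "ok"
        self._failures[ip].append(self.clock())
        return "failed"


def simulate():
    """Replay a constructed burst of guesses from one address against a fake clock."""
    now = [1_000_000.0]
    limiter = LoginLimiter(clock=lambda: now[0])
    accounts = {"naomi": "v7!Qz#p2Lm@9xRt&"}   # constructed credential store
    check = lambda user, pw: accounts.get(user) == pw
    outcomes = []
    for guess in ("admin", "password", "123456", "welcome", "letmein", accounts["naomi"]):
        outcomes.append(limiter.attempt("203.0.113.7", "naomi", guess, check))
        now[0] += 1                              # one second between guesses
    now[0] += WINDOW_SECONDS                     # an hour later the failures have aged out
    outcomes.append(limiter.attempt("203.0.113.7", "naomi", accounts["naomi"], check))
    return outcomes


if __name__ == "__main__":
    print(simulate())   # ['failed', 'failed', 'failed', 'failed', 'failed', 'locked', 'ok']
```

Note that the sixth guess in `simulate()` is the correct password and is still refused: once the counter is full, the client is locked out regardless of what it sends, which is exactly what stops the bombardment described above. A limiter keyed on the address can be spread thin by attempts arriving from many addresses at once, which is why steps 1 and 2 are the foundation and this plugin is the extra layer.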

So off you go to search for and install the “Limit Login Attempts” plugin on your site.

Time needed: 4 mins

OK. We’re done.

That’s all you need to do to take your website security up a notch.

But Wait, Will This Really Protect My Site Against Menacing “Hacktivists”?

You may ask yourself: Malicious hackers have taken down expertly-secured sites belonging to the US Government and PayPal. What chance do I have of protecting my site against them, with a few simple DIY measures?

In reality, these tips are not foolproof, but they do raise your security level above that of most of the sites on the web. The average hacker prefers to target the weakest among us, so by raising your site out of that category, you can really help to protect your site.

If you have reason to believe that your site could be a specific target of expert hackers, then you will need much stronger measures than this. The best way to know if you are in this high-risk category is if you have already been subject to more than one hacking attempt.

If this is you, you need to consult an expert.

For the rest of us, extreme measures are not usually necessary. At the same time, a few simple security steps could save huge headaches and a lot of money rebuilding a site that has been maliciously hacked.

So set a timer for 18 minutes and go for it!

Responses (7)

Miriam R. Johnson

January 14, 2014 7:03 pm

Thanks for this information on security breaches in WordPress. I have really been looking for more information on this.

    Naomi Elbinger

    January 15, 2014 10:58 am

    You’re welcome, Miriam

Ruth Hirsch

January 16, 2014 3:43 pm

Thanks for this post, Naomi. I just installed the limit login attempts plugin you suggested. However, I don’t see where to fill in the number of attempts to be allowed. Ideas?

    Naomi Elbinger

    January 19, 2014 9:01 am

    Hi Ruth,
    In your WordPress dashboard in the left menu bar, go to Settings>Limit Login Attempts. Over there it gives you an option to specify the number of retries after the first failed login attempt. As a default, there are 4 retries allowed.
    Hope this helps
    Naomi

Ali

January 24, 2014 3:11 pm

Hello,

First of all, I want to say that you have written a very nice article on WordPress security. I have some suggestions as well to secure a WordPress site:

1: Change wp-login or wp-admin to something else.
2: Always change the database prefix when setting up a new WordPress website.
3: Make your files non-editable on WordPress.
4: Install any good Captcha plugin.

    Naomi Elbinger

    January 26, 2014 8:43 am

    Hi Ali,
    These are all great tips for someone with a bit higher skill level. Except the Captcha plugin – that is pretty simple for anyone to do.
    Thanks for the tips
    Naomi

Abdul Alim Khan

March 5, 2014 9:01 am

Thanks for giving such great info about WordPress security.
