Prevention is better than cure, so I’m going to talk you through how to prevent a WordPress hack. You’ve spent months working on your WordPress site, selected a theme and customised it. It’s almost time to launch your new site and then you realise it’s been compromised! That’s every WordPress author’s worst nightmare. There are several steps you can take to prevent that from happening, and I’m going to show you how.
It’s big business. When a person or group succeeds at a WordPress hack they often insert pop-up adverts on your site, and when one of your audience is shown these pop-ups and clicks, the hacker earns money. The first item on this list is to make sure that when you install your WordPress site, you change a few things in the configuration.
Be sure when installing WordPress on your server that you select the latest version. The latest version will have the latest security features and patches. The longer a specific version is out in the public domain, the longer hackers have to find bugs, and they’ll use those bugs to find exploits and break into the system. Another benefit of upgrading to the latest version is that you’ll have the latest features available to your readers.
When you set up your WordPress installation, don’t keep the ‘admin’ username. The fastest supercomputer can do 38,360,000,000,000,000 keys per second right now. That’s the number of guesses it can feed into your username or password fields to brute-force your WordPress installation. By changing the ‘admin’ username to something else, you automatically add an extra step of complexity for potential hackers: not only do they need to crack your password, they also need to work out your username!
It’s also much easier for hackers to target your MySQL database with SQL injection or hacking tools if you don’t change your database table prefix from the default ‘wp_’ to something else, because with the default prefix every table name is already known. If you don’t do it at the installation phase it can be more difficult to change later, so make sure to do it before you finish installation.
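The two installation-time checks above (a default ‘admin’ account and the default ‘wp_’ table prefix) can be scripted, so you can audit a site before launch. The following is an added example, not code from this post or from WordPress itself; the wp-config.php excerpt and the user list are constructed sample data, and the user list is in roughly the shape WP-CLI’s `wp user list --format=json` returns. It also generates a replacement prefix from a cryptographically secure random source.

```python
"""Installation-time audit: flag the default 'admin' username and the
default 'wp_' table prefix, and suggest a random replacement prefix.
Added example, not code from the post or from WordPress; the config
text and user list below are constructed sample data."""
import re
import secrets
import string

# Constructed wp-config.php excerpt (not from any real site).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
$table_prefix = 'wp_';
"""

# Constructed user list, roughly the shape `wp user list --format=json` gives.
SAMPLE_USERS = [
    {"user_login": "admin", "roles": "administrator"},
    {"user_login": "jane", "roles": "editor"},
]

# Matches the PHP assignment:  $table_prefix = 'something_';
PREFIX_RE = re.compile(
    r"^\s*\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]\s*;", re.MULTILINE
)


def table_prefix(config_text):
    """Return the configured table prefix, or None if the line is missing."""
    match = PREFIX_RE.search(config_text)
    return match.group(1) if match else None


def default_admin_accounts(users):
    """Return the logins that still use the well-known 'admin' name."""
    return [u["user_login"] for u in users if u["user_login"].lower() == "admin"]


def random_prefix(length=6):
    """Generate a replacement prefix such as 'k7q3xz_' from a CSPRNG."""
    alphabet = string.ascii_lowercase + string.digits
    # Start with a letter so the prefix reads as a plain identifier.
    body = secrets.choice(string.ascii_lowercase) + "".join(
        secrets.choice(alphabet) for _ in range(length - 1)
    )
    return body + "_"


def audit(config_text, users):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    prefix = table_prefix(config_text)
    if prefix is None:
        findings.append("no $table_prefix line found in wp-config.php")
    elif prefix == "wp_":
        findings.append("table prefix is the default 'wp_'; table names are predictable")
    for login in default_admin_accounts(users):
        findings.append(f"account '{login}' uses the default admin username")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WP_CONFIG, SAMPLE_USERS):
        print("FINDING:", finding)
    print("suggested replacement prefix:", random_prefix())
```

Run it against a real wp-config.php by reading the file into `audit()`; changing the prefix after installation also means renaming the existing tables and updating the prefixed option and usermeta keys, which is why the post recommends doing it before you finish installing.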
I recommend installing Wordfence. It’s a web application firewall plugin and it’s really good; even the free version provides powerful features as standard. For instance, you can block IP addresses for entire countries: if you are getting a lot of failed login attempts from a particular country and your audience isn’t primarily in that country, you can block it and protect your site. You can find out more about Wordfence on their website. I also recommend installing a two-factor authentication plugin to make your admin page even more secure.
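The signal a firewall plugin acts on, repeated failed logins from one address or one country, can be pulled out of an ordinary web server access log. The following is an added example, not Wordfence’s code; the log lines use documentation IP ranges and are constructed, and the IP-to-country table is a hypothetical stand-in for a GeoIP database. It relies on a standard WordPress behaviour: a failed POST to wp-login.php re-renders the form with HTTP 200, while a successful login answers with a 302 redirect.

```python
"""Count failed wp-login.php attempts per source IP and per country from
combined-format access log lines.  Added example, not Wordfence's code;
the log lines and the IP-to-country table are constructed sample data."""
import re
from collections import Counter, defaultdict

# Constructed access log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:02 +0000] "GET /2023/10/hello-world/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

# Hypothetical lookup standing in for a real GeoIP database (XA/XB are
# user-assigned, non-country codes).
IP_COUNTRY = {"203.0.113.7": "XA", "198.51.100.23": "XB", "192.0.2.44": "XB"}

# Source IP, request line and status code from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def failed_logins(log_text):
    """Count failed wp-login.php POSTs (status 200 = form re-rendered) per IP."""
    failures = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if (m["method"] == "POST"
                and m["path"].startswith("/wp-login.php")
                and m["status"] == "200"):
            failures[m["ip"]] += 1
    return failures


def ips_to_block(log_text, threshold=5):
    """IPs whose failed-login count reaches the lockout threshold."""
    return sorted(ip for ip, n in failed_logins(log_text).items() if n >= threshold)


def failures_by_country(log_text, ip_country):
    """Aggregate failures per country to inform a country-level block."""
    totals = defaultdict(int)
    for ip, n in failed_logins(log_text).items():
        totals[ip_country.get(ip, "??")] += n
    return dict(totals)


if __name__ == "__main__":
    print("failed logins per IP:", dict(failed_logins(SAMPLE_LOG)))
    print("IPs at lockout threshold:", ips_to_block(SAMPLE_LOG))
    print("failures per country:", failures_by_country(SAMPLE_LOG, IP_COUNTRY))
```

The per-country totals are what you would compare against where your real audience is before deciding that a country block is safe; a single successful login after a run of failures (198.51.100.23 above) is worth a closer look even though it never reaches the threshold.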
Two Factor Authentication
You should also enable two-factor authentication (2FA) via a plugin. 2FA is a security feature in which a user provides two different authentication factors to verify that they are the owner of the account. It provides a much higher level of security than a username and password alone. The second factor is usually a one-time password that is generated and sent as a text message to the user’s phone. This will prevent hackers from logging into your account even if they have your admin password.
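To see what the one-time password step actually does, here is an added example (not code from this post or from any particular 2FA plugin) of the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate. This is the app-based variant of the SMS code described above, which I have chosen because it can be checked offline against the RFC’s published test vector; the shared secret is the RFC’s test secret, not a real credential. The verifier accepts one 30-second step either side of the current one for clock drift and can record accepted steps so a captured code cannot be replayed.

```python
"""Time-based one-time password (TOTP, RFC 6238) generation and
verification, the app-based second factor offered by 2FA plugins.
Added example, not code from the post or from any plugin.  The secret
is the RFC 4226/6238 test secret, not a real credential."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII '12345678901234567890').
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time=None, step=30, window=1, used_counters=None):
    """Accept a code for the current step or `window` steps either side.

    used_counters, if given, is a set that records accepted steps so the
    same code cannot be replayed while it is still within the window.
    The comparison is constant-time.
    """
    if at_time is None:
        at_time = time.time()
    current = int(at_time) // step
    for counter in range(current - window, current + window + 1):
        if used_counters is not None and counter in used_counters:
            continue  # already consumed: treat a replay as a failure
        if hmac.compare_digest(hotp(secret, counter), submitted):
            if used_counters is not None:
                used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the SHA1 code ends in 287082.
    print("code for T=59:", totp(TEST_SECRET, 59))
    print("current code:", totp(TEST_SECRET))
```

Because the code depends on a secret shared at enrolment and on the current time, a hacker who only has the admin password cannot produce it, which is the property the paragraph above relies on; the replay check matters because a one-time code that is accepted twice is no longer one-time.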
Hide your WordPress Login Page
Another step to harden your WordPress site is to hide your login page by changing its URL. I’ve found a fantastic article to help make your WordPress site even harder to hack.
The article gives a detailed description, code snippets and screenshots to help you set it up. It’s over on Pagely; take a look at the Hide your WordPress Login Page article.
Have you been Hacked?
My WordPress cleaning services can restore your site and help prevent you from becoming a victim again. I can also offer advice via my contact page.
I hope this article helps and that you are able to secure your site too, so you don’t become the victim of a WordPress hack.