Preventing a WordPress Hack
Prevention is better than cure, so I’m going to talk you through how to prevent a WordPress hack. You’ve spent months working on your WordPress site, selected a theme and customised it. It’s almost time to launch your new site, and then you realise it’s been compromised! That’s every WordPress author’s worst nightmare. There are several steps you can take to prevent that from happening, and I’m going to show you how.
Also, while I’ve got you here, take a look at my other WordPress how-to guides; for example, this guide on how to fix a PHP memory limit error is extremely useful!
Table of Contents:
- WordPress Hack
- Latest Version
- Admin Credentials
- Database Name
- Two Factor Authentication (2FA)
- Hide your WordPress Login Page
- Have you been Hacked?
WordPress Hack
Hacking WordPress sites is big business. When a person or group succeeds at a WordPress hack they often insert pop-up adverts on your site, and when one of your audience is shown these pop-ups and clicks, the hacker earns money. The first thing on this list is to make sure that when you install your WordPress site, you change a few things in the configuration.
Latest Version
Be sure that when you install WordPress on your server you select the latest version. The latest software versions will have the latest security features and patches. The longer a specific version is out in the public domain, the longer hackers have to find bugs. They’ll use these bugs to find exploits and break into the system. Another benefit of upgrading to the latest version is that you’ll have the latest features available to your readers.
Admin Credentials
When you set up your WordPress installation, don’t keep the ‘admin’ username. The fastest supercomputer can do 38,360,000,000,000,000 keys per second right now. That’s the number of keys it can type into your username or password fields to brute-force your WordPress installation. By changing the ‘admin’ username to something else, you’ll automatically create an extra step of complexity for potential hackers. Not only do they need to crack your password, they also need to get your username!
Database Name
It’s also really easy for hackers to target your MySQL database with SQL injection or hacking tools if you don’t change your database table prefix from ‘wp_’ to something else. If you don’t do it at the installation phase it can be a little more difficult to change at a later date, so make sure to do it before you finish the installation.
I recommend installing WordFence. It’s a web application firewall plugin, and it’s really good. Even the free version provides powerful features as standard. For instance, you can block IP addresses for entire countries. If you are getting a lot of failed login attempts from a particular country and your audience isn’t primarily in that country, you can block it and protect your site. You can find out more about WordFence on their website. I also recommend installing a two factor authentication plugin to make your admin page even more secure.
Two Factor Authentication
You should also enable two factor authentication (2FA) via a plugin. 2FA is a security feature in which a user provides two different authentication factors to verify that they are the owner of the account. It provides a much higher level of security than a username and password alone. The second factor is usually a one-time password that is generated and sent as a text message to the user’s phone. This will prevent a WordPress hack: hackers won’t be able to log into your account even if they have your admin password.
Hide your WordPress Login Page
Another step to harden your WordPress site is to hide your login page by changing its URL. I’ve found a fantastic article to help make your WordPress site even harder to hack.
The article gives a detailed description, code snippets and screen shots to help you set it up. The site is over on Pagely, take a look at the Hide your WordPress Login Page article.
If you are currently running a WordPress site on WordPress.com and want to move to a self-hosted instance, check out this fantastic step-by-step guide to moving to a self-hosted WordPress installation.
Have you been Hacked?
My WordPress cleaning services can restore your site and help prevent you from becoming a victim again. I can also offer advice via my contact page.
I hope this article helps and you are able to secure your site too, so you don’t become the victim of a WordPress hack.
As of the 18th September 2019, here is an updated view of how many times the username ‘admin’ has been tried on this site. It’s really important that you take steps to prevent a WordPress hack: you don’t want your site being compromised, especially if it contains customer data! I find the number of hack attempts on this site each day simply mind-boggling.
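As an added example (not code from this post, and not part of WordFence or any other plugin mentioned here), the must-use plugin below turns two of the points above into code: it refuses any login that uses the reserved ‘admin’ username, and it records every failed login per username and IP address so you can produce the count of ‘admin’ attempts shown here without a third-party plugin. The file name, the `alh_` function names and the option name are assumptions.

```php
<?php
/**
 * Plugin Name: Admin Login Hardening (added example, not from the post)
 * Install as wp-content/mu-plugins/admin-login-hardening.php (name assumed).
 * Rename the real administrator account away from 'admin' BEFORE enabling
 * this, otherwise the legitimate owner is locked out as well.
 */
defined( 'ABSPATH' ) || exit;
// Option used to store the counters; an assumption of this example, not a core option.
const ALH_OPTION = 'alh_failed_logins';

// Refuse the reserved 'admin' username before the password is even checked.
// Priority 30 runs after core's wp_authenticate_username_password (priority 20).
function alh_block_admin_username( $user, $username, $password ) {
    if ( 'admin' === strtolower( trim( (string) $username ) ) ) {
        // Generic message: do not tell the caller whether such an account exists.
        return new WP_Error( 'alh_reserved_username', __( 'Login failed.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'alh_block_admin_username', 30, 3 );

// Count every failed login per "username@ip". Core fires wp_login_failed for
// any WP_Error coming out of the authenticate chain, including the one above.
function alh_record_failed_login( $username, $error = null ) {
    $name = sanitize_user( (string) $username, true );
    // Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address; have the
    // web server restore the real client IP before trusting it here.
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    $key            = $name . '@' . $ip;
    $counts         = get_option( ALH_OPTION, array() );
    $counts[ $key ] = ( $counts[ $key ] ?? 0 ) + 1;
    update_option( ALH_OPTION, $counts, false ); // autoload=false: not loaded on every request
    error_log( sprintf( 'WP failed login: user=%s ip=%s', $name, $ip ) );
}
add_action( 'wp_login_failed', 'alh_record_failed_login', 10, 2 );

// Total failed attempts that used the 'admin' username: the figure the post
// reports above, now available without a third-party plugin.
function alh_admin_attempts() {
    $total = 0;
    foreach ( get_option( ALH_OPTION, array() ) as $key => $n ) {
        if ( 0 === strpos( $key, 'admin@' ) ) {
            $total += (int) $n;
        }
    }
    return $total;
}
```

Run `wp eval 'echo alh_admin_attempts();'` from WP-CLI to print the running total; the option grows by one entry per username/IP pair, so prune it periodically on a busy site.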
Web Application Firewall
I mentioned above installing a third-party plugin. Here are some stats from WordFence that will make you think twice before launching an unprotected blog.
As you can see, I get hack attempts from all over the world. I am considering blocking certain countries from accessing this site, but it won’t be a decision I take lightly. I do have genuine visitors from all over the world.