How to stop a WordPress hack

How to prevent a WordPress hack – the best how to guide

This article details how to prevent your WordPress site getting hacked. When it comes to your website security, prevention is better than cure.

You’ve spent months working on your WordPress site, selected a theme and customised it. It’s almost time to launch your new site and then you realise it’s been compromised!

It sounds like a WordPress author’s worst nightmare, and you’d be right to worry about it happening to you. There are several steps you can take to prevent that from happening and I’m going to show you how.

Table of Contents:

  1. How to Prevent a WordPress Hack
  2. Latest Version
  3. Admin Credentials
  4. Database Name
  5. Security Plugins
  6. Suggested Reading
  7. Two Factor Authentication (2FA)
  8. Hide your WordPress Login Page
  9. Have you been Hacked?
  10. Theme and Plugin Updates
  11. Summary

How To Prevent a WordPress Hack

It’s big business. When attackers succeed in hacking a WordPress site they often insert pop-up adverts, and when one of your visitors is shown these pop-ups and clicks, the hacker earns money. The first thing on this list is to change a few things in the configuration when you install your WordPress site.

Preventing a WordPress Hack starts at the installation phase.

Latest Version

Be sure when installing WordPress on your server you select the latest version. Latest software versions will have the latest security features and patches. The longer a specific version is out in the public domain, the longer hackers have to find bugs. They’ll use these bugs to find exploits and break into the system. Another benefit of upgrading to the latest version is that you’ll be able to have the latest features available to your readers.

Select the latest version to ensure you aren’t the victim of a hack.

Admin Credentials

When you set up your WordPress installation, don’t keep the ‘admin’ username. The fastest supercomputer can currently try 38,360,000,000,000,000 keys per second. That’s the number of guesses it could feed into your username and password fields in a brute-force attack on your WordPress installation. By changing the ‘admin’ username to something else you add an extra step of complexity for potential attackers: not only do they need to crack your password, they also need to find your username!

The failed login attempts for ‘admin’

Change your WordPress Database Name

It’s also easy for attackers to target your MySQL database with SQL injection or automated hacking tools if you don’t change your database table prefix from the default ‘wp_’ to something else, because every table name is then predictable. If you don’t do it at the installation phase it can be a little more difficult to change later, so make sure to do it before you finish the installation.

Be sure to also change the database table prefix.

Install Security Plugins

I recommend installing WordFence.

It’s a web application firewall plugin and it’s really good. Even the free version provides powerful features as standard. For instance, you can block IP addresses for entire countries. If you are getting a lot of failed login attempts for a particular country and your audience isn’t primarily in that country you can block it and protect your site.

You can find out more about WordFence on their website.

I also recommend installing a two factor authentication plugin to make your admin page even more secure.

I’ve detailed further steps about 2FA further down the article.

Suggested Reading

Make sure your PHP memory limit is sufficient to ensure your WordPress site’s stability. Check out our other articles.

Two Factor Authentication – give hackers a hard time

You should also enable two factor authentication (2FA) via a plugin. 2FA is a security feature in which a user provides two different authentication methods to verify that they are the owner of the account. It provides a much higher level of security than a username and password alone. The second factor is usually a one-time password that is generated and sent as a text message to the user’s phone. This will prevent a WordPress hack: attackers won’t be able to log into your account even if they have your admin password.
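The article describes the one-time code arriving by text message; many WordPress 2FA plugins instead use a time-based one-time password (TOTP, RFC 6238) from an authenticator app. The following is an added example, not code from this article or from any plugin, showing how such a code is generated and how the server side should verify it; the secret is the RFC test key and the one-step drift window is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time

# Hypothetical shared secret for this example (the RFC 4226/6238 test key, base32 encoded).
# A real plugin generates a random secret per user and shows it to them as a QR code.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 one-time password: HMAC-SHA1 over the counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238: the HOTP counter is the number of `step`-second periods since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at) // step, digits)


def verify_totp(secret_b32, code, at=None, step=30, window=1, used=None):
    """Server-side check of a submitted code. Accepts +/- `window` steps of clock
    drift, compares in constant time, and refuses a counter that was already
    consumed so an intercepted code cannot be replayed inside its lifetime."""
    at = time.time() if at is None else at
    used = set() if used is None else used  # per-user store of consumed counters
    current = int(at) // step
    for counter in range(current - window, current + window + 1):
        if counter in used:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), str(code)):
            used.add(counter)
            return True
    return False
```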

Hide your WordPress Login Page

Another step to harden your WordPress site is to hide your login page by changing its URL. I’ve found a fantastic article to help make your WordPress site even harder to hack.
The article gives a detailed description, code snippets and screenshots to help you set it up. The site is over on Pagely; take a look at the Hide your WordPress Login Page article.

Have you been Hacked?

My WordPress cleaning services can restore your site and help prevent you from becoming a victim again. I can also offer advice via my contact page.

Theme and Plugin Updates

Another really good way of staying one step ahead of attackers and preventing a WordPress hack is to keep your theme and plugins up to date. Installing the latest version of your theme or plugin ensures you have the latest security features and bug fixes.

With theme and plugin updates the developer will list what’s changed. They’ll say something like ‘Fixed vulnerability in…’. Keep an eye on those: updates that say they have fixed a security flaw are ones you really should be installing!

Latest Update:

As of 18th September 2019, here is an updated view of how many times the username ‘admin’ has been tried on this site. It’s really important that you take steps to prevent a WordPress hack; you don’t want your site being compromised, especially if it contains customer data! I find the number of hack attempts on this site every day simply mind-boggling.

How many failed logins!

Web Application Firewall – to harden your WordPress Security:

I mentioned above installing a third-party plugin. Here are some stats from WordFence that’ll make you think twice before launching an unprotected blog.

Top IP addresses blocked by Firewall.
Countries blocked by firewall

As you can see, I get hack attempts from all over the world. I am considering blocking certain countries from accessing this site, but it won’t be a decision I’ll take lightly, as I do have genuine visitors from all over the world.
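The failed-login counts for ‘admin’ and the top blocked IP addresses shown above are the kind of thing a firewall plugin derives from its login log. As an added example (not code from this article or from WordFence), here is that detection logic run over a constructed log: the log format, the documentation-range addresses and the 5-failures-in-10-minutes threshold are all assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log of login attempts (the format is invented for this example,
# not WordFence's; addresses are from documentation ranges).
SAMPLE_LOG = """\
2019-09-18 08:00:01 198.51.100.7 FAILED admin
2019-09-18 08:00:03 198.51.100.7 FAILED admin
2019-09-18 08:00:04 198.51.100.7 FAILED admin
2019-09-18 08:00:06 198.51.100.7 FAILED admin
2019-09-18 08:00:08 198.51.100.7 FAILED admin
2019-09-18 08:00:09 198.51.100.7 FAILED administrator
2019-09-18 09:15:00 203.0.113.42 FAILED admin
2019-09-18 11:40:12 203.0.113.42 FAILED admin
2019-09-18 13:02:45 203.0.113.42 FAILED wpadmin
2019-09-18 14:10:30 192.0.2.10 FAILED editor
2019-09-18 14:10:41 192.0.2.10 OK editor
"""
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) FAILED (\S+)$")

def parse_failures(log):
    """Yield (timestamp, ip, username) per failed attempt; successes and junk are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def attempts_by_user(log):
    """How often each username was guessed, e.g. to see how popular 'admin' is."""
    return Counter(user for _, _, user in parse_failures(log))

def ips_to_block(log, threshold=5, window_minutes=10):
    """IPs with at least `threshold` failures inside any `window_minutes` period.
    A few spread-out failures (someone mistyping) do not trigger; a burst does."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(log):
        by_ip[ip].append(ts)
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)
```

Lowering the threshold or widening the window (for example 2 failures in 180 minutes) also catches the slow, spread-out guessing from 203.0.113.42, at the cost of more false positives from genuine users.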

Summary

I hope this article helps and you are able to secure your site too, so you don’t become the victim of a WordPress hack.

Is it easy to hack a WordPress site?

It depends on how up to date the core WordPress version is, along with any theme and plugins.

How can I clean malware from my WordPress site?

If your site or WordPress installation has been hacked or compromised you’ll need to remove the malware. There are plenty of services online that’ll do it for you; a quick Google search will yield plenty of results.

What is the best security plugin for WordPress?

We recommend WordFence. Scan your site regularly and keep it secure.
