4 Simple Ways to Make Your WordPress Site More Secure

Since its launch in 2003, WordPress has grown to power more than 1 in 5 websites on the internet, or more than 75 million sites. And hackers have noticed.

Why do hackers go after websites?

When a business comes to me with a hacked site they invariably ask this question: WHY? (Usually followed by a fair amount of cursing against the hackers). It might seem useless to hack a site that doesn’t store credit card numbers or have a massive following. After all, what could a hacker gain by hacking your site?

Unfortunately, they gain enough. Hackers hack sites for a variety of reasons, and not all of them include immediate payoffs. Some do it for status or fun or even to practice. Sometimes it will be to add links to your site (hidden or otherwise). Sometimes they do it to attack you and hurt your business. And every once in a while, they’ll hack your site for data.

Can it happen to you? Yep.

Will it happen to you? More than likely if you don’t take precautions.

What can you do to keep your site safe?

Fortunately, there are several small steps you can take to keep your site safe. They can mean the difference between keeping your site up and running and losing sales and customers when NSFW links start showing up all over your site.

Your WordPress Usernames

First, none of your users with Administrator access should have the name “admin” or “Admin” or “administrator” or “user”. If one does, create a new user with administrator access with a different username, sign in with the new one, and delete the old one.

Under your user’s profile (click Users -> Edit User) there’s an option called “Display Name Publicly as”. Set that to something other than your username. That way hackers have to guess the username as well, which makes their job just that much harder.

Your WordPress Password

All those whose password is “password”, raise your hand. After all this time, “password” is still the most used password in the world, followed by “123456”, “12345678”, “abc123”, “qwerty”, and weirdly “monkey” and “dragon”. Who knew those animals were so popular?

Just changing your password to over 10 characters can be a huge deterrent for hackers, and adding numbers and symbols and staying away from dictionary words can make guessing it not worth their time. If in doubt, use a passphrase – something like: “DoctorWhoisAwesome1963!”

Limit Login Attempts

The most common form of hacking for smaller sites is called a “Brute Force Attack”. The attacker runs a program against your login page that continuously tries a username with various passwords. If your username must also be guessed (see above), it makes the attack doubly hard.

Limiting the number of tries a person can make from one IP address can push your website into the “not worth their time” category. Basically, it only allows a specified number of tries before it locks them out for several hours (timeframes and number of tries can be set by you). They can get around this – by going through another IP address – but it’s enough to make hacking your site annoying. And let’s be honest – we all like annoying the hackers.
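
The lockout logic described above can be modelled in a few lines. This is an added illustration, not code from WordPress or from any plugin; the class name, the thresholds (4 tries, a 20-minute counting window, a 4-hour lockout) and the sample events are assumptions made for the example.

```python
from collections import defaultdict

class LoginLimiter:
    """Per-IP lockout: max_tries failures inside `window` seconds lock the IP for `lockout` seconds."""
    def __init__(self, max_tries=4, window=20 * 60, lockout=4 * 3600):
        self.max_tries, self.window, self.lockout = max_tries, window, lockout
        self.failures = defaultdict(list)  # ip -> times of recent failed logins
        self.locked_until = {}             # ip -> time at which the lockout ends

    def attempt(self, ip, success, now):
        """Process one login attempt; return 'locked', 'ok' or 'failed'."""
        if self.locked_until.get(ip, 0) > now:
            return "locked"                # rejected before any password check
        if success:
            self.failures.pop(ip, None)    # a good login clears the counter
            return "ok"
        recent = [t for t in self.failures[ip] if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_tries:
            self.locked_until[ip] = now + self.lockout
            del self.failures[ip]
        return "failed"

def replay(events, limiter):
    """Feed (seconds, ip, success) events to the limiter; return outcome counts per IP."""
    counts = defaultdict(lambda: defaultdict(int))
    for now, ip, success in sorted(events):
        counts[ip][limiter.attempt(ip, success, now)] += 1
    return {ip: dict(c) for ip, c in counts.items()}

# Constructed sample data (documentation IP ranges): one client failing every
# 5 seconds, and a site owner who mistypes once and then logs in.
SAMPLE_EVENTS = [(t, "203.0.113.10", False) for t in range(0, 50, 5)]
SAMPLE_EVENTS += [(20, "198.51.100.7", False), (30, "198.51.100.7", True)]

if __name__ == "__main__":
    for ip, outcome in replay(SAMPLE_EVENTS, LoginLimiter()).items():
        print(ip, outcome)
```

With these settings the guessing client gets only four passwords checked out of ten attempts, while the owner's single typo costs nothing.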

WordPress & Plugin Updates

One of the easiest ways hackers can get into your site is a known vulnerability in WordPress or your plugins. In fact, over 40% of WordPress hacks happen because WordPress wasn’t updated. WordPress is a great community and when someone finds a vulnerability, it’s fixed pretty quickly. But if you don’t update, that fix doesn’t do you any good. Instead, you’re providing hackers an open door into your website.

All you have to do is press those little update buttons – and pray that the new coding in the new plugin/WordPress will work with your site. That’s where having a programmer in your pocket is incredibly useful. Instead of clicking the button with bated breath, you can just off-load those updates to someone else. Ideally, any “monthly maintenance packages” offered by a programmer will include fixing issues that come up with updates (and backing up your site regularly). If you’re looking for someone to take that off your plate, let me know!

Also, if you’ve got old plugins and/or themes, make sure you remove them as they’re most likely outdated.

Here’s the Thing

At some point, someone is going to try to hack into your site. It’ll happen, but you don’t need to freak out. Or rather, you don’t need to freak out if you’re ready for them. Doing the simple fixes above can protect your site from the majority of the hackers out there.

Need something more advanced? Contact me about adding additional security to your site.