If you have a WordPress site, the chances are your site is being attacked by hackers all the time.
They are constantly looking for weaknesses that will let them in, whether it’s an out-of-date plugin or theme or an easy-to-figure-out password. Once they are in, they can obviously wreak havoc.
Just to prove what I am talking about, here is what my WordPress dashboard says right now.
This is why your WordPress site needs to be absolutely bulletproof. Here are the best ways to go about that based on my consulting conversations with businesses.
Get The Best Username & Password Possible
If I’ve seen it once, I’ve seen it a thousand times. People set up WordPress websites with the username and password both set at “admin” and then wonder why they were hacked.
Your log-in page is essentially the front door of your website. So it makes sense to make it as difficult as possible for an intruder to enter. You wouldn’t leave the front door of your house open, would you?
A lot of web hosts will automate the setting up of WordPress for you and when they do, you should specify a different username than “admin”. If you use “admin”, you are making a hacker’s job too easy for them.
Get a username that is impossible to guess by someone else. Do not use a username that you use elsewhere on the Internet. Somebody only has to Google you to find those usernames.
As for the password, do yourself an enormous favour and get a password manager. A free open-source one I highly recommend is KeePass. Then make your WordPress password a minimum of 30 characters long with special characters thrown into the mix. Yes, that’s right. 30 characters.
Install An Anti-Brute-Force Plugin
To be clear, Google Authenticator and Authy do the same thing. You get a code on your smartphone and you enter it on the login page. Without it, you are denied entry.
Login Lockdown is a plugin which limits the number of wrong login attempts before the person’s IP address is blocked for a certain period of time that you specify. You can even install this alongside Authenticator for super-duper security.
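The lockout rule described above (a limit on wrong logins, then a timed block on the IP address) can be sketched as follows. This is an added example, not code from the Login Lockdown plugin or from the original post; the class name, thresholds and sample events are all constructed for illustration.

```python
from collections import defaultdict, deque


class LoginLockout:
    """Block an IP after max_failures wrong logins inside `window` seconds."""

    def __init__(self, max_failures=3, window=300, lockout=3600):
        self.max_failures = max_failures
        self.window = window          # seconds in which failures are counted
        self.lockout = lockout        # seconds the IP stays blocked
        self._failures = defaultdict(deque)  # ip -> times of recent failures
        self._blocked_until = {}             # ip -> time the block expires

    def is_blocked(self, ip, now):
        return self._blocked_until.get(ip, 0) > now

    def record(self, ip, success, now):
        """Return 'ok', 'failed' or 'blocked' for one login attempt."""
        if self.is_blocked(ip, now):
            return "blocked"          # even a correct password is refused
        if success:
            self._failures.pop(ip, None)
            return "ok"
        recent = self._failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()          # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.lockout
            recent.clear()
            return "blocked"
        return "failed"


# Constructed sample events: (time in seconds, IP, password correct?)
EVENTS = [
    (0, "203.0.113.7", False),
    (10, "203.0.113.7", False),
    (15, "198.51.100.4", False),
    (20, "203.0.113.7", False),    # third failure: block starts
    (30, "203.0.113.7", True),     # right password, but still blocked
    (40, "198.51.100.4", True),    # different IP, unaffected
    (3700, "203.0.113.7", True),   # block has expired
]


def replay(events, **settings):
    guard = LoginLockout(**settings)
    return [guard.record(ip, ok, t) for t, ip, ok in events]


if __name__ == "__main__":
    for event, result in zip(EVENTS, replay(EVENTS)):
        print(event, "->", result)
```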
reCAPTCHA is not my favourite but it’s better than nothing. It’s also not foolproof as it has been cracked before. But as I said, better than nothing. reCAPTCHA forces the user to type in a sequence of words or click on certain pictures.
Make Sure All Themes & Plugins Are Updated
The next step is to make sure that all of your themes and plugins are updated on a regular basis. Again, any vulnerabilities – both known and unknown – can be used by a hacker to find a way into a site.
You should keep an eye on the “Updates” page where all available upgrades are listed. This should be done on a daily basis. You can find the Updates page as a sub-tab under the Dashboard tab.
Disable Any Unneeded Themes & Plugins
Just as you should keep all themes and plugins up to date, so should you also disable any that you don’t need.
There’s no reason to keep unused themes and plugins active, and doing so only increases the risk that a vulnerability large enough to let an attacker in will be discovered. So delete all the themes you are not using. They can always be reinstalled later.
As for plugins, either delete them entirely, or at the very least deactivate them.
Do Not Allow Anyone To Make User Accounts
If the WordPress site is being used by a company or a team of some sort, then user accounts are obviously going to be necessary. But if you are a single user of the site, do not allow anyone to make user accounts. Especially people you don’t know.
You can stop people from doing this by going to Settings–>General. Scroll down to “Membership” and uncheck “Anyone can register”.
Downgrade All Other Authorized Users
If you do need to give user accounts to people, make sure they have the appropriate access role.
For example, the person who owns the site should be the Administrator. But if someone is guest blogging for you, they only need to be listed as an Author. Don’t give someone elevated privileges if they don’t need them.
Just go to Users–>All Users and choose which person you want to change the role for. Then choose from the dropdown box.
Stop All Access To Directories With An Index.HTML File
You may not know this, but if you make a new directory on your website, add files to it, and do not add an index.html file to it, all of the contents of that directory are publicly viewable.
To stop this from happening, create a blank text file and call it index.html. Then upload it to the new directory. Any attempts to view the directory will now bounce the person back to the blank index page.
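To find every directory that still needs the blank index file, a short audit script helps. This is an added example, not part of the original post; the set of index file names is an assumption (which names the server actually treats as an index depends on its configuration), and the sample site is constructed in a temporary folder.

```python
import os
import tempfile

# Assumed index file names; adjust to match the web server's configuration.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}


def dirs_without_index(web_root):
    """Return non-empty directories under web_root that have no index file."""
    missing = []
    for current, subdirs, files in os.walk(web_root):
        has_content = bool(subdirs or files)
        if has_content and not INDEX_NAMES.intersection(files):
            missing.append(os.path.relpath(current, web_root))
    return sorted(missing)


def add_blank_index(web_root, rel_dirs):
    """Create an empty index.html in each listed directory."""
    for rel in rel_dirs:
        path = os.path.join(web_root, rel, "index.html")
        with open(path, "x"):   # mode "x" refuses to overwrite a real page
            pass


def demo():
    """Build a constructed sample site, audit it, fix it, audit again."""
    with tempfile.TemporaryDirectory() as root:
        for parts in (("uploads", "2024"), ("downloads",), ("private", "reports")):
            os.makedirs(os.path.join(root, *parts))
        for parts in (("index.html",),
                      ("uploads", "2024", "photo.jpg"),
                      ("downloads", "index.html"),
                      ("downloads", "file.zip"),
                      ("private", "reports", "q1.pdf")):
            open(os.path.join(root, *parts), "w").close()
        before = dirs_without_index(root)
        add_blank_index(root, before)
        after = dirs_without_index(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("listable before:", before)
    print("listable after: ", after)
```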
Get An SSL Certificate
One of the best things you can do for your website is to get it an SSL certificate. Google now gives SSL sites higher priority in the search results and of course it also secures your site.
SSL quite simply secures the connection between the user’s browser and the web server where the website resides. So it makes it extremely difficult for hackers to break into the connection and steal data.
There are two ways of getting an SSL certificate. You can buy one but you can also get one for free from Let’s Encrypt. Many web hosts now offer Let’s Encrypt as a free automated service.
Back Up Your WordPress Website EVERY Day
Finally, if the worst does come to the worst, and you ARE hacked, you need a way to get your site back up and running as quickly as possible. That is why you need a daily backup of all the installation files.
The easiest solution by far for this is Jetpack, which is run by the same people who created WordPress. At only $3.50 a month for one site, it is definitely the most cost-efficient.
There are many other ways to lock down your site but many of them involve complex coding or installing plugins with complex options. If you are just starting out on this topic, then it’s best to cover the basics first, which is what I have attempted to cover here today.