WordPress Security Tips
WordPress is one of the most popular website tools out there. It’s incredibly developer friendly – allowing you the freedom you need to tweak it to your standards. However, that very popularity presents some very real problems.
For example, if you fail to change your default configuration, it’s very easy to find your login area. By simply typing in domain.com/wp-admin, users with malicious intent can reach your login screen. From there, they have free rein to crack your password. The most common method is known as a brute force attack, which lets them try millions of password combinations in a short amount of time.
Giving Hackers a Headache
Hackers are a constant threat. However, there are some measures you can take to protect yourself.
Avoid Easy Passwords
This is probably the simplest, and most effective, piece of advice I can give you. Don’t choose anything that has to do with your name, website name, or other publicly available information.
Bad        OK              Excellent
password   John1978!       [email protected]$aBL(%)ri926
admin      StarB68$        897Val$!Nth3tic
john       *john68Kla5t    (*&YTHgfn%$
I realize that the best passwords are hard to remember. For this reason, I suggest using a password-keeper app such as Dashlane. Their data is heavily encrypted, so in the unlikely event that they get hacked, your information stays secure. Another option, if you are the sole user of your computer, is to have your browser remember your passwords for you.
Another avenue hackers will try is the default admin username. By changing your username from admin to something different, you’re already one step ahead of the game.
If you’ve already set up your website with admin as the username, don’t worry! Here’s how to fix it: simply register another user and give that user administrator permissions. When you log in as the new admin, delete the old admin user.
If you have too many posts and pages assigned to your user and don’t want to re-assign them, it’s possible to alter the username through PHPMyAdmin. Log in to cPanel and open PHPMyAdmin. Select your WordPress database and then open the wp_users table. Once you are there, edit the user_login field.
Back It Up!
Make sure that your website is backed up at least once a week. I recommend using WP MayDay. It will cost about $29 a month, but it’s a small price to pay to be able to restore your website if it’s brought down by hackers.
For a cheaper alternative, in this case free, I recommend Ready! Backup. This plugin will let you create automated backups to Dropbox or FTP. Yet another option is UpdraftPlus. The reviews are positive, but the user interface isn’t as polished.
Limit the Login
By limiting the number of failed login attempts, you can stump would-be hackers. You can even ban an IP for a specified number of hours. I recommend using the following plugin: Limit Login Attempts. You can customize every single option: number of failed logins, lockout length and when to issue an IP ban.
Limit IP Addresses
A more draconian measure is to limit the addresses that are allowed to visit the admin section of your site. To do so, block all access to it except from your own IP address by using an .htaccess file.
Here’s how to do it: create a text file in your /wp-admin/ folder. Then, rename it to .htaccess and add rules that deny access to /wp-admin/ except from your IP address. However, don’t forget to allow access to the admin-ajax.php file. This is needed by the themes and plugins that utilize that file.
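Here is an added example of what that /wp-admin/.htaccess could look like (my own constructed example, not from the original post). It assumes Apache with mod_authz_core (2.4) or the older mod_access_compat/2.2 directives, and uses the placeholder address 203.0.113.10 in place of your real public IP.

```apache
# /wp-admin/.htaccess  (constructed example)
# Replace 203.0.113.10 with your own public IP address before uploading.

# 1. Keep admin-ajax.php reachable from anywhere: themes and plugins
#    call it from the public front end, so it must stay open.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>

# 2. Everything else under /wp-admin/ is only reachable from your IP.
<IfModule mod_authz_core.c>
    # Apache 2.4 syntax; add more "Require ip" lines for extra addresses
    Require ip 203.0.113.10
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>
```

Before relying on this, confirm your connection has a static IP (a changing home address will lock you out of your own dashboard) and test a front-end feature that uses admin-ajax.php to verify it still responds. Note that wp-login.php lives in the site root, outside /wp-admin/, so these rules do not cover the login form itself.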