- April 27, 2013
- Posted by: admin
- Categories: Website Security, WordPress
WordPress is a very popular CMS (content management system); by the figures quoted at the time of writing, about 100,000 new installations are created each day. Many people choose WordPress because it is a great blogging tool, but others use it to build full-blown company websites, online magazines, news sites, and so on.
According to Wikipedia's WordPress page, this CMS drives about 22% of the world's newly created websites. That popularity also makes it one of the attackers' favourite targets; it is estimated that about 30,000 WordPress-based websites are hacked each day.
Not only that, but the attacks have intensified recently: a huge botnet consisting of tens of thousands of zombie computers (compromised without their owners knowing anything about it) is constantly trying to log into WordPress administrator accounts using a list of commonly used passwords. Each successful attack adds another web server to the botnet, giving the attackers more capacity to target further WordPress installations.
But why would anyone want to attack your site? Some attackers are after your data: the credit card numbers stored in your website's database, confidential information, and so on. Others deface sites for notoriety. The sad reality, though, is that most attacks are automated and opportunistic: the attacker is not interested in you specifically but in your server and your domain's reputation, which can be used to host spam links and malware or to attack other sites. And if your website is hacked and starts linking out to all sorts of dubious websites, it may lose its good SEO rankings for a long time.
WordPress Security Tips
Fortunately, there are a few simple things that can be done to fix the problems for good. Read on to discover several powerful tips and tools that can make your WordPress-based website much harder to break into.
The first problem starts with the default WordPress installation, which uses "admin" as the user name of the administrator account. Worse, WordPress will tell an attacker whether that user name exists: when the password is wrong for a real user name, the login form says "The password you entered for the username admin is incorrect", whereas a user name that does not exist gets "Invalid username". One login attempt is enough to confirm the account. See for yourself.
Based on this, any decent coder can write a simple script that tests whether a WordPress site has an "admin" account, and then a second script that tries as many passwords as possible in conjunction with that user name. There are lots of places on the net where you can download lists of the most used passwords; you would be surprised how many people protect their websites with "12345" or "monkey", for example.
If the attacker has determined that your WordPress installation has an "admin" account, it is only a matter of time until one of the guessed passwords works. A single machine might not get enough attempts in before you notice, but a large botnet spreads the guesses across thousands of source addresses and runs them in parallel.
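As an added example (not code from the original post), here is the defender's side of that guessing campaign: a small Python script that reads web server access-log lines and flags source addresses with many failed POSTs to wp-login.php. The log lines are constructed for the example; the status-code distinction it relies on is real WordPress behaviour, since the login form re-renders with HTTP 200 when the password is wrong and answers a successful login with a 302 redirect to wp-admin.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format; only the client IP, request
# method, request path and response status are used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic): 203.0.113.10 guesses six
# passwords and then gets in; 198.51.100.7 is a legitimate user who
# mistypes once; 192.0.2.44 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Apr/2013:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3612 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3612 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3612 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3612 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3612 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3612 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Apr/2013:10:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 21004 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Apr/2013:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3612 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Apr/2013:10:05:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Apr/2013:10:06:00 +0000] "GET /?p=1 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def login_activity(lines):
    """Count failed and successful POSTs to /wp-login.php per client IP.

    A wrong password makes WordPress re-render the form (HTTP 200); a
    correct one redirects to wp-admin (HTTP 302), so the status code tells
    the two apart without looking at the response body.
    """
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        key = "succeeded" if rec["status"] == "302" else "failed"
        stats[rec["ip"]][key] += 1
    return dict(stats)


def flag_bruteforce(lines, threshold=5):
    """Return (ip, failures, got_in) for every IP with at least `threshold`
    failed logins, worst offender first. got_in=True means the same IP also
    logged in successfully: treat that account as compromised, not merely
    attacked."""
    flagged = []
    for ip, s in login_activity(lines).items():
        if s["failed"] >= threshold:
            flagged.append((ip, s["failed"], s["succeeded"] > 0))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for ip, failures, got_in in flag_bruteforce(SAMPLE_LOG.splitlines()):
        tail = " and then logged in SUCCESSFULLY" if got_in else ""
        print(f"{ip}: {failures} failed logins{tail}")
```

A per-IP threshold is the easy case. The botnet described above spreads its guesses over thousands of addresses, so also watch the total failure rate across all sources, and treat any success that follows a burst of failures as an incident rather than a user who finally remembered the password.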
1. Pick Strong Passwords
Did you know that a six-character password made of lowercase letters has only about 300 million possibilities, which an offline attack exhausts in minutes and a botnet can cover online in hours? And if your password is a word that can be found in a dictionary, chances are your website was either hacked a long time ago or will be hacked in the near future, because word lists are the first thing an attacker tries. Adding a special character helps less than people think: an attacker who tries every word-list entry with each printable symbol appended pays only a few dozen extra guesses per word, so "monkey%" is not materially stronger than "monkey". What really increases the work is length and randomness, not one decorative symbol.
Ironically, the passwords WordPress generates for you are quite strong, but many people prefer to change them to something they can remember without too much trouble, rather than writing them down on a piece of paper.
Why not keep the passwords in a computer file? Well, your computer might get hacked as well, and in that case all your data would be compromised. If you really want to store the passwords on your PC, put them in a properly encrypted file: a password manager's database, or an archive encrypted with AES (not the legacy ZIP password scheme, which is weak).
Using a password manager that saves the passwords to an encrypted file is an acceptable solution, although I would stay away from programs or services that store the data online (a single store holding thousands of users' passwords is an attractive target, and you depend entirely on its security). Resist the temptation to use the same password for several websites, though; choose a strong, unique password for each one of them.
2. Set a Proper Admin Account
By creating a new administrator account you increase WordPress' security significantly. Give the new account a non-obvious user name like "canthackthis23" and a strong password of 12 characters or more that mixes the special characters we've talked about, numbers, and lower and upper case letters. And don't forget that there are lots of online password generators, in case you run out of ideas.
Once you have created the new administrator account, log into WordPress with the new user name and password and delete the old "admin" account. When WordPress asks what to do with the old account's content, attribute the "admin" posts to the new administrator account and you are done.
On a side note, don't use your new admin user name as the display name on blog posts. It would be a huge mistake to pick a good admin name and then have it revealed as "posted by canthackthis23" under your posts. Your user profile data can be changed easily, just like in the picture on the left. Keep in mind that the display name is not the only leak: by default the author archive URL (/author/canthackthis23/, reached by requesting /?author=1) is derived from the login name too, so change the "nicename" slug or block that redirect as well.
Did you know that a simple CAPTCHA plug-in, or any plug-in that limits login attempts, will stop most automated password guessing? It won't stop a determined human attacker, but the botnets described above are scripts, and a script that cannot pass the challenge moves on. Here's one that can be used not only for WordPress' admin login, but also for registration forms, comment forms, and so on.
3. Update and Backup Your Website
Another important tip is to keep the WordPress installation up to date. The WordPress developers release updates that not only improve the CMS but also fix known security issues. The same goes for the theme(s) and plug-ins you are using. Stay away from plug-ins and themes that contain obfuscated code and / or links pointing to other websites: you may never know who you are linking to, and this can have a devastating effect on your SEO rankings.
In fact, some plug-ins are known for their many vulnerabilities and should be avoided; search the web for "plugin_name vulnerability" before deciding to install a new plug-in. Think twice before installing a plug-in that allows file uploads: an upload form that accepts PHP files, or that stores files where the web server will execute them, hands an attacker a way to run code on your server. If you don't need uploads, ask your customers to email you the files instead; if you do need them, make sure the plug-in restricts file types and that the upload directory cannot execute scripts.
Most WordPress themes are free, but some of them may contain malicious code. Theme Authenticity Checker will search the installed themes, looking for strange code snippets and outbound links. And the good news doesn't stop here: there is a similar tool that checks for potential vulnerabilities not only in the WordPress database but also in the installed plug-ins: Exploit Scanner.
Back up your WordPress site on a regular basis, and keep at least one copy somewhere other than the web server itself, because an attacker who owns the server can delete or poison backups stored on it. I would use a commercial plug-in for that, but I've heard lots of good things about Duplicator, so you may want to try it.
Do you have a good antivirus installed on your computer? A keylogger or password stealer on your own PC captures your WordPress password no matter how strong it is, so the computer you administer the site from matters as much as the site. Don't pick a product on price alone (free or paid); check independent antivirus test sites like AV Comparatives to find one that actually does its job.
Post Hacking WordPress Security
But what should you do if your WordPress website has already been hacked? This section is a bit more technical, so you might need some help from your hosting company as well. To begin with, log into cPanel and use the file manager to look at your website's files.
The screenshot shows HostGator's file manager; things might look a little different at another hosting company, of course. Sort the website files by their "Last Modified" date and you will quickly discover which files were modified and when. Be aware that timestamps are only a first hint: an attacker can reset them, so the reliable check is to compare every core file against a clean copy of the same WordPress version, and to look for files that should not exist at all (PHP files under wp-content/uploads/ are a classic sign). If you know a bit of PHP you can open and fix the files yourself, or you can simply overwrite them with clean WordPress installation files. Don't forget to make backup copies of the affected files before attempting any repairs, though, and once the site is clean change every password (WordPress, FTP, database, cPanel) and regenerate the secret keys in wp-config.php, because anything the attacker read is no longer secret.
If your hosting company offers phpMyAdmin, it is easy to examine the database and its tables; you may find signs of intrusion there as well. As an example, some attackers put their own email address in the "user_email" field of your account, or add an extra administrator account, so that even after you change the password they can use the "Lost your password?" link to have a reset link mailed to them. Check wp_users for accounts you don't recognise, wp_usermeta for who holds the administrator role, the "siteurl" and "home" rows of wp_options for redirects you did not set up, and wp_posts for injected script or iframe tags.
Once again, if you aren't a technical person, it's best to have these things handled by qualified personnel or by the support team of your hosting provider.
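As an added example (not from the original post), the script below runs those database checks. It builds a stand-in for the WordPress tables in an in-memory SQLite database so it runs offline; the SQL is what you would type into phpMyAdmin against MySQL, with the usual "wp_" table prefix assumed. The accounts, options and posts are constructed, including one injected administrator and one post with an injected script tag.

```python
import sqlite3

# Minimal stand-in for the WordPress schema (only the columns used here).
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT, post_status TEXT);
"""

# WordPress stores a user's roles as a PHP-serialized array in wp_usermeta,
# under the key <table prefix>capabilities.
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'
EDITOR_CAPS = 'a:1:{s:6:"editor";b:1;}'

# Constructed rows: user 3 is an administrator the site owner never created.
SAMPLE_ROWS = [
    ("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "canthackthis23", "owner@example.com", "2012-01-05 09:00:00"),
        (2, "jane", "jane@example.com", "2012-03-10 12:00:00"),
        (3, "wp_support", "helpdesk@example.net", "2013-04-20 03:14:07"),
    ]),
    ("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "wp_capabilities", ADMIN_CAPS),
        (2, 2, "wp_capabilities", EDITOR_CAPS),
        (3, 3, "wp_capabilities", ADMIN_CAPS),
    ]),
    ("INSERT INTO wp_options VALUES (?,?,?)", [
        (1, "siteurl", "http://www.example.com"),
        (2, "home", "http://www.example.com"),
    ]),
    ("INSERT INTO wp_posts VALUES (?,?,?,?)", [
        (1, "Hello world", "<p>Welcome.</p>", "publish"),
        (2, "About", '<p>About us.</p><script src="http://evil.example.org/x.js"></script>', "publish"),
    ]),
]


def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        conn.executemany(sql, rows)
    return conn


def list_admins(conn, prefix="wp_"):
    """Every account holding the administrator role. Matching the serialized
    array with LIKE is the same trick you would use in phpMyAdmin."""
    sql = f"""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM {prefix}users u
        JOIN {prefix}usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = ? AND m.meta_value LIKE '%"administrator"%'
        ORDER BY u.ID"""
    return conn.execute(sql, (prefix + "capabilities",)).fetchall()


def audit(conn, expected_admins, trusted_domains, expected_url, prefix="wp_"):
    """Findings that deserve a look: admins you did not create, accounts whose
    email domain you do not control (password resets go there), site URLs
    that were changed, and posts carrying script/iframe tags."""
    findings = {"unexpected_admins": [], "foreign_emails": [],
                "url_mismatch": [], "injected_posts": []}
    for _id, login, _email, _registered in list_admins(conn, prefix):
        if login not in expected_admins:
            findings["unexpected_admins"].append(login)
    for login, email in conn.execute(f"SELECT user_login, user_email FROM {prefix}users"):
        if email.rsplit("@", 1)[-1].lower() not in trusted_domains:
            findings["foreign_emails"].append((login, email))
    for name, value in conn.execute(
            f"SELECT option_name, option_value FROM {prefix}options "
            f"WHERE option_name IN ('siteurl', 'home')"):
        if value != expected_url:
            findings["url_mismatch"].append((name, value))
    for post_id, title in conn.execute(
            f"SELECT ID, post_title FROM {prefix}posts "
            f"WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%'"):
        findings["injected_posts"].append((post_id, title))
    return findings


if __name__ == "__main__":
    report = audit(sample_db(), {"canthackthis23"}, {"example.com"}, "http://www.example.com")
    for key, items in report.items():
        print(f"{key}: {items}")
```

If your installation uses a different table prefix, pass it as `prefix`; the capabilities meta key changes with it, which is why the query builds the key from the prefix rather than hard-coding "wp_capabilities".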
Best WordPress Security Plug-in?
So is there a "best" WordPress security plug-in? As you can probably guess, this question doesn't have a simple answer. There are quite a few paid options, but if you are looking for a free alternative, Better WP Security is definitely one of the best plug-ins out there, offering better protection than many of its paid rivals. As always, back up your website before installing any new plug-in; this lets you restore it easily if something goes wrong.
In conclusion, if you are interested in securing your WordPress site, it is important to understand that this is an ongoing process: updating WordPress, the themes and the plug-ins on a regular basis, watching the logs for the brute-force attempts described above, and having a solid backup strategy in place. Follow these steps and you will be able to sleep soundly at night, knowing that your precious website is as safe as you can reasonably make it.