WordPress Security

In 2009, I wrote an article on my blog called “How to Protect your WordPress Website”. It provided instructions to help make your WordPress site a little less ‘hackable’. Unfortunately, hackers are smarter and more and more WordPress websites are being compromised. Here are some old tricks that still apply, as well as some new ones.

If you are not a web developer and have no idea how to implement any of the following, please contact us. We offer affordable WordPress security packages that include backups.

1. Change the Default ‘admin’ Username

Leaving the default ‘admin’ username in place is the easiest way for a hacker to get into your website, because they know most of the login usernames are ‘admin’. They run a password script on your site, and they’re in before you know it! Log into your site, click on ‘Users’ on the left, create a new Administrator username (that has NOTHING to do with your site) and choose a difficult password (try this Password Generator). Log out of your ‘admin’ profile and log in with your new details, then DELETE the ‘admin’ profile.

2. Keep WordPress and Your Plugins Up-to-Date!

Another common security risk is not maintaining your WordPress version and plugins. Always make sure you have upgraded to the latest version of WordPress and that all your plugins are up-to-date.

3. Install Security Plugins

Despite all my efforts to keep my websites safe, hackers still get into my sites, in ways I cannot even begin to imagine. They can get in through a compromised hosting provider, cPanel, malicious scripts, you name it! My best defence has been these two security plugins:

  • Wordfence Security: A nifty plugin that scans your site for malicious code, lets you permanently block IP addresses from accessing your site and emails handy notifications (like if someone is locked out from trying to log into your site). It then gives you the offending IP to block. They also have a paid version that lets you block countries (useful if your audience is local, then you can block common offending countries like Russia and China).
  • WordPress Firewall: Exactly what it says it is – a firewall for WordPress. Make sure you set up notifications for blocked attacks. You can then permanently block the IP from accessing your website with Wordfence. (Although outdated, it is still one of the most useful plugins I use.)

4. Back Up Your Website!

No matter how much security you put into place, there is always a chance your site may still get hacked, WordPress or not. Make regular backups (depending on how often you update your website) or check with your hosting company to see if they make backups. This is also useful if an upgrade goes wrong or you make a change you cannot undo.