WordPress is one of the easiest platforms you can use to build a website. While there are other online website building platforms such as Wix, Shopify, and 1&1, WordPress gives you the most control while still being a WYSIWYG editor. But there is one problem that almost all WordPress websites have to contend with … Hackers!
Now, why would hackers want into your website? You may think that after all, it’s not a Fortune 500 website … but, here are a few quick reasons:
- Store illegal files.
- Store viruses and malware.
- Blackhat SEO.
Do you want to be a part of that? Absolutely not! All those are illegal activities and your WordPress website could be vulnerable to hackers looking to do one, or all of those activities, from your hosting account.
So what can you do to secure your WordPress website from hackers? Below, we’ll go over some things you can do to secure your website and keep the hackers away.
As a disclaimer, hackers are looking for easy targets. What these tips will do is make it harder to gain unauthorized access to your website. A targeted hacking attempt may not be stopped by these methods.
Stop The Brute Force Attack
Hackers generally have access to your username via your blog entries (the author tag), which means they only need to worry about cracking your password. There are a few ways in which they can do this. One method is a dictionary-based attack, where they use a password list to try to crack your password (which is why you shouldn’t use dictionary words). The other method is pure brute force, where they use a sequencer to step through every possible combination until they find a match.
Brute force attacks work great for short/weak passwords. To check your password strength, you can use The Password Meter to see where your password scores. A higher score means it will be harder for a brute force attack to be successful.
(Example of a weak password.)
Of course, there’s more you can do to really protect your WordPress website. You can install a plugin like the iThemes Security plugin (formerly Better WP Security) to lock out brute force attempts. It will detect unauthorized login attempts and block the IP from making multiple attempts (you can set the limit yourself).
If a hacker tries to log in a few times, the plugin will place a temporary ban on the hacker’s IP and they won’t have access to the login page for a certain amount of time. Remember, the goal is to make it harder for them so they’ll generally go somewhere else.
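As an added example (not from the article or any plugin it mentions), this Python script shows the kind of check a lockout plugin performs, run offline over a constructed web-server access log: it counts failed wp-login.php POSTs per IP inside a sliding window and reports which IP crossed the lockout threshold and when. The threshold, window and sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (combined format); not real traffic. WordPress
# answers a failed wp-login.php POST with 200 (it re-renders the form) and a
# successful one with a 302 redirect, which is what this check keys on.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [10/Mar/2024:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [10/Mar/2024:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [10/Mar/2024:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [10/Mar/2024:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
198.51.100.4 - - [10/Mar/2024:09:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [10/Mar/2024:09:15:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9821
192.0.2.9 - - [10/Mar/2024:09:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
192.0.2.9 - - [10/Mar/2024:09:31:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def failed_logins(lines):
    """Yield (ip, timestamp) for each request that looks like a failed login."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def find_brute_force(lines, max_failures=5, window=timedelta(minutes=10)):
    """Map each IP that reaches max_failures failed logins inside one sliding
    window to the time it crossed the threshold, i.e. when a lockout plugin
    would ban it. Lines are expected in chronological order, as in a log file."""
    recent = defaultdict(deque)
    flagged = {}
    for ip, when in failed_logins(lines):
        attempts = recent[ip]
        attempts.append(when)
        while when - attempts[0] > window:  # forget attempts older than the window
            attempts.popleft()
        if len(attempts) >= max_failures and ip not in flagged:
            flagged[ip] = when
    return flagged

if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"lock out {ip}: threshold reached at {when.isoformat()}")
```

The same logic with a shorter window or lower threshold is what the plugin's settings let you tune; note that behind a reverse proxy the client address must come from the forwarded header, not the socket peer.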
Use Two-Factor Authentication (2FA)
2FA is a great way to keep hackers out of your website. The best 2FA setup combines a strong password with another confirmation source such as a phone or email verification code. If you want to know how long it might take to crack your password, use this tool to see how fast it could be guessed by a brute force attack.
You can use the Google Authentication plugin with your WordPress website and it will do a good job of keeping hackers at bay.
Rename Your Login URL
If hackers know where your login URL (a.k.a. your door) is, then they know where to get in. Most WordPress installations use wp-login.php or wp-admin as the login gateway, and hackers know this.
But what if you changed the login URL to something like no_access or secret_portal? It’s a lot harder for a hacker to find your login page now, and you’ve reduced the likelihood that they’ll keep trying to find a way in.
Monitor Your Files
There are times when a breach can’t be seen on the website itself, but the files on your server can tell a completely different story. If a hacker has breached your system, they could be storing all kinds of illegal and/or malicious files on your server, and because nothing shows on the front end you would not know. To catch this, you can install the Wordfence plugin to monitor your files and alert you whenever a change is made.
If you know that neither you nor your team has been making changes to the website, there’s a good chance that a breach occurred. Once a breach has occurred, you need to run a security audit, find the breach, change the usernames and passwords, remove the vulnerability, patch the system, and restore the backup.
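Added here as an example (not the article’s or Wordfence’s code): a Python file-change monitor that hashes every file under a WordPress directory, saves a baseline, and reports files that were added, removed or modified since. The directory layout, skip list and sample files are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Paths that churn legitimately (an assumption; adjust per site). Uploads is
# deliberately NOT skipped: unexpected PHP there is a classic breach sign.
SKIP_PREFIXES = ("wp-content/cache/",)

def hash_tree(root):
    """Return {relative_path: sha256 hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if not path.is_file() or rel.startswith(SKIP_PREFIXES):
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digests[rel] = h.hexdigest()
    return digests

def compare(baseline, current):
    """Diff two hash_tree() results into added / removed / modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo():
    """Build a constructed mini site, save a baseline, then change it the way a
    breach often shows up: an edited theme file plus a PHP file nobody added."""
    with tempfile.TemporaryDirectory() as tmp:
        site, baseline_path = Path(tmp) / "site", Path(tmp) / "baseline.json"
        theme = site / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed sample\n")
        (theme / "functions.php").write_text("<?php // constructed theme\n")
        baseline_path.write_text(json.dumps(hash_tree(site)))  # e.g. from a cron job
        (theme / "functions.php").write_text("<?php // constructed theme\n// edit\n")
        (site / "wp-content" / "uploads").mkdir()
        (site / "wp-content" / "uploads" / "unexpected.php").write_text("<?php\n")
        return compare(json.loads(baseline_path.read_text()), hash_tree(site))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline file outside the web root and refresh it only after updates you made yourself; anything the report lists that you did not change is worth investigating.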
Backup Everything Regularly
If a website has been hacked, you have to revert to a clean copy of your website from before it was hacked. If you haven’t been backing up your website, you could be in for some major headaches. Generally, cleaning up the damage a hacker has left behind is nearly impossible - especially in a time crunch. If your website is your “bread and butter”, being down for days is not an option. But without a backup, you’ll have to start from scratch. With a backup, you can be up and running in a matter of minutes (sometimes hours).
Even when you restore a backup, you still need to figure out how the hacker breached your system by performing a security audit.
Protect the wp-config File
The wp-config file contains all the information about your WordPress installation: database credentials and prefixes, where files are stored, and much more. This is where a hacker can do a TON of damage. Most WordPress installations are done at the ROOT level, and this is a HUGE security risk. Instead, WordPress should be installed in a directory below the ROOT level.
Then the wp-config file needs to be moved up out of the WordPress directory and placed at the ROOT level. WordPress automatically looks for wp-config.php in the directory one level above its installation, so the site keeps working. Doing this will protect your wp-config file from hackers and make it more difficult to gain unauthorized access to your server.
There’s a lot going on here right? Wrong! In fact, this is a short list of suggestions to help you lock down your WordPress website. There’s a lot more that you can do that we didn’t even touch on.
If all that seems time-consuming, then maybe you need to consider outsourcing your WordPress security needs.
Let Someone Else Deal With It
For a lot of website owners, this is all too much to deal with, which is why they use an all-in-one security service provider like Bulletproof, to which they can outsource their data protection responsibilities, in addition to their vulnerability testing, penetration testing, and threat monitoring — as well as a plethora of other security-related services.
As a business owner, you make a lot more when you’re focused on your customers - not when you’re trying to keep hackers out. And while you can save a little by doing everything yourself, you have to ask whether you’re making the best use of your time and money.
Securing Your WordPress Website
Hackers see WordPress, Magento, Wix, 1&1, Shopify and other online building platforms as an easy target. Most website owners aren’t versed in security and leave their doors wide open.
But you aren’t like most website owners. Now you understand what needs to be done to make life more difficult for hackers. Remember, the goal is to slow them down so they’ll go elsewhere. Even so, you may still become a target for reasons unknown. And if a hacker decides they want access to your server, do you have what it takes to keep them out?
Always be willing to accept that you might not know enough and that outsourcing your security needs may be worth it. Either way, the goal is to secure your website and make it unappealing to a hacker. Following these tips, you should be able to do just that.