11 Ways to Secure Your WordPress Website Against Hackers
It’s a cruel world. There are unscrupulous, tech-savvy people who would love to hack into your WordPress site and wreak havoc all over your files and data. Fortunately, you can take steps to prevent that from happening.
We regularly hear stories about hackers gaining access to private data from high-profile companies or websites. The most recent example, familiar to anyone with a web browser and an Internet connection, is the recent Ashley Madison data breach. That episode was particularly troubling because Ashley Madison is a site dedicated to philandering. The information gained by the hackers was later released online, embarrassing many people and lining the pockets of divorce attorneys worldwide.
If it can happen to Ashley Madison, it can happen to your site.
According to WP White Security, almost three-quarters of all WordPress installations are vulnerable to hacker attacks. That makes WordPress sites prime targets for hackers looking for a quick score.
Fortunately, your website doesn’t have to be a victim. Here are 11 ways you can secure your WordPress blog from hackers.
1. Keep Your Plugins Up to Date
It may seem odd that, to keep your WordPress website secure, you need to keep your plugins up-to-date. However, there is a precedent here.
According to WP White Security, plugins account for more than half of all security vulnerabilities in WordPress installations. That statistic is backed up by recent reports.
WordPress made news in March when researchers discovered a couple of different vulnerabilities in WordPress plugins. This news sent plugin developers back to their source code to ensure that their software couldn’t be exploited. In some cases, the developers had to patch their code and release an update.
That’s where you come in.
Just because a developer releases an update, that doesn’t mean it’s automatically applied on your site. Often, WordPress will alert you when one or more of your plugins has an update available. Typically, it will appear color-coded, as you see below.
When you see that, update the plugin immediately. The latest patch could fix a security breach that the author (or somebody else) discovered.
2. Avoid Using the “Admin” User Name
In some cases, your WordPress installation will create the administrator account with the name “admin”. Change that name as soon as possible.
Experienced WordPress hackers are quite familiar with default installations. They know that “admin” is often created as a default administrator account and they might try a so-called “brute force” hack (attempting various passwords over and over again) with that user name.
Many host providers are aware of this potential for an attack and, as a result, avoid creating the administrator account with the name “admin” – but it’s still worth checking.
3. Grant Admin Access by IP
This is a bit of an advanced step, but it’s worth the effort if you’re the only one who’s authorized to perform administrative tasks on your WordPress site. You can restrict administrative access by IP address.
Your IP address is a quartet of numbers that identifies you on the internet. You can think of it as your digital address.
You can tell WordPress to only enable people to access the administration console if they are doing so from a specific IP address. That means hackers who are trying to access your site from any other IP address will be unsuccessful.
To implement this important security feature, first go to whatismyip.com to discover your IP address. Then, you’ll need to modify your .htaccess file on your host provider’s admin directory to implement the security change. If you don’t know how to do that, just call your hosting company’s tech support line and ask a technician to do it for you.
Specifically, you’ll want something that looks like this added to the file:
<Files wp-login.php> order deny,allow Deny from all Allow from xxx.xxx.xxx.xxx </Files>
Replace the “xxx.xxx.xxx.xxx” with the IP address you saw when you visited whatismyip.com. Once that’s done and the file is saved, only people who access the WordPress administration console from your IP address will be authorized.
However, keep in mind that it’s often the case that your Internet Service Provider (ISP) will sometimes change your IP address. In that case, you’ll be locked out of your own site. The solution is to call tech support and ask a technician to update the IP address accordingly. Do this at your own risk!
4. Use a Strong Password
It might be tempting to use your pet’s name as a password because it’s easy to remember. However, you’re better off going with something more secure.
A best-practice to use a password with at least 12 characters. Those characters should consist of an assortment of numbers, symbols and letters in uppercase and lowercase. The password shouldn’t be found in the dictionary, either – it should be appear to be gibberish to the naked eye. That will keep hackers from guessing it.
Use a strong password generator to make life even easier. Or even better, make sure that your WordPress installation is updated to 4.3, and it will generate a strong password for you!
5. Limit Login Attempts
To further protect your site against the threat of brute force attacks, you can limit login attempts. That way, when someone enters the wrong password repeatedly, that person is locked out of the site for a time.
There is a plugin called Limit Login Attempts that you can use to implement this feature. It will enable you to specify the maximum number of incorrect passwords allowed before locking out the IP address of the user entering the incorrect password. You can also arrange to have an email sent to you when there is a login failure.
6. Encrypt Important Data With Security Keys
WordPress Security Keys exist to encrypt information that’s stored in your visitor’s cookies. However, you might find that those keys are not populated by default in your installation.
To verify that your keys are populated, view the wp-config.php file in your own installation. It’s in the root file of your website. If you have trouble locating it, call tech support for your host provider.
If you see that your config file contains a stanza that looks like the following image, your keys are not populated:
In that case, you’ll need to populate those keys yourself. You can generate keys with the WordPress Salt Keys generator. Then, you can just copy and paste the code that appears on the screen over the block of code that you see above. Your new block should look something like the image below:
Save the file and you now have added security.
7. Keep WordPress Updated
Your WordPress installation will alert you when a major update is available. It’s in your best interest to update the files in the event that there is a security threat that’s been resolved.
WordPress will often automatically perform minor security updates and just alert you to the fact via email.
8. Disable Error Reporting
It’s intuitive that error reporting is useful. Unfortunately, it’s also useful to hackers because it might display your server path.
Access your wp-config.php file and add the following lines to disable error reporting:
error_reporting(0); @ini_set(‘display_errors’, 0);
9. Implement Two-Step Authentication
Two-step authentication makes the login process for legitimate users more complicated and annoying, but it goes a long way in keeping the undesirables out of your site.
As the name implies, two-step authentication requires users to go through two security steps before they’re authorized to use the site. The first step is usually the traditional name/password challenge. The second step typically involves entering a security code that’s sent to them via text message or other secure device.
There are plenty of plugins available that facilitate two-step authentication for WordPress. Here are a few of them.
- Google Authenticator: Requires your users to enter a key or QR code that’s delivered to their smartphones.
- Clef: Facilitates ‘passwordless’ two-step authentication using mobile devices.
- Clockwork SMS: Handles two-step authentication with the assistance of text messaging.
- Authy: Requires users to enter an API key from a smartphone application.
- Stealth Login Page: Creates an additional authorization code required for login.
10. Conceal Your Login Page
Almost all hackers know that a WordPress admin page is typically accessed by adding /wp-admin after the domain name. For example, if your domain name is xyz.com, your admin page is probably accessed by the following URL: http://xyz.com/wp-admin. They also know that the name of the login page is wp-login.php.
Fortunately, you can change that. There are plugins available, such as WPS Hide Login, that enable you to customize your login URL.
It becomes much more difficult for hackers to break into your system if they can’t even find your login page.
11. Scan Your WordPress Site for Possible Dangers
You probably already have some type of anti-virus software installed on your PC that scans your hard drive every so often for potential threats. You should scan your WordPress installation as well.
It’s possible that your host provider already scans your files, but you can’t be too careful when it comes to hackers. To that end, consider installing the Sucuri plugin. It will scan your WordPress installation for various types of threats and alert you if it finds malware or evidence that a hack has recently occurred. It’s a great way to proactively maintain system security.
Your WordPress site is just as susceptible to intrusion as any other site on the web. However, you can mitigate the risk of an attack by following best practices when it comes to WordPress security.
Let’s recap those 11 ways for preventing hackers accessing your site:
- Keep your plugin up to date.
- Avoid the “admin” username.
- Grant admin access by IP.
- Use strong passwords.
- Limit the number of login attempts allowed.
- Encrypt important data with security keys.
- Keep WordPress up to date.
- Disable error reporting.
- Use two-step authentication.
- Conceal your login page.
- Scan your site for dangers.
How do you protect your WordPress site? What plugins do you use to ensure that only authorized people are allowed into your system? Feel free to sound off in the comments section.