Time to get on the IMPORTANT topic of how to Prevent a WordPress Hack!
In this day and age, it’s common to hear about hacks and data breaches. From big businesses to small websites, nobody is safe from this threat. In fact, data breaches and hacks are on the rise. It’s more likely than ever that your WordPress website will become the next target.
The good news is you don’t have to sit around waiting for an attack to come your way. With WordPress, there are a number of steps you can take to protect your website, your information, and your users.
In this guide, we’ll review not only how to prevent a WordPress attack, but why it’s important to take these steps seriously in the first place. Your safety is only as good as your prevention, so let’s get started.
Why Is WordPress Susceptible to Cyber Attacks?
First of all, you might be wondering why WordPress is such a popular choice for hackers. Why do WordPress sites get hacked at all?
WordPress is the world’s most popular website builder. It powers over 30% of all sites on the planet, and that means it’s easy to find websites that aren’t secure.
In addition, WordPress is an open source platform. Because of this, it’s easy for new hackers to learn the system, and there are a lot of opportunities for plugins or third-party add-ons to open a website to vulnerabilities.
Whenever you add something to your WordPress website, you need to be careful. A reported 73% of the most popular WordPress installations are at risk of security problems. Ultimately, the reason WordPress is so prone to attacks is simply because it’s so popular with all types of website owners. The good news is you have a lot of things you can do to make sure your website is secure.
1. Use Up-to-Date Versions
If you’re not running the most recent update of WordPress, you’re opening yourself to security problems. With each update comes patches for known security issues, making your website much stronger.
While this might sound simple, over 86% of WordPress installations are now running outdated versions. If your WordPress version is out-of-date, hackers will know the most vulnerable areas to target.
The same goes for your own computer and devices. Sometimes your website can be corrupted or accessed through some form of malware or virus on your own device. Keeping both your computer and your version of WordPress up-to-date is a must. If possible, set reminders to update every time a new version is available.
2. Choose Your Themes and Plugins Carefully
Finding the right WordPress theme or plugin isn’t always easy. With so many options, how do you know what’s best for your website?
One of the biggest red flags is an outdated theme or plugin. While they might be functional, these tools don’t have the latest security features that protect your website from outsiders.
Always be selective when choosing your themes and plugins. Look for themes that are verified by sources other than the developer’s site. In addition, check for the update date. If the theme or plugin hasn’t been updated in months or years, odds are it’s no longer secure. You want to make sure the developer is taking a hands-on approach to keeping their product secure.
When it comes to WordPress themes in particular, it is far more secure to choose a WordPress theme over picking the free version. Free versions might seem easy, but they’re often prone to attack and don’t offer ongoing developer support.
3. Moderate Your WordPress Users
WordPress is a great platform to use if you have multiple users who need to access your site. However, this can quickly become a problem if you’re don’t remove users that are no longer active.
Take a careful look at your WordPress users. Be mindful of who has administrative access. Unfortunately, most people use weak passwords with their account, and this can open your website to hackers.
If you must keep inactive users, consider changing their role to subscriber to prevent them from performing too many actions. Be mindful of everyone who has or has previously had access to your WordPress website.
4. Disable WordPress File Editing
Through your WordPress dashboard, you can edit PHP files for plugins, themes, and more. This might seem like an easy way to make changes when you need to, but it could also give hackers more access to your website.
When an attacker gains access to your dashboard, they’ll usually go right to file editing. This allows code execution on the server, and it can be catastrophic for your website security.
Because there’s no real reason to have file editing through WordPress, consider disabling it. To disable editing, enter this code into wp-config.php. This will completely disable any editing from within WordPress:
5. Protect Your Login Page
By default, your WordPress login page will be your URL + wp-login. This makes it really easy for anyone to brute force their way into their website since they can easily find the login page.
It’s a smart idea to customize this login page URL so it’s much harder to find. This is also an easy thing to change. For this, you’ll need to download a security plugin like iThemes Security. WIthin this plugin, you can easily change your login URL to something else.
If you want to keep it simple, changing it to my_new_login is already a big improvement that will deter brute force hackers. However, making it more unique and original is always a good idea.
6. Add Two-Factor Authentication
Two-factor authentication is becoming more and more popular on social media platforms and with online banking. This is great news when it comes to our own personal security, but we can also enable two-factor authentication on WordPress as well.
What is two-factor authentication? Instead of just entering your username and password, you’ll also be asked to complete a second step to verify that you are who you say you are. Depending on the option you choose, your second step could be one of the following:
- Verify a code sent to your email or phone
- Answer a security question
- Enter a unique pin number
- Enter a set of characters
The best way to secure your website is to enable two-factor authentication with a code sent to your phone. As long as you have your device with you, you’ll always be able to login easily. Similarly, you’ll also know immediately if someone is trying to access your account with an alert directly on your phone.
To enable two-factor authentication, the Google Authenticator plugin can have you set up in a few clicks. From there, you can choose the type of authentication that’s right for you.
7. Change Your Admin Username
Does your admin account username go by “admin?” It’s easy to set this when you first get started and forget to change it, but this is the default guess when hackers are trying to access your website.
If you set your WordPress username as “admin,” it’s time for a change. You can change this in your WordPress user information. Choose something that is difficult to guess.
8. Use SSL to Encrypt Your Data
SSL stands for Secure Socket Layer, and it’s a smart way to secure your admin panel. In simple terms, SSL ensures that all of the data transferred between your browser and your users’ browsers are secure. This makes it difficult for hackers to breach this connection.
In this day and age, having an SSL is also essential for search engine optimization. Google announced in 2018 that SSLs would be necessary when determining search ranking, so this should already be a part of your WordPress strategy.
You can easily get a SSL through your host or a third-party company. Many hosting providers offer them for free, so contact yours to see what your options are. From there, Really Simple SSL is an easy plugin to add your SSL to your website.
9. Limit Login Attempts
WordPress allows users to login an unlimited number of times by default. While this is good if you have a hard time remembering specifics of your password, it’s a recipe for disaster when it comes to security
Hackers often use brute force to gain entry to your website, and by allowing unlimited attempts, you’re giving them all the time they need to get through. Instead, limit your number of login attacks. If a user keeps getting the password wrong, they’ll be temporarily blocked. Most security plugins come equipped with this feature.
10. Remove Your WordPress Version Number
Advertising your WordPress version number on your website or admin page might sound harmless, but it could tip off hackers to what strategy to use to gain access to your site. You can see your current WordPress version number in your website’s source view and also at the bottom of your dashboard.
You can hide this using just about any security plugin. Check with your specific security plugin to make sure you’re taking the right steps. Though simple, removing your version number is something you can’t overlook.
11. Run a WordPress Security Plugin
Because keeping your website secure can sometimes feel like a full-time job, it helps to use a security plugin that can do some of the heavy lifting for you. While there are a number of options available, some of the best are listed below:
All of these will monitor login activity, verify user identity, and help hide your admin and login pages. In addition, they can alert you if something suspicious is happening on your website, even when you’re not nearby to watch it yourself.
11. Alter Your WordPress Database Table Prefix
When you install WordPress, you probably noticed the table prefix wp- that’s used with all the files. If you haven’t installed WordPress yet, you can change it to another term during the installation such as mywp-.
However, if you’ve already installed WordPress with the default prefix, you can still change it. The plugins WP-DBManager and iThemes Security have an option for changing the table prefix in just the click of a button. However, always make sure you have a backup installed in case something goes wrong.
13. Beware Public Wi-Fi Networks
How vigilant are you about public Wi-Fi networks? Whenever you login to your WordPress site on a public network, you could easily be giving away your login credentials to anyone else on that network.
If you have an SSL certificate on your site, you should be safe. However, if you don’t or you’re unsure, make sure you use a Virtual Private Network (VPN). This is a service that encrypts your traffic on any network. It’s always better to be safe than sorry, even if you’re just working at your favorite coffee shop.
14. Review Your Web Hosting
Web hosting is a tricky subject when it comes to maintaining your WordPress site. It’s often a battle between price and quality. While shared, inexpensive hosting might seem like a great deal, you might be opening your website to hackers and other problems.
These services routinely do security scans to ensure your site is safe. If you’re using a shared server, you never know what types of security compromises might be happening on your neighbor’s websites. Don’t risk your website over cheap hosting! Review our 10 tips for choosing the best hosting for your needs.
15. Always Backup Your WordPress Website
Finally, it doesn’t matter how secure your WordPress site is, you should always be prepared with a backup. Backups are something we often don’t want to think about.
However, the best plan of action is to just be prepared for anything. Having an off-site backup is the best way to keep your website safe no matter what happens.
With a working backup, you can easily restore your WordPress site to a working state whenever you want, often in a single click. A great free option for automatic backups is UpdraftPlus. You can easily store backups in Google Drive, Dropbox, or another secure off-site location.
How often should you save a backup? While some might argue every hour, that’s likely overkill. If you’re updating your website regularly, a weekly backup is likely more than enough to cover all your bases.
Is Your WordPress Website Secure From Hackers?
These tips are a lot to take in when it comes to making sure your WordPress site is secure. If you’re just getting started, they might even be overwhelming. The important thing is that you start taking some action to keep your website safe.
Having a website that’s resistant to hackers will go a long way towards securing your data and your users’ information. It’s all about making sure you’re not an easy target.
Now that you know exactly what to do, there’s nothing holding you back from becoming a master of WordPress security. Hackers are targeting websites of all shapes and sizes. Start taking these steps above before it’s too late.