How often are bots, spammers, and hackers trying to get into your site? It might be more often than you think. One of our smaller, local clients has had over 18,000 attempts at getting into their WordPress site in the past year. Fortunately, we have the security in place to prevent attacks like this from getting through. What can you do to secure your site? These tips apply primarily to a self-hosted version of WordPress (not WordPress.com). Although many of these tips can be used with a WordPress.com website.
Use a Security Plugin
WordFence and All In One WordPress Security are two of the most popular plugins out there — because they work. Plugins like this will help guide you through the changes you need to make to keep your WordPress website secure. They work by modifying the .htaccess file on your server, helping you easily block bots and IP addresses attacking your site. They also provide assistance in changing some common WordPress URLs and installation settings as well as securing WordPress common files (such as wp-config.php). Just be careful when using these, because it is possible to lock yourself out of your own site — trust us, we’ve seen it happen.
Change the Admin Username
Seriously, change the administrator username to something other than “admin”. Since the WordPress default installation uses “admin” as the administrator user name, that is the first username bots and hackers try. Of the 18,000 failed login attempts above, more than half tried admin or some variation (i.e. adm or domainadmin). Do not use a significant part of your domain name either. For example, if your domain is mycompany.com, do not use “mycompany” as your username. That was the second most used user name in the failed login attempts. Others to stay away from include the full domain name, “Webmaster”, “Webadmin” or other similar usernames.
While you are changing the admin username, make sure there is a “real” name attached to the user. When a post or page is published, the author is often public. If you do not set a first and/or last name for the user, WordPress defaults to the login username. The bots then pick up that username and attempt to get in. Secondly, be careful with the usernames. For example, when “Jane Smith” posts, bots will try “Jane”, “JSmith”, “Smith” and other various combinations trying to login to her account.
Change the WordPress Database Table Prefix
When WordPress is installed, it puts “wp_” in front of all its database tables. This is to help you identify which tables belong to WordPress if you are using the database for more than one application. Change “wp_” to something else. Ideally, you would like to use more characters and mix of letters and numbers.
While you are checking on your database, make sure the database name, username, and password are secure. cPanel accounts default database names to your account username followed by an underscore and then a name you choose. Pick something nonsensical for that name — make it a string of characters that would not appear in a dictionary. The same is true for your usernames and passwords. Passwords for databases should be at least 12 characters long with a mix of uppercase, lowercase, numbers, and special characters.
Keep WordPress and Plugins Updated
Always make sure you have the current version of WordPress and your plugins running. Also make sure all your plugins come from reputable sources and are listed in the WordPress plugin repository. Do NOT download a “free” version of a premium plugin you find somewhere–there is no way to verify the veracity of that plugin and you are hurting the people who have put hundreds of hours into developing and supporting something that is making your life easier.
WordPress is excellent at releasing patches to fix bugs and secure vulnerabilities. You can turn on automatic updates, which will automatically update your installation for the smaller releases (i.e. 4.7.1 to 4.7.2). For the bigger releases, you will need to update WordPress yourself, which is as easy as clicking a button. ALWAYS make sure you have a backup of your site files and database before starting an update process.
Backup Your Site Regularly
Speaking of backups…your hosting provider should be able to provide backups for you – some will charge an extra fee. Your hosting provider should also be storing offsite backups – ask if they do. You can also use plugins such as JetPack and Updraft Plus. They provide backups right from your Dashboard. Premium versions will allow automatic scheduling and some offer automatic backups to the cloud. Having a clean version of your database and files is important in case your site is compromised.
WordPress is a great and popular platform for building websites — because of that, hackers try to take advantage of the uninformed. Keeping your site secure is easy, but takes a little vigilance on your part to make it happen. If you have ANY questions about how to secure a WordPress website, find a reputable web development firm with WordPress experience. For a small fee, they will be happy to review your security settings and provide recommendations.