Is being hacked fun? Certainly not.
The worst part about it is that you could potentially lose everything. Your content. Your media. Personal data. It's natural to want to protect your site from being hacked. It’s just as important as protecting your home from burglars.
There are a few ways to lock your website and WordPress install down. Unfortunately there are never any guarantees when it comes to security. That’s why extra care is important. Even the most obvious or seemingly unimportant stuff could bring your security down. It's never good to leave your site vulnerable when you can take action and better protect it. At the very least, it may slow down an intruder even if it doesn't stop them completely.
Today, we present you eight things you can do to your WordPress site to ensure it remains as secure as a locker. A locker in a bank. A bank that’s inside a bunker. A CIA bunker. Pretty secure, all in all.
It could be tiresome to update. Sometimes stuff like plugins won’t work properly. However: when you see updates available for WordPress, your themes, or plugins you should download and install them immediately. Why?
Those updates often include security patches and fixes that seal off potential vulnerabilities. In fact, a lot of times hackers gain access to a WordPress site simply because it was out-of-date. The attacker was able to take advantage of a known vulnerability. In fact, hackers seek out older versions of WordPress for this very reason.
Updating your site won't necessarily keep everyone out, but it will certainly ensure certain doors remain closed – doors that can be taken advantage of. If you want to install a theme, find a source that is updated often (like this one). Same goes for plugins – make sure there are people working on them. Installing something that will stay out-of-date forever is certainly not pleasant.
Bonus tip: although most of the time WordPress updates are a good thing, sometimes they may be compromised. That’s why before actually updating you should read something about that update on the Internet (on sites like this one, for example!). Don’t ignore updates, but don’t update blindly either.
The version of WordPress you have installed can be easily identified by viewing a page's source header. Unless you installed a theme that removes this info, the version number is included in the metadata. In other words, hackers can easily find this information. Not to enjoy it. To exploit it.
To remove this information, you need to add the following code to your theme's ‘functions.php’ file:

// Return an empty string in place of the generator tag (the one WordPress
// prints in the <head> of every page and in the RSS/Atom feeds).
function wpbeginner_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wpbeginner_remove_version' );
This code removes the version number from the source view and RSS feeds, effectively hiding it from view.
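The generator tag is not the only place the version shows up: WordPress also appends ?ver=&lt;version&gt; to the core scripts and stylesheets it enqueues, and ships a readme.html in the web root that names the release. The snippet below is an added example written for this article (it is not the original post's code nor WPBeginner's); it extends the fix above to the asset query strings. The function name example_strip_core_version is an assumption; the filters it hooks (the_generator, style_loader_src, script_loader_src) are WordPress's own.

```php
<?php
// Added example: hide the WordPress version in the places the theme can reach.
// Drop into functions.php or a small must-use plugin.

// 1. Generator tag in <head> and in the RSS/Atom feeds (same effect as the
//    wpbeginner_remove_version() snippet above).
add_filter( 'the_generator', '__return_empty_string' );

// 2. Core scripts and styles are enqueued as /wp-includes/js/foo.js?ver=6.x.y.
//    Remove the ver= argument only when it equals the core version, so the
//    cache-busting versions that plugins and themes set stay intact.
function example_strip_core_version( $src ) {
    if ( false === strpos( $src, 'ver=' ) ) {
        return $src;
    }
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        return remove_query_arg( 'ver', $src );
    }
    return $src;
}
// Late priority so this runs after any plugin that rewrites asset URLs.
add_filter( 'style_loader_src',  'example_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_version', 9999 );
```

readme.html cannot be hidden from PHP, since the web server serves it as a static file; delete it after each update or deny it in the web server configuration. Keep in mind that hiding the number only removes the easy tell; an out-of-date install is just as out of date with the tag gone, so this complements updating rather than replacing it.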
A small thing? Yes. Is it important? More than you think.
By default, WordPress assigns the main administrative account under the name “admin.” It makes a lot of sense, sure. But that’s exactly why it's used on hundreds – if not thousands – of other WordPress powered sites. It’s obvious.
In 2013, hackers volleyed a series of brute-force attacks at WordPress websites, repeatedly attempting to login by pairing the main account “admin” with common passwords. They were pretty successful.
Even if you have a complicated, secure password, it's still not a good idea to use a well-known username. There are two ways you can fix this: one involves creating a new account, and the other requires logging into your cPanel and changing the username through phpMyAdmin.
The first method is easier – create a new account with the desired username, then give that new account admin privileges before continuing. Once that's done, you can simply delete the original “admin” account and WordPress will give you an option to attribute all existing posts and content to the new account.
The more involved method – which requires access to the website's hosting account – is to log in to cPanel and open phpMyAdmin. Once there, you need to select the database where your site is hosted, and then navigate to the “wp_users” table (the “wp_” prefix may differ if you changed it during installation). You should then see all the usernames for your site. You can simply change the “user_login” value under the account you want to the new name. For example, you can change “admin” to “hackersaresuchlosers” or something like that.
Unfortunately, there's another way for resourceful hackers to identify your WordPress username thanks to the author archive URL. By default, WordPress will display the account username there. For instance, if the username is “bobwrites”, the author archive will look something like:
http://yoursite.com/author/bobwrites
Luckily, the fix for it is pretty simple, although it does require digging into your site's database. You can find a full guide here. In a few words: disguise yourself under a different name, one that wouldn’t give away anything important about your website.
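One thing the database route above does not fix: the author archive URL is built from the user_nicename column, not user_login, so renaming the login in phpMyAdmin leaves /author/admin/ (and the user's slug in the REST API's users endpoint) pointing at the old name. The script below is an added example for this article, not the original post's method or WordPress's own tooling: it does the first method (new administrator, content reassigned, old account deleted) in one go and sets a nicename that differs from the login. Run it from the WordPress root with the new password in an environment variable (`NEW_ADMIN_PASS=... php replace-admin.php`). The file name, the example_ logins, the e-mail address and the nicename are placeholders to change.

```php
<?php
// Added example: retire the default "admin" account from the command line.
// Assumes this file sits in the WordPress root next to wp-load.php.
require_once __DIR__ . '/wp-load.php';
require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

$old_login    = 'admin';              // account to retire
$new_login    = 'example_siteowner';  // placeholder: pick something non-obvious
$new_nicename = 'editorial-team';     // placeholder: becomes /author/editorial-team/
$new_email    = 'owner@example.com';  // placeholder

function fail( $msg ) {
    fwrite( STDERR, $msg . "\n" );
    exit( 1 );
}

// Password comes from the environment so it is never committed with the script.
$new_pass = getenv( 'NEW_ADMIN_PASS' );
if ( ! $new_pass || strlen( $new_pass ) < 12 ) {
    fail( 'Set NEW_ADMIN_PASS to a password of at least 12 characters first.' );
}
if ( $new_nicename === $new_login ) {
    fail( 'The nicename must differ from the login or the author URL still leaks it.' );
}

$old = get_user_by( 'login', $old_login );
if ( ! $old ) {
    fail( "No user named {$old_login}; nothing to do." );
}
if ( username_exists( $new_login ) ) {
    fail( "User {$new_login} already exists; choose another name." );
}

// 1. Create the replacement administrator.
$new_id = wp_insert_user( array(
    'user_login'    => $new_login,
    'user_pass'     => $new_pass,
    'user_email'    => $new_email,
    'user_nicename' => $new_nicename,
    'display_name'  => 'Site Owner',
    'role'          => 'administrator',
) );
if ( is_wp_error( $new_id ) ) {
    fail( 'Could not create user: ' . $new_id->get_error_message() );
}

// 2. Hand the old account's posts to the new one and delete it. The second
//    argument is what the dashboard's "Attribute all content to" option does.
wp_delete_user( $old->ID, $new_id );

echo "Created {$new_login} (ID {$new_id}), reassigned content, removed {$old_login}.\n";
echo 'Author archive: ' . get_author_posts_url( $new_id ) . "\n";

// 3. Flag any remaining account whose archive URL still reveals its login.
$fields = array( 'ID', 'user_login', 'user_nicename' );
foreach ( get_users( array( 'fields' => $fields ) ) as $u ) {
    if ( $u->user_login === $u->user_nicename ) {
        echo "Warning: /author/{$u->user_nicename}/ exposes the login of user {$u->ID}\n";
    }
}
```

For accounts you want to keep, wp_update_user() with a new 'user_nicename' achieves the same as editing the column by hand. Take a database backup before running anything that deletes a user, since the reassignment is not reversible from the dashboard.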
Yes. Open your calendar and mark a day when you’re going to change your passwords – and then make it a regular event. It’s boring and it’s crucial.
There's a reason you're told to change your passwords often across multiple platforms. That rule is no different when it comes to your WordPress account. In addition, make sure you are using secure passwords when you pick one. About 8% of WordPress sites are hacked due to a weak password. Use a combination of numbers, symbols and different case letters (upper and lower) or a password manager.
Even though most sites recommend using eight characters, try to keep your passwords above ten characters. And keep them in mind, not in a plain text document stored in Dropbox.
It's possible to block a single IP from trying to hack your website by limiting the amount of login attempts that can be made. Of course, resourceful hackers can always resort to switching between multiple IP addresses but it's a lot more work. For many of them it’s going to be much easier to switch to another site. That’s the reason it's worth locking down the amount of login attempts for your site.
This can be done with plugins, such as the Limit Login Attempts plugin. It automatically blocks an IP after it breaches the login limit, and allows you to specify how long that IP address remains locked out.
It’s like an automatic cop car that comes and takes away a prankster who’s banging on your door for 15 minutes straight, at night.
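To show what a plugin like Limit Login Attempts is doing under the hood, here is a minimal per-address limiter written as an added example for this article (it is not code from that plugin or from the original post). It counts failures from the wp_login_failed action in a transient keyed on the client address and, once the limit is reached, makes the authenticate filter return an error for the rest of the window. The EXAMPLE_ constants and example_ function names are placeholders; the hooks and transient functions are WordPress's own. It assumes the server sees the client directly in REMOTE_ADDR; behind a proxy or CDN you would read the proxy's forwarded-address header instead, and only when the request really came from the proxy.

```php
<?php
// Added example: a per-IP login limiter as a must-use plugin
// (wp-content/mu-plugins/example-login-limit.php).

define( 'EXAMPLE_MAX_ATTEMPTS', 5 );                      // failures allowed per window
define( 'EXAMPLE_LOCKOUT', 15 * MINUTE_IN_SECONDS );       // how long the address stays locked

// One transient per client address; transient names must stay short, hence md5.
function example_client_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Count every failed login. The transient's expiry is reset on each failure,
// so a locked-out address that keeps trying keeps extending its own lockout.
function example_record_failure( $username ) {
    $key   = example_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_LOCKOUT );
    if ( $count === EXAMPLE_MAX_ATTEMPTS ) {
        // Worth a log line: this is the signal your monitoring should see.
        error_log( sprintf(
            'login lockout: %s after %d failures (last username tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $count, $username
        ) );
    }
}
add_action( 'wp_login_failed', 'example_record_failure' );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a correct password is still refused while the address is locked out.
function example_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( example_client_key() ) >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed logins from your address. Try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_check_lockout', 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_client_key() );
} );
```

Note that the error message deliberately does not say whether the username exists, and that the counter covers XML-RPC and REST logins too, because those go through the same authenticate filter. A single shared address (an office NAT, for example) is locked out as a whole, which is the trade-off of counting by IP.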
Having as little executable code as possible on your site also helps maintain security. Remove or delete any plugins and themes you are not using on your site. There's no reason for them to be there taking up space on your server anyway.
Unless you disable directory listing, anyone can open a folder such as wp-content/plugins in a web browser and see a list of your WordPress files and folders. You can turn it off by adding the following line to the .htaccess file in the WordPress install directory:
Options -Indexes
(Note that Apache rejects “Options All -Indexes”: options with a + or - sign cannot be mixed with ones without.) You should also include a blank ‘index.php’ file in your “wp-content/themes” and “wp-content/plugins” directories, so a listing is never shown even if the server ignores the directive.
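The two points above (unused code on disk, and folders that would list their contents) are both easy to check from a script. The following audit is an added example written for this article, not part of the original post or of WordPress; run it from the WordPress root with `php audit-surface.php`. It only reports, so removing what it lists stays a deliberate step. It also checks the uploads directory, which the post does not mention but which is just as browsable. The file name and the $unprotected/$unused variable names are assumptions; get_plugins(), is_plugin_active(), wp_get_themes() and WP_CONTENT_DIR are WordPress's own.

```php
<?php
// Added example: list inactive plugins, unused themes and wp-content folders
// without an index.php. Assumes it sits in the WordPress root next to wp-load.php.
require_once __DIR__ . '/wp-load.php';
require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugins(), is_plugin_active()

// 1. Plugins present on disk but not active: code that is only ever a liability.
$inactive = array();
foreach ( get_plugins() as $file => $data ) {
    if ( ! is_plugin_active( $file ) ) {
        $inactive[ $file ] = $data['Name'] . ' ' . $data['Version'];
    }
}

// 2. Themes other than the active one and its parent (a child theme needs both,
//    so the parent is not "unused" even though it is never selected directly).
$active = wp_get_theme();
$keep   = array( $active->get_stylesheet(), $active->get_template() );
$unused = array();
foreach ( wp_get_themes() as $slug => $theme ) {
    if ( ! in_array( $slug, $keep, true ) ) {
        $unused[ $slug ] = $theme->get( 'Name' ) . ' ' . $theme->get( 'Version' );
    }
}

// 3. wp-content folders that would show a file listing if the web server
//    allows indexes. An index.php in each covers the case where the
//    Options -Indexes directive is missing or not honoured (nginx, for one,
//    ignores .htaccess entirely).
$unprotected = array();
foreach ( array( 'themes', 'plugins', 'uploads' ) as $dir ) {
    $path = WP_CONTENT_DIR . '/' . $dir;
    if ( is_dir( $path ) && ! file_exists( $path . '/index.php' ) ) {
        $unprotected[] = $path;
    }
}

print_r( array(
    'inactive_plugins'   => $inactive,
    'unused_themes'      => $unused,
    'dirs_without_index' => $unprotected,
) );
```

Anything in the first two lists should be deleted rather than left deactivated: a deactivated plugin's PHP files are still reachable by URL, and a vulnerable one can sometimes be exploited without ever being activated. The default WordPress themes are a reasonable exception to keep one of, since the dashboard falls back to them if the active theme breaks.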
Here’s a list of some useful security plugins that will help you secure your WordPress powered site.
Of course, you can't overlook the basics either such as performing regular backups of your site and database, using secure web hosting and limiting user access to the dashboard. If you play it safe you should be just fine.
Even if there are no guarantees when it comes to security, there are still things you can do to better protect yourself and now you have the means. Prepared means armed, after all.
Stay safe.