WordPress – a free and open-source content management platform – is currently being used on over 75 million websites. This equates to roughly 28% of all existing websites. The fact that it’s ubiquitous should tell you that building your site on WordPress has its advantages.
However, its popularity alone has made WordPress a frequent target of hack attempts.
You may be asking yourself why in the world anyone would want to hack your site. Actually, there are a number of reasons:
- To use it to store illegal files such as malware or adware that can infect your visitors
- To use it as a stepping stone to launch targeted and untraceable attacks on other sites
- To embed keywords and backlinks on your site in an effort to boost another site’s search engine ranking
- To get search engines to penalize your website for having spammy content
- Just for kicks
Now that you’ve got a better understanding of hack attempts, here are some best practices you can employ in order to secure your site and safeguard against them.
Securing Your WordPress Site: Tips from a Pro
1. Use a backup plugin
Installing a backup plugin is quite possibly the most important step you can take to protect your site. Your site’s backup files should be sent to a remote storage area such as Google Drive or Dropbox, or even emailed to you. That way, if anything causes your site to crash, you’ll be able to quickly restore it with clean, uncorrupted files.
The last thing anyone wants to deal with is having to rebuild their site from scratch. There is simply no need for this to happen, so don’t let it.
2. Install and configure a security plugin
This one seems like a no-brainer, but you’d be surprised how many people overlook this step when setting up their site. Powerful plugins such as IP Geo Block will enable you to blacklist certain IP addresses or entire countries from accessing your site, and with plugins such as iThemes Security and Wordfence, you can enable two-factor login authentication, scan your site for vulnerabilities and much more.
3. Keep your WordPress version up-to-date
One of the many perks to using WordPress is that the platform is constantly being improved to fix bugs, patch security holes or just make it more user-friendly. You may be tempted to ignore your site’s notification of an available WordPress update for fear of breaking something if you install it (a valid concern), but don’t. Keeping current with platform updates will ensure that your site has the latest security holes all closed up.
4. Keep plugins and themes up-to-date
Similar to platform updates, plugin updates are frequently being made available and it’s important to keep up with those as well. Keep in mind that, although most plugin updates are simple to perform, you never know when an update will conflict with another plugin or even your site’s theme. So always remember to take a backup of your site before installing any updates.
As far as themes go, it’s important to note that if you have any customization on your site, updating your theme can wipe all of that out with one click of a button. If your site doesn’t use a child theme (which inherits the functionality and styling of the main theme but can be safely modified), it’s best to leave updating your WordPress theme to a professional.
5. Limit login attempts
When your site is under a brute force attack, the login attempts are typically being performed by a bot, or automated program. This means that the attempts can be relentless, and if your password isn’t strong enough, will eventually lead to success.
Many security plugins will allow you to decrease the amount of login attempts your site will allow before lock-out, as well as increase the amount of time a particular IP address will be locked out.
iThemes Security will allow you to disable access to your WordPress dashboard for a specific time period on a daily schedule (like overnight, when you’re presumably sleeping), which can have a significant impact on the amount of hack attempts you receive.
6. Don’t use admin as a user name!
The most often attempted user name by hackers is admin, since it’s the default WordPress installation set-up. This can easily be changed, making it much more difficult for a hack attempt to occur.
If you’ve already set up admin as your user name, it’s not the end of the world, provided you pay attention to the next tip. However, you should be able to create a new user name and remove the admin one. If you do this, you may need to assign your existing content to your new user name within your WordPress dashboard (WordPress will prompt you to do this).
7. Choose a strong password and change it often
Most hack attempts are performed by bots as opposed to humans, which means the attempts can be limitless and quite intelligent. Although using complicated and ridiculously long passwords is highly recommended, most people avoid doing so because it’s difficult to memorize all of them for so many sites. One noteworthy solution for keeping track of them is to use password management software.
8. Remove unused plugins
If you’re like most people, oftentimes you try out several different plugins before landing on one that meets your needs. Make sure to not only deactivate, but uninstall any plugins that you aren’t currently using on your site, in order to minimize the amount of security holes that may be lurking. This can also help increase site speed and the time it takes to perform important backups.
9. Remove unused themes
Whether you’re using a free or premium WordPress theme on your site, chances are your WordPress site came loaded with a few default themes that you aren’t planning on using. These can and should be deleted to avoid any unnecessary security holes. To do this, go to your WordPress dashboard and click on Appearance > Themes. Click on an unused theme and then click Delete.
10. Install an SSL certificate on your site
This one is not as complicated as it sounds. Using a secure protocol on your site (https as opposed to http), not only secures any data transfers on your site, such as form submissions, but also helps improve your site’s Google search rankings.
Contact your web hosting company to find out about getting an SSL certificate installed on your site. A free, open-source SSL option such as Let’s Encrypt may even be included with your hosting plan.
Hack attempts happen all the time, so you need to take the proper precautions to protect your site. Follow these tips and secure your site today!