Of the top 1 million websites, WordPress has a 65% share of all Content Management Systems (CMS) being used. There are currently around 64 million WordPress blogs and websites in existence, making it an incredibly attractive target to hackers.
Just recently, [pullquote position=”right”]WordPress made headlines when it was the subject of a massive botnet hacking attempt, which managed to compromise 90,000 sites.[/pullquote] It did this with a brute force attack, trying to log in with the standard “admin” username and a list of thousands of potential passwords.
I myself have been the target of WordPress attacks in the past, but by following these simple steps, I’ve managed to thwart off potential attackers since.
- The number one most important thing is to make sure your WordPress version, themes, and plugins are all updated to the latest version. These updates often include bug fixes and patches to secure against attacks. Updating all of these is easy! When you log into WordPress, the admin bar at the top of the screen will alert you if there are any updates available. Simply click on the update button and you can update everything to the latest version in just a few seconds!
- It’s also important to delete any themes and plugins that you’re not using. Every theme and plugin is another potential way that hackers could get into your site. If you’re not using it, get rid of it!
- Change your default username. The username “admin” should be one of the first things you change. In fact, if you’re doing a new WordPress installation, just choose a different username to begin with. This default username is how 90,000 WordPress blogs were hacked recently. Unfortunately, it’s all to easy to figure out if someone has changed the default username or not. If you want to see, just look at the screenshot below. If you try to log in with the username “admin” and the wrong password, WordPress actually comes back with an error saying, “The password you entered for the username admin is incorrect.” If that username doesn’t exist, WordPress returns a different error: “Invalid username.” I’m not sure why it announces to the whole world which usernames exist and which don’t, but changing from the default username is one of the best things you can do to improve the security of your WordPress installation.
- You should also change the standard log-in URL from yoursite.com/wp-admin to something else. It amazes me how many BIG websites haven’t even made these simple changes! Give it a try on some of your favourite websites; you’ll be surprised how many haven’t even covered the basics when it comes to security.
- Set a secure password – don’t use dictionary words. Use a combination of upper and lower case letters, numbers, and special characters. This is not unique to WordPress; you should be employing this practice on anything that requires a password, like internet banking or computer passwords.
- Enable 2-step authentication on your WordPress site. This is pretty straightforward to do and is something you’ve probably seen if you use internet banking. An example is if you try to transfer money, it will send a unique code via SMS to your phone, which you have to enter in addition to your regular password.
- Remove all default posts, comments, pages, etc. as these indicate that your site might be fairly new and make it a more attractive target.
- Change the prefix on your database tables from the default “wp_” to something else. As with the default username, this is something you can actually set when first installing WordPress.
- Hide your WordPress version number. This way, it won’t stand out to hackers if you’re not using the latest version.
- Back Up! There are plenty of great backup plugins available, and many are free. If the worst happens and you are hacked, you’ll be back up and running in no time.
Are you ready for some great news? You can implement most of the ideas above and MORE with the click of a button. How? Install the Better WP Security plugin. It even has some advanced features like blocking IP addresses that attempt to log in (incorrectly) too many times, and you can create a blacklist of IPs. I’m surprised how many e-mails I get alerting me that people are trying to either log into my site or trying to access a URL that doesn’t exist (usually the default log-in page at /wp-admin/). You can also use the IP tracer to see where the attempt originated from (most of mine seem to be from Russia or China).
Do you have a great WordPress security tip? Leave it in the comments below!
And if you want to take WordPress to the next level, check out this article: Top WordPress Plugins for the Smart Blogger.