The recent brute force attacks on WordPress blogs have brought attention to an important concern for WordPress.org users: security. And it’s not just an issue when there’s a brute force attack going on — security is always an issue. With the great customization options of WordPress.org comes great potential for hacking. All you have to do is install the Limit Login Attempts plugin and see how often the default username “admin” is targeted by automated attacks, and you’ll realize that WordPress hacking is not an infrequent occurrence.
Please Note: Automated hacking issues don’t apply to WordPress.com users (which is why I recommend that some of my less technically inclined friends stick with WordPress.com for their blogs). However, no matter your blogging platform, it’s always important to use a strong password and make frequent backups!
Here are some simple steps to protect your WordPress.org site now and in the future:
1. Never use the default username “admin”.
Nor “administrator”, “owner”, “test”, etc. Your username is publicly viewable, so don’t make it weird or secret — just use your first name. Click here for directions on changing your username if it’s admin or something like it.
2. Create strong passwords and change them regularly.
Create a strong, long password, filled with upper and lowercase letters, numbers, and special characters like ! " ? $ % ^ &. If it’s easy for you to remember, it’s probably easy to hack. If it’s impossible for you to remember and retype difficult passwords, try 1Password or LastPass.
3. Keep WordPress, themes, and plugins up to date.
The techs behind WordPress and its highly rated themes and plugins are always working hard on more updates to protect your WordPress site against newly discovered vulnerabilities. But you can’t be protected if you don’t update your WordPress install, themes, and plugins! Having an out-of-date WordPress installation is like hanging out a welcome sign for hackers, advertising that you have all the latest security vulnerabilities. So update, update, update.
4. Delete unused and outdated plugins and themes.
WordPress hacks often come through the “back door” of easy-to-compromise files in outdated plugins and themes. If you’re not using them, or if they have not been updated within the past two years, it’s safest to not only deactivate them, but completely delete them.
5. Create regular backups.
Your host probably backs up your site on a daily or weekly basis (check with them — this is a fact you should know!). But they often charge a fee for you to retrieve the backup from them. Be the master of your own backups. Install a plugin like BackWPup to automatically back up your database, XML export, and even your uploaded files on a daily or weekly basis. Most backup plugins have the option to back up straight to an email address or a cloud service like Dropbox.
Know where your files are being backed up and how often it’s happening. Check on them once in a while to make sure they are really, truly being backed up.
6. Install security plugins.
Free security plugins are just that — free. They don’t come with a warranty. But they’re better than nothing! Choose the ones with directions you can follow. But be careful to make sure the plugins are compatible if you install more than one security solution!
- Sucuri Security (free version)
- Limit Login Attempts
- Wordfence Security (does what Limit Login Attempts does and more)
- Better WP Security (compatible with Wordfence)
- BulletProof Security
- Bad Behavior
- CloudFlare (follow install directions from Amy Lynn Andrews)
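The lockout rule that a plugin like Limit Login Attempts or Wordfence applies, shown here as an added example (not code from this post or from any of the plugins listed): it reads web-server access-log lines and flags source IPs with repeated failed POSTs to wp-login.php. It assumes the Apache/nginx combined log format and that a failed WordPress login returns 200 (the form is re-rendered) while a successful one redirects with 302; the log lines, IPs and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined-log format (not real traffic). Assumption:
# POST /wp-login.php with status 200 = failed login, 302 = successful login.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2013:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3714
203.0.113.5 - - [10/Apr/2013:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3714
203.0.113.5 - - [10/Apr/2013:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3714
203.0.113.5 - - [10/Apr/2013:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3714
198.51.100.7 - - [10/Apr/2013:08:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3714
198.51.100.7 - - [10/Apr/2013:08:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Apr/2013:08:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3714
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_failed_logins(log_text):
    """Return a list of (ip, timestamp) for every failed wp-login.php POST."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue  # not a login form submission (or not in combined-log format)
        if m["status"] != "200":
            continue  # 302 is a successful login; only 200 responses count as failures
        failures.append((m["ip"], datetime.strptime(m["ts"], TS_FMT)))
    return failures

def find_brute_force_sources(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Flag IPs with more than max_failures failed logins inside a sliding window."""
    by_ip = defaultdict(list)
    for ip, ts in parse_failed_logins(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past old attempts
            if end - start + 1 > max_failures:
                flagged[ip] = end - start + 1  # number of failures in the window
                break
    return flagged
```

Run against a real access log, the flagged IPs are the ones a lockout plugin would block; the thresholds here are chosen for the sample, not as a recommendation.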
For additional security tips, check out:
- WordPress Brute Force Attacks, and What You Need to Do About it from WPBeginner
- Ongoing WordPress Security Attacks, The Details and Solutions from iThemes
- WordPress is Being Attacked: 3 Precautions You Can Take from Blogging With Amy
- 6 Things I Tell My Friends About WordPress.org