How to Lock Down and Secure Your Wordpress Site From Hackers

Upload: chelsea-obrien

Post on 13-May-2015


Page 1: How To Lock Down And Secure Your Wordpress

How to Lock Down and Secure Your Wordpress Site From Hackers

There are millions of websites operating on the WordPress software platform. In fact, 17% of the world’s websites are using WordPress. It’s easy to use, with a user-friendly interface that allows someone to create and update their site even if they don’t have a programming background. It has hundreds of thousands of plugins available to give it a multitude of functionalities to accommodate almost all of your basic website needs. It’s also free.

Unfortunately, there are some downsides as well.

For example, if you don’t change your default configuration, hackers and some pesky users with too much curiosity immediately know where to log in to get into your admin area. In WordPress, you can type in “domain.com/wp-admin” and it will take you right to the login screen. At that point, the only thing left to get into your site is to crack your password. The most common method hackers use is brute force, which allows them to test millions of login combinations in a short amount of time.
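The brute-force pattern described above shows up in the web server log as a burst of POST requests to wp-login.php from one address. The following Python script is an added example, not part of the original slides: it flags such bursts over a constructed sample log, and the 200-vs-302 status heuristic and the threshold are assumptions you would tune for your own site.

```python
"""Flag clients brute-forcing wp-login.php in a web server access log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Combined log format (Apache/nginx); only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 203.0.113.7 hammers the login form; 198.51.100.4 fails
# once and then logs in (WordPress answers a successful login with a 302 redirect).
SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [13/May/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [13/May/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.4 - - [13/May/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [13/May/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [13/May/2015:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.4 - - [13/May/2015:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [13/May/2015:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
this line is garbage and must not crash the parser
"""

def parse(lines):
    """Yield (ip, timestamp, method, path, status); unparseable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield (m["ip"], datetime.strptime(m["ts"], TS_FMT),
                   m["method"], m["path"].split("?")[0], int(m["status"]))

def failed_login_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: total_failed_posts} for IPs with >= threshold failed POSTs to
    wp-login.php inside any window. Heuristic (assumption): a failed WordPress
    login re-renders the form with HTTP 200, a successful one redirects with 302."""
    attempts = defaultdict(list)
    for ip, ts, method, path, status in parse(lines):
        if method == "POST" and path.endswith("/wp-login.php") and status == 200:
            attempts[ip].append(ts)
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()  # log order is not guaranteed to be time order
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[ip] = len(stamps)  # one qualifying burst is enough
                break
    return flagged

if __name__ == "__main__":
    for ip, n in failed_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins in a burst, block it at the firewall")
```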

Your website can never be 100% secure. Hackers are always trying new things and discovering new vulnerabilities to exploit. The online world changes quickly and the same is true of security.

Good security is about minimizing risk. If anybody tries to sell you a 100% secure solution, they’re scamming you. You’ll never be completely safe, but there’s a lot you can do to minimize your risk. There’s also a balance between security and usability. Sometimes locking down your site makes it more secure, but harder to use. You’ll have to find the balance that works for you, and take measures to keep it as secure as possible.

That being said, there are a few preventive measures you can take in order to lower your risk of getting your site hacked.

Here are 6 quick steps to make your WordPress website more secure:

1. Keep It Up To Date

One of the biggest security vulnerabilities in WordPress is old software. WordPress is updated fairly often, and whenever there’s a new security issue they roll out an update immediately. But you need to stay on top of keeping your WordPress software updated on a regular basis by logging in and checking to see if there’s an “update” notification and link in your WordPress Admin area.

You also need to keep your themes and plugins up to date—they can have security issues as well. Sometimes people put off updates for fear of breaking their site, but you’d rather break your site with an update than risk a break-in.

Also, if a plugin is deactivated, you need to delete the plugin entirely so that it is not an open, unused folder left on your server that a hacker can take over.


2. Strengthen Your Passwords

Your security is only as good as your password. If you’ve got a simple password, you’re making it very easy for a hacker to walk right in. Your password should have numbers, capitals, special characters (@, #, *, etc.) and be long and unique. Your WordPress password can even include spaces and be a passphrase. Remembering different passwords for different sites is tough, but a hacked site is worse.


3. Manage Your Users

Your own strong password is useless if another admin has a weak one. You need to manage your users. Not everybody needs admin access. The more people with admin access, the more chances to hack your site. If someone is writing blogs for you, give them “Editor” access rather than “Admin”, for instance.

Remember to update or remove users when you have staff transitions. If you have someone working on development or editing for a temporary period, create a new user account for them and then delete it once they are finished.


4. Back It Up

If anything ever goes wrong with your site, you want to be able to get it back up quickly. That means you need to have backups available to restore the site. In order for a backup to work, it needs to be complete and automatic. Backing up your database isn’t enough. That will save your content, but you’ll still have to rebuild your entire site, including theme tweaks and plugin settings. And if your backup isn’t automatic, you’ll forget to do it regularly.

Get a powerful backup tool, such as BackupBuddy, to keep your site safely backed up and ready to be restored. It’s a premium plugin that makes backing up and restoring a seamless process.

5. Don’t Use “Admin” as Your Username

If you use “admin” as your username, and your password isn’t strong enough (see #2), then your site is very vulnerable to a malicious attack. Until version 3.0, installing WordPress automatically created a user with “admin” as the username. This was updated in version 3.0 so you can now choose your own username.

Many people still use “admin” as it’s become the standard, and it’s easy to remember. Some web hosts also use auto-install scripts that still set up an ‘admin’ username by default. Simply create a new administrator account for yourself using a different username. Then log out, log in as that new user and delete the original “admin” account. If you have posts published by the “admin” account, when you delete it you can assign all the existing posts to your new user account.

6. Use Security Plugins or Security Services to Protect Your Site

As well as all of the measures above, there are tons of plugins you can use to tighten your site’s security and reduce the likelihood of being hacked.

Here are a handful of popular options:

http://wordpress.org/plugins/better-wp-security/ – offers a wide range of security features.

http://wordpress.org/plugins/bulletproof-security/ – protects your site via .htaccess.

http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ – adds a firewall to your site.

http://wordpress.org/plugins/sucuri-scanner/ – scans your site for malware etc.

http://wordpress.org/plugins/wordfence/ – full-featured security plugin.

http://wordpress.org/plugins/websitedefender-wordpress-security/ – comprehensive security tool.

http://wordpress.org/plugins/exploit-scanner/ – searches your database for any suspicious code.

Personally, after trying to find a free plugin that protected my site and getting frustrated, I switched to using Sucuri Security. It’s a monitoring service that protects your site as well as fixes it if it gets hacked. It’s saved me and multiple clients’ websites after getting hacked. I haven’t had an issue since I signed up for their service. You can find them at Sucuri.net.

If you’re interested in learning more about hardening your website’s security, please check out these two resources:

http://codex.wordpress.org/Hardening_WordPress

http://wp.tutsplus.com/tutorials/11-quick-tips-securing-your-wordpress-site

While all of this may sound overwhelming or intimidating…I am not intending to scare you. It’s just important to understand the best measures to take so that the hours of time and effort put into building your website are protected.