This is a guest contribution from Caleb Lane, WordPress security expert.
I am sure you already have on your to-do list that you need to respond to emails, return phone calls, show up for meetings, write more content, and a whole lot more.
But, what if I told you that the effects of being hacked could cause all of your work to be destroyed and you would have to start over? I bet your to-do list would change a little bit if all of the work you have done on your website was gone forever.
That is why WordPress security is very important and you need to add it to the top of your to-do list.
For those who use WordPress there are some things that you can do to make sure your site is as secure as possible. Here are 11 things that you should do to help ensure your site is as safe and secure as possible:
1. Create Strong Passwords
This is one of the easiest things to do to ensure your website is secure. Many people make excuses about it taking too much time, but it should be taken very seriously. Each of your sites should have a different password.
- Every password should be at least 15 characters long, and it’s best if your password does not contain a real word.
- You should use capital and lowercase letters, numbers, and special characters such as a question mark.
- Your password is your first form of protection against hackers, so make sure you come up with a strong one.
Once you have secure passwords for all of your sites, you should never just write them down.
The only two places your passwords should be are in your head or within a password manager with a strong master password.
If you are going to use a password manager, LastPass or KeePass should do the job for you. LastPass offers a free version and a premium version for $12 a year, while KeePass is open-source and completely free. If you decide to use KeePass, make sure you keep a backup of the password database file in case the file becomes corrupted or your hard drive fails.
2. Keep Your Site Updated
When it comes to WordPress, many people do not want to take the time to make sure they have all of the current updates.
Remember, WordPress is not releasing these updates just to get media attention. The updates are released to fix bugs, patch security holes, and introduce new features.
Will any solution always remain a step ahead of the hackers? No, but when there are security holes that are known and there are patches available, you need to implement them on your site. There are no excuses for not keeping up with the updates.
You should also make sure to keep your plug-ins and themes up-to-date. Also, if you have a VPS or dedicated server, keep all of the things associated with the server up-to-date as well.
Now you may be thinking, how do I do this with all my websites? Thankfully Infinite WP and Manage WP allow you to manage and update all of your sites from within one dashboard.
3. Changing the WordPress Login Username
Change the username that is provided as the default admin user when you first set up your account.
Since most brute force attacks on your website are automated, they most likely will either use “admin”, “administrator”, “manager”, or your domain name to try to hack into your account, so use a random username instead. Of course the username should be backed by a strong user password using the guidelines that were covered earlier.
4. Guarding Against Brute Force Attacks
Many people do not realise that most sites have at least a few hundred unauthorised login attempts each day.
In addition to the possibility of successfully hacking into your blog, these attacks can also put a strain on your server resources. To guard against these brute force attacks, make sure you have taken the steps listed above. You can install a plug-in such as Limit Login Attempts that will lock out the hacker after a certain number of failed login attempts.
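A plugin such as Limit Login Attempts works from inside WordPress, but the same unauthorised attempts are also visible in the web server's access log. The following is an added example (not part of the original post, and not code from any plugin it names) that counts failed logins per IP over a few constructed Apache log lines; it relies on the fact that wp-login.php re-renders the form with a 200 when a login fails and redirects with a 302 when it succeeds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (not real traffic):
# 203.0.113.7 fails five times, then gets a 302 (a guess worked);
# 198.51.100.20 is an ordinary user logging in once.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2013:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1503 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2013:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1503 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2013:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1503 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2013:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1503 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2013:03:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1503 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2013:03:14:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Sep/2013:09:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
    }

def login_posts(log_text):
    """Yield only POSTs to wp-login.php. WordPress re-renders the form with a 200
    on a failed login and answers a successful login with a 302 to wp-admin."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            rec["failed"] = rec["status"] == 200
            yield rec

def find_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"failures": n, "success_after_failures": bool}} for each IP
    that produced `threshold` failed logins inside a sliding `window`."""
    by_ip = defaultdict(list)
    for rec in login_posts(log_text):
        by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        failed_ts = [r["ts"] for r in recs if r["failed"]]
        burst = any(failed_ts[i + threshold - 1] - failed_ts[i] <= window
                    for i in range(len(failed_ts) - threshold + 1))
        if not burst:
            continue
        # A 302 after the burst means a guess eventually worked: treat as compromised.
        success_after = any(not r["failed"] and
                            sum(1 for t in failed_ts if t < r["ts"]) >= threshold
                            for r in recs)
        report[ip] = {"failures": len(failed_ts), "success_after_failures": success_after}
    return report
```

Run `find_brute_force(SAMPLE_LOG)` to get the report; an IP flagged with `success_after_failures` set is the one to treat as a compromised account rather than just noise to block.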
5. Malware Monitoring
You need to have a solution in place that will constantly monitor your site for malware.
A perfect free solution for this is WordFence, which will scan your WordPress core, plug-ins, and themes for changes against the files in the WordPress repository. If any file differs, it will send you an email notification, provided you enter an email address on the plug-in options page.
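What such a scanner does at its core is compare a digest of every file on the live site against a known-good manifest. The following added example (not part of the original post, and not WordFence's own code) builds a constructed WordPress-like tree, snapshots it while clean, tampers with it, and reports the modified, added and missing files.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large core files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def compare_to_manifest(root, known_good):
    """Classify the live tree against a known-good manifest: a changed digest is
    'modified', a path absent from the manifest is 'added' (where unexpected new
    files land), and a manifest path that is gone is 'missing'."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in current if p in known_good and current[p] != known_good[p]),
        "added": sorted(p for p in current if p not in known_good),
        "missing": sorted(p for p in known_good if p not in current),
    }

def demo():
    """Build a tiny constructed WordPress-like tree, snapshot it while clean, then
    tamper with it and return what the comparison catches."""
    files = {
        "wp-login.php": b"<?php // constructed stand-in for a core file\n",
        "wp-includes/functions.php": b"<?php // constructed stand-in for a core file\n",
        "wp-content/plugins/hello.php": b"<?php // constructed stand-in for a plugin\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        # In practice the known-good manifest comes from a clean copy of the same
        # release, not from the live site, so an already-compromised site does not
        # get a baseline that blesses the tampered files.
        known_good = build_manifest(root)
        # Simulated tampering: one core file edited, one file dropped in, one removed.
        (root / "wp-login.php").write_bytes(files["wp-login.php"] + b"// unexpected change\n")
        (root / "wp-content/plugins/extra.php").write_bytes(b"<?php // not in the manifest\n")
        (root / "wp-includes/functions.php").unlink()
        return compare_to_manifest(root, known_good)
```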
Another malware monitoring solution that includes server side scanning as well as a variety of other features is Sucuri. Although it costs some money, it is well worth it for the additional features it provides.
6. Fix Malware Issues
In addition to your efforts to prevent malware from infecting your blog, it is always a good idea to find a way to clean up any malware issues that are detected. One of the costs that many blog and website owners tend to overlook is the cost of downtime that is associated with security problems and the time it takes to clean up those issues.
A good solution that will remove malware in the event that you are hacked is Sucuri. If you have been hacked already, you can sign up for their service and they will remove the malware even if you were hacked before signing up.
7. Choosing a Hosting Provider
A substantial security risk comes from having your blog on a server that is shared. Consider the risks of your single blog and then multiply them by the number of blogs and websites on the same server.
If you choose shared hosting, it is likely that you are going to be lumped in with hundreds of other sites. The reason shared hosting is a big risk is because if another website on the same server as you gets hacked, your website can possibly be hacked as well.
While your own VPS or dedicated server may not be the right choice for you due to the knowledge required to manage it and the cost, managed WordPress hosting may be a good alternative. They offer hosting that is more expensive, but well worth it considering the risks that come with generic shared hosting.
With managed WordPress hosting you get better security, a faster site, better support, and full backups done automatically for you. The 3 managed WordPress hosts that stand out are WP Engine, Pagely, and Synthesis. All of them are slightly different and have different benefits, so look into each one and pick the one that fits you best.
8. Clean Up Your Site
As well as protecting your blog you need to make sure you keep your blog tidy. Get rid of any old plugins and themes that you are not using anymore.
This also includes keeping websites that are in production and websites that are still being developed on separate servers. Oftentimes you will be working on a new website, but then forget about it for a few months. This causes the website to become out of date and vulnerable to being hacked. For this reason, it is always a good idea to keep the websites you are still working on on a different server from the live websites in production.
9. Control Sensitive Information
When you are cleaning up your blog files make sure that you are not leaving any important information available for the world to access. Check your phpinfo.php and i.php files. These are like roadmaps to your setup, and a hacker will be able to use this information to break in.
Another area of caution: don’t store backups of your site directly on your website’s server. This is just inviting potential hackers to download the backups and hack into your website without any work!
Disabling directory browsing is a good idea to prevent a hacker from browsing your blog site’s folders and files for information that could lead to them finding a way to exploit you.
You can disable directory browsing by adding the line "Options -Indexes" (without the quotes) to your .htaccess file.
The last thing you have to be careful with is using the file manager within cPanel and having it save temporary copies of important files such as wp-config.php. That is why it is always better to use secure file transfer protocol (SFTP) with a program such as FileZilla.
Bonus Tip: Never store your passwords within FileZilla because they are not encrypted. If you were ever to get malware on that computer, it is very common for malware to search for passwords stored within FileZilla and use them for malicious intent.
10. Backup Your Site
It is always a good idea to back up your blog site in case your site gets hacked, or even if you made the wrong change to a file and want to restore a prior version.
The two best solutions for backing up your site are BackupBuddy and VaultPress. If you are using another backup solution already, that is fine; just make sure it isn’t overwriting the previous backup and that you have backups going at least a few weeks back. It’s also very important to test the backup to make sure it actually restores, even if you don’t need it yet.
11. Be Vigilant
This is fairly simple to explain. You need to stay on top of everything that is going on in the WordPress security world.
Remember, preventing issues in the first place is better than detecting and fixing them later. While a managed WordPress host will have your back, it is also important that you have your own back as well.
Take the steps that are listed above to help make your WordPress site as secure as possible and keep an eye on stories about website security as well. Never think that the security issues are only affecting other sites… they can just as easily affect yours.
Caleb Lane is the WordPress security expert for Lockdown 2013, where you can learn how to secure your WordPress website. He spends his time consulting with companies about their website security and keeping his clients updated about the latest changes and news in website security.
Nice post and a great reminder about the blog hacking issue. I gotta admit that I was not too keen on this matter. I hate updating WordPress, use generic usernames and passwords and certainly don’t back up my sites. This blog is an eye opener to me.
You are lucky you haven’t had to go through the awful experience of getting hacked. A lot of people who have websites don’t take the time to think about securing their websites.
Once you do all of the initial work to secure your site, the maintenance part of keeping your site secure is pretty easy. Make sure you take action on applying these tips to your sites instead of just reading it and moving on. Good luck!
Nowadays WordPress has been hacked easily. Because of this hacking your site data is lost.
The list provided here is going to help you a lot. I like a few ways, like changing the username and password regularly and updating the site plugins, so that you can be safe.
Tips on how you can be safe:
1. Use Login Lockdown
2. Take regular backups of your WordPress
3. Secure passwords (use 16 characters with alphanumeric and special characters)
I am afraid of this type of hacking because if my site is hacked all my data and articles will be lost; I really worked hard on my site. I am going to follow these tips and I suggest that you should also follow these tips.
Thanks for sharing such a nice article :D
The reason I recommend using Limit Login Attempts instead of Login Lockdown is because Login Lockdown is very outdated, so I would recommend not using Login Lockdown actually.
Yes, losing all of the hard work you put into a site is horrible, so backing up your site is a great idea. Thanks for some of the suggestions you had!
Thanks so much for this post! I’ve been focusing more on my WP site security recently but there are still a few things I need to do, backing my site up being one of them.
Thanks so much for sharing. Have a great week!
That is good you are focusing on securing your sites, but backing up your sites is one of the most important things to do. Although Backup Buddy and VaultPress are awesome, I would also recommend considering Sucuri’s new backup product for only $5 a month.
Nice post! I recently learned some of this the hard way on one of my niche blogs. DAMN YOU HACKERS! lol
That definitely is tough when you do have one of your sites get hacked. I hope you had a complete backup that was recent, so you can restore your blog pretty easily. Good luck!
Another important thing is NEVER use free stuff shared, almost all of these free things include some malware as a bonus lol.
Yes, that is true and on top of that they often don’t work at all anyway. :) Thanks for adding a valuable tip!
Great info in helping to keep your site secure from hackers.
All the 11 tips are awesome; usually bloggers simply make a backup of their blog regularly and stick to the login details which they created the first time. Everything should be in rotation while taking care of the security of your blog. Widgets are machines; they can make mistakes. That is why bloggers should personally protect their blogs from hacking by keeping a vigilant eye on any spam-like activity on their blog by visitors.
I use the plugin Better WP-Security that performs most of the actions that are mentioned in this post. Thanks for sharing.
I don’t recommend Better WP Security for several reasons, but the biggest reason is due to the problems it causes with websites and compatibility with other plugins and themes. Although it does have a lot of nice features, I would still recommend that you don’t use it.
Getting a dedicated server is way undervalued and over-techysized, and I think those of us who have been doing this for a while should be pushing its benefits more than we do. Next to registering my first domain name, I think learning to manage my own dedi has been the most important move I made ten years ago… with WP, even more so.
I think that while it is a very valuable skill to learn and is a great benefit to have your sites on one, a lot of people don’t have the time or the interest to learn how to manage one or the time to actively manage it. That is why I recommend managed hosting because your site gets the benefits of a VPS or dedicated server, but you don’t have to learn how or take the time to manage it while you still get the same benefits.
Use htpasswd on your server to protect your admin folder; you will need to go through two login panels to access your admin, but it makes hacking much more difficult. I use this instead of only allowing my IP, as it is much more convenient if you are on the go or have a dynamic IP.
Also, in your .htaccess, limit access to config, .htaccess and other sensitive files and directories, and don’t allow directory browsing. Just look-up htaccess security for WordPress.
Those are good tips as well! One option you have with limiting by IP is to always use a VPN when you log in to your sites, which will normally be 1 static IP address if you want it to be. This way your login information will be sent over an encrypted and secure connection, along with the wp-admin folder being limited to one IP address.
As far as htpasswd goes, it does reduce the chance of a successful brute force attack, but the login information is still sent unencrypted unless you use a VPN or have an SSL certificate configured. So keep in mind that if you use public WiFi at places like Starbucks or McDonald’s, your login information could be stolen by a hacker sniffing all of the passwords sent over the public WiFi network.
The other option to consider in reducing the chances of a successful brute force attack is two factor authentication. I would recommend Duo Security or Google Authenticator if you are going to use two factor authentication.
WordPress has many bugs. Now I’m using Joomla for my professional web. A long time ago, 2 of my websites were hacked because I was using WordPress. Joomla is strong. Try Joomla.
Actually, the WordPress core is very secure and way more secure than Joomla is. Oftentimes it is a plugin or theme that allows a hacker to successfully hack your blog, not the WordPress core, if you keep it up to date. The main reasons for being hacked are not keeping everything up to date, poor password strength and management, and not securing your site against brute force attacks.
Excellent advice! I am seeing blogs with “admin” as the author way too many times! Thanks for bringing awareness!
It is crazy how often I see the username admin with websites! :) You are giving hackers 50% of the information they need to brute force your site. Since 99% of the time brute force attacks are done automatically if you don’t use the admin username and use a random password you are going to be pretty secure from brute force attacks. Of course you should still take the additional precautions, but those two basic things will secure your site from the majority of brute force attacks.
Thanks for this all-important post, I appreciate your efforts in putting this together. The issue of security in the blogging industry is alarming; however, we shall survive it.
My blog was hacked last week and I didn’t know what to do and what not to do. Now I really want to thank you for giving me this precious information.
This information helps me to deal with this problem; my blog is still not as important as yours, but it is still better to prevent problems in order to be safe.
Very useful tips.
Honestly, I don’t usually upgrade my WordPress because I don’t want to waste time doing it and I don’t realise how dangerous it can be.
Thanks for your valuable information.
WordPress recently came out with 3.6.1, which is a security update, so make sure you update your WordPress version. Also, make sure you update your themes and plugins too. Lastly, update everything on your server as well, such as MySQL and PHP.
Well, these are great tips that you have shared on how to protect your website from hackers. I think everyone should use all these steps to protect their WordPress site.
Really useful information. I have experienced this once and it’s a very bad feeling; these tips will definitely help. Regular backup gives peace of mind.
Thanks for the great tips. Is there a WordPress security plugin that you can recommend to us?
A common misconception is that you only need to use plugins to secure your site and it will be secure. Unfortunately it is not that easy. The two plugins I recommended within the post, Limit Login Attempts and WordFence, help with security, but you may also consider using the free version of the plugin that Sucuri offers for the variety of features it offers. If you are looking for a specific plugin for something you are looking to do, let me know and I will most likely have a suggestion for you.
Great article. Combining plugins with the tips is so useful because all too often bloggers think that installing a few recommended plugins will harden their site enough only to find out later this isn’t the case.
I used to just use ‘Limit Login Attempts’ and would receive around-the-clock notifications that hackers were trying to access my website. I then used .htaccess to password protect the /wp-login.php page using a 50+ character random string for both the username and password. The notifications stopped instantly, but if I ever start receiving them again I’ll know that my first line of defence has been cracked and I can simply generate some new random strings to use.
Yes, if you are receiving a lot of attacks, you could use .htpasswd which is what you described and it is very helpful. You can also consider limiting access to the login page only by your IP. You can set it up to where you only allow your IP by using .htaccess as well. If you want to easily set up limiting by IP for the login page you may consider using Sucuri CloudProxy if you don’t want to mess around with properly configuring and editing the .htaccess file.
I have been ignoring some important points that are mentioned above.
Brute force attacks are a new security precaution that I have learnt from the above article… thanks.
I would actually recommend not using any word or variation of a word like password for example. I would recommend something totally random such as “f9ZAche5rU9u#a3uye_e” and use a password manager such as LastPass with a very secure and random master password.
It never really crossed my mind to prevent my blog from being hacked. I always thought my blog wasn’t big enough, and hackers would waste their time on my blog. But I could be wrong. Once my blog’s hacked, I’ll lose everything forever.
Better be safe than sorry.
Getting your WordPress site hacked is an awful experience. With this post now I and anyone will be able to secure the site. Great post. Thanks
Nowadays hackers are everywhere and at any time they can attack your site without your noticing. So it’s really important to consider that list to protect your site.
I’m glad to see a topic about information security in ProBlogger.
A security specialist once told me ‘If I do my job right, you won’t know I’m here’.
The truth is that most people don’t seem to understand just how vital security is, until they get hacked. Good security is (almost) invisible while the results of bad security make headlines.
One more tip: don’t use the same password for different services.