Published on October 11th, 2012 | by Tom Wake1
7 simple ways to protect your WordPress website (from hackers and bots)
I’ve had websites hacked before and it’s really not a very pleasant experience. The first time it happened it was devastating. I hadn’t taken any precautions and lost a huge amount of data. Luckily it was only a hobby website and I didn’t lose anything of real value… but it still felt horrible, like someone trampling all over your stuff.
When it happened a second time I was fully prepared. This time I was able to recover everything and get ‘back to normal’ very quickly. I also learnt a few more tricks which have *touch wood, cross fingers* helped prevent further attacks.
You only need to worry about the security of your site if you have a self-hosted website or blog. That means if you have your own domain and hosting package (for example www.yourwebsite.com). So if you have a free, unhosted Tumblr, WordPress or Blogger page you can ignore this article – all you need to worry about is keeping your password safe.
If, however, you’ve got your own self-hosted WordPress website, security is an issue you need to take seriously.
While there’s no way to 100% safeguard against every attack, if you follow these simple steps you can DRAMATICALLY reduce the risk of having your website hacked. Better still, you can make sure that if the worst should happen all your content is backed up and you can get everything back online quickly.
Here’s what to do:
1. Run this quick (and free) diagnostic scan – The first thing to do, before putting any other measures in place, is to see whether your site is clean and bug-free. Sucuri SiteCheck is a clever little scanner which will tell you whether anything untoward appears to be happening on your site right now. Take note of any suggestions – for example, if it tells you your WordPress software is out of date, make sure you log on and update it right away. WordPress updates don’t just introduce new features; they also close up gaps in security.
2. Use a host who backs up your files for you – This is THE most important measure you can take. You should take your own site backups, but make sure you also use a host who backs up your website and files each night for you. If you can afford it, use a host who also stores weekly and monthly backups. Why? Because if you’re on holiday, or away from your computer for whatever reason, while your website is hacked, you could still lose everything.
Most hosts will overwrite the backups every 24 hours, which doesn’t give you long to identify potential issues. If you’re not sure whether your hosting provider offers this service, just drop them a quick email. I use a UK-based company called justhostme because they’ve always given me excellent customer service in the case of a problem (and they’re very good value). I was using them the second time I had a website hacked and they had it up and running from their backup again within an hour. They offer weekly and monthly backups on a number of their packages.
3. Block multiple login attempts – The majority of website attacks come from ‘bots’ using brute force to try to crack your login details. After enough attempts they can usually get through, because the default setting on WordPress is to allow unlimited login attempts… not great for security. The good news is there’s a clever, free plugin called Limit Login Attempts which blocks an individual IP address after it makes multiple failed login attempts. For simple instructions on how to install a plugin please click here.
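To show what a plugin like Limit Login Attempts is actually doing behind the scenes, here is an added illustration in Python (not the plugin’s own code): failed logins are counted per source IP over a time window, the IP is locked out once a threshold is hit, and a successful login clears the count. The thresholds, the log format and the IP addresses are constructed assumptions for the example.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Count failed logins per IP and lock the IP out after too many failures.
    Defaults (4 failures in 20 minutes, 20 minute lockout) are assumptions."""

    def __init__(self, max_failures=4, window=1200, lockout=1200):
        self.max_failures = max_failures    # failures allowed inside the window
        self.window = window                # seconds over which failures count
        self.lockout = lockout              # seconds an IP stays blocked
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Register a failed login; return True if the IP is (now) locked out."""
        if self.is_locked(ip, now):
            return True
        q = self.failures[ip]
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)             # a good login resets the counter


def replay_auth_log(lines, limiter):
    """Feed constructed 'timestamp ip FAIL|OK' records through the limiter
    and return the set of IPs that were locked out at some point."""
    locked = set()
    for line in lines:
        ts, ip, result = line.split()
        ts = int(ts)
        if limiter.is_locked(ip, ts):           # blocked: don't even check the password
            locked.add(ip)
        elif result == "FAIL":
            if limiter.record_failure(ip, ts):
                locked.add(ip)
        else:
            limiter.record_success(ip)
    return locked


# Constructed sample log: one bot hammering the login form, one user who mistyped once.
SAMPLE_LOG = ["100 203.0.113.7 FAIL", "101 203.0.113.7 FAIL", "102 203.0.113.7 FAIL",
              "103 203.0.113.7 FAIL", "110 198.51.100.2 FAIL", "120 198.51.100.2 OK"]
```

Running `replay_auth_log(SAMPLE_LOG, LoginLimiter())` locks out only the bot’s address, while the legitimate user’s single mistake is cleared by the following successful login.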
4. Choose a hard-to-guess combination of both letters and numbers for both your username and your password – Whatever you do, don’t choose ‘admin’ as your username, as this is the WordPress default and therefore the most popular, most cracked username.
If you’ve already got ‘admin’ as your main account username, don’t panic! Set up a new username and then delete the old one, choosing the option to assign all posts to the new username. Make sure you back up your site before doing this, just to be on the safe side.
5. Close up a number of security loopholes instantly by installing this plugin – Secure WordPress is another free plugin. Its purpose is simple: to hide installation information and sensitive data about your WordPress site from hackers. On its own this isn’t going to drive away the most intrepid hackers, but it’s certainly worth having in your arsenal to ‘beef up’ security. All you have to do is activate it.
6. Make your site ‘Bullet Proof’ – Ok, ‘bullet proof’ might be overstating it a little… but the BulletProof Security plugin is an extremely powerful bit of free kit that comes highly recommended by WordPress professionals. This plugin will help protect “your website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts.” Lost yet? Don’t worry, getting this one set up is fairly straightforward, but it’s not for complete newbies, so make sure you back up everything before installing unless you know what you’re doing.
7. Give your site military strength – I’ve started using something called 6scan on a number of websites. This is a plugin that’s free to install but, to be honest, to get any real use out of it you really need to upgrade to the monthly subscription (which is $9 a month via Paypal). This plugin was developed by a former military intelligence team and actively tests your website for vulnerabilities – just like a hacker would. Whenever it finds one it will automatically try to fix the vulnerability or loophole. If you have the paid version of this plugin installed you don’t need to use the login-limiting plugin I mentioned in step 3 (as there is a similar facility in ‘settings’). While I like this plugin, it certainly isn’t cheap and I’d only recommend looking at this if you’re getting a lot of traffic.
That’s it! At the very least it’s essential that you have regular backups made of your website, as this will give you peace of mind that should the worst happen you’ve got everything stored in a safe place.
If you found this article helpful or if you’ve got any tips of your own please leave a comment below.