Monday, November 17, 2014

5 Tips to Protect Your Wordpress Site From Hackers

I started developing Wordpress sites in early 2011 and it has pretty much been a 3+ year honeymoon...until last month, when I noticed one of the sites I manage had been hacked. At first glance, it didn't appear too bad: I was still able to log in, viewers of the site still saw the same content, and from the outside, things looked ok. From the inside, there were odd little quirks (like not being able to insert hyperlinks or see the names of all the files in the media gallery). Originally I thought it might be the result of a recent update to the newest version of Wordpress, as there is always the possibility that older themes and plugins might not work the way they should after updating. But then I did a search for the site through Google, and realized that the site's description had been changed to garbled sentences about pay day loans. Not. Good.

Wordpress Site Hack - Google site description changed to "Dirty SEO" using a bunch of spammy keywords. Ugh.

After going into full blown panic mode for a minute, I calmed down and started doing some research. I was able to fix the problem, & added a bunch of safety measures to try to make sure it doesn't happen again. Don't make the same mistakes I once did, and you'll avoid a lot of headache!

Here are 5 Easy Wordpress Security Steps that will go a long way in Protecting Your Site From Getting Hacked

(Please note: I use wordpress.org, the self-hosted, non-free version of wordpress. If you are using wordpress.com, some of these tips won't apply to you, as you won't be able to install plugins.)

1) DELETE the Admin Login ASAP

If you are using the default Wordpress login "Admin", or even if you don't use it but still have it available in your users list, delete it NOW. Since so many Wordpress sites use this user name (and by default, it has full access privileges), it is the first choice for bots to try when logging in to your site. From within the Wordpress dashboard, you can see your users list by going to Users > All Users, and add/delete accounts as needed.

2) CHANGE Your Password to Something More Secure

With all the online passwords we need to remember today, it may be tempting to use your birthday, your kid's name or some other easy-to-remember phrase, but it will make it much easier for hackers/bots to gain access as well. The most secure passwords are 12 characters or longer and contain a random combination of letters, numbers and symbols. There are many free random password generators (like random.org), or you can make up your own random password by using the first letter of each word in a sentence.

Example: "Lauren likes 2 look @ 5 books Every day but Friday & Sunday" = Ll2l@5bEdbF&S

This will make your password harder to crack, but easier for you to remember. If you've already been hacked and have changed your password, you'll want to change your password again AFTER you've cleaned up any damage.

3) LIMIT Login Attempts

If someone/something is trying to log in to your site incorrectly 20 times in 30 seconds, you can pretty much assume it's a brute force attack. By using a plugin to limit login attempts, you can shut down the ability to log in after 5 incorrect passwords (or a number of your choice) for 20 minutes (or whatever amount of time you'd prefer). A simple, free plugin that does this is Limit Login Attempts, or you can also use a plugin that does this along with other security features (more about this in tip #5).
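To show what a login limiter is actually doing under the hood, here is a minimal lockout written against WordPress's own hooks. It is an added example, not code from the Limit Login Attempts plugin; the 5-attempt / 20-minute numbers and the `example_` names are assumptions for illustration.

```php
<?php
/*
Plugin Name: Example Login Lockout (added example, not the Limit Login Attempts plugin)
Description: Blocks logins from an address for 20 minutes after 5 failed attempts.
*/

// Illustrative settings: 5 failed attempts, 20-minute lockout, as described in the post.
const EXAMPLE_LOCKOUT_MAX_ATTEMPTS = 5;
const EXAMPLE_LOCKOUT_SECONDS      = 20 * MINUTE_IN_SECONDS;

// Counter key per client address. Behind a reverse proxy or CDN, REMOTE_ADDR is the
// proxy, so you would have to derive the real client address from a trusted header.
function example_lockout_key() {
    return 'example_lockout_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Fires on every failed login: count the attempt and (re)start the expiry window.
// Attempts made during an active lockout count too, so hammering extends the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = example_lockout_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, EXAMPLE_LOCKOUT_SECONDS );
    if ( $attempts >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS ) {
        error_log( sprintf( 'Login lockout: %s after %d failed attempts (last username: %s)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $attempts, $username ) );
    }
} );

// Runs after WordPress's own password check (priority 20); refuse while locked out,
// so even a correct password is rejected until the window expires.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( example_lockout_key() ) >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS ) {
        return new WP_Error( 'example_locked_out',
            __( 'Too many failed login attempts. Please try again in 20 minutes.' ) );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter so an honest typo does not linger.
add_action( 'wp_login', function () {
    delete_transient( example_lockout_key() );
} );
```

Saved under wp-content/mu-plugins/ it loads automatically; the counter lives in WordPress transients, so it survives page loads but is per-site, not shared across a multi-server setup.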

4) BACK UP Your Site Regularly

This is something you should already be doing, but it is particularly useful if you get hacked, so you can easily restore your site to a non-infected version. A good rule of thumb is to keep at least 3 backups, preferably in different locations - like one on your computer's hard drive & one in online storage. There are many free and paid plugins that will do automatic backups for you. I've used BackUp Wordpress and Wordpress Backup to Dropbox, but there are more. I like to do weekly or monthly backups and keep about 3 months of past backups.

5) USE a Multi-feature Wordpress Security Plugin

As I've mentioned above, there are free & paid versions of security plugins that will do everything I've listed above, plus tons more to secure your site. If your site has already been hacked, or if you have a high traffic site (or many sites), it may be worth upgrading to a paid version. Even using the free versions is a great help, as they offer site scanning, malware removal and security recommendations. In my search, I've found & used both iThemes Security and Sucuri and would recommend either. Just a word of caution: both plugins have so many features that they may be overwhelming to a beginner. I would consider myself an above average Wordpress user, and even I was confused by some of it. If you start to feel overwhelmed, just focus on the "High Priority" items and you should be fine!

Do you use wordpress? What security tips/plugins do you use?
