Security is a pretty boring topic and isn’t likely on your radar unless you know someone who has been the victim of a hacker, or you yourself have had your website hacked. September is National Cyber Security Month, in part to raise awareness about this very important, but often overlooked topic.
Recovering from a hack to your site, especially if you are unprepared, can be costly and time consuming. In some cases, you will be offline for weeks as you rebuild your website from scratch, weeks where your business must survive without a web presence.
You might think that your site isn’t valuable enough for someone to mess with, but millions of brand new sites get hacked every year, sites with little content or traffic. Hackers have many reasons for wanting access to your precious website and the spoils they collect make the effort worth it to them.
While you cannot completely prevent your site from getting hacked, you can do some things to reduce your vulnerability to attack. You can also reduce the consequences to your business in the event the bad guys do successfully breach your defenses.
Here are some basic steps everyone should take to protect their WordPress site from hackers:
Use a Secure Password
Secure passwords are at least 7 characters long and contain upper and lowercase letters. Experts used to recommend random lists of characters like b!p*5Ph6 as good passwords. However, modern brute-force password crackers could crack that 8-character string of gibberish in about 4 hours. But a 12-character, plain-English phrase like MyDogEatsIce would take 317 years, and is much easier for a human to remember.
Creating a secure password isn’t a once and done thing; change it frequently. If someone were to crack your perfect password, changing it often limits their access to your sensitive information. If you have trouble managing all of your online passwords, consider a password management tool like Passpack.com. This free service allows you to securely store up to 100 usernames and passwords. I’ve been using it for a couple of months now and love it.
Don’t Use “Admin” as Your WordPress Username
“Admin” is the default username that WordPress sets up for you, unless you choose something else. It’s easy to leave it at the default; after all it’s easy to remember. Unfortunately, the hackers know this as well. If you have a difficult-to-guess username AND a difficult-to-guess password, they have a more difficult time getting into your site. If you use “Admin” as the username, that means they only have to figure out your password to gain access. Why make the process easier on the bad guys? Pick a more difficult-to-guess username.
Limit Login Attempts
By default, WordPress allows unlimited login attempts, which lets hackers crack your username and password with what is called a brute-force attack: they simply keep trying combinations until they get in.
Install a plugin that blocks login attempts after a certain number of failed tries and locks the user out by IP address for a period of time. This type of protection makes brute-force attacks very difficult or impossible, but doesn’t completely block access for authorized users. There are free plugins that just block login attempts, as well as some that offer additional security protections.
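The lockout the post describes is a few lines of WordPress code. The following is an added example written for this post, not the code of any of the plugins it refers to; the limits (5 failures, 15-minute window and lockout), the `example_` names and the transient key are assumptions you would tune for your site. It uses only standard WordPress hooks: `wp_login_failed` to count failures, `authenticate` to refuse locked-out addresses, and `wp_login` to clear the counter after a successful login.

```php
<?php
/*
Plugin Name: Example Login Attempt Limiter
Description: Added example (not the post's plugin): lock an IP address out after repeated failed logins.
*/

// Assumed limits: 5 failures lock the address out; the counter and the lockout both expire 15 minutes
// after the most recent failure (set_transient() restarts the expiry on every write).
define('EXAMPLE_LOGIN_MAX_ATTEMPTS', 5);
define('EXAMPLE_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS);

// Transient key for the requesting address. Assumption: the site is not behind a reverse proxy.
// Behind a proxy REMOTE_ADDR is the proxy's address, so every visitor would share one counter;
// take the client address from the proxy's trusted header instead in that case.
function example_login_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_login_fail_' . md5($ip);
}

// Count every failed login (wrong username or wrong password) from this address.
add_action('wp_login_failed', function ($username) {
    $key   = example_login_client_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, EXAMPLE_LOGIN_WINDOW);
});

// Refuse to authenticate anyone from a locked-out address, even with the correct password.
// Priority 30 is deliberate: WordPress's own username/password check runs at priority 20 and
// would replace an earlier WP_Error with a WP_User when the credentials are right.
add_filter('authenticate', function ($user, $username, $password) {
    $count = (int) get_transient(example_login_client_key());
    if ($count >= EXAMPLE_LOGIN_MAX_ATTEMPTS) {
        return new WP_Error(
            'example_too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter so a legitimate user who mistyped a few times is not
// locked out later in the window.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(example_login_client_key());
}, 10, 2);
```

Because the `authenticate` filter is also what XML-RPC and application-password logins pass through, the lockout covers those entry points, not just the wp-login.php form. Transients live in the options table (or the object cache if one is configured), so the counter is shared across PHP workers; a per-process array would not be.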
Keep Your WordPress Version a Closely Guarded Secret
One of the biggest complaints developers and security analysts have about WordPress is that the software broadcasts its version number through many channels, including inside your source code and your RSS feed. This information is very useful to hackers, especially when you run an out-of-date version of WordPress. When security holes are found, the developers work hard to create fixes and get those fixes out to the community on a timely basis. But if you run an outdated version, those security holes — the ones the hackers already know about — still exist on your site and are being advertised to the world.
Hiding your WordPress version is as simple as installing a free plugin like Remove WP Version Everywhere.
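For readers who would rather see what such a plugin does than install one, here is an added example that is not the code of the plugin named above. It removes the version from the three places the post mentions or implies: the generator tag in the page head, the generator element in feeds, and the `?ver=` query string on core script and stylesheet URLs. Every hook and function used is standard WordPress; the `example_` function name is the only invented identifier.

```php
<?php
/*
Plugin Name: Example Hide WordPress Version
Description: Added example (not the plugin the post names): strip the WordPress version from page output.
*/

// 1. The <meta name="generator" content="WordPress x.y"> tag printed in <head>.
remove_action('wp_head', 'wp_generator');

// 2. The <generator> element in RSS/Atom feeds, and anywhere else the_generator() is called.
add_filter('the_generator', '__return_empty_string');

// 3. The ?ver=<version> query string WordPress appends to enqueued core scripts and styles.
//    Caveat: the query string is also the cache-buster, so after an update visitors may keep
//    stale cached files until those expire; replacing 'ver' with a hash of your own is the
//    alternative if that matters to you.
function example_strip_version_query($src) {
    if ($src && strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src',  'example_strip_version_query');
add_filter('script_loader_src', 'example_strip_version_query');
```

Hiding the number only removes the advertisement; it does not remove the hole. Treat it as a small extra on top of the next step, keeping everything updated, rather than a substitute for it.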
Keep EVERYTHING Updated
The WordPress developer community works diligently to fix security holes, often before the hackers themselves find them. All of this hard work only benefits you when you diligently upgrade your website to the latest versions — this includes WordPress itself, any plugins, and your theme. Keeping everything on your site updated is one of the very best actions you can take to keep the hackers away.
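WordPress can apply most of these updates on its own if you tell it to. The following is an added configuration example, not something from the post, showing the defaults beside the opt-in settings; it assumes a WordPress release that includes the background updater (3.7 or later) and uses `example-pinned-plugin` as a made-up slug for a plugin you deliberately keep at a tested version.

```php
<?php
// Added example (not from the post). The define() belongs in wp-config.php; the filters belong in a
// small must-use plugin under wp-content/mu-plugins/ so they are active even if other plugins are not.

// Core: by default only minor (security and maintenance) releases install automatically.
// true opts into major releases as well.
define('WP_AUTO_UPDATE_CORE', true);

// Themes: not auto-updated unless this filter says so.
add_filter('auto_update_theme', '__return_true');

// Plugins: auto-update everything except an assumed list of slugs you keep pinned.
// $item is the update object WordPress passes for each plugin; its slug property is the plugin's directory name.
add_filter('auto_update_plugin', function ($update, $item) {
    $pinned = ['example-pinned-plugin']; // assumption: slugs you test by hand before updating
    if (isset($item->slug) && in_array($item->slug, $pinned, true)) {
        return false;
    }
    return true;
}, 10, 2);
```

Background updates need the web server to be able to write to the WordPress files and the cron-style `wp_version_check` event to run, so check the Site Health screen after enabling them; a site that cannot update itself silently stays behind.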
Even if you take all of the above steps, your site might still get hacked. Hackers are notoriously crafty and will keep looking for vulnerabilities to exploit. As a result, you cannot completely prevent a hack, but you can limit its impact if it does happen.
Limit the Damage Done by a Hacker
Most hacks can be completely eliminated by simply restoring your site to a clean backup version. However, this only works if you actually back up your site regularly, and those backups extend far enough into the past to offer a clean version of your site. With a recent, clean backup version of your site, you can get your site back up within a couple of hours of being hacked… in contrast to several days or weeks spent rebuilding your site. This can’t be stressed enough: backup, backup, backup.
Your website represents the lifeline of your business on the web. Don’t risk that lifeline by leaving your site open to hackers. Take a few precautions to make your site less vulnerable.