Has one of your WordPress sites ever been hacked?
If it has, you know the frustration, time, and money it takes to fix the problem and get everything cleaned up. Skilled hackers will plant a virus deep in your file structure to make it exceptionally difficult to remove. And while you’re trying to figure it out, your website will be doing the hacker’s bidding, whatever that may be – spreading a virus, creating parasite pages for SEO, etc.
Basically, it’s a nightmare.
Securing your site to prevent a hack in the first place is absolutely crucial. Take a few minutes to follow the steps below and you’ll be more secure than 99% of WordPress users out there. We’ll even give you ways to prevent hackers and spammers from knowing you’re on WordPress in the first place. Read on.
1. Limit Login Attempts
Seriously? You don’t have this installed yet? Without Limit Login Attempts (or another similar plugin), any hacker can “try out” an almost infinite number of combinations on your login screen. If the hacker has another one of your passwords from a compromised database, it may be a matter of trying just a few variations until he’s through.
Download it for free from the WordPress repository, or have it installed automatically alongside WordPress if you’re using a platform like Softaculous.
2. From now on, you’re not called “admin”
Most webmasters use admin as a username simply because it’s the default value on installation. With a random password, admin as a username can be okay, but with a custom, easy-to-crack password, the combination is risky.
Use different usernames for all of your websites, and of course, use random strings of numbers, letters and symbols for your passwords. WordPress has a built-in password generator now, or, you can use a browser extension like LastPass to generate passwords and keep them handy.
3. Change the locations of important URLs
Another default you should change is the login and admin URLs. Often, hackers will scrape for WordPress footprints and append the default folders onto the root URL for quick brute-force access. Plugins like Custom Login URL and Protect Your Admin can help prevent that.
4. Remove WordPress footprints
Prevent your site from getting on a hacker’s “list” of websites to try out in the first place with a plugin like Hide My WP, one of the most popular plugins on Code Canyon.
5. Never mess with cracked plugins or themes
There is no altruistic incentive for someone to crack a plugin or theme and release it for free on the internet. Rather, most crackers are profit-driven, meaning they slip something into the code that will make them money.
Most commonly, this is a script that steals ad placements or traffic. More malicious versions auto-install malicious files (such as .exe files) on visitors’ computers, and the script will only run for a percentage of your traffic, so you will likely have no idea it’s running (until Google deindexes your site).
Don’t risk it. Get the official version, support the developers, and sleep safely at night knowing some random person doesn’t have complete access to your site(s).
6. Delete plugins (and limit plugin use in general)
Any plugin – even a simple one – adds code that can leave your WordPress site open to vulnerabilities.
- Deactivate and delete the plugins you’re not using.
- Don’t use big plugins for small tasks. Adding meta descriptions can be done without installing a massive SEO plugin like Yoast.
- Do things manually wherever possible. If you’re verifying through Google Analytics with a meta tag, go to the Editor and insert the tag into header.php yourself. The fewer plugins you have, the more secure you are – period.
7. Set both your WordPress core and your plugins to update automatically
If the developers of a plugin or the WordPress team discover a vulnerability, they will release a new version, often quietly described as “minor bug fixes”. You want to install these updates immediately – the easiest way is to do it automatically.
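The two mechanisms described above (throttling failed logins from step 1 and automatic updates from step 7), as an added example that is not code from this post or from any of the plugins it names: a must-use plugin that opts plugins and themes into auto-updates and counts failed logins per client IP with WordPress transients, refusing further attempts once the limit is hit. The file name, the `he_` prefix and the limits are assumptions; the hooks and functions used are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Hardening Example (added illustration, not the post's code)
 * Drop this file into wp-content/mu-plugins/ so it loads before normal plugins.
 * Assumes WordPress 5.5+ (auto_update_plugin/auto_update_theme filters) and a
 * single-server setup where $_SERVER['REMOTE_ADDR'] is the real client address.
 */

// Step 7: opt every plugin and theme into automatic updates. Core minor and
// security releases already auto-update by default; the third filter also
// allows major core releases to install on their own.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Step 1: what a limit-login plugin does under the hood. Assumed limits.
define( 'HE_MAX_ATTEMPTS', 5 );
define( 'HE_LOCKOUT_SECS', 15 * MINUTE_IN_SECONDS );

function he_attempt_key() {
    // Hashing keeps the transient key short and free of unsafe characters.
    return 'he_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count each failure; the counter expires on its own after the lockout window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = he_attempt_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, HE_LOCKOUT_SECS );
} );

// Priority 30 runs after core's username/password check (priority 20), so a
// locked-out client is refused even when it finally guesses the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( he_attempt_key() ) >= HE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed logins. Try again in 15 minutes.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( he_attempt_key() );
} );
```

Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy’s address, so the client IP must instead be taken from a forwarded header that you have verified the proxy sets and strips from incoming requests.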
8. Keep track of logins, just in case
Use a plugin like WP Security Audit Log to see who is coming and going on your website. It’s an easy way to spot a hack (if something does happen) and get to work on fixing it before any serious damage is done.
9. Keylog hackers are just as prominent as WordPress hackers
Keep in mind that if a malicious keylogger is on your computer, it’s absolutely pulling any WordPress credentials you enter. Be just as vigilant with your personal computer’s safety as you are with WordPress’ safety. And, if you have other admins on your site(s), make sure they are being vigilant, too.
Taking preventive action with the above nine steps will take you under an hour, and can potentially prevent hours to days of wasted time and hundreds to thousands of wasted dollars down the line. Be smart and prepare for the worst – good luck!
Leury enjoys blogging and creative writing. His passion is to help others and learn something new on a daily basis.