Recently, I’ve been hearing a lot about people having their WordPress websites hacked and compromised by malicious code. I’ve written about how to secure your WordPress Installation before, but in light of the recent string of hacked websites, I think a more thorough article is needed.
In order to protect your site from being hacked, we need to understand how a hacker would attempt to break in in the first place. One of the most common (and luckily easiest to protect against) ways is through the wp-login.php page – the WordPress login page.
Securing The WordPress Login Process
Make Your Password Secure…
Yeah, sounds like a no-brainer, but I feel like I need to beat this simple idea into some of your heads! If I find one more password that is a client's name plus their birth year, I'm going to snap.
Passwords should be 8 characters long, be CaSeSeNsItIvE, and contain numbers and symbols. I really don't care if you have a hard time remembering it; it's much better than the headache of dealing with a hacked site.
Delete The Admin Username
Every fresh install of WordPress includes a user called admin. Knowing this, hackers attempt to brute-force the login using the admin username. There are many ‘dictionaries’ of the most commonly used passwords online, so what a hacker will do is try each common password with the admin username and hope they break in.
Enable and Use Nicknames
So you are a smart webmaster, you've deleted the admin user and you now have a safe and secure password – hackers are screwed now! Not quite yet, my fine friend, because most WordPress themes display the name of the author on posts. This is especially true if you are using WordPress as a blogging platform.
Luckily there is an easy way to keep hackers from learning your username. If you edit your user profile, you can choose a nickname. Make your nickname different from your username and then select it in the “Display name publicly as” section. So now your username can be “NaNaNaCannotHackMe” but the site will display the author as “Dylan”.
Install the Limit Login Attempts Plugin
This plugin allows you to set a ‘failed login limit’, which is extremely useful in stopping bots and scripts from brute-force logging in. Many customization features, such as email notification, are available as well.
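To show what a failed-login limit actually does under the hood, here is an added example of a small must-use plugin that enforces one using WordPress transients. It is not code from the original post or from the Limit Login Attempts plugin, and the threshold, lockout window and function names are assumed values.

```php
<?php
/*
Plugin Name: Failed Login Limit (added example)
Description: Lock out a client address after repeated failed logins, using transients.
*/

// Tunables (assumed values, not taken from the original post).
const FLL_MAX_ATTEMPTS    = 5;       // failures allowed inside the window
const FLL_LOCKOUT_SECONDS = 15 * 60; // counting window and lockout length

// Key the counter on the client address. Behind a reverse proxy you would
// have to use the trusted forwarded-for header instead; REMOTE_ADDR is assumed here.
function fll_key() {
    return 'fll_' . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

// Count every failed attempt; the transient (and so the counter) expires with the window.
// WordPress also fires wp_login_failed for the lockout error below, which keeps
// the window open while an attacker keeps hammering the login page.
function fll_record_failure( $username ) {
    $key   = fll_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, FLL_LOCKOUT_SECONDS );
    if ( $count >= FLL_MAX_ATTEMPTS ) {
        // Write the lockout to the server error log so it can be picked up by monitoring.
        error_log( sprintf( 'fll: lockout for %s after %d failures (username "%s")',
            $_SERVER['REMOTE_ADDR'] ?? '?', $count, $username ) );
    }
}
add_action( 'wp_login_failed', 'fll_record_failure' );

// Refuse authentication while the address is locked out. Priority 30 runs after
// WordPress's own username/password check (priority 20), so a correct password
// submitted during the lockout is still rejected.
function fll_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( fll_key() ) >= FLL_MAX_ATTEMPTS ) {
        return new WP_Error( 'fll_locked_out',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'fll_check_lockout', 30, 3 );

// A successful login clears the counter for that address.
function fll_clear( $user_login, $user ) {
    delete_transient( fll_key() );
}
add_action( 'wp_login', 'fll_clear', 10, 2 );
```

Drop the file into wp-content/mu-plugins/ and it loads on every request; because transients live in the options table (or the object cache), the counter also survives across PHP worker processes.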
Install Semisecure Login Reimagined
Hiding Your WordPress Version
Older versions of WordPress have known vulnerabilities that hackers can use to compromise your site. Hiding which version of WordPress you are running stops most bots/scripts from even attempting to hack you.
Removing Unimportant Files From Your Server
There are many ways you can do this: over FTP, or maybe just through your host's file manager. Either way, all you have to do is delete these files:
The reason for this is that those two files are not needed in any way to run your site, but they contain the WordPress version you are running. This information could be used by hackers to help gain access to your site!
Install Secure WordPress
This plugin performs two basic but very important tasks for you. The first is creating an index.html in each subfolder, stopping anyone from browsing the directories of your site and accessing the files in them.
The second is the ability to remove default WordPress headers, such as the WordPress version.
Other Basic Things to Keep Your Install Safe and Secure
Keep Your Version of WordPress and All Plugins Updated
This is another one that seems obvious, but please don't ignore it! Sometimes it's not WordPress itself that lets a hacker in, but an outdated plugin instead. There are many common and popular plugins out there with known security vulnerabilities, so keep ahead of the hackers and update.
Change Your Table Prefix
Sometimes, instead of attacking the WordPress files themselves, a hacker will use the database to gain entry, by injecting malicious SQL code or compromising the database through other means.
Because of this, it is important to change the default WordPress table prefix of wp_ to something else. The free WP security plugin WebsiteDefender has a built-in tool that will do this for you.
*Note: remember to back up your database beforehand.
Hopefully, if you follow all of these points, you won't ever have to deal with getting hacked or having malware on your site – good luck!