How To Prevent Your WordPress Site Being Hacked

One of the few downsides of using WordPress, or any other CMS, is the risk that your site will be targeted by hackers, starting with something as simple as brute force attacks against your login page.

Have A Strong Unique Username And Password

This is your first line of defense. By not using the default username, admin, you make it twice as hard for any prospective hacker attempting a brute force attack, because they now have to guess the username as well as the password.

Also, make sure that your username and the display name you set inside the WordPress dashboard are different. If they are the same, the username might as well be admin, because a hacker's first or second guess in a brute force attack is very likely to be your display name.

Keep Plugins To A Minimum

While all code submitted to the WordPress plugin repository goes through a screening process, given the sheer volume of plugins and updates there are probably a few plugins out there with weaknesses that can be exploited.

Keep Everything Updated

When WordPress releases a major security update, not only do all of its users learn about it, which is the intent, but people with worse intentions also become aware of a weakness in the code. Some of them even use bots to search for sites running outdated versions of WordPress. If a hacker finds your site while it is behind on an important security update, they are free to wreak havoc.

Implement Some Border Control For Your Login And Admin Area

While a limit login attempts plugin is a good place to start, there are other, more efficient ways to protect your admin area from unwanted intruders.

Two of your best bets are two-step authentication and IP restriction/whitelisting.

Two-step verification adds a second step to the login process, such as logging into your Google account or receiving a code on your mobile phone and entering it before you can log in. While two-step verification is great, it does nothing about the wasted bandwidth that comes as an added 'bonus' of brute force attackers.

IP whitelisting basically means that you choose a few IP addresses that are allowed to access the login page or admin area. Visitors from unauthorized IP addresses don't even get to see the login page; they are simply redirected elsewhere. This stops brute force attacks before they even start and ends up saving your bandwidth.

IP Whitelisting is actually one of the things done here at WP Daily Themes to ensure the security of the website.

You can use the Google Authenticator or Rublon Account Security plugins for easy two-step authentication, or the more extensive security plugin Wordfence to set up IP whitelisting.
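For readers who prefer to see what IP whitelisting of the login and admin area looks like under the hood, here is an added example written for this article, not code from any of the plugins named above. It is a must-use plugin that redirects everyone outside the allowed ranges away from wp-login.php and /wp-admin/; the addresses are constructed documentation ranges standing in for your own office or VPN addresses, and it assumes the server is not behind a reverse proxy (otherwise REMOTE_ADDR would be the proxy, not the visitor).

```php
<?php
/*
Plugin Name: Login IP Allowlist (added example)
Install as wp-content/mu-plugins/login-ip-allowlist.php. Assumes no reverse proxy in front of PHP,
so REMOTE_ADDR is the real client, and that the constructed RFC 5737 / RFC 3849 addresses below
stand in for the operator's own office or VPN addresses.
*/
function login_allowed_networks() {
    return array( '203.0.113.10', '198.51.100.0/24', '2001:db8::/32' ); // constructed example ranges
}
// True when $ip lies inside $cidr ("a.b.c.d/n", "x::/n", or a bare address meaning exact match).
function login_ip_in_cidr( $ip, $cidr ) {
    $parts   = explode( '/', $cidr, 2 );
    $ip_bin  = inet_pton( $ip );
    $net_bin = inet_pton( $parts[0] );
    if ( $ip_bin === false || $net_bin === false || strlen( $ip_bin ) !== strlen( $net_bin ) ) {
        return false; // unparseable input or an IPv4/IPv6 mismatch never matches
    }
    $bits = min( isset( $parts[1] ) ? (int) $parts[1] : PHP_INT_MAX, strlen( $ip_bin ) * 8 );
    for ( $i = 0; $i < $bits; $i++ ) { // compare the network prefix bit by bit
        $mask = 0x80 >> ( $i % 8 );
        $byte = (int) ( $i / 8 );
        if ( ( ord( $ip_bin[ $byte ] ) & $mask ) !== ( ord( $net_bin[ $byte ] ) & $mask ) ) {
            return false;
        }
    }
    return true;
}
function login_ip_is_allowed( $ip ) {
    foreach ( login_allowed_networks() as $cidr ) {
        if ( login_ip_in_cidr( $ip, $cidr ) ) {
            return true;
        }
    }
    return false;
}
// Gate wp-login.php and the admin area; admin-ajax.php is exempt because front-end features call it.
function login_ip_gate() {
    if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
        return;
    }
    // REMOTE_ADDR on purpose: X-Forwarded-For is visitor-controlled unless a trusted proxy rewrites it.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( ! login_ip_is_allowed( $ip ) ) {
        wp_safe_redirect( home_url( '/' ) ); // unauthorised visitors never reach the login form
        exit;
    }
}
add_action( 'login_init', 'login_ip_gate' );
add_action( 'admin_init', 'login_ip_gate' );
```

Test it from an allowed address before you log out, and keep a second way in (SFTP to delete the file) in case your own address changes; a whitelist that locks the owner out is the most common failure of this technique.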

Change Your MySQL Database Table Prefix

A prefix, in this case, is a short piece of text placed in front of the names of the tables in the database. By default it is set to wp_, and since the rest of each table name is also a default (users, posts, etc.), every table name on your site is predictable, which means that your site is vulnerable to SQL injection. (Basically, hackers inserting data into your database.)

If there is a vulnerability on your site that lets someone insert custom SQL into your database, and you use the default table prefix, they can basically just create their own admin user.

If you change your table prefix, then even if they manage to insert SQL, you stop them from easily gaining access to your dashboard and buy yourself time to find the problem with your website.

This can easily be done with the Sucuri plugin. Please note that you should always back up your database before you attempt to change the table_prefix. Luckily, that is also something you can do from within the plugin.
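To show why a plugin (or a careful script) is needed rather than a bare rename of the tables, here is an added example of the change done by hand with WP-CLI; it is not Sucuri's code. It assumes a fresh database backup has been taken, that it is run as `wp eval-file change-prefix.php`, and that the new prefix value is a constructed one.

```php
<?php
// Added example, not Sucuri's code. Run with WP-CLI as `wp eval-file change-prefix.php` AFTER taking
// a database backup; then edit wp-config.php by hand to match. $new_prefix is a constructed value.
global $wpdb;
$old_prefix = $wpdb->prefix;
$new_prefix = 'k7x2_'; // constructed: pick something unguessable and keep the trailing underscore
if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $new_prefix ) || $new_prefix === $old_prefix ) {
    exit( "Refusing: new prefix is invalid or unchanged\n" );
}

// 1. Rename every table that carries the old prefix. esc_like() stops "_" acting as a LIKE wildcard.
$tables = $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $wpdb->esc_like( $old_prefix ) . '%' ) );
foreach ( $tables as $table ) {
    $renamed = $new_prefix . substr( $table, strlen( $old_prefix ) );
    $wpdb->query( "RENAME TABLE `{$table}` TO `{$renamed}`" );
}

// 2. Renaming alone locks everyone out, because WordPress also embeds the prefix in option and meta
//    NAMES: roles live in options as {prefix}user_roles, and each user's capabilities and level live
//    in usermeta as {prefix}capabilities and {prefix}user_level. Only the one options row is renamed,
//    since some core options (e.g. wp_page_for_privacy_policy) start with a literal "wp_".
$wpdb->update(
    "{$new_prefix}options",
    array( 'option_name' => "{$new_prefix}user_roles" ),
    array( 'option_name' => "{$old_prefix}user_roles" )
);
$wpdb->query( $wpdb->prepare(
    "UPDATE `{$new_prefix}usermeta` SET meta_key = CONCAT(%s, SUBSTRING(meta_key, %d)) WHERE meta_key LIKE %s",
    $new_prefix, strlen( $old_prefix ) + 1, $wpdb->esc_like( $old_prefix ) . '%'
) );

// 3. The running site still reads $table_prefix from wp-config.php, so change that by hand right now.
echo count( $tables ) . " tables renamed. Set \$table_prefix = '{$new_prefix}'; in wp-config.php.\n";
```

Until wp-config.php is updated the site will show an install screen, which is the expected state between step 3 and the edit; restore from the backup if anything else appears.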

Hide The Fact That Your Site Runs On WordPress

The fact of the matter is that hackers are more likely to find and attempt to hack your site if it advertises that it runs on WordPress.

You can solve this with a plugin made for the sole purpose of cloaking the fact that your site runs on WordPress: Hide My WP.

Hide My WP makes sure that hackers and their bots can't find your website when they search for websites running specific versions of WordPress, or WordPress in general.

This means you reduce your risk by simply avoiding the brunt of WordPress-targeted attacks, by tricking bots into thinking that your website does not run on WordPress. Almost like a cloaking device.

Scan Your Site Regularly/Check For Changes To Files

Scanning your site regularly is the best way to spot any untoward code, backdoors or planted malware that someone may have managed to infest your website with.

This can make the difference between having your website completely pulled apart and catching a breach early enough to restore a backup and fix the problem before permanent damage is done.

Monitoring changes to your files is another good way to do this, and also to find out whether somebody has gained access to your dashboard.

The great thing about the Wordfence plugin is that it does both of these things, and also emails you whenever someone attempts to log in to your dashboard (when they fail, so you know your website is under attack, and, much more importantly, when someone succeeds).
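To make the "check for changes to files" idea concrete, here is an added example of a small baseline-and-diff script for a WordPress root; it is written for this article and is not Wordfence's scanner. It assumes it is run from cron as `php wp-integrity.php /var/www/html` (constructed paths throughout) and that the baseline file is stored outside the web root, so an intruder who can write to the site cannot also rewrite the record of what "clean" looked like.

```php
<?php
// Added example, not Wordfence's scanner. Usage (constructed paths): `php wp-integrity.php /var/www/html`.
// The baseline must live OUTSIDE the web root so a compromised site cannot quietly "re-baseline" itself.
$root     = isset( $argv[1] ) ? rtrim( $argv[1], '/' ) : getcwd();
$baseline = '/var/lib/wp-integrity/baseline.json'; // constructed path, outside the web root

// Walks the install once: SHA-256 of every file keyed by relative path, plus any PHP found under uploads/.
function wp_scan_tree( $root ) {
    $hashes = array(); $php_in_uploads = array();
    $files  = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $files as $file ) {
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        if ( strpos( $rel, 'wp-content/cache/' ) === 0 ) {
            continue; // churns constantly and would drown the report in noise
        }
        if ( strpos( $rel, 'wp-content/uploads/' ) === 0 ) {
            // Media churns too, so it is not hashed; but executable PHP there is a classic backdoor location.
            if ( preg_match( '/\.(php\d?|phtml|phar)$/i', $rel ) ) {
                $php_in_uploads[] = $rel;
            }
            continue;
        }
        $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $hashes );
    return array( $hashes, $php_in_uploads );
}

list( $current, $php_in_uploads ) = wp_scan_tree( $root );
if ( ! file_exists( $baseline ) ) { // first run: record the known-good state
    file_put_contents( $baseline, json_encode( $current ) );
    exit( 'Baseline written for ' . count( $current ) . " files\n" );
}
$known    = json_decode( file_get_contents( $baseline ), true );
$modified = array();
foreach ( array_intersect_key( $current, $known ) as $rel => $hash ) {
    if ( $hash !== $known[ $rel ] ) {
        $modified[] = $rel;
    }
}
$report = array(
    'ADDED'          => array_keys( array_diff_key( $current, $known ) ),
    'REMOVED'        => array_keys( array_diff_key( $known, $current ) ),
    'MODIFIED'       => $modified,
    'PHP-IN-UPLOADS' => $php_in_uploads,
);
foreach ( $report as $label => $paths ) {
    foreach ( $paths as $rel ) {
        echo "{$label} {$rel}\n"; // one line per finding; pipe this to mail or a log collector
    }
}
// After a legitimate core or plugin update, review the report, then delete the baseline and re-run to accept it.
```

An unexpected MODIFIED wp-config.php, index.php or theme functions.php, or anything at all under PHP-IN-UPLOADS, is exactly the kind of finding the article means by catching a breach early enough to restore a backup.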

Stay Up To Date On Website Security Tips

The world is changing at a rapid pace, and nowhere is that truer than on the internet. To be truly safe, you have to stay up to date so you can secure your site today against the threats of tomorrow.

Back Up Your Site

The great thing about backing up your site is that if somehow a hacker makes it through your new and improved security, you are still okay.

While, technically, this doesn't stop your site from being hacked, it is your failsafe, covering absolutely all your bases.

It also protects you from server failures or other problems your web host could run into that could destroy your website.

You can use the BackupBuddy plugin to completely automate the process of backing up your site.

Conclusion

While this might seem overwhelming or like a lot of work, most of it can be implemented by installing and configuring a single plugin, and it will drastically reduce your chances of becoming another victim of some hacker on a rampage.

If you have a business website, improving its security could easily be the action with the highest return on investment you've ever taken for your website. After all, it takes only one breach to make a significant impact on your business.

Comment (1)

  1. Hi Ragnar,

    Thank you for this information! I currently have WordFence installed on my site but am not familiar with a lot of the available options. I like the idea of IP whitelisting and had no idea that was even a thing! I also have heard about erasing the fact that your site is run using WordPress so thanks for the plugin option. Great info…I will be using these tips!
