Securing your WordPress Installation
In recent years WordPress has become one of the most popular ways of creating and managing a website. In fact, current estimates suggest that one fifth of all websites are WordPress sites. However, its popularity has a downside: WordPress sites are now major targets for hackers. Hacking attempts have increased massively of late, and it makes sense to do what you can to secure your installation.
Brute force attacks are the most common form of attack. A brute force attack attempts to discover your username/password combination by using software to repeatedly try to log in to your installation until it hits the correct one. Someone having unauthorised access to your website is obviously a big problem, but attacks such as this can also open up ways for hackers to take over entire servers, which is often their real target. There are some simple steps you can take to make your installation secure:
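Brute force attempts against WordPress leave a recognisable trail in the web server access log: many POST requests to /wp-login.php from one client in a short time. A failed login re-renders the form (HTTP 200), whereas a successful one redirects to the dashboard (HTTP 302), so counting 200-status POSTs per client is a usable detection heuristic. The following is an added example, not code from the original article; the log lines are constructed, and the threshold and window are assumptions you would tune for your own site:

```python
"""Flag brute-force login attempts against wp-login.php in a web server log.

Added example (not from the original article): parses Apache/nginx
"combined" access-log lines and flags any client IP that POSTs to
/wp-login.php with a 200 response at least THRESHOLD times inside a
sliding WINDOW. The sample log below is constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, in chronological order: 203.0.113.5 hammers the login
# form with a scripted client; 198.51.100.7 browses normally and logs in once.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for clients whose failed login POSTs reach
    `threshold` within any `window`-long span. Lines are assumed to be in
    chronological order, as a live access log is."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failed POSTs
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        if m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        if m["status"] != "200":
            continue  # 302 is the post-login redirect, not a failure
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in find_brute_force(SAMPLE_LOG).items():
        print(f"possible brute force from {ip}: {count} failed logins in window")
```

Running it against a real log (`find_brute_force(open("access.log").read())`) gives you the list of clients worth blocking at the firewall or with a plugin; the status heuristic will miss sites that customise the login flow, so check one of your own failed logins in the log first.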
Do not use admin/administrator as a username – ever!
If you are already using a generic username such as admin, editor or user1, it is highly recommended that you change it. The easiest way to do this is to:
- Log in using your existing admin username
- Create a new user with Administrator rights
- Log out and log in using your new username
- Delete the old user 'admin'
Use a strong password
Passwords should include upper- and lower-case letters, numbers and special characters. You can use a password generator such as http://strongpasswordgenerator.com/
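If you prefer to generate passwords locally rather than on a website, the following added example (not from the original article) does what the paragraph asks for: it draws characters with a cryptographically secure generator and guarantees that every one of the four classes, upper case, lower case, digits and special characters, is present. The set of special characters and the 16-character minimum used by the checker are assumptions.

```python
"""Generate and check strong passwords.

Added example, not from the original article: uses Python's `secrets`
module (a CSPRNG) instead of `random`, and guarantees at least one
character from each class the article asks for.
"""
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"  # assumed set; widen it if your site allows
CLASSES = (UPPER, LOWER, DIGITS, SPECIAL)
CLASS_NAMES = ("upper", "lower", "digit", "special")
ALPHABET = "".join(CLASSES)


def missing_classes(password):
    """Return the names of the character classes `password` lacks
    (an empty list means all four are present)."""
    return [
        name
        for name, cls in zip(CLASS_NAMES, CLASSES)
        if not any(ch in cls for ch in password)
    ]


def is_strong(password, min_length=16):
    """Minimum-length and all-classes check (min_length is an assumption)."""
    return len(password) >= min_length and not missing_classes(password)


def generate_password(length=20):
    """Return a random password of `length` characters containing at least
    one character from each class."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    # One guaranteed pick from each class, the rest from the whole alphabet...
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    # ...then a Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed
    # picks do not sit in a predictable position at the front.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, "strong" if is_strong(pw) else "weak")
```

Using a password manager to store the result is the practical companion to this: a 20-character random password is only usable if you never have to remember it.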
Keep your WordPress installation up to date
WordPress is continually evolving, and the developers regularly release updates with security fixes, new features and additional functionality. To benefit from the latest fixes it is important to keep WordPress up to date. If an update is available you will see a message with an update link on your WordPress dashboard; clicking this link will automatically update your installation.
We highly recommend that you make a backup before implementing any software changes.
Install a Security plugin
- Limit Login Attempts – does what it says on the tin and limits the number of times someone can attempt to log in with incorrect credentials.
- BulletProof Security – a comprehensive security plugin which protects your .htaccess and other files. It also gives the option to monitor file permissions and login attempts.
- Wordfence – an enterprise-class security plugin with a built-in firewall, virus scanning, and a premium version that can block specific countries.
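To show what a "limit login attempts" plugin actually does underneath, here is an added example (not the code of any of the plugins above): a per-client throttle that counts failed logins inside a time window and refuses further attempts, correct password included, until a lockout period has passed. The limits (5 failures in 10 minutes, 20-minute lockout) and the `check_credentials` stand-in for WordPress's own authentication are assumptions.

```python
"""Per-client login throttling, the mechanism behind "limit login attempts" plugins.

Added example, not any plugin's own code: tracks failed logins per client
key (an IP address or a username) and locks the key out once
`max_attempts` failures occur within `window_seconds`, for
`lockout_seconds`. The clock is injectable so the behaviour can be tested
without sleeping.
"""
import time
from collections import deque


class LoginThrottle:
    def __init__(self, max_attempts=5, window_seconds=600,
                 lockout_seconds=1200, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock            # returns the current unix time
        self._failures = {}           # key -> deque of failure timestamps
        self._locked_until = {}       # key -> unix time the lockout expires

    def is_locked(self, key):
        """True while `key` is inside a lockout; expired lockouts are cleared."""
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[key]
            self._failures.pop(key, None)   # start with a clean slate after lockout
            return False
        return True

    def record_failure(self, key):
        """Register a failed login; returns True if this failure triggered a lockout."""
        now = self.clock()
        q = self._failures.setdefault(key, deque())
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)

    def attempt_login(self, key, username, password, check_credentials):
        """Gate a credential check behind the throttle.

        Returns (ok, reason) where reason is "ok", "bad_credentials" or
        "locked_out". Note that the credentials are not even checked while
        locked, so a guess made during the lockout yields no information."""
        if self.is_locked(key):
            return False, "locked_out"
        if check_credentials(username, password):
            self.record_success(key)
            return True, "ok"
        locked = self.record_failure(key)
        return False, ("locked_out" if locked else "bad_credentials")


def demo():
    """Scripted scenario on a manual clock; returns the outcome of each attempt."""
    now = [1000.0]
    throttle = LoginThrottle(max_attempts=3, window_seconds=60,
                             lockout_seconds=300, clock=lambda: now[0])
    # Stand-in for WordPress's own password check (assumption, not the real API).
    creds = lambda user, pw: (user, pw) == ("editor", "correct")
    outcomes = []
    for pw in ("wrong", "wrong", "wrong", "correct"):
        outcomes.append(throttle.attempt_login("203.0.113.5", "editor", pw, creds)[1])
    now[0] += 301  # lockout has expired
    outcomes.append(throttle.attempt_login("203.0.113.5", "editor", "correct", creds)[1])
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Keying the throttle on the client IP alone is the common choice, but an attacker spread across many addresses evades it, and one shared office address can lock out legitimate users; keying on the username as well catches the former and a modest lockout length limits the harm of the latter.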
Keep your Computer Clean
It's all very well securing your installation against hackers and having confidence that your web host has hardened its servers, but if your PC is not clean of malware, spyware or viruses, a simple keylogger could snatch your login credentials and all your hard work securing your site would be for nothing. Keeping your virus protection up to date, scheduling scans and using additional anti-malware software are essential to keeping the nasties away.