Keep Hackers Away From Your WordPress

When setting up WordPress there are things you can do to make your installation more secure. Many times people say that WordPress is not secure because they hear of sites getting hacked. There are some basic ways that a WordPress website can be hacked and most of them are preventable by taking simple steps. Some of these problems can be blamed on WordPress because of the way it handles certain setup features, but all of them can be easily remedied. Following these steps won't guarantee that your site will be safe from hackers, but these steps will certainly mitigate the risks.

Securing WordPress: Change Your Username

The easiest way that WordPress can be taken over by a hacker is a brute force attack on the administrator's login. A brute force attack is when a hacker tries to guess the username and password to gain access to WordPress. They may do this by trying to guess the login credentials based on what they know about the site. They usually start with a dictionary attack, which means they try to log in using a list of common words to guess the username and password. By default the site administrator's login name is admin. Because the WordPress default username is well known, hackers only need to guess the password to gain access to many WordPress sites.

Choosing any login name other than admin will make a brute force attack substantially more difficult. Not only will they have to guess the password, but they will also have to guess the username. Since a login name can be anything, choose one that is not a dictionary word.

Most of the time, someone looking at a WordPress site will see an author's name next to each post. In WordPress this is not necessarily the person's login name; it is called a nickname. Using a nickname that differs from the login name creates one more barrier that a hacker has to guess.

If, when WordPress was installed, the administrator's username was left as the default, admin, then the change will need to be made in the database table called wp_admin. The easiest way to alter this is through a program called phpMyAdmin inside the webserver's control panel. The only thing that needs to change is in the line user_login. Even though the user_nicename and display_name also have admin in their fields, those can be changed inside WordPress dashboard's Users | Your Profile.

Securing WordPress: Use Strong Passwords

Creating a strong password is important for the administrator and for all of the users. Because the users already have a login name that is not admin, they have a good start in securing their information. Users should be given the least powerful role they require, so that if an account is hacked there will be less damage to the site. Using strong passwords will help thwart brute force attacks.

Typically a strong password consists of at least eight characters. These characters should be made up of letters (both capital and lowercase), numbers and symbols. The administrator can reset a password for users either through WordPress or through phpMyAdmin.

Securing WordPress: Update WordPress and Plugins

With WordPress' automatic updates it is much easier to keep an installation of the software up to date than it was just a couple of years ago. In the WordPress dashboard there will be numbered icons over the Plugins menu if any plugins need to be updated. Across the top of the dashboard will be a box letting you know if there is an update for WordPress itself. Plugins are often updated because of security vulnerabilities or new features. Apart from major releases, WordPress updates are almost always bug fixes and security updates. It is important to update both plugins and WordPress.

It is always best to make sure there is a current backup of the website as well as the database before updating WordPress.

It is possible that updating WordPress will break a plugin. Plugin makers work hard to ensure their plugin is compatible with the newest WordPress update. But, be aware that some plugins may not work for a day or two after an update. This rarely happens except on major WordPress releases.

Securing WordPress: Remove WordPress Branding

If the website has been altered considerably from the default WordPress theme, it may be impossible to tell that a site is hosted on the WordPress platform. By removing all WordPress branding, the site will still be just as vulnerable, but it will be less obvious to someone taking a quick look to see if it is worth attempting a hack on the site.

Remove "Powered by WordPress" in the theme's footer if it exists. Using custom permalinks settings, which can be turned on in the Settings | Permalinks options, can help mask that a site is running on WordPress.

The HTML of every page contains a generator meta tag announcing the WordPress version; it is printed by the wp_head() call in the theme's header. This can be removed automatically by placing a remove_action call in the functions.php file of the current WordPress theme. At the end of the functions.php file add this line to remove the WordPress branding from the head of each page: remove_action('wp_head', 'wp_generator');

This is called security through obscurity in that removing the branding does not make the site inherently more secure but makes it less obvious what the vulnerabilities might be. Hackers learn specific vulnerabilities based on the version of the software that a site runs on. By announcing that a site runs on a specific version of WordPress, the hacker knows how to attack the site. You want to hide any evidence as to the particular version of WordPress.
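The following functions.php snippet is an added example, not code from the original article: it extends the single remove_action line above to the other places WordPress core prints its version number (the feeds and the ?ver= query string on core script and style URLs). The function name hide_wp_version_from_asset_urls is my own; the hooks, filters and helper functions are WordPress core.

```php
<?php
// Added example for a theme's functions.php: remove every place WordPress core
// advertises its own version number. Hook and filter names are WordPress core;
// the function name below is an assumption of this example.

// 1. The generator meta tag that wp_head() prints in the <head> of every page.
remove_action( 'wp_head', 'wp_generator' );

// 2. The same version string in the RSS/Atom feeds (the_generator filter).
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core scripts and styles are enqueued without an explicit version, so
//    WordPress appends ?ver=<WordPress version> to their URLs. Strip only that
//    value, leaving plugin and theme assets (which carry their own version
//    for cache busting) untouched.
function hide_wp_version_from_asset_urls( $src ) {
    $wp_version = get_bloginfo( 'version' );
    if ( $src && false !== strpos( $src, 'ver=' . $wp_version ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hide_wp_version_from_asset_urls' );
add_filter( 'style_loader_src', 'hide_wp_version_from_asset_urls' );
```

After adding this, view the page source and the feed to confirm no "WordPress x.y" string remains; the readme.html file shipped in the WordPress root also states the version and can be deleted.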

Securing WordPress

Some of these steps are more difficult to implement than others, but they are all worth the effort. There is no need to have a site's content mutilated or deleted when these steps take little time and effort to put into practice. If only one of these can be done, you should change the administrator's username to anything besides admin.

Keep full website and database backups on several media: the webserver, a desktop computer and an external hard drive, for example. Current backups will make it much easier to restore a site if it is taken over by hackers.

Reading websites and books on WordPress security will help keep your site from being hacked. While some hackers target specific sites, many look for open doors. Closing the doors on WordPress is fairly easy and will cause most hackers to give up and look for something easier.