Millions of websites are powered by WordPress software and there’s a reason for that. WordPress is the most developer-friendly content management system out there, so you can essentially do anything you want with it. Unfortunately, that has some downsides as well.
For example, if you don’t change your default configuration, hackers and some pesky users with too much curiousity immediately know where to log in to get into your admin area. In WordPress, you can just type in domain.com/wp-admin and it will take you right to the login screen. At that point, it’s all about trying to crack your password. The most common method hackers use is brute force, which allows them to test millions of login combinations in short amount of time.
Giving Hackers a Difficult Time
There’s a few different preventive measures you can take in order to minimize the risk of getting your website hacked.
Back Up Your Website Often
Obviously it depends on how often your website gets updated, but I would suggest at least a weekly backup. There’s many WordPress plugins that can help you with that, but my favorite is BackupBuddy. BackupBuddy will run you about $100, which you would happily pay to be able to restore your hacked website in 5 minutes.
If you’re looking for a free alternative, you are in luck! Ready! Backup is a free plugin that allows you to create automated backups, send them off to Dropbox or FTP, and restore them quickly. I haven’t tried it yet, but so far most reviews are positive.
Another option is UpdraftPlus. It has way more positive reviews than Ready! Backup plugin; however, it seems like the user interface is not as polished. Either way, you can’t beat free!
Limit Login Attempts
There is a nifty little WordPress plugin called Limit Login Attempts that enables you to limit the number of failed login attempts and even ban an IP for a specified number of hours. Remember how I mentioned brute force attacks and trying millions of different login combinations? Well, with this plugin, brute force attacks would be much harder to pull off.
The hacker would need to have many different proxies because the plugin would keep banning that IP address after a certain number of failed login attempts.
All options are customizable in this plugin. You can select how many failed login attempts you will allow, how long they’re locked out, and how many lockouts it will take to issue a temporary IP ban.
Don’t Use “admin” as Your WordPress Username
Most hackers try to get your password by trying to bruteforce your admin username. If you change your username to something else, that will protect your website immediately.
If you have already installed your website and you chose “admin” as your username, don’t worry about it. There’s still a way to change it.
Create Another Admin User
The fastest way is to register another user and then give that user admin permission. Then you can login with that new admin username and proceed to delete the old “admin” username.
Change it through PHPMyAdmin
If you have many posts and pages assigned to your user and don’t want to re-assign them, you can change your username through PHPMyAdmin. First login to your cPanel and go into PHPMyAdmin. Select your WordPress database and go into wp_users table. Click Edit next to your “admin” user, and change the user_login field to whatever you want it to be.
Avoid Easy Passwords
I know most people probably think, Oh why would a hacker hack my website!?!, but those are the types of people most likely to be the victims of hacking. So don’t throw hackers a bone by selecting an easy-to-guess password. Avoid anything that has to do with your name, website name, or other publicly available information about you. And always choose complex password combinations.
So you’re probably thinking, how the heck am I supposed to remember those passwords that are considered good? It’s a great question! I would suggest using a password-keeper app such as Dashlane. Yes, that potentially opens you up if Dashlane gets hacked; however, chances of that happening are slim. In addition, all data is heavily encrypted so even if it gets hacked, your passwords should still be pretty safe.
If you’re the only person using your computer, you can also consider allowing your browser to remember your passwords so that you don’t have to type them in each time. If you do that, make sure you also have at least an OK password set for your computer login.
If All Else Fails…
If taking all of the preventive actions outlined above doesn’t help, then the next step to try would be to limit the IP addresses that are allowed to visit /wp-admin/ section of your website. The easiest way to do so is to block all entry except your own IP address with an .htaccess file.
Simply create a plain text file in your /wp-admin/ folder and rename it to .htaccess and place the following code inside of it:
# Block access to wp-admin. order deny,allow allow from x.x.x.x deny from all # Allow acces to wp-admin/admin-ajax.php <Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files>
The first piece of code denies all access to /wp-admin/ folder except your IP address (x.x.x.x), and the second piece of code allows access to admin-ajax.php file, which is needed for some themes and plugins that utilize that file. More information about this can be found on the WordPress Codex website.