With over 77 million websites and counting, WordPress is the world’s most popular and widely used content management (CMS). It offers a user-friendly interface for adding new content or modifying existing content, without the need for manual server-side coding. Whether this is your first attempt to build a website, or if you’ve been in the web design business for years, you’re sure to appreciate its user-friendly, fully customizable interface.
But like all CMS platforms, WordPress is vulnerable to hacking and malicious attacks. Failure to protect your site against such attacks could leave you in a world of heartache. Thankfully, there are several different ways to lock down your site, protecting it from intrusion.
Create a Strong, Unique Password
Preventing malicious attacks on any website or online account begins with a strong password. Avoid using common names or words as your WordPress password, but instead choose a unique, random string of characters consisting of upper-case letters, lower-case letters, numbers and special characters. This makes it much more difficult for both people and automated programs to gain access to your site.
Don’t Use ‘Admin’ Username
One of the most common security mistakes WordPress webmasters make is setting up their account with the “admin” username. Hackers and other people with nefarious intent realize this, so they’ll attempt to gain access to WordPress sites by using “admin” as the username. Being that they already know the correct username, they only have to guess the password to gain access to the site.
When you’re initially setting up a WordPress site, you’ll have the opportunity to specify a username. The default username for new installs is “admin,” but you can change this during the setup. Specify a new username to help protect your site against malicious attacks.
In the event that you already set up your site with the “admin” username, you can change it by adding a new user with admin privileges in the dashboard and deleting the old “admin” user. There’s also a workaround for this by editing the database files, but adding a new user and deleting the old “admin” user is easier.
Note: it’s recommended that you set your display name to something different than your actual username. Why is this important? If your username and display name are the same, visitors will know the username for your site’s login, at which point they only need to guess the password to access your site’s admin panel.
Running earlier versions of WordPress places your site at risk for malicious attacks. Hackers often use exploits in outdated versions to gain access to sites, which is why it’s important to update frequently. WordPress introduced automatic updated in version 3.7; however, this only affects “minor and security” updates. You must still log in and manually update your site when large-scale changes are made.
“For WordPress 3.7+, you don’t have to lift a finger to apply minor and security updates. Most sites are now able to automatically apply these updates in the background. If your site is capable of one-click updates without entering FTP credentials, then your site should be able to update from 3.7 to 3.7.1, 3.7.2, etc. (You’ll still need to click ‘Update Now’ for major feature releases.)”
In addition to updating your core WordPress files, you should also update any themes and plugins installed. WordPress’ automatic update feature does handle themes and plugins by default, so you’ll need to update them manually when a new version is released.
Limit Login Attempts
Hackers have grown increasingly savvy in their use of automated programs. Rather than spending countless hours manually entering random username/password combinations, they’ll set up bots to perform this operation around the clock.
Limit Login Attempts is a plguin that does just that: it places a limit on the number of login attempts a user – including yourself – can make from a single IP address. If a bot attempting to access your site reaches this limit, the plugin will temporarily restrict all new login attempts.
Disable Dashboard File Editing
By default, users can edit their WordPress files through the Dashboard > Appearance > Editor. But rarely will you ever find the need to edit your files through the browser interface, and leaving this feature turned on allows anyone with your site’s login credentials to add, delete or modify code.
You can disable this feature by adding the following code to the wp-config.php file: define( ‘DISALLOW_FILE_EDIT’, true );
If you ever need to modify your files, you can still do so manually via a file transfer protocol (FTP) program, such as FileZilla or CuteFTP.
Following the steps outlined here will help protect your site against malicious attacks. With that said, you should still get into the habit of creating a full backup of your site on a regular basis. In the event of a server crash, you can rest assured knowing that a backup copy of your file is ready to be uploaded.